A NAT gateway is the component that lets resources in a private subnet reach the internet without being reachable from it. It does that by translating private IP addresses to public ones on the way out, and back again on the way in. Understanding the mechanics makes the cost model and its alternatives far easier to reason about.
Why translation is needed at all
Private subnets use addresses from the ranges that RFC 1918, the IETF standard for private address space, reserves for internal networks. There are three:
- 10.0.0.0/8 — suited to large networks
- 172.16.0.0/12 — common in medium-sized networks
- 192.168.0.0/16 — popular for home and small-business networks
These addresses cannot route on the public internet. A packet with a 10.x.x.x source has nowhere to go once it leaves your network — so something has to swap that source for a routable public address. That something is the NAT gateway.
The translation process
NAT gateways perform Source Network Address Translation (SNAT):
- A private resource initiates an outbound request.
- The gateway replaces the private source IP with its own public IP.
- It assigns a unique source port so multiple connections can share one public address.
- The request reaches the destination server, which sees only the public IP.
- The response comes back to the gateway, which maps it to the original private address and forwards it on.
The destination never sees — and cannot initiate a connection to — the private resource. That one-way property is what makes NAT a security control as well as a connectivity one.
Port-mapping capacity
Each public IP supports up to roughly 64,000 unique source ports. Because the gateway identifies each tracked connection by the source port it assigned, a single public IP caps the number of simultaneous outbound connections it can multiplex. High-traffic environments that need 100,000+ concurrent connections assign multiple public IPs to spread the load.
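The five-step translation above and the per-IP port cap, as an added Python model that is not part of this page or of any vendor's code: a minimal SNAT connection table that gives each new private flow a unique source port on a public IP, maps replies back to the private host, returns nothing for inbound packets that match no tracked flow, and raises once every port on every public IP is in use. All addresses are constructed values from the RFC 5737 documentation ranges; the port range 1024-65535 is an assumption standing in for the roughly 64,000 ports the text cites, and the model deliberately hands out one port per flow rather than reusing a port across different destinations as a real connection tracker may.

```python
from typing import Dict, Iterator, List, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (private_ip, private_port, dst_ip, dst_port)


class PortExhausted(Exception):
    """No free source port is left on any public IP (step 3 cannot complete)."""


class SnatGateway:
    """Toy SNAT table: one unique public port per private flow (simplified model)."""

    def __init__(self, public_ips: List[str], port_range: range = range(1024, 65536)):
        # Assumption: every port in port_range is usable on each public IP.
        self.public_ips = list(public_ips)
        self.port_range = port_range
        self.free_ports: Dict[str, Iterator[int]] = {ip: iter(port_range) for ip in self.public_ips}
        self.outbound: Dict[Flow, Tuple[str, int]] = {}  # private flow -> (public_ip, public_port)
        self.inbound: Dict[Tuple[str, int, str, int], Flow] = {}  # (public_ip, port, dst_ip, dst_port) -> flow
        self._rr = 0  # round-robin cursor across public IPs

    def _allocate(self) -> Tuple[str, int]:
        """Pick the next unused (public_ip, port), spreading new flows across IPs."""
        for _ in self.public_ips:
            ip = self.public_ips[self._rr % len(self.public_ips)]
            self._rr += 1
            port = next(self.free_ports[ip], None)
            if port is not None:
                return ip, port
        raise PortExhausted("every source port on every public IP is in use")

    def translate_outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Steps 2-3: rewrite the private source to (public_ip, unique port); an existing flow keeps its mapping."""
        flow: Flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.outbound:
            public = self._allocate()
            self.outbound[flow] = public
            self.inbound[(public[0], public[1], dst_ip, dst_port)] = flow
        return self.outbound[flow]

    def translate_inbound(self, public_ip: str, public_port: int, remote_ip: str, remote_port: int) -> Optional[Tuple[str, int]]:
        """Step 5: map a reply back to the private host; a packet matching no tracked flow yields None."""
        flow = self.inbound.get((public_ip, public_port, remote_ip, remote_port))
        return None if flow is None else (flow[0], flow[1])

    def capacity(self) -> int:
        """Maximum simultaneous flows: ports per IP times the number of public IPs."""
        return len(self.public_ips) * len(self.port_range)
```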
What it costs
A managed NAT gateway bills on two lines:
- An hourly usage fee for running the gateway.
- A per-GB data-processing charge on the traffic it handles.
The per-GB charge is the one that scales with your workloads, and it applies to every byte regardless of whether the gateway did anything other than translate an address. Managed gateways also cannot simply be toggled off when idle without deleting and re-provisioning them, so the hourly charge runs whether you are using the gateway or not.
Where Enforza fits
Enforza provides the same secure outbound NAT, but as a single firewall instance on flat per-firewall pricing — no per-GB data-processing tax — and it adds egress, ingress and east-west filtering plus identity-aware hostname (FQDN) rules in the same place. See the secure NAT gateway page for how the replacement works, or Reducing Cloud NAT Costs for the full cost comparison.