Where traffic inside a VPC goes is decided by Route Tables. Exits to the public internet are split between two gateways: IGW handles bidirectional traffic, NAT handles outbound only.

Route Tables

A Route Table is a set of routing rules attached to a VPC or a Subnet. Each rule pairs a destination CIDR with a next hop (target), telling traffic where to go.

Matching is by longest prefix. A more specific CIDR rule wins. If both 0.0.0.0/0 (the default route) and 10.0.5.0/24 exist and a packet’s destination is 10.0.5.42, the 10.0.5.0/24 rule is chosen.

A Local route is added automatically when a VPC is created. It points to the VPC’s full CIDR, so resources inside the same VPC can communicate without any extra configuration. The Local route cannot be deleted.
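The lookup rule described above, as an added example that is not from the original article: a small Python model of a Route Table (an assumed model for illustration, not any vendor's API) that resolves destinations by longest prefix, inserts the Local route at creation and refuses to delete it. Target names such as igw-example and eni-inspection are placeholders.

```python
import ipaddress
from typing import Dict, Optional, Tuple


class RouteTable:
    """Toy Route Table: destination CIDR -> target, resolved by longest prefix.

    Assumed model for illustration, not a vendor API. The Local route covering
    the VPC CIDR is inserted at creation and cannot be deleted.
    """

    def __init__(self, vpc_cidr: str) -> None:
        self.vpc_cidr = ipaddress.ip_network(vpc_cidr)
        self.rules = {self.vpc_cidr: "local"}

    def add(self, cidr: str, target: str) -> None:
        net = ipaddress.ip_network(cidr)
        if net == self.vpc_cidr:
            raise ValueError("the Local route's target is fixed")
        # Whether a route more specific than the Local route is permitted is
        # vendor-dependent (AWS allows it for selected targets, e.g. to steer
        # intra-VPC traffic through an inspection appliance). The article's
        # own 10.0.5.0/24 example assumes it, so it is allowed here.
        self.rules[net] = target

    def delete(self, cidr: str) -> None:
        net = ipaddress.ip_network(cidr)
        if net == self.vpc_cidr:
            raise ValueError("the Local route cannot be deleted")
        del self.rules[net]

    def lookup(self, destination: str) -> Optional[Tuple[str, str]]:
        """Return (matched CIDR, target) for the most specific rule covering
        `destination`, or None when nothing matches (no default route)."""
        ip = ipaddress.ip_address(destination)
        best = None
        for net, target in self.rules.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return None if best is None else (str(best[0]), best[1])


def demo() -> Dict[str, Optional[Tuple[str, str]]]:
    """Constructed example: the 10.0.0.0/16 VPC from the diagram with a default
    route and one more-specific rule, beside a table with no default route."""
    rt = RouteTable("10.0.0.0/16")
    rt.add("0.0.0.0/0", "igw-example")        # default route (placeholder name)
    rt.add("10.0.5.0/24", "eni-inspection")   # more specific than /16 and /0
    private = RouteTable("10.0.0.0/16")       # Local route only, no default
    return {
        "8.8.8.8 via rt": rt.lookup("8.8.8.8"),            # only /0 covers it
        "10.0.9.1 via rt": rt.lookup("10.0.9.1"),          # /16 beats /0
        "10.0.5.42 via rt": rt.lookup("10.0.5.42"),        # /24 beats /16 and /0
        "8.8.8.8 via private": private.lookup("8.8.8.8"),  # no route: dropped
        "10.0.9.1 via private": private.lookup("10.0.9.1"),
    }


if __name__ == "__main__":
    for destination, hop in demo().items():
        print(f"{destination:22s} -> {hop}")
```

The last two entries are the quiet point of the Local route: a table with nothing but the automatic rule still carries every intra-VPC destination, while anything outside the VPC CIDR matches nothing and is dropped.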

flowchart LR
    Pkt["Packet
destination: 8.8.8.8"] --> RT["Route Table"]
    RT -->|"10.0.0.0/16
(local)"| Local["Inside VPC"]
    RT -->|"0.0.0.0/0
(default)"| Out["IGW or NAT"]

Internet Gateway (IGW)

The Internet Gateway is the component responsible for bidirectional traffic between a VPC and the public internet. A VPC can attach only one IGW, and external traffic flows only when one is attached.

Reaching a resource from outside requires two conditions together. The resource must have a Public IP or Elastic IP attached, and the Subnet it sits in must have a Route Table with a default route pointing to the IGW. Satisfying only one is not enough. Routing is also only the first gate: the packet still has to be allowed by the firewall layer (Security Groups and Network ACLs in AWS, NSGs in Azure), so a correct route with a closed Security Group is just as unreachable.

NAT Gateway

A NAT Gateway is an outbound-only exit. It is used when resources in a Private Subnet need to reach the public internet but must not be reachable from the outside directly.

The NAT Gateway itself sits in a Public Subnet, because NAT eventually has to push traffic out through the IGW. The Private Subnet’s Route Table points its default route at the NAT Gateway, and the NAT translates traffic onto its own Public IP before forwarding it.

Connections initiated from outside cannot pass through the NAT, so Private resources interact with the outside only through connections they open themselves (return traffic for those connections is let back in). That asymmetry is the security benefit, but it is only that: the NAT does not restrict which destinations Private resources may reach, so egress filtering still has to come from Security Groups, Network ACLs, or an inspection path. Note that NAT Gateways are billed per hour plus a charge for the data they process, which makes them a cost concern for outbound-heavy workloads.

Public Subnet vs Private Subnet

Public Subnet and Private Subnet are not properties of the Subnet itself. They are the result of routing rules.

  • Public Subnet: a Subnet whose Route Table has a default route pointing to the IGW
  • Private Subnet: a Subnet whose default route points to a NAT, or has no default route at all

flowchart LR
    subgraph Public ["Public Subnet"]
        VM_P["VM (Public IP)"] -.-> RT_P["Route Table
0.0.0.0/0 → IGW"]
    end
    subgraph Private ["Private Subnet"]
        VM_R["VM"] -.-> RT_R["Route Table
0.0.0.0/0 → NAT"]
    end
    RT_P --> IGW["IGW"]
    RT_R --> NAT["NAT Gateway"]
    NAT --> IGW

Two Subnets in the same VPC are simply attached to different Route Tables — there is no Public or Private flag on the Subnet itself.

Common Routing Pitfalls

A Public IP exists, but the resource is not reachable

A Public IP is not a sufficient condition for reachability. The Subnet hosting the resource must have a Route Table with a default route pointing to the IGW. Attaching a Public IP to an instance in a Private Subnet does not make it reachable from outside. The reverse failure exists too: an instance in a Public Subnet with no Public IP has the route but nothing the IGW can translate, so it can neither be reached nor reach out.

Same-VPC traffic works even with an empty Route Table

The Local route is added automatically and cannot be removed, so resources within the same VPC can reach each other regardless of any other routing rule. If two instances in one VPC cannot talk, the cause is a Security Group or Network ACL, not the Route Table.

Why NAT is deployed in every AZ

A NAT Gateway is a per-AZ resource. If one AZ hosts a NAT and Private Subnets in another AZ point at it, an outage in the NAT's AZ takes outbound traffic from the other AZ down with it, even though that AZ is otherwise healthy. Pointing Private Subnets at a NAT in another AZ also adds cross-AZ data transfer charges to every outbound byte. Systems that care about availability deploy a NAT per AZ and route each Private Subnet to the NAT in its own AZ. The cost rises in proportion.
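The Public vs Private rule, the two reachability conditions and the per-AZ NAT pitfall above, combined into one added example that is not from the original article: a Python model of a two-AZ VPC (an assumed model for illustration, not any vendor's API) that derives a Subnet's class from its default route, checks inbound reachability, and traces the outbound path under a simulated AZ outage. Subnet, NAT and instance names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed model for illustration only. Only the 0.0.0.0/0 route decides the
# public/private question, so each Route Table carries just its default-route
# target: "igw", the name of a NAT Gateway, or None (no default route).


@dataclass
class RouteTable:
    default_target: Optional[str]


@dataclass
class Subnet:
    name: str
    az: str
    route_table: RouteTable


@dataclass
class NatGateway:
    name: str
    subnet: str   # the Subnet the NAT lives in; it only works if that Subnet is public


@dataclass
class Instance:
    name: str
    subnet: str
    has_public_ip: bool


def classify(subnet: Subnet) -> str:
    """Public vs Private is derived from the default route, not a Subnet flag."""
    return "public" if subnet.route_table.default_target == "igw" else "private"


def reachable_from_internet(inst: Instance, subnets: Dict[str, Subnet]) -> bool:
    """Inbound needs both conditions: a Public IP and a default route to the IGW."""
    return inst.has_public_ip and classify(subnets[inst.subnet]) == "public"


def egress_path(inst: Instance, subnets: Dict[str, Subnet],
                nats: Dict[str, NatGateway],
                failed_azs: Iterable[str] = ()) -> Optional[List[str]]:
    """Hops an outbound packet from `inst` takes to the internet, or None when
    it has no working exit. `failed_azs` simulates an AZ outage."""
    failed = set(failed_azs)
    subnet = subnets[inst.subnet]
    if subnet.az in failed:
        return None                     # the instance is down with its AZ
    target = subnet.route_table.default_target
    if target is None:
        return None                     # no default route: nowhere to send it
    if target == "igw":
        # The IGW has nothing to translate for an instance without a Public IP.
        return ["igw"] if inst.has_public_ip else None
    nat = nats.get(target)
    if nat is None:
        return None                     # dangling target
    nat_subnet = subnets[nat.subnet]
    if nat_subnet.az in failed or classify(nat_subnet) != "public":
        return None                     # NAT's AZ is down, or NAT has no IGW path
    return [f"nat:{nat.name}", "igw"]


def sample_topology(nat_per_az: bool) -> Tuple[Dict[str, Subnet], Dict[str, NatGateway]]:
    """Constructed two-AZ VPC. With nat_per_az=False, private-b depends on the
    NAT in AZ a; with True, each AZ has its own NAT."""
    subnets = {
        "public-a":  Subnet("public-a",  "a", RouteTable("igw")),
        "public-b":  Subnet("public-b",  "b", RouteTable("igw")),
        "private-a": Subnet("private-a", "a", RouteTable("nat-a")),
        "private-b": Subnet("private-b", "b",
                            RouteTable("nat-b" if nat_per_az else "nat-a")),
    }
    nats = {"nat-a": NatGateway("nat-a", "public-a")}
    if nat_per_az:
        nats["nat-b"] = NatGateway("nat-b", "public-b")
    return subnets, nats


if __name__ == "__main__":
    subnets, nats = sample_topology(nat_per_az=False)
    web = Instance("web", "public-a", has_public_ip=True)
    orphan = Instance("orphan", "private-a", has_public_ip=True)
    worker_b = Instance("worker-b", "private-b", has_public_ip=False)
    print(reachable_from_internet(web, subnets))                    # True
    print(reachable_from_internet(orphan, subnets))                 # False: Public IP, no IGW route
    print(egress_path(worker_b, subnets, nats))                     # ['nat:nat-a', 'igw']
    print(egress_path(worker_b, subnets, nats, failed_azs={"a"}))   # None: AZ a outage
    subnets, nats = sample_topology(nat_per_az=True)
    print(egress_path(worker_b, subnets, nats, failed_azs={"a"}))   # ['nat:nat-b', 'igw']
```

The single-NAT run shows the pitfall directly: worker-b sits in a healthy AZ, but its only exit lives in the failed one. The per-AZ run keeps the same instance online through nat-b. The orphan instance is the first pitfall in code form: a Public IP in a Private Subnet makes it no more reachable than its neighbours, while its outbound traffic still leaves through the NAT.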

Vendor Naming Map

Routing components by vendor:

| Concept | AWS | GCP | Azure | Alibaba Cloud |
| --- | --- | --- | --- | --- |
| Routing rules | Route Table | Routes | Route Table | Route Table |
| External exit (bidirectional) | Internet Gateway | (default internet gateway, implicit) | Public IP + NSG | Internet Gateway |
| Outbound-only exit | NAT Gateway | Cloud NAT | NAT Gateway | NAT Gateway |

GCP differs in that the default internet gateway is not exposed as an explicit resource — it shows up only as a next hop in Routes. Azure has no separate Internet Gateway resource; external exposure is governed by Public IPs and NSG rules.

Wrap-up

Three elements decide the path traffic takes inside a VPC.

  • Route Table: a set of rules attached to a VPC or Subnet. Longest prefix match and the Local route are provided by default.
  • IGW: a bidirectional exit to the public internet. Reachability requires both a Public IP and a default route in the Subnet’s Route Table.
  • NAT Gateway: an outbound-only exit. It sits in a Public Subnet and pushes traffic out through the IGW.

Public Subnet vs Private Subnet is not a property of the Subnet itself — it is the result of where the default route points.

Route Table rules ultimately decide internal communication, external egress, and the Public vs Private split. IGW and NAT only provide the kinds of exits; which destination ends up at which exit is still determined by the rules.

The next article covers how a VPC connects to other networks — the topologies that Peering, Transit Gateway, VPN, and PrivateLink make possible.