AWS — VPC Egress-Only Internet Gateway Overview

Introduction to AWS VPC Egress-Only Internet Gateway

TL;DR

An egress-only Internet gateway is a VPC component that allows outbound-only communication to the Internet over IPv6, and prevents the Internet from initiating an IPv6 connection with your instances.

An egress-only Internet gateway works like a NAT gateway, but for IPv6 traffic.

An egress-only Internet gateway is for use with IPv6 traffic only. To enable outbound-only Internet communication over IPv4, use a NAT gateway instead.

Egress-Only Internet Gateway Key Points

  1. You cannot associate a security group with an egress-only Internet gateway.
  2. You can use a Network ACL to control the traffic to and from the subnet for which the egress-only Internet gateway routes traffic.
  3. NAT devices do not support IPv6 traffic; use an egress-only Internet gateway instead.
  4. An egress-only Internet gateway is a horizontally scaled, redundant, and highly available VPC component.
  5. An egress-only Internet gateway is stateful, i.e. it forwards traffic from the instances in the subnet to the Internet or other AWS services, and then sends the response back to the instances.

Use Cases

If you want your instance to be able to access the Internet, but you want to prevent resources on the Internet from initiating communication with your instance, you can use an egress-only Internet gateway.

To do this, create an egress-only Internet gateway in your VPC, and then add a route to your route table that points all IPv6 traffic (::/0) or a specific range of IPv6 addresses to the egress-only Internet gateway.
IPv6 traffic in the subnet that's associated with the route table is routed to the egress-only Internet gateway.
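As an added check (not part of the original page), the following Python classifies each route table's IPv6 default route by its target, separating an egress-only Internet gateway (outbound only) from a regular Internet gateway, which also admits Internet-initiated IPv6 connections. The input mimics the shape of boto3's `ec2.describe_route_tables()` response; the route table and gateway IDs are constructed sample values.

```python
from typing import Dict, List

# Constructed sample mirroring boto3's ec2.describe_route_tables() shape:
# one table sends ::/0 to an egress-only gateway, one to a regular Internet
# gateway, and one has no IPv6 default route at all. All IDs are made up.
SAMPLE_ROUTE_TABLES: List[dict] = [
    {"RouteTableId": "rtb-private",
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         {"DestinationIpv6CidrBlock": "::/0",
          "EgressOnlyInternetGatewayId": "eigw-0123456789abcdef0"},
     ]},
    {"RouteTableId": "rtb-public",
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0123456789abcdef0"},
     ]},
    {"RouteTableId": "rtb-isolated",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]


def classify_ipv6_default_route(route_table: dict) -> str:
    """Classify how a route table's ::/0 route reaches the Internet.

    'egress-only'   target is an egress-only Internet gateway (outbound only)
    'bidirectional' target is a regular Internet gateway; the Internet can
                    initiate IPv6 connections to instances in the subnet
    'none'          no ::/0 route, so no IPv6 path to the Internet
    'other'         some other target (e.g. a transit gateway)
    """
    for route in route_table.get("Routes", []):
        if route.get("DestinationIpv6CidrBlock") != "::/0":
            continue
        if route.get("EgressOnlyInternetGatewayId", "").startswith("eigw-"):
            return "egress-only"
        if route.get("GatewayId", "").startswith("igw-"):
            return "bidirectional"
        return "other"
    return "none"


def audit(route_tables: List[dict]) -> Dict[str, str]:
    """Map each route table ID to the classification of its IPv6 default route."""
    return {rt["RouteTableId"]: classify_ipv6_default_route(rt) for rt in route_tables}


if __name__ == "__main__":
    for rtb, status in audit(SAMPLE_ROUTE_TABLES).items():
        print(f"{rtb}: {status}")
```

A table reported as "bidirectional" for a subnet that was meant to be outbound-only indicates the ::/0 route points at an Internet gateway rather than the egress-only gateway described above.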