October 4, 2018

Access Resources on the Public Internet Through an Oracle Cloud Infrastructure NAT Gateway.

By: Myron King | Consulting Member of the Technical Staff


Many OCI customers have compute instances in VCNs which, for privacy, security, or operational reasons, are placed in private subnets. To grant these resources access to the public Internet for software updates, CRL checks, and so on, users' only option has been to create a NAT instance in a public subnet and route traffic through that instance, using its private IP as the route target from within the private subnet. Though many have used this approach successfully, it does not scale easily and brings a myriad of administrative and operational challenges.

We are excited to announce the availability of NAT Gateway, which addresses the aforementioned challenges and provides OCI customers with a simple and intuitive tool for their networking security needs:

  • Highly Scalable and Fully Managed NAT gateways enable instances on private subnets to initiate large numbers of connections to the public Internet. Connections initiated from the Internet are blocked.
  • A Security feature allows traffic through NAT gateways to be disabled at the click of a button.
  • Each NAT Gateway is assigned a Dedicated IP Address, which can be reliably added to security whitelists.

This section shows how to access the public Internet from a private instance through a NAT Gateway.

[Figure: Before / After]

Initially, our Private Instance accesses the public internet through a [public] NAT Instance.  The VCN has one public subnet and one private subnet with their route tables, security lists, and DHCP options created based on steps 1-3 described in this blog post.

Through a Bastion (not shown) we can ssh into the Private Instance and access resources on the public Internet as shown:

Now we create a NAT Gateway in the VCN:

You can see the newly created gateway in the list of NAT gateways:


Finally, replace the route rule that pointed to the NAT instance with one that points to the NAT Gateway:
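The same three steps (create the gateway, find its OCID, repoint the private subnet's default route) as an added OCI CLI example, not part of the original post. All OCIDs are placeholders you must replace with values from your own tenancy; the route-rules payload shape and the `--block-traffic` switch are the ones the OCI CLI accepts.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): move a private subnet's default
# route from a NAT instance to a NAT Gateway using the OCI CLI.
# All OCIDs below are placeholders; set them from your own tenancy.
set -euo pipefail

COMPARTMENT_OCID="${COMPARTMENT_OCID:-ocid1.compartment.oc1..PLACEHOLDER}"
VCN_OCID="${VCN_OCID:-ocid1.vcn.oc1.iad.PLACEHOLDER}"
PRIVATE_RT_OCID="${PRIVATE_RT_OCID:-ocid1.routetable.oc1.iad.PLACEHOLDER}"

# Route-rules JSON for the private subnet: one default route targeting the
# NAT Gateway. --route-rules replaces the whole list, so any other rule the
# table needs (e.g. a Service Gateway rule) must be included here as well.
nat_route_rules_json() {
  local nat_gw_ocid="$1"
  printf '[{"destination":"0.0.0.0/0","destinationType":"CIDR_BLOCK","networkEntityId":"%s"}]' "$nat_gw_ocid"
}

# Guard: only a NAT Gateway OCID may become the default-route target, so a
# pasted instance or private-IP OCID is rejected before the table is updated.
is_nat_gateway_ocid() {
  case "$1" in
    ocid1.natgateway.*) return 0 ;;
    *) return 1 ;;
  esac
}

create_nat_gateway() {   # prints the new gateway's OCID
  oci network nat-gateway create --compartment-id "$COMPARTMENT_OCID" \
    --vcn-id "$VCN_OCID" --display-name "$1" --query 'data.id' --raw-output
}

replace_default_route() {   # repoint 0.0.0.0/0 from the NAT instance to the gateway
  local nat_gw_ocid="$1"
  is_nat_gateway_ocid "$nat_gw_ocid" || { echo "not a NAT Gateway OCID: $nat_gw_ocid" >&2; return 1; }
  oci network route-table update --rt-id "$PRIVATE_RT_OCID" \
    --route-rules "$(nat_route_rules_json "$nat_gw_ocid")" --force
}

block_nat_traffic() {   # the "disable at the click of a button" switch (true/false)
  oci network nat-gateway update --nat-gateway-id "$1" --block-traffic "${2:-true}"
}

main() {
  local gw
  gw="$(create_nat_gateway "private-subnet-natgw")"
  replace_default_route "$gw"
  echo "default route now targets $gw; the NAT instance can be deleted"
}

# Only touch a tenancy when explicitly requested; sourcing the file stays offline.
if [ "${RUN_OCI:-0}" = "1" ]; then main; fi
```

Run with `RUN_OCI=1` once the OCIDs are set; `block_nat_traffic "$gw" true` cuts all outbound traffic through the gateway without changing any route.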


In a few easy steps we have given all instances in the private subnet access to resources on the Internet. As with the other OCI Gateways (Service, Internet, etc.), the NAT Gateway is highly available and scales elastically to meet your bandwidth requirements. We can now delete the NAT instance, as it is no longer required.

OCI recommends the NAT Gateway as the preferred method for granting Internet access to instances on private subnets. You can read more about the NAT Gateway in the OCI Networking Documentation. You can also watch our video demo for additional details.
