Egress-only internet gateways

An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances.

Note: An egress-only internet gateway is for use with IPv6 traffic only. To enable outbound-only internet communication over IPv4, use a NAT gateway instead. For more information, see NAT gateways.

Egress-only internet gateway basics

An instance in your public subnet can connect to the internet through the internet gateway if it has a public IPv4 address or an IPv6 address. Similarly, resources on the internet can initiate a connection to your instance using its public IPv4 address or its IPv6 address; for example, when you connect to your instance using your local computer.

IPv6 addresses are globally unique, and are therefore public by default. If you want your instance to be able to access the internet, but you want to prevent resources on the internet from initiating communication with your instance, you can use an egress-only internet gateway. To do this, create an egress-only internet gateway in your VPC, and then add a route to your route table that points all IPv6 traffic (::/0) or a specific range of IPv6 addresses to the egress-only internet gateway. IPv6 traffic in the subnet that's associated with the route table is routed to the egress-only internet gateway.

An egress-only internet gateway is stateful: it forwards traffic from the instances in the subnet to the internet or other AWS services, and then sends the response back to the instances.

An egress-only internet gateway has the following characteristics:

You cannot associate a security group with an egress-only internet gateway. You can use security groups for your instances in the private subnet to control the traffic to and from those instances.

You can use a network ACL to control the traffic to and from the subnet for which the egress-only internet gateway routes traffic.

In the following diagram, a VPC has an IPv6 CIDR block, and a subnet in the VPC has an IPv6 CIDR block. A custom route table is associated with Subnet 1 and points all internet-bound IPv6 traffic (::/0) to an egress-only internet gateway in the VPC.

Working with egress-only internet gateways

The following sections describe how to create an egress-only (outbound) internet gateway for your private subnet, and to configure routing for the subnet.

Creating an egress-only internet gateway

You can create an egress-only internet gateway for your VPC using the Amazon VPC console.

To create an egress-only internet gateway

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Egress Only Internet Gateways.
3. Choose Create Egress Only Internet Gateway.
4. (Optional) Add or remove a tag.
   [Add a tag] Choose Add new tag and do the following: For Key, enter the key name. For Value, enter the key value.
   [Remove a tag] Choose Remove to the right of the tag's Key and Value.
5. Select the VPC in which to create the egress-only internet gateway.
6. Choose Create.

Viewing your egress-only internet gateway

You can view information about your egress-only internet gateway in the Amazon VPC console.

To view information about an egress-only internet gateway

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Egress Only Internet Gateways.
3. Select the egress-only internet gateway to view its information in the details pane.

Creating a custom route table

To send traffic destined outside the VPC to the egress-only internet gateway, you must create a custom route table, add a route that sends traffic to the gateway, and then associate it with your subnet.

To create a custom route table and add a route to the egress-only internet gateway

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Route Tables, Create Route Table.
3. In the Create Route Table dialog box, optionally name your route table, then select your VPC and choose Yes, Create.
4. Select the custom route table that you just created. The details pane displays tabs for working with its routes, associations, and route propagation.
5. On the Routes tab, choose Edit, specify ::/0 in the Destination box, select the egress-only internet gateway ID in the Target list, and then choose Save.
6. On the Subnet Associations tab, choose Edit, and select the Associate check box for the subnet. Choose Save.

Alternatively, you can add a route to an existing route table that's associated with your subnet. Select your existing route table, and follow steps 5 and 6 above to add a route for the egress-only internet gateway.

For more information about route tables, see Route tables.

Deleting an egress-only internet gateway

If you no longer need an egress-only internet gateway, you can delete it. Any route in a route table that points to the deleted egress-only internet gateway remains in a blackhole status until you manually delete or update the route.
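The route-table configuration above and the blackhole note that follows a deletion both come down to one question: what does the subnet's ::/0 IPv6 route actually point at? The following audit is an added example (not part of the AWS documentation) that classifies route tables given in the shape of `describe-route-tables` output; the IDs and the SAMPLE data are constructed, and the `eigw-`/`igw-` prefix checks assume the standard AWS ID formats.

```python
# Constructed sample shaped like `aws ec2 describe-route-tables` output
# (made-up IDs): subnet-0a is routed correctly through an egress-only
# internet gateway, subnet-0b mistakenly through an internet gateway, and
# subnet-0c keeps a blackhole route after its egress-only gateway was deleted.
SAMPLE = {"RouteTables": [
    {"RouteTableId": "rtb-0a", "Associations": [{"SubnetId": "subnet-0a"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationIpv6CidrBlock": "2001:db8::/56", "GatewayId": "local", "State": "active"},
         {"DestinationIpv6CidrBlock": "::/0", "State": "active",
          "EgressOnlyInternetGatewayId": "eigw-0a"}]},
    {"RouteTableId": "rtb-0b", "Associations": [{"SubnetId": "subnet-0b"}],
     "Routes": [{"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0b", "State": "active"}]},
    {"RouteTableId": "rtb-0c", "Associations": [{"SubnetId": "subnet-0c"}],
     "Routes": [{"DestinationIpv6CidrBlock": "::/0", "State": "blackhole",
                 "EgressOnlyInternetGatewayId": "eigw-deleted"}]},
]}

IPV6_DEFAULT = "::/0"


def classify_ipv6_default(route_table):
    """Classify how a route table handles internet-bound IPv6 (::/0):
    'egress-only' -> egress-only internet gateway, inbound cannot be initiated;
    'public'      -> internet gateway, IPv6 instances reachable from the internet;
    'blackhole'   -> target gone (e.g. deleted egress-only gateway), egress dropped;
    'none'        -> no ::/0 IPv6 route, so no IPv6 internet egress at all."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationIpv6CidrBlock") != IPV6_DEFAULT:
            continue
        if route.get("State") == "blackhole":  # check first: the route may still carry its old target ID
            return "blackhole"
        if route.get("EgressOnlyInternetGatewayId", "").startswith("eigw-"):
            return "egress-only"
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        return "other"  # e.g. an instance or peering target; review by hand
    return "none"


def audit(describe_output):
    """Map each explicitly associated subnet to its IPv6 exposure class.
    Subnets using the main table implicitly have no SubnetId here and are skipped."""
    verdicts = {}
    for table in describe_output["RouteTables"]:
        verdict = classify_ipv6_default(table)
        for assoc in table.get("Associations", []):
            if "SubnetId" in assoc:
                verdicts[assoc["SubnetId"]] = verdict
    return verdicts
```

Running `audit(SAMPLE)` flags subnet-0b as publicly reachable over IPv6 and subnet-0c as having lost its egress, which is exactly the state to look for after a gateway is deleted.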

To delete an egress-only internet gateway

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Egress Only Internet Gateways, and select the egress-only internet gateway.
3. Choose Delete.
4. Choose Delete Egress Only Internet Gateway in the confirmation dialog box.

API and CLI overview

You can perform the tasks described on this page using the command line or an API. For more information about the command line interfaces and a list of available API actions, see Accessing Amazon VPC.

Create an egress-only internet gateway
    create-egress-only-internet-gateway (AWS CLI)
    New-EC2EgressOnlyInternetGateway (AWS Tools for Windows PowerShell)

Describe an egress-only internet gateway
    describe-egress-only-internet-gateways (AWS CLI)
    Get-EC2EgressOnlyInternetGatewayList (AWS Tools for Windows PowerShell)