Understanding AWS – Internet Gateways (IGW)

To provide internet access from a VPC, Amazon provides a service called an Internet Gateway (IGW).  Internet Gateways are operated and managed by Amazon and provide a horizontally scalable, redundant and highly available path to the internet, for both IPv4 and IPv6 addressing.  To give a VPC internet access you must create an IGW and attach it to the VPC, then add a route to the route table of the VPC subnet that points non-local traffic at the IGW.  This is normally a default route: 0.0.0.0/0 for IPv4, ::/0 for IPv6, or both.  Any subnet whose route table carries such a route is, by definition, a public subnet.  To ensure end-to-end flow of traffic you must also ensure that the Network ACLs and security groups allow the required traffic to and from your VPC; the IGW itself performs no filtering.

When a resource with a private IPv4 address reaches the internet through an IGW, the IGW translates the private address to a public address.  The IGW maintains a one-to-one mapping between each resource's private IPv4 address and its public IPv4 address.  When a resource is launched it can automatically receive a public IP address, or an Elastic IP can be assigned to it; in either case the IGW maintains the mapping, and a resource that has no public address cannot reach the internet through the IGW.

IPv6 is designed to be an end-to-end protocol, so resources within a VPC are assigned globally unique addresses (GUAs) from the Amazon-provided IPv6 address block.  For outbound IPv6 traffic to the internet the IGW does not need to translate the source address, so the packet passes through unchanged.  For inbound flows the IGW forwards the traffic to the resource holding the matching GUA.  Because there is no translation, an IPv6-enabled resource is directly reachable from the internet as soon as a ::/0 route points at the IGW, which leaves the security groups and Network ACLs as the only controls between it and the internet.
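The steps above (create and attach the IGW, add the IPv4 and IPv6 default routes, rely on security groups rather than the IGW for filtering), together with the public-IP and Elastic-IP mapping and the untranslated IPv6 GUA assignment, as one Terraform configuration.  This is an added example and not code from the original post or from AWS; the region, resource names, CIDR ranges (10.0.0.0/16, 10.0.1.0/24, 203.0.113.0/24, 2001:db8::/32) and the `ami_id` variable are constructed placeholders you would replace with your own values.

```hcl
# Added example, not from the original post: a dual-stack public subnet
# behind an Internet Gateway. All names, CIDRs and the region are constructed;
# var.ami_id is a placeholder the reader supplies.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

provider "aws" {
  region = "eu-west-1" # constructed; pick your own region
}

variable "ami_id" {
  type = string # placeholder: AMI for the example instance
}

# The VPC uses private RFC 1918 IPv4 space and requests an IPv6 /56 from
# Amazon's GUA pool. IPv6 addresses are used end to end, never translated.
resource "aws_vpc" "main" {
  cidr_block                       = "10.0.0.0/16"
  assign_generated_ipv6_cidr_block = true
}

# Create the IGW and attach it to the VPC (setting vpc_id is the attachment).
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

# map_public_ip_on_launch gives each instance the public IPv4 address that
# the IGW maps one-to-one onto its private address; the /64 is carved out
# of the VPC's Amazon-provided IPv6 block.
resource "aws_subnet" "public" {
  vpc_id                          = aws_vpc.main.id
  cidr_block                      = "10.0.1.0/24"
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 1)
  map_public_ip_on_launch         = true
  assign_ipv6_address_on_creation = true
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
}

# These two default routes are what make the subnet a public subnet.
resource "aws_route" "ipv4_default" {
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.igw.id
}

resource "aws_route" "ipv6_default" {
  route_table_id              = aws_route_table.public.id
  destination_ipv6_cidr_block = "::/0"
  gateway_id                  = aws_internet_gateway.igw.id
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# The IGW filters nothing, so this security group is the control that matters.
# Inbound is limited to HTTPS from a constructed admin range on each address
# family; the VPC's default network ACL already permits all traffic both ways.
resource "aws_security_group" "web" {
  name   = "igw-example-web"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port        = 443
    to_port          = 443
    protocol         = "tcp"
    cidr_blocks      = ["203.0.113.0/24"]  # constructed admin range
    ipv6_cidr_blocks = ["2001:db8::/32"]   # constructed admin range
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
}

resource "aws_instance" "web" {
  ami                    = var.ami_id
  instance_type          = "t3.micro"
  subnet_id              = aws_subnet.public.id
  vpc_security_group_ids = [aws_security_group.web.id]
}

# Alternative to the auto-assigned public IPv4: a stable Elastic IP. On
# association the IGW's one-to-one mapping for the instance moves to this EIP.
resource "aws_eip" "web" {
  domain = "vpc"
}

resource "aws_eip_association" "web" {
  instance_id   = aws_instance.web.id
  allocation_id = aws_eip.web.id
}
```

Apply it with `terraform init` followed by `terraform apply -var ami_id=<your AMI>`.  Removing either `aws_route` resource withdraws internet access for that address family, and removing `map_public_ip_on_launch` and the Elastic IP leaves the instance with only a private IPv4 address, which the IGW will not carry.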