- [Man] So how do instances in our VPC access the internet? 

Well, the first way is that we can assign a public IP address to that machine. So first we assign a public IP address or an Elastic IP address or EIP to the instances that we want to have internet access. 

That gives those instances the ability to send and receive traffic from the internet, i.e. for web service, we want to have that ability. So how do instances without public IP addresses access to the internet? Instances without a public IP address can route their traffic through what we call a NAT Gateway or a NAT Instance. Now, NAT stands for Network Address Translation. And essentially, NAT instances or services, traverse IP ranges, internet protocol number ranges. And so allow instances and private or public subnets to access the internet via Network Address Translation. So if a machine is in a subnet and it doesn't have an EIP address, then it's not going to be visible through the internet gateway. But if we use a NAT gateway, we can have that machine topped outbound to the internet via this Network Address Translation. So the NAT Gateway or NAT Instance allows outbound communication, but it doesn't allow machines on the internet outside of the VPC to initiate a connection to that privately addressed instance. Okay, so let's look at another concept of connectivity, which is highly available NAT Gateways instead of NAT Instances. Remember, NAT stands for Network Address Translation and NAT Gateways offer major advantages in terms of deployment, availability and maintenance. 

So rather than running a NAT Instance, which is basically a machine that we have provisioned and managed and we set up that routing rule, which allows machines in a public or private subnet who do not have an Elastic IP address, who do not have an internet address to connect outbound through the NAT instance through the internet gateway, outbound to the internet. So they are basically a hopping host to get out through the internet. So remember that in terms of highly available NAT Gateways are way more available because they're a managed service. So they scale very well and designed to deal with burst activity, et cetera. Now, another form of connectivity we can have to our VPC is using a VPN. So if you have a hardware VPN connection or direct connection, instances can route their internet traffic down the virtual private gateway to your own internet connection. Now, note the difference there. There's the internet gateway and there's the virtual private gateway. So a VPN connection uses a virtual private gateway. Your internet in and outbound traffic uses the Internet Gateway. You can also have services within your VPC access the internet via your existing egress points using a VPN connection. Now, a couple of things to remember with VPC design is that always makes sure you leave spare capacity for additional subnets. So always make sure that your IP addressing contains additional capacity so that you can scale it.