An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet. It prevents the internet from initiating an IPv6 connection with your instances, and it also enables you to use network ACLs to control traffic to and from the subnet for which the gateway routes traffic.
An egress-only internet gateway is stateful, which means that it keeps track of the network connections that it establishes with instances in your VPC. This helps you to better manage the flow of traffic between your VPC and the internet, and it also enables you to monitor outbound VPC data for compliance and security purposes.
You can create an egress-only internet gateway for your VPC using the VPC wizard or by creating one manually. You can attach a private NAT gateway to your egress-only internet gateway for additional outbound NAT capability.
In addition to enabling outbound internet access from your VPC, an egress-only internet gateway can also act as a NAT for instances in your VPC that are not assigned public IP addresses. You can configure a route table for an egress-only internet gateway to define routes that direct traffic to specific destinations in your VPC, such as a firewall. You can also configure security rules to control ingress traffic that passes through the internet gateway.
You can use a private NAT gateway to allow instances in your VPC to connect to other Amazon Web Services, as well as to your on-premises network or another peered VPC. Each internet gateway has an associated route table that specifies which public subnets in your VPC can use it to connect to the internet. You can also control the types of outbound traffic allowed by associating a security group with an internet gateway.
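The following Terraform configuration is an added example, not part of the original page and not AWS documentation, that shows the pieces described above wired together: a VPC with an Amazon-provided IPv6 block, a subnet whose instances get IPv6 addresses but no public IPv4 address, an egress-only internet gateway, a route table whose default IPv6 route (`::/0`) points at that gateway, and a network ACL on the subnet. The region, resource names, tag values and CIDR ranges are assumptions chosen for illustration. The network ACL is the part practitioners most often get wrong: unlike the gateway, a network ACL is stateless, so the return half of each outbound connection must be allowed explicitly as an inbound rule on the ephemeral port range.

```hcl
# Added example (not from the original page or AWS): IPv6 outbound-only path
# through an egress-only internet gateway, with a stateless network ACL that
# permits outbound HTTPS over IPv6 and only the return traffic inbound.
# Region, names and CIDR values are assumptions for illustration.

provider "aws" {
  region = "us-east-1" # assumption
}

resource "aws_vpc" "main" {
  cidr_block                       = "10.0.0.0/16"   # assumption
  assign_generated_ipv6_cidr_block = true            # Amazon-provided /56
  tags                             = { Name = "eigw-demo" }
}

resource "aws_subnet" "private" {
  vpc_id                          = aws_vpc.main.id
  cidr_block                      = "10.0.1.0/24"    # assumption
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 1) # one /64 of the /56
  assign_ipv6_address_on_creation = true
  map_public_ip_on_launch         = false            # no public IPv4: instances talk out over IPv6 only
}

# The gateway itself needs nothing beyond the VPC it belongs to.
resource "aws_egress_only_internet_gateway" "eigw" {
  vpc_id = aws_vpc.main.id
}

# Default IPv6 route to the egress-only gateway. There is deliberately no
# 0.0.0.0/0 IPv4 route, so the subnet has no IPv4 path to the internet at all.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id

  route {
    ipv6_cidr_block        = "::/0"
    egress_only_gateway_id = aws_egress_only_internet_gateway.eigw.id
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# Network ACL for the subnet. NACLs are stateless, so outbound HTTPS alone is
# not enough: the server's replies arrive inbound on an ephemeral source port
# of the instance and must be allowed by a separate inbound rule.
resource "aws_network_acl" "private" {
  vpc_id     = aws_vpc.main.id
  subnet_ids = [aws_subnet.private.id]

  egress {
    rule_no         = 100
    protocol        = "tcp"
    action          = "allow"
    ipv6_cidr_block = "::/0"
    from_port       = 443
    to_port         = 443
  }

  ingress {
    rule_no         = 100
    protocol        = "tcp"
    action          = "allow"
    ipv6_cidr_block = "::/0"
    from_port       = 1024     # return traffic only: ephemeral destination ports
    to_port         = 65535
  }
  # Anything not matched above hits the implicit deny at the end of each list,
  # so no inbound IPv6 connection to ports below 1024 is admitted by the ACL.
}
```

A useful check after `terraform apply` is to confirm that the subnet's route table has only the `::/0` route via the egress-only gateway and no IPv4 default route, and that the network ACL has no inbound rule for `::/0` on service ports; the ACL rules here restrict what the subnet accepts, while the gateway itself already refuses connections initiated from the internet.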