An Egress-only Internet Gateway is a VPC component that allows outbound communication from instances to the internet, over IPv6.
Key Points for Egress-only Internet Gateway
- The need for Egress-only IGW arises from the fact that all IPv6 addresses are public IP addresses
- Every IPv6 address is globally unique, and public by default
- An Egress-only IGW provides security by allowing instances with IPv6 addresses to initiate connections to the internet while blocking connections initiated from the internet to those instances.
- Egress-only IGW is horizontally scaled, redundant, and highly available.
- An Egress-only IGW is used only for IPv6 traffic, not for IPv4. For outbound-only IPv4 traffic, a NAT gateway is used instead.
- You cannot associate a Security Group with Egress-only Internet Gateway.
- Instead, use Security Groups on the instances to control traffic to and from those instances.
- You can use a NACL to control traffic to and from the subnet whose traffic the Egress-only IGW is routing.
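Because an Egress-only IGW and a regular Internet Gateway look alike in a route table (both are targets of a `::/0` route), the practical check is which kind of gateway the IPv6 default route points at. The following audit script is an added example, not AWS code or code from the original page; it walks route tables in the shape of the EC2 DescribeRouteTables response and flags any subnet route table whose `::/0` route goes to an `igw-` (bidirectional) rather than an `eigw-` (outbound-only). The sample route tables and all IDs are constructed placeholders.

```python
"""Classify IPv6 default routes: eigw- (outbound-only) vs igw- (bidirectional).
Input mirrors the "RouteTables" list returned by EC2 DescribeRouteTables,
where an egress-only gateway appears as EgressOnlyInternetGatewayId and a
regular internet gateway as GatewayId. Sample data below is constructed."""
from typing import Dict, List, Optional

SAMPLE_ROUTE_TABLES = [  # constructed example data, IDs are placeholders
    {"RouteTableId": "rtb-private-example", "Routes": [
        {"DestinationIpv6CidrBlock": "2001:db8:1::/56", "GatewayId": "local", "State": "active"},
        {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-EXAMPLE", "State": "active"},
    ]},
    {"RouteTableId": "rtb-public-example", "Routes": [
        {"DestinationIpv6CidrBlock": "2001:db8:1::/56", "GatewayId": "local", "State": "active"},
        {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
    ]},
    {"RouteTableId": "rtb-isolated-example", "Routes": [
        {"DestinationIpv6CidrBlock": "2001:db8:1::/56", "GatewayId": "local", "State": "active"},
    ]},
]

def ipv6_default_route_target(route_table: Dict) -> Optional[str]:
    """Return the gateway ID behind the active ::/0 route, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationIpv6CidrBlock") != "::/0":
            continue
        if route.get("State", "active") != "active":  # blackhole routes carry no traffic
            continue
        return route.get("EgressOnlyInternetGatewayId") or route.get("GatewayId")
    return None

def classify(route_table: Dict) -> str:
    """Label the IPv6 internet exposure implied by the route table's ::/0 route."""
    target = ipv6_default_route_target(route_table)
    if target is None:
        return "no-ipv6-internet"  # IPv6 hosts cannot reach the internet at all
    if target.startswith("eigw-"):
        return "egress-only"       # outbound allowed, inbound from internet blocked
    if target.startswith("igw-"):
        return "bidirectional"     # public IPv6 hosts are reachable from the internet
    return "other"                 # e.g. a firewall or transit target: review manually

def audit(route_tables: List[Dict]) -> Dict[str, str]:
    """Map each route table ID to its classification; 'bidirectional' needs review."""
    return {rt["RouteTableId"]: classify(rt) for rt in route_tables}

if __name__ == "__main__":
    for rtb_id, verdict in audit(SAMPLE_ROUTE_TABLES).items():
        print(f"{rtb_id}: {verdict}")
```

Against live data, feed `audit()` the `RouteTables` list from `describe_route_tables` and treat every `bidirectional` result as a subnet whose IPv6 hosts rely solely on Security Groups and NACLs to block inbound traffic.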
The following diagram shows an IPv6 subnet connected to the internet via an Egress-only Internet Gateway, which permits outbound traffic while blocking inbound traffic initiated from the internet:
Image courtesy of AWS
External Resources