An Egress-only Internet Gateway is a VPC component that allows outbound communication from instances to the internet, over IPv6.


Key Points for Egress-only Internet Gateway

  • The need for Egress-only IGW arises from the fact that all IPv6 addresses are public IP addresses
    • Every IPv6 address is globally unique, and public by default
    • This Egress-only IGW enables security in terms of blocking internet from accessing instances with IPv6 addresses
  • Egress-only IGW is horizontally scaled, redundant, and highly available.
  • Egress-only IGW is only used for IPv6 traffic, and not for IPv4. For IPv4 outbound only traffic, NAT gateway is used.
  • You cannot associate a Security Group with Egress-only Internet Gateway.
    • You rather use Security Group for instances to control traffic to / from those instances.
  • You can use NACL to control traffic to / from Subnet for which Egress-only IGW is routing traffic.


Following diagram shows a Subnet with IPv6 connected to internet via Egress-only Internet Gateway, and thus restricting the inbound traffic:

Egress-only IGW Overview

Image courtesy of AWS


External Resources