====== NAT Gateway ======

**What it is:** A managed Network Address Translation service that lets instances in private subnets access the internet **outbound**.

**What it’s for:**
  * Allow private instances to download updates, call external APIs, etc.
  * Prevent inbound internet connections to those private instances.

**Key ideas:**
  * NAT Gateway is placed in a **public subnet**.
  * It uses an **Elastic IP**.
  * Private subnet route table: `0.0.0.0/0 → NAT Gateway`.

**Exam cues:**
  * “private subnet needs outbound internet only” → NAT Gateway.
  * “managed NAT” → NAT Gateway (not NAT instance).

**Hard words:**
  * *translation* /trænzˈleɪʃn/: translating/converting (here, changing the address)
  * *outbound* /ˈaʊtbaʊnd/: going out
  * *Elastic IP* /ɪˈlæstɪk aɪ piː/: AWS's static public IP