High-performance and highly available VPS/VDS with automatic installation and full root access to the OS. The ordered resources are guaranteed to be reserved for you.
Fortify your operational continuity with our resilient disaster recovery solutions, ensuring swift recovery and minimal downtime in the face of unforeseen challenges.
Public IP and NAT Gateway both allow servers to reach the internet, but they do so in fundamentally different ways.
A Public IP makes sense when a VM needs a direct external address. It is simpler at the beginning: the server can reach the internet more directly, it is easier to connect to, and the traffic path looks straightforward. But together with that simplicity comes external exposure, and any mistake in the access rules becomes more visible — and more dangerous.
A NAT Gateway works differently. The server stays in a private subnet without a public address, but it can still reach the internet for updates, packages, external APIs, and other outbound requests. This model usually aligns better with the role of internal VMs that need internet access to function, but do not need direct inbound access from the outside world.
You can reduce the difference to the following:
Criterion
Public IP
NAT Gateway
How the server reaches the internet
Directly
Through a separate NAT layer
Does the VM need a public address
Yes
No
Inbound internet traffic
Potentially possible
No direct inbound path to the VM
What usually wins
Simplicity
A cleaner network model
Main trade-off
Higher external exposure
Additional cost and a separate network layer
Below, we will look at what direct external access actually simplifies, how a private subnet gets outbound access without a public address, and where security, traffic flow, and cost really change between these two approaches.
Public IP: direct internet access without an intermediary
When people discuss how cloud servers reach the internet, the conversation often sounds overly technical: routes, addresses, gateways, subnets. But in practice, this is a very applied decision. It affects several things at once:
whether the VM is directly visible in the external environment,
how many network components need to exist in the design,
how risk and operating cost change,
and how easy it is to launch the server quickly.
That is exactly why Public IP versus NAT Gateway is worth discussing as a separate topic. The choice is not just between two technical ways to let a VM reach the internet, but between two different access models.
The first of those is the Public IP. It is an external address that makes the server part of the public-facing network environment. The server can initiate outbound connections to the internet, and with the right routes and access rules in place, it can also be reachable from the outside.
That is why this option tends to feel like the simplest one. It reduces the number of network components, makes the traffic path more direct, and removes part of the infrastructure layer that would otherwise be needed in a private-only design.
But that simplicity comes at a cost. As soon as a VM receives a public address, it stops being just an internal server with outbound connectivity and becomes a resource that now sits much closer to the open internet.
What exactly direct internet access simplifies for a VM
After the general overview, it makes sense to look not just at the external address itself, but at its practical value. Otherwise, a Public IP is too easy to reduce to a dry statement like, “right, the server has internet access.”
In reality, teams value it for much more grounded reasons. A VM with a public address is faster and easier to bring into operation. It does not need a separate NAT layer for outbound traffic, there is no need to design a separate egress model, and the path to the internet is as direct as it gets.
In practice, that usually simplifies several things at once:
installing packages and updates without additional network infrastructure,
making outbound calls to external APIs, repositories, licensing services, and telemetry endpoints,
getting temporary VMs, test environments, and utility servers up quickly,
reducing the number of separate components that need to be configured, monitored, and paid for.
That is exactly why Public IP is popular at the early stage. It lowers the barrier to entry: launch the VM, assign an address, configure the rules, and the server can start working without a separate NAT setup.
But this is also where the main trade-off appears. A simpler route almost always means the server moves closer to the external environment not only for outbound traffic, but in the access model itself.
NAT Gateway: outbound internet access without direct inbound exposure
If the logic of a Public IP is simple — the server reaches the internet directly — then a private subnet works differently. The VM remains inside the private environment and does not receive an external address, but that does not mean it has to live without internet access entirely.
That is exactly where a NAT Gateway comes in. It serves as a separate egress point through which private servers can initiate outbound connections to the internet: downloading updates, pulling packages, calling external APIs, sending telemetry, and reaching other online services. At the same time, inbound traffic from the internet does not reach those VMs directly under the same model.
That is why NAT Gateway is valued. It allows workloads to stay inside a private subnet, avoids assigning a public address to every VM, and still preserves normal day-to-day operations.
In practice, the role of a NAT Gateway looks like this:
What a private VM needs
How NAT Gateway solves it
Install packages or updates
Outbound traffic goes to the internet through the NAT layer
Call an external API
The VM initiates the connection through the NAT endpoint
Send logs, metrics, or telemetry
Traffic leaves the network without the VM having its own public address
Remain unreachable directly from the internet
No direct inbound path to the VM is opened
In practice, this is what makes NAT Gateway a standard pattern for a private subnet. It does not replace a firewall, route tables, or other network rules, but it solves a very important problem: it provides outbound internet access without turning the VM itself into a public-facing resource.
How a private subnet gets internet access without a public address
After the general section on NAT Gateway, it makes sense to look at the mechanism itself. Otherwise, this pattern can easily seem almost magical: the server does not have a public address, yet it still reaches the internet.
In reality, the design is fairly straightforward. A VM in a private subnet sends outbound traffic along its normal route, and then the route table directs that traffic not to the internet gateway directly, but to the NAT Gateway. The NAT layer then sends that traffic out under its own public identity and returns the responses back to the private server. In essence, it is the same basic idea used by a typical home router.
Because of that, a private VM can:
install updates,
pull packages and container images,
EU Cloud Infrastructure You Control
Run production workloads on dedicated resources across EU data centres. Transparent pricing, no hidden costs.
Full control over compute, storage, and networking.
work with internet resources without having its own public address.
On a diagram, the difference looks like this:
Model
How the VM reaches the internet
What the VM itself gets
With a Public IP
Directly
A public address and a more direct internet path
Through a NAT Gateway
Through a separate NAT layer
Outbound access without a public address
That is exactly where the main advantage of a NAT Gateway lies. It separates internet access from external reachability. The server can go out to the internet without becoming a resource that sits directly in the public-facing environment.
But this design also has a cost. A NAT Gateway adds a separate network layer, changes the traffic path, and almost always introduces additional expense. That is why the next useful step is to compare both approaches directly and look at how security, traffic flow, and operating cost actually change between them in practice.
NAT Gateway vs Public IP: how security, traffic flow, and cost change
Where the access model itself changes
By this point, the difference is already clear at the conceptual level. One approach gives the VM a more direct path to the internet, while the other lets it reach the internet through a separate NAT layer without assigning the machine a public address of its own.
But in practice, teams do not focus only on the fact that outbound internet access exists. What matters more is this: does the VM receive a public address, can it become reachable from the outside, and how isolated does the resource remain?
At the most basic level, the difference looks like this:
Criterion
Public IP
NAT Gateway
Does the VM have a public address
Yes
No
Can the VM be reachable from the outside
Potentially yes, if routes and rules allow it
Not directly
Access model
More direct
More isolated
Network path
Shorter and simpler
Includes an additional intermediate layer
From a security perspective, the difference is fairly practical and concrete. With a Public IP, the server sits closer to the external-facing environment. Even if inbound traffic is blocked through Security Groups or firewall rules, the VM still exists in a model where a public address is present.
With a NAT Gateway, the logic is stricter. The server is given outbound internet access only, without turning it into a public-facing resource. For backends, worker nodes, internal utility VMs, processing services, and private applications, that usually aligns better with the real role of the resource.
Where the difference starts to show up in cost and operations
Once you move past the access model itself, the next layer is more practical: operations. At this point, the question is no longer only about security, but also about how many components need to exist in the design, how quickly VMs can be launched, and what the setup costs to run.
In practice, the choice usually comes down to a few things:
Does the server need inbound traffic from the internet, or only outbound access?
Is the resource supposed to be an external entry point, or does it simply need to reach updates and APIs?
Is the team willing to pay for a separate NAT layer in exchange for a cleaner network design?
How many such VMs exist in the environment, and will “just give it a Public IP” turn into a habit at scale?
In typical scenarios, the difference looks like this:
Scenario
What usually makes more sense
Why
Temporary VM for testing or a utility task
Public IP
Faster start, less network overhead
Backend in a private subnet
NAT Gateway
Outbound access is needed, but direct external entry is not
Database
NAT Gateway or even fully private-only
An external address usually does not match the role of the resource
A group of internal VMs that need updates and access to external APIs
NAT Gateway
One controlled egress path is better than many public addresses
Bastion, reverse proxy, or another public entry point
Public IP
By role, the resource is meant to face outward
This is also where the financial difference starts to become visible. A Public IP usually looks simpler in the design itself: fewer components, less indirection, and lower network complexity at the beginning. A NAT Gateway adds a separate managed layer and an additional cost, but it helps avoid assigning a public address to every machine and consolidates outbound access into one point.
So the practical conclusion is usually this: if the server must accept external traffic, a direct public address may be perfectly reasonable for that role. If the VM only needs to reach outward, NAT Gateway often turns out to be the cleaner choice. Yes, some providers allow you to “forward” a port through the NAT layer for external access, but that is not always a particularly good design, especially compared with using load balancers or ingress layers. Still, it can be acceptable in some cases.
Conclusion
In practice, this choice almost never comes down to asking which option is “more modern.” The mistake usually begins when a direct public address is assigned to a server that only needs outbound access.
That is why it is better to look at the role of the resource:
If the server must accept traffic from the internet, a direct public address can be a perfectly reasonable part of the design
If it only needs to reach outward for packages, updates, and APIs, a separate NAT layer usually provides a cleaner model
If external internet access is not needed at all, it is often better not to open that path in the first place
The practical takeaway is very down to earth: the safer and more cost-effective choice is not one universal “correct” option, but the one that gives the resource exactly the type of internet access it needs — and no more. NAT Gateway usually wins for internal VMs, while a direct public address remains appropriate for the components that genuinely need to face outward.
FAQ
What is cheaper for one or two temporary VMs?
Quite often, a direct public IP, because the setup is simpler and does not require a separate managed egress layer. But in a larger environment, that kind of “temporary simplicity” can easily turn into a habit of exposing far too many resources.
What is safer for backend servers and worker nodes?
Usually a NAT-based design, because it gives the server outbound internet access without making it directly reachable from the outside. That aligns better with the role of private workloads.
Can a private subnet reach the internet without giving the VM a public address?
Yes. That is exactly what NAT is for: private instances can initiate outbound connections, while the internet cannot initiate connections back to them directly.
Do you need NAT if the server itself accepts external traffic?
Usually not. If the resource is meant to be a public entry point by design, it typically needs a direct public address or another public-facing entry layer. NAT is mainly about outbound access for private servers.
Does NAT automatically make a server secure?
No. It removes direct external reachability for the VM, but it does not replace firewall policy, routing controls, or segmentation.
Why can a NAT-based design be more expensive?
Because it introduces a separate managed component and an extra network layer for outbound traffic. That is the price you pay for a cleaner egress model and for avoiding public addresses on the VMs themselves. In larger environments, though, the model often becomes more attractive because one NAT gateway can serve many hosts.
Subscribe to our newsletter to get articles and news
Cookie consent
This site uses cookies to ensure it works properly and to track how you use it. By clicking 'Accept', you agree to these technologies. For more details, please see our Privacy Policy and Cookies Policy
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.