NAT — Network Address Translation

How It Works

NAT rewrites IP addresses (and often port numbers) in packet headers as they pass through a router. The most common form — PAT (Port Address Translation) — allows thousands of devices to share a single public IP by assigning each connection a unique source port on the public side.

The NAT Translation Process

Here is what happens when a device at 192.168.1.10 opens a connection to 93.184.216.34:443 (example.com):

1. Outgoing packet: Source 192.168.1.10:5000 → Destination 93.184.216.34:443
2. NAT rewrites source: Source 203.0.113.1:40001 → Destination 93.184.216.34:443
3. NAT records the mapping: 192.168.1.10:5000 ↔ 203.0.113.1:40001 → 93.184.216.34:443
4. Response arrives: Source 93.184.216.34:443 → Destination 203.0.113.1:40001
5. NAT rewrites destination: Source 93.184.216.34:443 → Destination 192.168.1.10:5000

The external server never sees the private IP. It thinks it is talking to 203.0.113.1.

# View active NAT translations on a Linux router
sudo conntrack -L | head -20
# tcp  6 431998 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=5000 dport=443
#   src=93.184.216.34 dst=203.0.113.1 sport=443 dport=40001 [ASSURED]

# Set up basic NAT with iptables (what Docker does internally)
sudo iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

NAT Types and P2P Implications

Not all NATs behave the same. The type determines whether peer-to-peer connections (WebRTC, VoIP, gaming) can work:

The challenge with P2P is that both sides are behind NAT. Neither can accept unsolicited inbound connections. The solution is hole punching:

1. Both clients contact a public STUN server to discover their public IP:port mapping
2. The STUN server tells each client the other's public IP:port
3. Both clients simultaneously send packets to each other's public address
4. The NAT sees outgoing traffic and creates a mapping
5. When the other side's packet arrives, it matches the mapping and gets forwarded

This works with Full Cone, Address Restricted, and Port Restricted NAT. With Symmetric NAT, the mapping changes per destination, so the port the STUN server sees is different from what the peer would need to use. In that case, the fallback is a TURN relay — a server that both sides connect to and that forwards traffic between them.

# Test the NAT type using a STUN client
stunclient stun.l.google.com:19302
# Binding test: success
# Local address: 192.168.1.10:54321
# Mapped address: 203.0.113.1:40001

NAT in Cloud Environments

Cloud NAT is conceptually the same but operationally different. AWS NAT Gateway, for example:

• Managed service — no EC2 instance to patch or monitor
• Scales automatically up to 55,000 simultaneous connections per destination
• Costs money — $0.045/hour ($32.40/month) + $0.045 per GB processed
• AZ-scoped — lives in a single Availability Zone, so deploy one per AZ for HA

# Check which public IP the instance NATs through
curl -s ifconfig.me
# 203.0.113.50  (should be the NAT Gateway's Elastic IP)

# Monitor NAT Gateway port allocation on AWS (via CloudWatch)
# Metric: ErrorPortAllocation — non-zero means port exhaustion

Production Considerations

Port Exhaustion

A single public IP provides 65,535 ports per protocol. With PAT, every outgoing connection uses a port. High-throughput services that make thousands of concurrent outbound connections (API gateways, crawlers, log shippers) can exhaust this pool.

Symptoms: Intermittent connection failures, "cannot assign requested address" errors, ErrorPortAllocation CloudWatch alarms on AWS NAT Gateway.

Solutions:

• Add more public IPs to the NAT device (AWS NAT Gateway supports up to 8 Elastic IPs, giving 8 x 65,535 = 524K ports)
• Reduce connection count with connection pooling and HTTP keep-alive
• Use multiple NAT Gateways and split traffic across them via routing

NAT Gateway Cost Optimization

AWS NAT Gateway data processing charges can be surprisingly expensive. Common cost traps:

# Check NAT Gateway data processing in AWS Cost Explorer
aws ce get-cost-and-usage \
  --time-period Start=2025-01-01,End=2025-01-31 \
  --granularity MONTHLY \
  --metrics BlendedCost \
  --filter '{"Dimensions":{"Key":"USAGE_TYPE","Values":["NatGateway-Bytes"]}}'

The biggest NAT Gateway cost savings comes from VPC endpoints. S3 and DynamoDB Gateway Endpoints are free and handle the most common traffic patterns. For a Kubernetes cluster pulling container images, an ECR Interface Endpoint pays for itself almost immediately.

NAT and WebRTC: A Practical Example

WebRTC — used by Google Meet, Zoom, Discord, and every browser-based video call — relies on ICE (Interactive Connectivity Establishment) to traverse NAT:

1. Gather candidates: The client collects its local IPs (host candidates), queries STUN for its public IP (server-reflexive candidates), and allocates a TURN relay (relay candidates)
2. Exchange candidates: Both peers share their candidate lists through a signaling server
3. Connectivity checks: Both sides try every combination of candidates simultaneously
4. Select best path: ICE picks the pair with the lowest latency that works — preferring direct over relayed

In practice, about 85% of WebRTC connections succeed with STUN alone (direct P2P through NAT). The remaining 15% — mostly corporate networks with symmetric NAT or restrictive firewalls — require a TURN relay, which adds latency and server cost.

Connection success rates by NAT type:
  Full Cone + Full Cone:         ~100% direct
  Restricted + Restricted:       ~95%  direct
  Port Restricted + Port Restricted: ~80% direct
  Symmetric + Any:               ~15%  direct (rest needs TURN)

This is why every production WebRTC deployment needs TURN servers as a fallback. Running TURN is not optional — without it, 10-15% of users simply cannot connect.