How to Deploy VPC Only Instances With NAT Gateway on Vultr
Applications and workloads that require outbound internet access do not always need to be directly reachable from the public internet. Deploying instances without public IP addresses behind a NAT Gateway blocks inbound internet traffic while still enabling controlled outbound connectivity.
This guide explains how to deploy VPC only instances on Vultr that run entirely inside a private VPC and use a NAT Gateway to handle outbound traffic such as operating system updates, package downloads, container image pulls, and external API access.
Prerequisites
Before you begin, ensure you:
- Have access to the Vultr Customer Portal with permission to create and manage networking and compute resources.
- Have a Vultr API key with sufficient permissions.
- Create a new VPC network in the desired region.
Provision a NAT Gateway Subscription
A NAT Gateway provides outbound internet access for VPC only instances without exposing them to inbound traffic. By routing private subnet traffic through the NAT Gateway, instances can access external services while remaining isolated from direct internet access.
Export your Vultr API key as an environment variable.
console$ export VULTR_API_KEY=YOUR_VULTR_API_KEY
Replace
YOUR_VULTR_API_KEYwith your Vultr API key.List the VPC networks available in your account.
console$ curl -sS --location --request GET "https://api.vultr.com/v2/vpcs" \ --header "Content-Type: application/json" \ --header "Authorization: Bearer ${VULTR_API_KEY}" \ | jq .
Identify the ID of the VPC network in which you want to provision the NAT Gateway.
Export the VPC ID as an environment variable.
console$ export VPC_ID=YOUR_VPC_ID
Replace
YOUR_VPC_IDwith your VPC ID.Provision the NAT Gateway in the selected VPC.
console$ curl -sS --location --request POST "https://api.vultr.com/v2/vpcs/${VPC_ID}/nat-gateway" \ --header "Authorization: Bearer ${VULTR_API_KEY}" \ | jq .
Your output should be similar to the one below:
{ "nat_gateway": { "id": "20c4fd35-66cb-4a97-a212-d495c4b66c63", "vpc_id": "16946e4c-6529-4580-b91b-4a6630c64402", "date_created": "2026-01-20 09:27:58", "status": "pending", "label": "nat-gateway-16946e4c-6529-4580-b91b-4a6630c64402",The output shows that the NAT Gateway is being provisioned and is currently in the
pendingstate.Verify that the NAT Gateway is active.
console$ curl -sS --location "https://api.vultr.com/v2/vpcs/${VPC_ID}/nat-gateway" \ --header "Authorization: Bearer ${VULTR_API_KEY}" \ | jq .
Your output should be similar to the one below:
{ ...... "nat_gateways": [ { "id": "20c4fd35-66cb-4a97-a212-d495c4b66c63", ...... "date_created": "2026-01-20 09:27:58", "status": "active", ...... "public_ips": [ "192.0.1.9" ], "public_ips_v6": [ "2001:db8:dead:beef:cafe::1" ], "private_ips": [ "10.1.144.1" ...... }The output confirms that the NAT Gateway is in the
activestate and shows the public IPv4 and IPv6 addresses, along with the private IP assigned to the gateway.
Deploy VPC Only Instances
A VPC only instance is deployed without a public IP address and is isolated from direct internet access. The instance communicates exclusively over private networking within the VPC and relies on controlled egress paths, such as a NAT Gateway, for outbound connectivity.
Log in to the Vultr Customer Portal.
Navigate to Products and click Compute.
Click Deploy.
Choose the instance type that best fits your workload:
- Shared CPU: Virtual machines for bursty workloads such as dev/test environments and low-traffic applications.
- Dedicated CPU: Virtual machines for demanding workloads such as production applications and larger databases.
- Cloud GPU: Instances with fractional or full GPUs for AI, machine learning, HPC, and visual computing.
- Bare Metal: Single-tenant servers for workloads with the highest performance or security requirements.
Select a Vultr Location that matches the region of your VPC network.
Select an instance Plan based on your workload requirements.
Click Configure Software to continue the instance configuration.
Choose an Operating System image for the instance.
Under Server Settings, configure your SSH Keys if you prefer key-based authentication.
Provide a Server Hostname and Label to identify the instance.
In Instance Connectivity, select Private Instance(s) behind NAT Gateway.
In VPC Network, select the VPC associated with the NAT Gateway subscription.
Set the Quantity of instances in the Deploy Summary.
Configure any remaining optional settings as required.
Click Deploy to create the instance.
All VPC only instances deployed in this step are placed behind the NAT Gateway and are accessible only within the VPC. No inbound connections from the public internet are allowed. The Quantity value in the Deploy Summary determines how many VPC only instances are created.Note
Verify VPC Only Instance Deployment
After deployment, verify that the instances are created correctly and operate as VPC only instances behind the NAT Gateway.
Navigate to Products and click Network.
Select VPC Networks.
Select your VPC and confirm that the Instance Connectivity section shows NAT Gateway, which indicates that the VPC is associated with a NAT Gateway.
Verify that all VPC only instances appear under Attached Nodes.
Conclusion
You have deployed VPC only instances on Vultr without public IP addresses and configured a NAT Gateway to provide outbound internet connectivity. This setup keeps instances isolated from inbound internet traffic while allowing outbound access to external services such as operating system updates, package repositories, and third-party APIs.