NAT Explained: How One Public IP Serves an Entire Office
Network Address Translation allows thousands of devices to share a single public IP address. Understanding how NAT works explains everything from home router behaviour to enterprise outbound firewalls.
Your office may have 200 devices — laptops, phones, printers, servers — but only one public IP address assigned by your ISP. All 200 devices can simultaneously browse the internet, make video calls, and access cloud services without conflict. The mechanism that makes this possible is Network Address Translation (NAT).
The Problem NAT Solves
IPv4 provides roughly 4 billion addresses. By the late 1990s, it was clear that this would not be enough for the internet's growth. NAT was standardised in RFC 3022 (2001) as a way to multiply the effective address space. Private IP ranges — 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 — can be reused by any private network without registration. NAT is the bridge between these private ranges and the one public IP each network is assigned.
How Port Address Translation Works
The most common form of NAT is PAT (Port Address Translation), also called NAPT or NAT overload. When a device at 192.168.1.50 opens a connection to 93.184.216.34 (example.com) on port 80:
- The device picks a random source port, say
54321 - The router intercepts the packet and notes the mapping:
192.168.1.50:54321 ↔ PublicIP:60001 - The router rewrites the packet's source to
PublicIP:60001and forwards it - When the reply arrives at
PublicIP:60001, the router looks up the mapping and rewrites the destination back to192.168.1.50:54321
The server at example.com sees the connection coming from PublicIP:60001. It has no knowledge of the private network behind the NAT. Thousands of simultaneous connections from different private devices each get a unique public port number.
NAT Table and State
The router maintains a NAT table — a stateful mapping of every active connection. Entries are created when an internal host initiates a connection and removed when the connection closes or a timeout expires. This state is why NAT is not just address translation: it is also an implicit firewall. Unsolicited inbound packets from the internet have no matching NAT entry and are silently dropped, protecting internal devices from direct internet exposure.
NAT in Cloud Infrastructure
AWS, GCP, and Azure all use NAT for outbound traffic from private subnets. An AWS NAT Gateway, for example, allows instances in a private subnet to connect to the internet and to AWS services, without exposing those instances to inbound connections. The NAT Gateway has a public IP (an Elastic IP) and performs port address translation on behalf of all private instances. This is why you see a single public IP in your server logs even when dozens of instances make outbound connections — they all share the NAT Gateway's EIP. See the private IP ranges guide for how this fits into broader network design.