You must create a NAT gateway in the following situations:
- Tasks access Amazon S3 sources and targets that are in a different AWS region.
- Tasks access sources and targets that are not on AWS.
When you configure the NAT gateway, complete the following tasks:
- Configure the NACL (network access control list) that is associated with the subnet with inbound rules to allow all traffic on the following ports:
  - Ephemeral port range
For information about creating a NAT gateway, refer to the AWS documentation.
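
The following check is an added example, not part of the original documentation: it evaluates NACL entries the way AWS does (ascending rule number, first match wins) and reports which ports in the ephemeral range are still blocked inbound. The entries use the field names returned by EC2 `describe-network-acls`; the sample NACLs, the source address, and the range 1024-65535 (the range AWS documents for NAT gateways, which this page does not state) are assumptions.

```python
import ipaddress

# Assumption: 1024-65535 is the ephemeral range AWS documents for NAT gateways.
EPHEMERAL = (1024, 65535)

def applicable_rules(entries, src_ip, protocol="6"):
    """Inbound IPv4 rules matching source and protocol, in evaluation order."""
    ip = ipaddress.ip_address(src_ip)
    rules = []
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e.get("Egress") or e["Protocol"] not in ("-1", protocol):
            continue
        cidr = e.get("CidrBlock")  # IPv6-only entries carry Ipv6CidrBlock instead
        if cidr is None or ip not in ipaddress.ip_network(cidr):
            continue
        pr = e.get("PortRange") or {"From": 0, "To": 65535}  # absent = all ports
        rules.append((pr["From"], pr["To"], e["RuleAction"]))
    return rules

def blocked_ranges(entries, src_ip, port_range=EPHEMERAL, protocol="6"):
    """Return (first, last) port spans in port_range that are not allowed inbound."""
    rules = applicable_rules(entries, src_ip, protocol)
    blocked, start = [], None
    for port in range(port_range[0], port_range[1] + 1):
        # First matching rule decides; no match falls through to deny.
        action = next((a for lo, hi, a in rules if lo <= port <= hi), "deny")
        if action != "allow" and start is None:
            start = port
        elif action == "allow" and start is not None:
            blocked.append((start, port - 1))
            start = None
    if start is not None:
        blocked.append((start, port_range[1]))
    return blocked

def rule(num, action, proto="6", ports=None, cidr="0.0.0.0/0"):
    """Build one constructed inbound entry in describe-network-acls shape."""
    e = {"RuleNumber": num, "RuleAction": action, "Protocol": proto,
         "Egress": False, "CidrBlock": cidr}
    if ports:
        e["PortRange"] = {"From": ports[0], "To": ports[1]}
    return e

DEFAULT_DENY = rule(32767, "deny", proto="-1")
SRC = "203.0.113.10"  # constructed source address (documentation range)
HTTPS_ONLY = [rule(100, "allow", ports=(443, 443)), DEFAULT_DENY]
SHADOWED = [rule(90, "deny", ports=(3389, 3389)),
            rule(100, "allow", ports=(1024, 65535)), DEFAULT_DENY]
FIXED = [rule(100, "allow", ports=(1024, 65535)), DEFAULT_DENY]
```

An empty result means return traffic on the whole ephemeral range is allowed; a lower-numbered deny, as in `SHADOWED`, still blocks its ports even when a later rule allows the full range.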