Cloud · 8 min read · Jun 2026

NAT: how a whole network hides behind one public IP

Your phone, laptop, and TV all share a single public address, yet replies always find the right device. Watch the router rewrite addresses and keep a translation table to pull it off.

Tags: networking, nat, fundamentals, ip
Sri Balaji

Founder

One public IP, many devices

Who this is for

You've heard "private IP" and "public IP" but never understood how ten devices at home, or hundreds of pods in a cluster, all reach the internet through a single public address.

Public IPv4 addresses are scarce, so we don't give one to every device. Instead, a network uses private addresses internally (like 10.0.0.11) and a router performs NAT, Network Address Translation, rewriting the source address on the way out and reversing it on the way back.

See it

Watch two private hosts share one public IP. Notice the source address on each packet change as it crosses the router, and how the translation table remembers who is who.

NAT, live

NAT translation table

10.0.0.11:51000 → 203.0.113.5:40001
10.0.0.12:51000 → 203.0.113.5:40002

[Diagram: private hosts 10.0.0.11 and 10.0.0.12 → NAT router (203.0.113.5) → Server (the internet)]

Both hosts share one public IP. On the way out, the router rewrites the source to its public IP and a unique port, and records the mapping. When a reply comes back to that port, the table tells it which private host to return to. That port is how one IP serves many devices.
The source address is rewritten at the router. The table maps each public port back to the right private host.

The trick: a port per conversation

If everyone shares one IP, how does a reply find the right device? The router assigns each outbound connection a unique source port on the public side and records the mapping. When a reply arrives for that port, the table says exactly which private host and port to send it to. This is sometimes called PAT (Port Address Translation).

  • Outbound: source 10.0.0.11:51000 becomes 203.0.113.5:40001, recorded in the table.
  • Inbound reply: arrives for 203.0.113.5:40001, the table maps it back to 10.0.0.11:51000.
  • Many devices, one IP: different ports keep thousands of simultaneous conversations apart.

Pro tip

This is also why incoming connections need port forwarding or a load balancer: by default the router only has table entries for conversations a private host started. Nothing outside knows how to reach in unprompted.
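
The translation table and the inbound rule described above, as an added example (not code from the original article): a simplified port-translating NAT in Python. The class and method names and the 8443 to 10.0.0.12:443 forward are assumptions for illustration; a real NAT also keys its table on protocol and usually on the remote endpoint.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.5"  # the router's public address, as used in the article

@dataclass
class NatRouter:  # hypothetical name, simplified model of port address translation
    public_ip: str = PUBLIC_IP
    next_port: int = 40001                       # first public port to hand out
    out_map: dict = field(default_factory=dict)  # (private ip, port) -> public port
    in_map: dict = field(default_factory=dict)   # public port -> (private ip, port)

    def outbound(self, src_ip, src_port):
        """Rewrite the source of an outgoing packet, reusing an existing mapping."""
        key = (src_ip, src_port)
        if key not in self.out_map:
            while self.next_port in self.in_map:  # skip ports taken by static forwards
                self.next_port += 1
            if self.next_port > 65535:
                raise RuntimeError("public port pool exhausted")
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.out_map[key])

    def inbound(self, dst_port):
        """Private (ip, port) for a packet sent to public dst_port, or None (drop)."""
        return self.in_map.get(dst_port)

    def forward(self, public_port, priv_ip, priv_port):
        """Static port forward: an entry the admin creates, not outbound traffic."""
        if public_port in self.in_map:
            raise ValueError("public port already in use")
        self.in_map[public_port] = (priv_ip, priv_port)

def demo():
    r = NatRouter()
    a = r.outbound("10.0.0.11", 51000)   # first host's connection
    b = r.outbound("10.0.0.12", 51000)   # same private port, different host
    reply = r.inbound(40001)             # reply to the first connection
    unsolicited = r.inbound(8443)        # constructed port: no table entry yet
    r.forward(8443, "10.0.0.12", 443)    # constructed port-forward rule
    forwarded = r.inbound(8443)
    return a, b, reply, unsolicited, forwarded

if __name__ == "__main__":
    print(demo())
```
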

Key takeaways

  • Private IPs are used internally; NAT translates them to a shared public IP.
  • The router rewrites the source address and port on the way out.
  • A translation table maps each public port back to the right private host.
  • Unique ports are what let one IP serve many devices at once.
  • Unsolicited inbound traffic needs explicit forwarding, because there's no table entry for it.
