I'm a bit lost on that one - I've followed AWS documentation and it seems that there is nothing more I can find. The situation summary is that I have an EC2 instance within a VPC and it can't reach the Internet despite following Amazon AWS instructions in setting up a NAT for the VPC. Details below:

1. I have a VPC with one subnet (CIDR 10.0.0.0/24) and one EC2 instance in (it has private IP address within VPC only, 10.0.0.168)

2. I have created an Internet Gateway and attached it to the said VPC.

3. I have created a Network ACL with All Traffic Allow for 0.0.0.0/0 for both Inbound and Outbound traffic and attached the ACL to the VPC's only subnet.

4. VPC subnet security group also allows all traffic in and out for 0.0.0.0/0

5. I have created a NAT Gateway which has a private IP address within the VPC (10.0.0.95) and a public Elastic IP address (let's say 18.154.34.97, but I assume this doesn't matter). This NAT Gateway is attached to the VPC's only subnet.

6. I have created routing table that is associated with VPC's subnet (10.0.0.0/24) and contains two entries:

    Destination     Target
    10.0.0.0/24     local
    0.0.0.0/0       nat-gateway-id

7. In order to access the VPC, I have created a Client VPN Endpoint with addresses range 10.1.0.0/22 and associated it with the proper VPN subnet.

8. I can connect to the Client VPN Endpoint using OpenVPN and ssh into the EC2 instance. However, from that instance I cannot access the Internet. Similarly, when connected to this Client VPN Endpoint my local machine also stops being able to access the Internet. I have tried pinging the NAT address within the VPC (10.0.0.95) and it's unreachable from either machine.

9. Everything is I've set up green, active etc. when using the Reachability Analyzer I get the following:

Route table rtb-(...) does not have an applicable route to igw-(...)

I route things to NAT, not to Internet Gateway, as I understood this is the correct way to go about this when I have private IP addresses only within the VPC.

Traffic cannot reach the internet through internet gateway igw-(...) because the source address is not paired with a public IP address. To add or edit an IPv4 public IP address to the source, you can use an Elastic IP address.

If I understand NAT correctly, it becomes the source address for the Internet Gateway after receiving data from one of the within-VPC instances. This NAT has a public Elastic IP address.

Internet gateway igw-(...) cannot accept traffic with spoofed addresses from the VPC.

It should not be getting any such traffic, as it should go through the NAT, right?

I'm at loss what I have I missed here...

You need to have two subnets. One public and one private.

Public subnet

Public subnet can have enable public IP set. It should have NAT gateway and a route table:

 Destination     Target
    10.0.0.0/24     local
    0.0.0.0/0       internet-gateway

private subnet

Your private instance should in the private subnet. The subnet should have route table:

    Destination     Target
    10.0.0.0/24     local
    0.0.0.0/0       nat-gateway-id

NACL

Its better to leave the default NACLs as they are. Its very easy to mess them up. You should be able to control access to and from your instance using security groups only.

The NAT gateway must be in a public subnet with a route table that routes internet traffic to an internet gateway.