In AWS, for VPC, if you want your private sunbet instances to talk to internet (e.g. for your DB server to download software) without having the instance open to inbound internet calls, you can use NAT instance or NAT gateway. If you choose NAT instance (which requires much more management on your part), you need to disable source/destination check (by default all EC2 instances have this check enabled). What is this source/destination check and why do you need to disable it for NAT instance?

source/destination check (enabled by default for EC2 instances) is to make sure the instance is the final source/destination of all outgoing/incoming packets but since NAT is a passthrough we need to disable this check.