[AWS] VPC – NAT Gateway

NAT (Network Address Translation)

NAT remaps source IPs or destination IPs. (It translates private IPs to public IPs and vice versa.)

  • Static NAT
    • A private IP is mapped to a public IP at a 1:1 ratio (for example, an Internet Gateway).
  • Dynamic NAT
    • A range of private IPs is dynamically mapped to one or more public IPs (home router or NAT Gateways).
    • To achieve high availability, create one dynamic NAT per AZ.

NAT Gateways

Simply put, NAT Gateways provide outbound-only internet access for instances in private subnets.

  • Instances in a public subnet
    • Instance (public) <-> Network ACL (public) <-> Route Table (public) <-> Internet Gateway
  • Instances in a private subnet
    • Instance (private) <-> Network ACL (private) <-> Route Table (private) : Fail (no route to the internet)
    • Instance (private) <-> NAT Gateway (public) <-> Network ACL (public) <-> Route Table (public) <-> Internet Gateway

NAT Gateway Features

  • NAT Gateway allows instances in a private subnet to connect to the internet or other AWS resources but prevents the internet from initiating a connection to private instances.
    • NAT Gateway uses an Elastic IP. The Elastic IP address cannot be changed after it is associated with the NAT Gateway.
      • External services see the Elastic IP as the source.
    • NAT Gateway only allows inbound traffic that is a response to a request originating from an instance in a private subnet.
    • NAT Gateway is stateful: it tracks sessions and allows the return traffic that belongs to them.
  • NAT Gateway must be created in a public subnet.
  • The private subnet’s route table needs to be updated to route internet-bound traffic to the NAT Gateway.
  • NAT Gateway does not support IPv6. You need to use the egress-only internet gateway instead.
  • NAT Gateway is easy to manage.
    • You do not need to patch NAT Gateway.
    • NAT Gateways are not associated with Security Groups.
    • A public IP address is automatically assigned to the NAT Gateway.
  • NAT Gateway is resilient within a single AZ and scales automatically for high availability.
    • It is added to a public subnet.
    • It supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps.
  • For fault tolerance:
    • Create NAT Gateways in multiple AZs (subnets).
    • Change the route table of each private subnet to use the NAT Gateway in the same AZ.
  • If you need to send traffic to S3 or DynamoDB in the same region, set up a gateway endpoint and route that traffic through the gateway endpoint instead of the NAT Gateway.
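The placement and routing rules above can be checked offline. The following is an added example, not code from the original post; it runs over constructed data trimmed to the fields that the `aws ec2 describe-subnets`, `describe-nat-gateways` and `describe-route-tables` calls would return, and flags a NAT Gateway outside a public subnet, a private subnet with no usable default route, and a private subnet whose default route crosses into another AZ.

```python
# Added example (not from the original post): offline check of the NAT Gateway rules
# above: NAT Gateways sit in a public subnet, and each private subnet routes 0.0.0.0/0
# to the NAT Gateway in its own AZ. All data below is constructed, not real AWS output.

SUBNETS = {  # constructed: subnet id -> availability zone
    "subnet-pub-a": {"az": "us-east-1a"}, "subnet-pub-b": {"az": "us-east-1b"},
    "subnet-priv-a": {"az": "us-east-1a"}, "subnet-priv-b": {"az": "us-east-1b"},
}
NAT_GATEWAYS = {  # constructed: NAT Gateway id -> subnet it was created in
    "nat-a": {"subnet": "subnet-pub-a"}, "nat-b": {"subnet": "subnet-pub-b"},
}
ROUTE_TABLES = [  # constructed: associated subnets + (destination, target) routes
    {"subnets": ["subnet-pub-a", "subnet-pub-b"],
     "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-placeholder")]},
    {"subnets": ["subnet-priv-a"],
     "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-a")]},
    # Deliberate mistake: the AZ-b private subnet egresses through the AZ-a NAT Gateway.
    {"subnets": ["subnet-priv-b"],
     "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-a")]},
]

def default_target(route_table):  # target of the 0.0.0.0/0 route, or None
    for destination, target in route_table["routes"]:
        if destination == "0.0.0.0/0":
            return target
    return None

def public_subnets(route_tables):  # a subnet is public if its default route is an IGW
    return {s for rt in route_tables if str(default_target(rt)).startswith("igw-")
            for s in rt["subnets"]}

def check_nat_routing(subnets, nat_gateways, route_tables):
    """Return a list of findings; an empty list means the layout follows the rules."""
    findings = []
    public = public_subnets(route_tables)
    for nat_id, nat in nat_gateways.items():  # rule: NAT Gateway must be in a public subnet
        if nat["subnet"] not in public:
            findings.append(f"{nat_id} is in non-public subnet {nat['subnet']}")
    for rt in route_tables:
        target = default_target(rt)
        for subnet_id in sorted(set(rt["subnets"]) - public):  # private subnets only
            if target not in nat_gateways:  # covers a missing default route (None) too
                findings.append(f"{subnet_id} default route is {target!r}, not a NAT Gateway")
            else:  # rule: use the NAT Gateway in the same AZ for fault tolerance
                nat_az = subnets[nat_gateways[target]["subnet"]]["az"]
                sub_az = subnets[subnet_id]["az"]
                if nat_az != sub_az:
                    findings.append(f"{subnet_id} ({sub_az}) egresses via {target} in {nat_az}")
    return findings
```

With the sample data, the only finding is the cross-AZ route for subnet-priv-b; pointing that subnet's default route at nat-b clears it.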

NAT Instances

  • It is an EC2 instance in a public subnet that plays the same role as a NAT Gateway.
    • Use a special AMI with “amzn-ami-vpc-nat” in its name.
  • You need to disable the Source/Destination check (an EC2 instance setting) for it to work correctly.
  • Legacy feature in AWS
    • Not highly available
    • Limited bandwidth – might not handle large workloads
    • Needs a Security Group assigned
    • Can be used as a Bastion Host via SSH

Bastion Hosts (Jump-boxes)

A Bastion Host is a special host (e.g. an EC2 instance) that sits at the perimeter (public subnet) of a VPC and functions as a secure entry point to the private parts of the VPC.

  • A Bastion Host has a public IP and is reachable from the outside network.
  • Unlike a NAT Gateway, which provides internet access, a bastion host is used to perform admin tasks on private instances.
  • You can update or tweak configurations of private subnets remotely.
  • You connect to private instances via SSH (Linux) or RDP (Windows) from the bastion.
    • Private instances should have the proper security group to allow SSH or RDP connections from the bastion.
  • Best Practice: Remove any unnecessary service from the bastion host to reduce its attack surface.

To make bastion hosts highly available:

  • [Option 1]
    • You can put bastion hosts in multiple public subnets (multi-AZ) and place a Network Load Balancer in front of them for SSH connections: suitable for production, but expensive.
  • [Option 2]
    • You can put a host in one AZ with a fixed EIP, and then set up an Auto Scaling group for the bastion host with minimum = 1 and maximum = 1. Use the user data script to attach the same EIP to a replacement host: cheaper, but not strictly fault-tolerant, with some downtime.
