AWS NAT Gateways and NAT Instances
NAT Instances and NAT Gateways – What’s the Difference?
Network Address Translation (NAT) is a method for resources located in private subnets to securely access the internet.
There are two flavours of NAT available on AWS: NAT Instances & NAT Gateways.
But generally speaking, you should choose a NAT gateway rather than a NAT Instance.
This page explains both types of NAT device and the pros and cons of each.
AWS provides for NAT configuration in 2 ways:
NAT Gateway or NATGW – a service managed by AWS
NAT Instance – an EC2 instance configured with NAT routing capability and managed by the customer.
Thus AWS manages the NATGW, whereas for a NAT Instance (old method) – YOU have to manage it – ie updates, patches etc.
Note that (important for exam):
unlike NAT Instances – a NATGW cannot be used as a bastion host and it does not use security groups!
and for NAT *Instances* you must use a script to manage failover between instances, whereas NATGW is highly available within the AZ.
NAT Instances require a security group, whereas none are required for a NATGW.
Some points about public and private subnets
Some applications and services may need to allow incoming traffic from the Internet to have access to them. A public subnet can be used for this.
Other services or applications may only need internet access, but do not wish to permit any inbound traffic from the Internet. These services can be located on a private subnet.
A public subnet is any subnet that has a route to an Internet Gateway or IGW and with that to the public Internet. The allows traffic directed for the Internet to have an outbound path, and for inbound Internet traffic to be routed to the services and applications in the subnet.
A private subnet is any subnet that doesn’t have a route to an IGW (that is, any subnet that is not public). Thus they have no means of communicating with the Internet.
For this purpose, NAT Gateways and NAT Instances can be deployed. These provide a means for a private subnet to access to Internet.
An Internet Gateway (IGW) is a VPC virtual device or resource that allows communication between the VPC and the Internet. IGWs are horizontally scaled, redundant, and highly available.
IGWs are effectively a router located on the edge of a network. Without an IGW, no resource in a VPC can access the internet, not even with a public IP address.
There is no charge for IGWs, and it is only possible to allocate one IGW per VPC. Each AWS account’s default VPC comes with an IGW already defined.
NAT Instances (outdated – AWS recommend using NAT Gateway service instead)
These are outdated but still appear in the exam (2022).
NAT instances must be launched in a PUBLIC subnet and will connect public and private subnets.
NAT Instances are user maintained and NAT Gateways (NATGW) are managed by AWS.
One reason for choosing a NAT instance over a NAT gateway would be for updating software running on instances located within a private subnet.
You must disable ec2 setting source /destination check
A NAT Instance must have an Elastic IP (EIP) attached to it
You create a security group in the public subnet for the NAT instance with the EIP. This NAT instance then connects to the private subnet EC2 instance and with that beyond.
NATs change the source ip of the network packets – they rewrite the packet headers that are sent out to the public internet – so the route tables must be configured to route traffic from private subnet to the NAT instance.
so you have internet -> igw in the vpc -> router – connects to the AZ SG EC2 EIP NAT Instance public instance
-> and from there to the private subnets beyond in the same vpc
Pre-configured Amazon AMIs for NAT instance are available but are no longer supported as deprecated.
They are also not highly available, so you have to create an ASG in multi AZ and also deploy your user data script if/as needed.
And you must manage security groups and rules for the instance.
This means for inbound:
allow http/https traffic coming in from private subnets
allow ssh from eg home network via IGW
and for outbound:
allow https/http traffic to the internet
Similar to a NAT Gateway, a NAT Instance has to be located in a public subnet, and a private subnet will need a route to the NAT Instance in order to have internet access.
NAT Gateway (NATGW)
A NAT Gateway is an AWS service that allows a private subnet to access the Internet, but prevents the Internet from initiating a connection directly to the instances.
While a NATGW is required for private subnets to have Internet access, it is created in a public subnet in a specified AZ and uses an Elastic IP (EIP). There is an hourly cost for a NATGW unlike for IGWs or Internet Gateways.
These are different from NAT instances in NATGW is an AWS-managed NAT service, with higher bandwidth and high availability. They have no admin overhead for the user.
Note: A NATGW CANNOT be used by an EC2 instance in the same subnet – only from other subnets!
It requires an IGW: private subnet -> NATGW -> IGW
NATGW has 5gbps bandwidth but with Auto Scaling can reach up to 45gbps
NO security groups are needed to run a NATGW.
NOTE: a NATGW is resilient only within a single AZ, so you have to create multiple NATGWs for multiple AZs for fault tolerance, each one has to be placed in a public subnet in each AZ and then connects to a private subnet within that AZ!
To set up a NATGW, assign a route in the private subnet, in lieu of a route to an IGW or Internet Gateway. Traffic intended for the Internet will flow from the private subnet to the NATGW in the public subnet, and then from there to the IGW or Internet Gateway.
For a PUBLIC subnet to have Internet access, inbound and outbound, an account needs to have:
an Internet Gateway attached to a VPC
a route to the Internet Gateway in the attached route table
Instances must have public IP addresses (either auto-assigned or attached Elastic IP addresses)
an appropriate security group and NACL allowances
For a PRIVATE subnet to have Internet access, the following will provide outbound Internet access but not inbound:
Internet Gateway attached to a VPC
NAT Gateway or Instance in a public subnet in the same VPC
Route to the NAT Gateway or Instance in the private subnet’s attached route table
Appropriate security group and NACL allowances