What is a NAT Gateway?

A Network Address Translation (NAT) Gateway in AWS is a managed service that enables instances in a private subnet to connect to the internet or other AWS services, while also blocking inbound traffic from the internet. Essentially, it allows your internal network to access external resources without exposing it to the outside world.

When setting up a NAT gateway, you have two options for connectivity:
  1. Public NAT gateway (default): Instances in private subnets can connect to the internet through a public NAT gateway, but cannot receive unsolicited inbound connections from the internet. You must create a public NAT gateway in a public subnet and associate an elastic IP address with it. You can route traffic from the public NAT gateway to the internet gateway for the VPC, or to other VPCs or your on-premises network through a transit gateway or a virtual private gateway.
  2. Private NAT gateway: Instances in private subnets can connect to other VPCs or your on-premises network through a private NAT gateway. You can route traffic from the private NAT gateway through a transit gateway or a virtual private gateway. You cannot associate an elastic IP address with a private NAT gateway. If you attach an internet gateway to a VPC with a private NAT gateway and route traffic from the private NAT gateway to the internet gateway, the internet gateway will drop the traffic.

(https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html)

Key Features

  1. Highly Available and Scalable: AWS NAT Gateway is designed to automatically scale to meet your throughput requirements.
  2. Redundancy: It is deployed in a specific Availability Zone and has built-in redundancy for that zone.
  3. Bandwidth: It can support up to 45 Gbps of bandwidth depending on the instance type.
  4. Automatic IP Port Mapping: NAT Gateway takes care of the IP address and port number translations.

How Does It Work?

  1. Creation: Create a NAT Gateway in a specified public subnet.
  2. Elastic IP: Associate an Elastic IP address with the NAT Gateway.
  3. Route Table Configuration: Update the route table associated with your private subnet to point internet-bound traffic to the NAT Gateway.

Use Cases

  1. Web Servers: Allow outbound requests to external APIs while keeping the servers themselves inaccessible from the internet.
  2. Data Fetching: Enable instances in a private subnet to download updates or patches.
  3. Logging and Monitoring: Send logs and metrics to external monitoring services.

Configuration Steps

  1. Go to VPC Dashboard: Navigate to the VPC section in the AWS Management Console.
  2. Create NAT Gateway: Select ‘Create NAT Gateway’ and specify the public subnet and Elastic IP.
  3. Update Route Tables: Modify the route table for your private subnet to add a route pointing to the NAT Gateway.
  4. Test Configuration: Ensure that instances in the private subnet can access the internet.

Best Practices

  1. High Availability: To ensure high availability, consider deploying NAT Gateways in multiple Availability Zones.
  2. Security Groups: While NAT Gateways are not associated with security groups, remember to configure your Network ACLs and security groups for your instances to control traffic.
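An added example, not part of the tutorial, that turns step 4 of the configuration steps and best practice 1 into an offline check: it walks route-table, subnet and NAT-gateway records in the shape returned by `aws ec2 describe-route-tables`, `describe-subnets` and `describe-nat-gateways` and flags a private subnet whose default route is missing, goes straight to an internet gateway, or uses a NAT gateway that is not available or sits in another Availability Zone. All ids, AZ names and CIDRs below are constructed; the function name is mine.

```python
# Constructed sample data (ids and AZs are made up) in the shape of the AWS CLI
# describe-subnets / describe-nat-gateways / describe-route-tables output.
SUBNET_AZ = {"subnet-pub1": "eu-west-1a", "subnet-pub2": "eu-west-1b",
             "subnet-priv1": "eu-west-1a", "subnet-priv2": "eu-west-1b"}
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-aaa", "SubnetId": "subnet-pub1", "State": "available"},
    {"NatGatewayId": "nat-bbb", "SubnetId": "subnet-pub2", "State": "available"},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-pub1"}, {"SubnetId": "subnet-pub2"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-123"}]},
    {"RouteTableId": "rtb-priv1", "Associations": [{"SubnetId": "subnet-priv1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-aaa"}]},
    # Deliberately wrong: the AZ2 private subnet is sent through the AZ1 NAT gateway.
    {"RouteTableId": "rtb-priv2", "Associations": [{"SubnetId": "subnet-priv2"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-aaa"}]},
]

def audit_private_routes(route_tables, subnet_az, nat_gateways, private_subnets):
    """Return (subnet_id, finding) pairs for every private subnet whose default route
    is missing, points at an internet gateway, or uses a NAT gateway that is not
    'available' or lives in a different Availability Zone than the subnet."""
    nat_by_id = {n["NatGatewayId"]: n for n in nat_gateways}
    findings = []
    for rt in route_tables:
        default = next((r for r in rt["Routes"]
                        if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        for subnet in (a["SubnetId"] for a in rt["Associations"] if "SubnetId" in a):
            if subnet not in private_subnets:
                continue
            if default is None:
                findings.append((subnet, "no-default-route"))
            elif default.get("GatewayId", "").startswith("igw-"):
                # A private subnet routed straight to the IGW is effectively public.
                findings.append((subnet, "default-via-igw"))
            elif "NatGatewayId" in default:
                nat = nat_by_id.get(default["NatGatewayId"])
                if nat is None or nat["State"] != "available":
                    findings.append((subnet, "nat-unavailable"))
                elif subnet_az[nat["SubnetId"]] != subnet_az[subnet]:
                    # Works, but an AZ1 outage also cuts AZ2 off, and cross-AZ traffic costs more.
                    findings.append((subnet, "cross-az-nat"))
    return findings

if __name__ == "__main__":
    for subnet, finding in audit_private_routes(ROUTE_TABLES, SUBNET_AZ, NAT_GATEWAYS,
                                                 {"subnet-priv1", "subnet-priv2"}):
        print(f"{subnet}: {finding}")
```

Feed it the real CLI JSON (`RouteTables`, `Subnets`, `NatGateways` arrays) and the set of subnet ids you consider private; an empty result means each private subnet egresses through an available NAT gateway in its own AZ.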

Cost Considerations

NAT Gateways come with a cost, based on the amount of data processed and the time they are provisioned. Make sure you destroy the resources at the end of this post, or at the end of the complete "How to deploy WordPress on AWS using Terraform" series.

For the purpose of this tutorial we are going to create 2 public NAT Gateways in the public subnets of the 2 AZs. This will give internet access to our private subnets. Remember that a public NAT Gateway cannot receive unsolicited inbound connections from the internet.

Before we create the public NAT Gateways we have to create Elastic IP addresses and associate them with our NAT Gateways.

Update the main.tf file with the following code:

# Elastic IP for the NAT Gateway in AZ1 (domain = "vpc" allocates it for VPC use)
resource "aws_eip" "dev-nat_gateway_eip-AZ1" {
  domain = "vpc"

  tags = {
    Name = "dev-nat_gateway_eip-AZ1"
    env  = "dev"
  }
}

# Elastic IP for the NAT Gateway in AZ2
resource "aws_eip" "dev-nat_gateway_eip-AZ2" {
  domain = "vpc"

  tags = {
    Name = "dev-nat_gateway_eip-AZ2"
    env  = "dev"
  }
}

Next we need to create our NAT Gateways:

# Public NAT Gateway in AZ1: must live in a public subnet and use the EIP created above
resource "aws_nat_gateway" "dev-nat-gateway-AZ1" {
  allocation_id     = aws_eip.dev-nat_gateway_eip-AZ1.id
  subnet_id         = aws_subnet.dev-public-subnet-AZ1.id
  connectivity_type = "public"

  tags = {
    Name = "dev-nat-gateway-AZ1"
    env  = "dev"
  }
}

# Public NAT Gateway in AZ2
resource "aws_nat_gateway" "dev-nat-gateway-AZ2" {
  allocation_id     = aws_eip.dev-nat_gateway_eip-AZ2.id
  subnet_id         = aws_subnet.dev-public-subnet-AZ2.id
  connectivity_type = "public"

  tags = {
    Name = "dev-nat-gateway-AZ2"
    env  = "dev"
  }
}

Apply changes

terraform apply

Check the AWS Console.

(Screenshots: Elastic IP Address, NAT Gateways, Current architecture)

Remember to destroy resources at the end of the tutorial.

terraform destroy

Previous – Internet Gateway

Next – Route Tables