Managed NAT Gateway: Simplifying Secure AWS Connectivity

Creating and maintaining connectivity for the resources in your private AWS subnets can be tricky and expensive. AWS’ new managed NAT Gateway is a great alternative.

Good news for all the folks working in the AWS VPC environment: the managed NAT gateway is here. I have been working in the AWS cloud for a long time and one of the most common requirements for the applications I’ve deployed is providing Internet connectivity from resources in a VPC’s private subnet. For those unfamiliar with how this works, let me briefly describe it.

Security is (or at least should be) king in AWS cloud, and the most important security tool is a properly designed VPC (Virtual private cloud):

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

For more background on VPCs, take Cloud Academy’s AWS VPC Networking course.
A typical VPC setup is made up of public and private subnets. The EC2 instances deployed in private subnet of VPC cannot access the Internet because you cannot assign them a public IP. But if your application servers, sitting in a private subnet, need to talk to the Internet (to interact with S3 or some third party gateway, for instance), you need NAT (Network Address Translation) to make it happen.
What we used to do is to create a NAT instance in the public subnet of the VPC and open communication with private subnet instances via NAT through VPC Routing tables. So what is the problem? Why are we all so excited about this new Managed NAT Gateway?
Performing this kind of translation at scale can be challenging. Moreover, providing higher availability through more than one NAT instance across two Availability Zones can be expensive. Consider the traditional, two-zone design:
Virtual Private Cloud
Now imagine that one of those NAT instances goes down. You’ll need to have all the automated scripts configured and ready to redirect communication from the private instances within one Availability Zone  to the NAT instance in the other one. And the more instance and AZs you’re running, the more complicated things get.

But using AWS’s new Managed NAT Gateway, things work differently. Instead of configuring, running, monitoring, and scaling a cluster of EC2 NAT instances, it’s a matter of couple of clicks and you are all set. In short, all the configurations that were once the responsibility of the developer or the Ops team, will now be handled invisibly by AWS. Developers can relax just a bit and concentrate more on their application development.

What you need to know about the AWS Managed NAT Gateway

Just as you would with any new AWS features, it only makes sense that we spend some time getting to know each other a bit better. The Managed NAT Gateway…

  • Has built-in redundancy for high availability.
  • Can handle up to 10 Gbps of bursty TCP, UDP, and ICMP traffic, and is managed by Amazon.
  • Can be used in US East (Northern Virginia), US West (Oregon), US West (Northern California), Europe (Ireland), Asia Pacific (Singapore), Asia Pacific (Sydney), and Asia Pacific (Tokyo) regions (as of the time of writing).
  • Pricing starts at $0.045 per NAT gateway hour plus data processing and data transfer charges. Refer Amazon VPC pricing to get more details on this.
  • Can be associated with  a Security Group.
  • Can be controlled suing the command line or API.
  • Can be used with VPC flow logs to capture/analyze the traffic flowing through the NAT gateway.
  • Cannot be accessed by a ClassicLink connection associated with your VPC.
  • Cannot send traffic over VPC endpoints, VPN connections, AWS Direct Connect, or VPC peering connections.

Getting Started

Let’s try to see how we can create and configure an AWS NAT Gateway:

  1. Login to the AWS console, select VPC service and click on NAT Gateways as shown below:Managed NAT gateway - dashboard
  2. Provide the necessary details, like subnet and Elastic IP, and create the NAT Gateway. You need the select the subnet which you want to be private subnet and your Elastic IP so that it can communicate to Internet.NAT Gateway - create
  3. Once created you will see this:NAT Gateway - success
  4. Once the NAT Gateway is created you can edit your routing table to send traffic destined for the Internet toward the gateway. The gateway’s internal address will be chosen automatically, and will be in the same subnet as the gateway.

Once the NAT Gateway is configured, you are all set. Your private subnet instances should now be able to communicate with the Internet without much management, monitoring, and configuration overhead.
Sample NAT Gateway architecture: NAT Gateway - design

Migrating from an existing NAT instance

If you are already using a NAT instance in your VPC setup, it’s time to migrate now, and I can tell you that it’s not tough. You only need to make sure that you create the NAT Gateway in the same subnet as your existing NAT instance. Then you need to edit the route table by replacing the existing NAT reference with the  internal address of the new gateway. I told you this was very straightforward. You will need to ensure that you don’t have any critical tasks running at the time of migration, because changing a route from a NAT instance to the gateway can result in a dropped connection.

This feature was only very recently introduced by AWS, so it’s definitely worth sharing. It can resolve lots of existing concerns. Do you have your own experience with this new feature? Why not share it with others.

Avatar

Written by

Vineet Badola

Working as a cloud professional for last 6 years in various organizations, I have experience in three of the most popular cloud platforms, AWS IaaS, Microsoft Azure and Pivotal Cloud Foundry PaaS platform. Having around 10 years of IT experience in various roles and I take great interest in learning and sharing my knowledge on newer technologies. Wore many hats as developer, lead, architect in cloud technologies implementation. During Leisure time I enjoy good soothing music, playing TT and sweating out in Gym. I believe sharing knowledge is my way to make this world a better place.


Related Posts

Vijayakumar Athithan
Vijayakumar Athithan
— March 27, 2020

What is Cognito in AWS?

Web applications usually allow a valid username and password combination for successful sign in to the application. Modern authentication flows incorporate more approaches to ensure user authentication. When using AWS, this is no exception, thanks to the abilities and features offered b...

Read more
  • AWS
  • AWS Cognito
  • Solutions Architect
Connie Benton
Connie Benton
— March 25, 2020

How To Build a Career with AWS Certifications

From Iaas and PaaS solutions to digital marketing, cloud computing reshapes the world of technology. As the influence of this technology grows, so does investment. Tens of billions of dollars are being spent on cloud computing-related services each year. This influx is continuing to inc...

Read more
  • AWS
  • Certifications
Avatar
Andrew Larkin
— March 20, 2020

The 12 AWS Certifications: Which is Right for You and Your Team?

As companies increasingly shift workloads to the public cloud, cloud computing has moved from a nice-to-have to a core competency in the enterprise. This shift requires a new set of skills to design, deploy, and manage applications in cloud computing. As the market leader and most ma...

Read more
  • AWS
  • AWS Certifications
Alisha Reyes
Alisha Reyes
— March 17, 2020

Cloud Academy’s Blog Digest: How Do AWS Certifications Increase Your Employability, How to Become a Microsoft Certified Azure Data Engineer, and more

With everything going on right now, it's likely that the only thing you've been reading lately is related to the coronavirus pandemic. It's important to stay informed during these times, but it's also good to jump into something that can take your mind off of the current situation for j...

Read more
  • AWS
  • Azure
  • blog digest
  • Certifications
  • Cloud Academy
  • programming
  • Security
Avatar
Cloud Academy Team
— March 13, 2020

Which Certifications Should I Get?

As we mentioned in an earlier post, the old AWS slogan, “Cloud is the new normal” is indeed a reality today. Really, cloud has been the new normal for a while now and getting credentials has become an increasingly effective way to quickly showcase your abilities to recruiters and compan...

Read more
  • AWS
  • Azure
  • Certifications
  • Cloud Computing
  • Google Cloud Platform
Alisha Reyes
Alisha Reyes
— March 7, 2020

New on Cloud Academy: Intro to GitOps; AWS Courses; Java, Python, Amazon Linux 2, Ubuntu, & Docker Playgrounds; and much more

New Lab Playgrounds This month, our Content Team released six new "playground labs." Our playground labs provide a safe and secure sandbox environment for you to explore your own ideas, follow along with Cloud Academy courses, or answer your own questions — all without having to instal...

Read more
  • AWS
  • Azure
  • gitops
  • Google Cloud Platform
  • lab playground
  • programming
Alisha Reyes
Alisha Reyes
— March 6, 2020

New on Cloud Academy: Intro to GitOps; AWS Courses; Java, Python, Amazon Linux 2, Ubuntu, & Docker Playgrounds; and much more

New Lab Playgrounds This month, our Content Team released six new "playground labs." Our playground labs provide a safe and secure sandbox environment for you to explore your own ideas, follow along with Cloud Academy courses, or answer your own questions — all without having to instal...

Read more
  • AWS
  • Azure
  • gitops
  • Google Cloud Platform
  • lab playground
  • programming
Patrick Navarro
Patrick Navarro
— March 4, 2020

AWS Certifications: How Do They Increase Your Employability and Progress Your Career?

AWS certifications are no walk in the park. They’re designed to validate in-depth, specialist knowledge and comprehensive experience, often requiring months of dedicated studying to earn even for those already working with the cloud platform. But the rewards that AWS professionals ca...

Read more
  • AWS
  • AWS certification
  • certification
Avatar
Chandan Patra
— February 21, 2020

Elasticsearch vs. CloudSearch: AWS Cloud Search Choices

Elasticsearch vs. CloudSearch: What's the main difference? Let's compare AWS-based cloud tools: Elasticsearch vs. CloudSearch. While both services use proven technologies, Elasticsearch is more popular, open source, and has a flexible API to use for customization; in comparison, CloudS...

Read more
  • AWS
  • Azure
  • cloudsearch
  • elasticsearch
Avatar
Andrew Larkin
— February 13, 2020

Cloud Academy Content Roadmap Updates

Welcome to our Q1 2020 roadmap. This is the content we plan to build over the next three months, between February 1 - and April 30, 2020. Let's look at some of our roadmap highlights. Atlassian Bamboo for CI/CD We had a lot of requests for practical guides on how to apply DevOps tool...

Read more
  • Artificial Intelligence
  • AWS
  • Azure
  • Docker
  • Google Cloud Platform
  • Kubernetes
  • Machine Learning
Alisha Reyes
Alisha Reyes
— February 7, 2020

New on Cloud Academy: Git Labs, CKA and CKAD Lab Challenges, AWS and Azure Learning Paths, AGILE, and Much More

We just kicked off our first Free Weekend of 2020. This means we've unlocked our Training Library for just 72 hours. Until Sunday at 11:59 pm (PST), you can get unlimited access to our industry-leading learning paths, courses, certification prep exams, and our most popular hands-on labs...

Read more
  • agile
  • AWS
  • Azure
  • Google Cloud Platform
  • Linux
  • OWASP
  • programming
  • red hat
  • scrum
Avatar
Stuart Scott
— February 6, 2020

How to Encrypt an EBS Volume

Keeping data and applications safe in the cloud is one of the most visible challenges facing cloud teams in 2020. Cloud storage services where data resides are frequently a target for hackers, not because the services are inherently weak but because they are often improperly configured....

Read more
  • AWS
  • EBS
  • Encryption