Creating and maintaining connectivity for the resources in your private AWS subnets can be tricky and expensive. AWS’ new managed NAT Gateway is a great alternative.
Good news for all the folks working in the AWS VPC environment: the managed NAT gateway is here. I have been working in the AWS cloud for a long time and one of the most common requirements for the applications I’ve deployed is providing Internet connectivity from resources in a VPC’s private subnet. For those unfamiliar with how this works, let me briefly describe it.
Security is (or at least should be) king in AWS cloud, and the most important security tool is a properly designed VPC (Virtual private cloud):
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
For more background on VPCs, take Cloud Academy’s AWS VPC Networking course.
A typical VPC setup is made up of public and private subnets. The EC2 instances deployed in private subnet of VPC cannot access the Internet because you cannot assign them a public IP. But if your application servers, sitting in a private subnet, need to talk to the Internet (to interact with S3 or some third party gateway, for instance), you need NAT (Network Address Translation) to make it happen.
What we used to do is to create a NAT instance in the public subnet of the VPC and open communication with private subnet instances via NAT through VPC Routing tables. So what is the problem? Why are we all so excited about this new Managed NAT Gateway?
Performing this kind of translation at scale can be challenging. Moreover, providing higher availability through more than one NAT instance across two Availability Zones can be expensive. Consider the traditional, two-zone design:
Now imagine that one of those NAT instances goes down. You’ll need to have all the automated scripts configured and ready to redirect communication from the private instances within one Availability Zone to the NAT instance in the other one. And the more instance and AZs you’re running, the more complicated things get.
But using AWS’s new Managed NAT Gateway, things work differently. Instead of configuring, running, monitoring, and scaling a cluster of EC2 NAT instances, it’s a matter of couple of clicks and you are all set. In short, all the configurations that were once the responsibility of the developer or the Ops team, will now be handled invisibly by AWS. Developers can relax just a bit and concentrate more on their application development.
What you need to know about the AWS Managed NAT Gateway
Just as you would with any new AWS features, it only makes sense that we spend some time getting to know each other a bit better. The Managed NAT Gateway…
- Has built-in redundancy for high availability.
- Can handle up to 10 Gbps of bursty TCP, UDP, and ICMP traffic, and is managed by Amazon.
- Can be used in US East (Northern Virginia), US West (Oregon), US West (Northern California), Europe (Ireland), Asia Pacific (Singapore), Asia Pacific (Sydney), and Asia Pacific (Tokyo) regions (as of the time of writing).
- Pricing starts at $0.045 per NAT gateway hour plus data processing and data transfer charges. Refer Amazon VPC pricing to get more details on this.
- Can be associated with a Security Group.
- Can be controlled suing the command line or API.
- Can be used with VPC flow logs to capture/analyze the traffic flowing through the NAT gateway.
- Cannot be accessed by a ClassicLink connection associated with your VPC.
- Cannot send traffic over VPC endpoints, VPN connections, AWS Direct Connect, or VPC peering connections.
Let’s try to see how we can create and configure an AWS NAT Gateway:
- Login to the AWS console, select VPC service and click on NAT Gateways as shown below:
- Provide the necessary details, like subnet and Elastic IP, and create the NAT Gateway. You need the select the subnet which you want to be private subnet and your Elastic IP so that it can communicate to Internet.
- Once created you will see this:
- Once the NAT Gateway is created you can edit your routing table to send traffic destined for the Internet toward the gateway. The gateway’s internal address will be chosen automatically, and will be in the same subnet as the gateway.
Once the NAT Gateway is configured, you are all set. Your private subnet instances should now be able to communicate with the Internet without much management, monitoring, and configuration overhead.
Sample NAT Gateway architecture:
Migrating from an existing NAT instance
If you are already using a NAT instance in your VPC setup, it’s time to migrate now, and I can tell you that it’s not tough. You only need to make sure that you create the NAT Gateway in the same subnet as your existing NAT instance. Then you need to edit the route table by replacing the existing NAT reference with the internal address of the new gateway. I told you this was very straightforward. You will need to ensure that you don’t have any critical tasks running at the time of migration, because changing a route from a NAT instance to the gateway can result in a dropped connection.
This feature was only very recently introduced by AWS, so it’s definitely worth sharing. It can resolve lots of existing concerns. Do you have your own experience with this new feature? Why not share it with others.
Top 5 AWS Salary Report Findings
At the speed the cloud tech space is developing, it can be hard to keep track of everything that’s happening within the AWS ecosystem. Advances in technology prompt smarter functionality and innovative new products, which in turn give rise to new job roles that have a ripple effect on t...
New on Cloud Academy: Red Hat, Agile, OWASP Labs, Amazon SageMaker Lab, Linux Command Line Lab, SQL, Git Labs, Scrum Master, Azure Architects Lab, and Much More
Happy New Year! We hope you're ready to kick your training in overdrive in 2020 because we have a ton of new content for you. Not only do we have a bunch of new courses, hands-on labs, and lab challenges on AWS, Azure, and Google Cloud, but we also have three new courses on Red Hat, th...
Cloud Academy’s Blog Digest: Azure Best Practices, 6 Reasons You Should Get AWS Certified, Google Cloud Certification Prep, and more
Happy Holidays from Cloud Academy We hope you have a wonderful holiday season filled with family, friends, and plenty of food. Here at Cloud Academy, we are thankful for our amazing customer like you. Since this time of year can be stressful, we’re sharing a few of our latest article...
Google Cloud Platform Certification: Preparation and Prerequisites
Google Cloud Platform (GCP) has evolved from being a niche player to a serious competitor to Amazon Web Services and Microsoft Azure. In 2019, research firm Gartner placed Google in the Leaders quadrant in its Magic Quadrant for Cloud Infrastructure as a Service for the second consecuti...
New Lab Challenges: Push Your Skills to the Next Level
Build hands-on experience using real accounts on AWS, Azure, Google Cloud Platform, and more Meaningful cloud skills require more than book knowledge. Hands-on experience is required to translate knowledge into real-world results. We see this time and time again in studies about how pe...
New on Cloud Academy: AWS Solution Architect Lab Challenge, Azure Hands-on Labs, Foundation Certificate in Cyber Security, and Much More
Now that Thanksgiving is over and the craziness of Black Friday has died down, it's now time for the busiest season of the year. Whether you're a last-minute shopper or you already have your shopping done, the holidays bring so much more excitement than any other time of year. Since our...
Understanding Enterprise Cloud Migration
What is enterprise cloud migration? Cloud migration is about moving your data, applications, and even infrastructure from your on-premises computers or infrastructure to a virtual pool of on-demand, shared resources that offer compute, storage, and network services at scale. Why d...
6 Reasons Why You Should Get an AWS Certification This Year
In the past decade, the rise of cloud computing has been undeniable. Businesses of all sizes are moving their infrastructure and applications to the cloud. This is partly because the cloud allows businesses and their employees to access important information from just about anywhere. ...
AWS Regions and Availability Zones: The Simplest Explanation You Will Ever Find Around
The basics of AWS Regions and Availability Zones We’re going to treat this article as a sort of AWS 101 — it’ll be a quick primer on AWS Regions and Availability Zones that will be useful for understanding the basics of how AWS infrastructure is organized. We’ll define each section,...
Application Load Balancer vs. Classic Load Balancer
What is an Elastic Load Balancer? This post covers basics of what an Elastic Load Balancer is, and two of its examples: Application Load Balancers and Classic Load Balancers. For additional information — including a comparison that explains Network Load Balancers — check out our post o...
Advantages and Disadvantages of Microservices Architecture
What are microservices? Let's start our discussion by setting a foundation of what microservices are. Microservices are a way of breaking large software projects into loosely coupled modules, which communicate with each other through simple Application Programming Interfaces (APIs). ...
Kubernetes Services: AWS vs. Azure vs. Google Cloud
Kubernetes is a popular open-source container orchestration platform that allows us to deploy and manage multi-container applications at scale. Businesses are rapidly adopting this revolutionary technology to modernize their applications. Cloud service providers — such as Amazon Web Ser...