AWS Solutions Architect Associate — NAT Gateways

김영석
3 min read · Oct 31, 2019

What is a NAT Gateway?

NAT Gateway is short for Network Address Translation Gateway. It provides network connectivity from a private subnet to the internet or to other AWS services, while not allowing the internet to initiate connections to instances in the private subnet.

The console to manage NAT Gateways is under the VPC Dashboard, as shown in the picture below.

NAT Gateway Management Console

When you create a NAT Gateway, you choose a subnet in the VPC and assign an Elastic IP.

Create NAT Gateway

When you are done creating a NAT Gateway, note that you still need to add a route that points at the created NAT Gateway.

NAT Gateway created

Go to the route table that is associated with the subnet where the created NAT Gateway is located, and add a route so that traffic destined for 0.0.0.0/0 targets the NAT Gateway you created, by providing its ID.

Here are some prerequisites for a NAT Gateway to work properly.

  • The NAT Gateway should reside in a public subnet, i.e. one whose associated route table has a route that sends internet-bound traffic to an Internet Gateway.
  • An Elastic IP should be allocated to the NAT Gateway you are creating, as shown in the steps above.

Limitations and Precautions

  • The Elastic IP that has been associated with a NAT Gateway cannot be changed.
  • Each NAT Gateway is created in a specific Availability Zone and, if possible, with redundancy in the zone (the limit is 5 per zone), in order to prevent downtime because of a single NAT Gateway failure.
  • A NAT Gateway supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps. If you need more, you can distribute the workload across multiple NAT Gateways, with redundancy in each subnet.
  • One Elastic IP maps to one NAT Gateway, and it cannot be disassociated or modified afterwards.
  • A NAT gateway supports the following protocols: TCP, UDP, and ICMP.
  • You can use a network ACL to control the traffic to and from the subnet in which the NAT gateway is located. The network ACL applies to the NAT gateway’s traffic. A NAT gateway uses ports 1024–65535. For more information, see Network ACLs.
  • When a NAT gateway is created, it receives a network interface that’s automatically assigned a private IP address from the IP address range of your subnet. You can view the NAT gateway’s network interface in the Amazon EC2 console. For more information, see Viewing Details about a Network Interface. You cannot modify the attributes of this network interface.
  • A NAT gateway cannot be accessed by a ClassicLink connection associated with your VPC.
  • A NAT gateway supports up to 55,000 simultaneous connections to each unique destination. This limit also applies if you create approximately 900 connections per second to a single destination (about 55,000 connections per minute). If the destination IP address, the destination port, or the protocol (TCP/UDP/ICMP) changes, you can create an additional 55,000 connections. For more than 55,000 connections, there is an increased chance of connection errors due to port allocation errors. These errors can be monitored by viewing the ErrorPortAllocation CloudWatch metric for your NAT gateway. For more information, see Monitoring NAT Gateways Using Amazon CloudWatch.
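The setup walked through above, plus an alarm on the ErrorPortAllocation metric from the limitations list, as an added Terraform example (not the author's; the post uses the console). It assumes an existing VPC with a public subnet that already routes 0.0.0.0/0 to an Internet Gateway and a private subnet, both passed in as variables; the 0.0.0.0/0 route is attached to the private subnet's route table so its instances get outbound-only internet access through the NAT Gateway.

```hcl
# Added example, not from the original post. Assumed inputs: an existing VPC
# whose public subnet already routes 0.0.0.0/0 to an Internet Gateway.
variable "vpc_id"            { type = string }
variable "public_subnet_id"  { type = string }   # where the NAT Gateway lives
variable "private_subnet_id" { type = string }   # instances needing egress only

# Prerequisite: one Elastic IP, bound to the NAT Gateway for its whole lifetime.
resource "aws_eip" "nat" {
  domain = "vpc"   # AWS provider v5+; older versions use `vpc = true`
}

# The NAT Gateway itself sits in the PUBLIC subnet.
resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = var.public_subnet_id
}

# Route table for the PRIVATE subnet: internet-bound traffic goes to the
# NAT Gateway, so instances can reach out but nothing can reach in.
resource "aws_route_table" "private" {
  vpc_id = var.vpc_id
}

resource "aws_route" "private_default" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.nat.id
}

resource "aws_route_table_association" "private" {
  subnet_id      = var.private_subnet_id
  route_table_id = aws_route_table.private.id
}

# Detection: alert when the NAT Gateway starts failing to allocate source
# ports (the 55,000-connections-per-destination limit described above).
resource "aws_cloudwatch_metric_alarm" "nat_port_alloc" {
  alarm_name          = "nat-gateway-error-port-allocation"
  namespace           = "AWS/NATGateway"
  metric_name         = "ErrorPortAllocation"
  dimensions          = { NatGatewayId = aws_nat_gateway.nat.id }
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 0
  comparison_operator = "GreaterThanThreshold"
  alarm_description   = "NAT Gateway is exhausting source ports to a destination"
}
```

Apply with `terraform apply`, supplying the three IDs; the NAT Gateway's own public subnet keeps its Internet Gateway route untouched.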


Written by 김영석

I love problem solving and hate repetition of tedious tasks. I like automating, streamlining, optimizing, things.
