NAT as a Service: Amazon's Managed VPC NAT Gateway for AWS

By CIOReview | Tuesday, December 29, 2015

FREMONT, CA: Amazon announces that it is adding managed Network Address Translation (NAT) Gateway to Virtual Private Cloud to automatically create NAT gateways for AWS VPNs without having to spin up EC2 (elastic compute cloud) instances manually.

The network address translation (NAT) gateway enable instances in a private subnet to connect to the Internet or other AWS services, but prevent the Internet from initiating a connection with those instances.

The gateway can automatically scale and has built-in redundancy for high availability. Each gateway created can handle up to 10 Gbps of bursty TCP, UDP, and ICMP traffic, and is managed by Amazon. It enables control over the public IP address by assigning an Elastic IP Address when the gateway is created.

The gateway can connect to the internet from instances within a private subnet in an AWS Virtual Private Cloud (VPC).  Previously, a NAT instance is supposed to be launched to enable NAT for instances in a private subnet.

The gateway’s internal (private) IP address will be chosen automatically, and will be on the subnet associated with the gateway. After creating an IP address, the VPC’s route tables need to be updated to send traffic destined for the internet toward the gateway. The association cannot be changed after creating the NAT gateway.

The VPC Flow Logs can be used to capture the traffic flowing through the gateway, and then the information in the logs can be used to create CloudWatch metrics based on packets, bytes, and protocols.

A security group cannot be associated with a NAT gateway. Instead security groups can be used for instances in the private subnets to control the traffic to and from those instances. A NAT gateway cannot be accessed by a ClassicLink connection associated with the VPC.

A network ACL can be used to control the traffic to and from the subnet in which the NAT gateway is located. The network ACL applies to the NAT gateway's traffic.

When a NAT gateway is created, it receives an elastic network interface that's automatically assigned a private IP address from the IP address range of the subnet. The NAT gateway's network interface can be viewed in the Amazon EC2 console.

The main route table sends Internet traffic from the instances in the private subnet to the NAT gateway. The NAT gateway sends the traffic to the Internet gateway using the NAT gateway’s Elastic IP address as the source IP address.

The NAT gateway can be managed by AWS so there is no need to perform additional maintenance. The software is optimized for handling NAT traffic.