CloudWiki

NAT Gateway

Amazon Web Services
Network
NAT Gateway is an Amazon Network Address Translation (NAT) service that allows you to connect instances in a private network to external services outside your VPC, while those services can’t initiate a connection to those instances.
Terraform Name: aws_nat_gateway
Attributes:
  • allocation_id - (Optional) The Allocation ID of the Elastic IP address for the gateway. Required for connectivity_type of public.
  • connectivity_type - (Optional) Connectivity type for the gateway. Valid values are private and public. Defaults to public.
  • subnet_id - (Required) The Subnet ID of the subnet in which to place the gateway.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Associating resources with a NAT Gateway
Resources do not "belong" to a NAT Gateway. Rather, one or more Security Groups are associated to a resource.
Create NAT Gateway via Terraform:
The following HCL creates a public NAT gateway in the specified subnet and associates the Elastic IP address with the specified allocation ID. When you create a public NAT gateway, you must associate an Elastic IP address with it.
Syntax:

resource "aws_nat_gateway" "example" {
  allocation_id = aws_eip.example.id
  subnet_id     = aws_subnet.example.id

  tags = {
    Name = "gw NAT"
  }

  # To ensure proper ordering, it is recommended to add an explicit dependency
  # on the Internet Gateway for the VPC.
  depends_on = [aws_internet_gateway.example]
}
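The snippet above creates the gateway itself but not the piece that actually gives private instances egress-only access: a route table for the private subnet whose default route points at the NAT gateway. The following is an added, complete configuration (not from the CloudWiki page or AWS documentation) showing the whole path: VPC, public subnet with an Internet Gateway route, an Elastic IP, the public NAT gateway in the public subnet, and a private subnet routed through it. The region, availability zone, CIDR blocks and resource names are assumptions chosen for this example.

```hcl
# Added example (not from the CloudWiki page): a private subnet that reaches the
# internet only through a public NAT gateway, with no inbound path from outside.
# Region, AZ, CIDRs and names are assumptions chosen for this example.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumed
}

resource "aws_vpc" "example" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "nat-example" }
}

# Public subnet: hosts the NAT gateway and has a default route to the IGW.
resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.example.id
  cidr_block        = "10.0.0.0/24"
  availability_zone = "us-east-1a" # assumed
  tags              = { Name = "public" }
}

# Private subnet: instances get no public IP; all egress goes via the NAT gateway.
resource "aws_subnet" "private" {
  vpc_id                  = aws_vpc.example.id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = false
  tags                    = { Name = "private" }
}

resource "aws_internet_gateway" "example" {
  vpc_id = aws_vpc.example.id
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.example.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.example.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# Elastic IP for the NAT gateway (required when connectivity_type is "public").
resource "aws_eip" "nat" {
  domain     = "vpc"
  depends_on = [aws_internet_gateway.example]
}

resource "aws_nat_gateway" "example" {
  allocation_id     = aws_eip.nat.id
  subnet_id         = aws_subnet.public.id # must be the public subnet, not the private one
  connectivity_type = "public"
  tags              = { Name = "gw NAT" }

  # Explicit ordering on the IGW, as the page's snippet recommends.
  depends_on = [aws_internet_gateway.example]
}

# Private route table: default route through the NAT gateway. Outbound
# connections are translated to the EIP; nothing outside can initiate inbound.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.example.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.example.id
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}
```

Two details worth checking in a review of any such configuration: the NAT gateway's subnet_id must be the public subnet (a gateway placed in the private subnet has no route to the IGW and silently provides no egress), and the private subnet's route table must be its own, not the public one, otherwise instances there are reachable through the IGW if they ever get a public address. Security groups and network ACLs still apply to traffic that traverses the gateway.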

Create NAT Gateway via CLI:
Parameters:

create-nat-gateway
[--allocation-id <value>]
[--client-token <value>]
[--dry-run | --no-dry-run]
--subnet-id <value>
[--tag-specifications <value>]
[--connectivity-type <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws ec2 create-nat-gateway \
   --subnet-id subnet-0250c25a1fEXAMPLE \
   --allocation-id eipalloc-09ad461b0dEXAMPLE

Costs
The cost of using NAT Gateway depends on the amount of data processed through it. Data processing charges for NAT Gateway start at $0.045 per GB and decrease as the amount of data processed increases. Additionally, there is an hourly charge for each NAT Gateway that is running.
Direct Cost:
  • NatGateway-Hours
  • NatGateway-Bytes
  • DataTransfer-Regional-Bytes
  • <Region>-<Region>-AWS-Out-Bytes
Indirect Cost: No items found.
Best Practices for NAT Gateway

Categorized by Availability, Security & Compliance and Cost

  • Low: Access allowed from VPN
  • Low: Auto Scaling Group not in use
  • Medium: Connections towards DynamoDB should be via VPC endpoints
  • Medium: Container in CrashLoopBackOff state
  • Low: EC2 with GPU capabilities
  • Medium: EC2 with high privileged policies
  • Medium: ECS cluster delete alarm
  • Critical: ECS task with Admin access (*:*)
  • Medium: ECS task with high privileged policies
  • Critical: EKS cluster delete alarm
  • Medium: ElastiCache cluster delete alarm
  • Medium: Ensure Container liveness probe is configured
  • Medium: Ensure ECS task definition has memory limit
  • Critical: Ensure EMR cluster master nodes are not publicly accessible