AWS NAT – Network Address Translation devices, launched within the public subnet. This allows instances in a private network to connect to the Internet but prevents the Internet’s from initiating connections with them.
Private subnets will require an internet connection to perform software updates and access external services.
The NAT device performs both address translation (PAT), and port address translation (ADT) functions.
Instances cannot be exposed directly to the Internet by NAT instance. They must be launched in Public subnet, assigned the Elastic IP address to all, and then be launched in Elastic subnet.
The traffic is routed from the private subnet to Internet by replacing the source IP address of the traffic with its address. For the response traffic it translates that address back to the instances private IP addresses.
AWS allows NAT configuration to be done in two waysNAT Gateway, managed by AWS
NAT InstanceNAT Gateway
AWS managed NAT services such as NAT gateway provide better availability and higher bandwidth while requiring less administrative effort.
A NAT gateway supports 5Gbps of bandwidth and automatically scales to 100 Gbps. Splitting the workload into multiple subnets and creating a NAT gateway within each subnet can help with higher bursts.
Public NAT gateway is associated to One Elastic IP address that cannot be disassociated after its creation.
Each NAT gateway is installed in a specific Availability Zone.
A NAT gateway supports TCP, UDP and ICMP protocols.
A security group cannot be associated with the NAT gateway. You can configure security for the instances in private subnets to manage traffic.
Network ACL can be used for traffic control to and from the subnet. NACL is applicable to traffic from the NAT gateway, which uses ports 1024-65535
When a NAT gateway is created, it receives an elastic network connection that is automatically assigned a private subnet IP address. This network interface’s attributes cannot be changed
NAT gateways cannot send traffic over VPC connections, VPN connections, AWS Direct Connect or VPC peering links. Modifying the route table for private subnets should be done to route traffic directly to these devices.
If the connection is not active for more than 350 seconds, the NAT gateway will terminate it. To prevent the connection being dropped, increase traffic or enable TCP keepalive for instances with a value below 350 seconds.
NAT gateways do not currently support the IPsec protocol.
A NAT gateway does not pass traffic from an instance within a private subnet to a public internet.
Publicis is the default type
Private subnets may connect to the internet via a public NAT gateway but cannot receive unwelcomed inbound connections.
should be created in a subnet public and must associate an elastic address with the NAT gateway upon creation.
Traffic is routed from the gateway towards the VPC’s internet gateway.
can be used for connecting to other VPCs and the on-premises networks. Traffic is routed from the NAT gateway via a transit gateway, or a virtual private gateway.
PrivateInstances within private subnets may connect to other VPCs and the on-premises network via a private VPN gateway.
Traffic can be routed to the NAT gateway via a transit gateway, or a virtual private gateway.
It is not possible to associate an elastic IP address and a private NAT gateway.
An internet gateway can be attached with a VPC that has a private NAT Gateway. However, if traffic is routed from the private NAT Gateway to the internet gateway, it drops the traffic.NAT Instance
Amazon Linux AMIs can be used to create a NAT instance. These AMIs are designed to route traffic to the Internet.
They are not the same bandwidth and availability, and must be configured according to the application’s needs.