2.1.2. NAT Gateways and Egress-Only Internet Gateways
NAT Gateways (IPv4) and Egress-Only Internet Gateways (IPv6) give instances in private subnets outbound-only internet connectivity: the instances can initiate connections for updates and external calls, but nothing on the internet can initiate a connection to them.
Scenario: You have application servers in a private IPv4 subnet that need to download software updates from the internet. You also have some new applications using IPv6 in private subnets that require outbound internet access. Neither should be publicly accessible.
Instances deployed in private subnets do not have direct internet access. However, they often need to initiate outbound connections for software updates, external API calls, or to download patches.
Key Concepts:
- NAT Gateway (Network Address Translation): A managed, horizontally scaled NAT service that AWS operates for you.
- Purpose: Allows instances in private IPv4 subnets to reach the internet, or AWS services reached over public endpoints, through the NAT Gateway's Elastic IP address. The instances themselves keep private addresses only. For S3 and DynamoDB, prefer a gateway VPC endpoint instead: it is free of NAT processing charges and keeps the traffic off the public egress path.
- Traffic Flow: The NAT Gateway is stateful. It translates the source address of outbound flows and passes return traffic for those flows back to the originating instance; unsolicited inbound connections from the internet are dropped.
- Deployment: Resides in a public subnet (one whose route table sends 0.0.0.0/0 to an Internet Gateway) and is assigned an Elastic IP address. The private subnet's route table sends 0.0.0.0/0 to the NAT Gateway.
- High Availability: Highly available within its Availability Zone only. For Multi-AZ deployments, create one NAT Gateway per AZ and point each private subnet's route table at the NAT Gateway in the same AZ; otherwise an AZ failure takes egress down for every other AZ that depends on it, and cross-AZ traffic is billed.
- Egress-Only Internet Gateway: A VPC component that allows outbound-only communication over IPv6 from instances in private subnets to the internet.
- Purpose: The IPv6 counterpart of a NAT Gateway for private subnets, but with no address translation: IPv6 addresses in a VPC are globally unique and publicly routable, so the gateway is a stateful device that forwards outbound IPv6 flows and drops unsolicited inbound ones. Routing a private subnet's IPv6 traffic to a regular Internet Gateway instead would make those instances reachable from the internet.
- Deployment: Attached to the VPC; the route table of each private IPv6 subnet sends ::/0 to it.
Practical Implementation: Configuring a Private Subnet Route Table for NAT Gateway
# Assuming VPC_ID, PRIVATE_SUBNET_ID and NAT_GATEWAY_ID are already defined
# 1. Create a new route table for the private subnet (if not using the VPC main route table)
PRIVATE_ROUTE_TABLE_ID=$(aws ec2 create-route-table --vpc-id "$VPC_ID" --query RouteTable.RouteTableId --output text)
echo "Private Route Table ID: $PRIVATE_ROUTE_TABLE_ID"
# 2. Add a default route (0.0.0.0/0) to the NAT Gateway in the private route table
aws ec2 create-route --route-table-id "$PRIVATE_ROUTE_TABLE_ID" --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$NAT_GATEWAY_ID"
# 3. Associate the private subnet with this route table (replaces any previous association)
aws ec2 associate-route-table --subnet-id "$PRIVATE_SUBNET_ID" --route-table-id "$PRIVATE_ROUTE_TABLE_ID"
⚠️ Common Pitfall: Placing a NAT Gateway in a private subnet. A NAT Gateway only works if the route table of the subnet it lives in has an active 0.0.0.0/0 route to an Internet Gateway; in a private subnet it is created successfully but never forwards traffic. Check the public subnet's route table before creating the gateway. The IPv6 mirror image of this mistake is routing a private subnet's ::/0 to the Internet Gateway rather than the Egress-Only Internet Gateway, which silently exposes the instances.
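The following script is an added example, not part of the original page or AWS's own tooling. It ties the pieces above together: it checks that the chosen public subnet really has an active default route to an Internet Gateway (the pitfall just described), then creates the Elastic IP and NAT Gateway, the IPv4 default route, the Egress-Only Internet Gateway and the IPv6 default route. The resource IDs are placeholders; VPC_ID, PUBLIC_SUBNET_ID, PRIVATE_SUBNET_ID and PRIVATE_ROUTE_TABLE_ID are assumed to exist and can be overridden from the environment. The route-table samples are constructed, not real AWS output, so the check itself can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original page): provision both egress paths
# and first verify the "NAT Gateway must sit in a public subnet" precondition.
# Placeholder IDs below; override from the environment for a real VPC.
set -eu

VPC_ID=${VPC_ID:-vpc-0123456789abcdef0}
PUBLIC_SUBNET_ID=${PUBLIC_SUBNET_ID:-subnet-0aaaaaaaaaaaaaaaa}
PRIVATE_SUBNET_ID=${PRIVATE_SUBNET_ID:-subnet-0bbbbbbbbbbbbbbbb}
PRIVATE_ROUTE_TABLE_ID=${PRIVATE_ROUTE_TABLE_ID:-rtb-0ccccccccccccccccc}

# Pure check, usable offline. Input is the text form of a route table as printed by:
#   aws ec2 describe-route-tables --route-table-ids <rtb> \
#     --query 'RouteTables[0].Routes[*].[DestinationCidrBlock,GatewayId,State]' --output text
# Returns 0 only if an *active* 0.0.0.0/0 route points at an Internet Gateway (igw-*).
# A "blackhole" state (IGW detached) or a default route via anything else
# (nat-*, tgw-*, or None for a NAT Gateway route) means the subnet is not public.
has_igw_default_route() {
  printf '%s\n' "$1" | awk '
    $1 == "0.0.0.0/0" && $2 ~ /^igw-/ && $3 == "active" { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed sample outputs (not real AWS data) for the three cases above.
SAMPLE_PUBLIC_ROUTES='10.0.0.0/16 local active
0.0.0.0/0 igw-0123456789abcdef0 active'
SAMPLE_PRIVATE_ROUTES='10.0.0.0/16 local active
0.0.0.0/0 None active'
SAMPLE_BLACKHOLE_ROUTES='10.0.0.0/16 local active
0.0.0.0/0 igw-0123456789abcdef0 blackhole'

# Print the routes of the table that governs subnet $1: the explicitly
# associated table, or the VPC main table when there is no explicit association.
subnet_routes() {
  rtb=$(aws ec2 describe-route-tables \
      --filters "Name=association.subnet-id,Values=$1" \
      --query 'RouteTables[0].RouteTableId' --output text)
  if [ "$rtb" = "None" ]; then
    rtb=$(aws ec2 describe-route-tables \
        --filters "Name=vpc-id,Values=$VPC_ID" "Name=association.main,Values=true" \
        --query 'RouteTables[0].RouteTableId' --output text)
  fi
  aws ec2 describe-route-tables --route-table-ids "$rtb" \
    --query 'RouteTables[0].Routes[*].[DestinationCidrBlock,GatewayId,State]' \
    --output text
}

provision_egress() {
  # Guard against the pitfall before creating anything billable.
  if ! has_igw_default_route "$(subnet_routes "$PUBLIC_SUBNET_ID")"; then
    echo "refusing: $PUBLIC_SUBNET_ID has no active 0.0.0.0/0 -> igw-* route" >&2
    return 1
  fi

  # IPv4 path: Elastic IP + NAT Gateway in the public subnet, then the
  # private subnet's default route points at it.
  ALLOC_ID=$(aws ec2 allocate-address --domain vpc --query AllocationId --output text)
  NAT_GATEWAY_ID=$(aws ec2 create-nat-gateway --subnet-id "$PUBLIC_SUBNET_ID" \
      --allocation-id "$ALLOC_ID" --connectivity-type public \
      --query NatGateway.NatGatewayId --output text)
  aws ec2 wait nat-gateway-available --nat-gateway-ids "$NAT_GATEWAY_ID"
  aws ec2 create-route --route-table-id "$PRIVATE_ROUTE_TABLE_ID" \
      --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$NAT_GATEWAY_ID"

  # IPv6 path: Egress-Only Internet Gateway attached to the VPC; the same
  # private route table sends ::/0 to it. No translation happens here:
  # instances keep their public IPv6 addresses and the gateway drops
  # unsolicited inbound flows.
  EIGW_ID=$(aws ec2 create-egress-only-internet-gateway --vpc-id "$VPC_ID" \
      --query EgressOnlyInternetGateway.EgressOnlyInternetGatewayId --output text)
  aws ec2 create-route --route-table-id "$PRIVATE_ROUTE_TABLE_ID" \
      --destination-ipv6-cidr-block ::/0 --egress-only-internet-gateway-id "$EIGW_ID"

  echo "NAT Gateway: $NAT_GATEWAY_ID  Egress-Only IGW: $EIGW_ID"
}

# Run only when explicitly asked, so the file can be sourced for its helpers.
if [ "${1:-}" = "apply" ]; then
  provision_egress
fi
```

Run it as `sh provision-egress.sh apply` with real IDs exported. The check deliberately requires the route's State to be `active`: a 0.0.0.0/0 route whose Internet Gateway has been detached shows as `blackhole`, and a NAT Gateway created behind it would be just as dead as one in a private subnet.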
Key Trade-Offs:
- Security vs. Cost: A NAT Gateway blocks unsolicited inbound connections, but it places no restriction on where instances may connect outbound, so a compromised instance can still reach any internet address. Restrict egress with security group outbound rules and network ACLs, or route 0.0.0.0/0 through an inspection firewall, if exfiltration is a concern. NAT Gateways are billed per hour and per GB processed; gateway VPC endpoints for S3 and DynamoDB avoid both charges for that traffic.
- Availability vs. Cost: One NAT Gateway per AZ removes the cross-AZ dependency but multiplies the hourly charge; a single shared NAT Gateway is cheaper but becomes a single point of failure for egress.
Reflection Question: How do NAT Gateways (for IPv4) and Egress-Only Internet Gateways (for IPv6) provide secure, outbound-only internet connectivity for instances in private subnets, ensuring necessary communication while maintaining network isolation and security?