Merry Christmas AWS fans! The new AWS Managed NAT (Network Address Translation) Gateway is here. While the new NAT Gateway offers lots of obvious advantages, there are a couple of things that you’ll want to consider before you terminate those old NAT EC2s.
The new NAT Gateway has redundancy built in for itself, but it lives in a single Availability Zone, so on its own it won’t deliver the cross-AZ high availability (HA) that you may have had previously. In order to achieve full HA within a region, you’ll need at least two NAT Gateways (one per AZ) with each AZ’s private subnets routed to the NAT Gateway in that same AZ.
The new NAT Gateway has the normal per-hour cost but additionally has a per-GB data processing cost. This should be nominal in some cases, but if your app has a lot of outbound traffic, you’ll need to factor that in.
The new NAT Gateway trades the unlimited functionality of the NAT EC2 instance for managed ease-of-use. The NAT server sometimes doubles as a Bastion/Jump box. Sometimes it’s where innocuous scripts live, or it could be a good home for Squid (for extra outbound security). Needless to say, you’ll need to consider whether existing functionality that lives on the NAT can live somewhere else.
The new NAT Gateway will not have a security group attached. This is important because the inbound rules on the NAT instance’s security group were a quick way to stop the private subnets from making requests to the Internet on non-standard ports. With the move to NAT Gateway, that single choke point is gone, so you’ll need to revisit all private subnet security groups and introduce the outbound rules that used to live on the single inbound legacy NAT security group.
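As an added example (not part of the original post or any 2nd Watch tooling), here is a small Python audit covering both of the points above: it flags private subnets whose default route leaves through a NAT Gateway in a different AZ, and security groups whose egress is wide open after the NAT instance’s filtering is gone. It runs offline on constructed data shaped like boto3 `describe_*` responses; against a real account you would substitute the real API results.

```python
# Constructed sample data (not from any real account): two AZs, one NAT Gateway.
NAT_GATEWAYS = [{"NatGatewayId": "nat-0aaa", "SubnetId": "subnet-pub-a"}]
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b"},
]
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-app", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-locked", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def cross_az_nat_routes(subnets, route_tables, nat_gateways):
    """Return {subnet_id: (subnet_az, nat_az)} for subnets whose 0.0.0.0/0 route
    goes to a NAT Gateway in another AZ (an outage there takes them offline)."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    nat_az = {n["NatGatewayId"]: az_of[n["SubnetId"]] for n in nat_gateways}
    findings = {}
    for rt in route_tables:
        default = next((r for r in rt["Routes"]
                        if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        if not default or "NatGatewayId" not in default:
            continue  # no NAT default route in this table; nothing to compare
        gw_az = nat_az[default["NatGatewayId"]]
        for assoc in rt["Associations"]:
            sid = assoc.get("SubnetId")
            if sid and az_of[sid] != gw_az:
                findings[sid] = (az_of[sid], gw_az)
    return findings


def open_egress_groups(security_groups):
    """Return IDs of groups allowing any protocol/port out to 0.0.0.0/0, i.e. the
    port filtering the old NAT instance's security group provided is now absent."""
    open_ids = []
    for sg in security_groups:
        for perm in sg["IpPermissionsEgress"]:
            if perm["IpProtocol"] == "-1" and any(
                    r["CidrIp"] == "0.0.0.0/0" for r in perm["IpRanges"]):
                open_ids.append(sg["GroupId"])
                break
    return open_ids
```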
All in all, the NAT Gateway continues the drive to make AWS simpler and a more managed service. With the appropriate consideration, this will make your environments more robust and easier to manage. Contact 2nd Watch to learn more.
Coin Graham, Senior Cloud Engineer