NAT gateways – Amazon Virtual Private Cloud

NAT gateways

A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway
so that instances in a private subnet can connect to services outside your VPC but external
services cannot initiate a connection with those instances.

When you create a NAT gateway, you specify one of the following connectivity types:

  • Public – (Default)
    Instances in private subnets can connect to the internet through a public NAT gateway, but
    cannot receive unsolicited inbound connections from the internet. You create a public NAT
    gateway in a public subnet and must associate an elastic IP address with the NAT gateway
    at creation. You route traffic from the NAT gateway to the internet gateway for the VPC.
    Alternatively, you can use a public NAT gateway to connect to other VPCs or your on-premises
    network. In this case, you route traffic from the NAT gateway through a transit gateway or a
    virtual private gateway.

  • Private
    Instances in private subnets can connect to other VPCs or your on-premises network through
    a private NAT gateway. You can route traffic from the NAT gateway through a transit gateway
    or a virtual private gateway. You cannot associate an elastic IP address with a private NAT
    gateway. You can attach an internet gateway to a VPC with a private NAT gateway, but if you
    route traffic from the private NAT gateway to the internet gateway, the internet gateway
    drops the traffic.

The NAT gateway replaces the source IP address of the instances with the IP address of the
NAT gateway. For a public NAT gateway, this is the elastic IP address of the NAT gateway. For a
private NAT gateway, this is the private IPv4 address of the NAT gateway. When sending response
traffic to the instances, the NAT device translates the addresses back to the original source IP
address.

Pricing

When you provision a NAT gateway, you are charged for each hour that your NAT gateway is
available and for each gigabyte of data that it processes. For more information, see Amazon VPC Pricing.

The following strategies can help you reduce the data transfer charges for your NAT gateway:

  • If your AWS resources send or receive a significant volume of traffic across
    Availability Zones, ensure that the resources are in the same Availability Zone as the NAT
    gateway, or create a NAT gateway in the same Availability Zone as the resources.

  • If most traffic through your NAT gateway is to AWS services that support interface
    endpoints or gateway endpoints, consider creating an interface endpoint or gateway endpoint
    for these services. For more information about the potential cost savings, see AWS PrivateLink pricing.

NAT gateway basics

Each NAT gateway is created in a specific Availability Zone and implemented with
redundancy in that zone. There is a quota on the number of NAT gateways that you can
create in each Availability Zone. For more information, see Amazon VPC quotas.

If you have resources in multiple Availability Zones and they share one NAT gateway, and if
the NAT gateway’s Availability Zone is down, resources in the other Availability Zones lose
internet access. To create an Availability Zone-independent architecture, create a NAT
gateway in each Availability Zone and configure your routing to ensure that resources use
the NAT gateway in the same Availability Zone.
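The following audit, added here as an example and not part of the Amazon VPC documentation, checks the routing rule just described: it walks route tables in the shape of describe-subnets, describe-nat-gateways and describe-route-tables output (constructed placeholder IDs below) and reports private subnets whose NAT route points to a NAT gateway in another Availability Zone, as well as routes left in the blackhole state by a NAT gateway that no longer exists.

```python
import itertools

# Constructed sample data (not a real account); all IDs are placeholders.
# Shapes follow the describe-subnets / describe-nat-gateways / describe-route-tables
# responses, reduced to the fields the audit needs.
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-app-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-app-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-app-c", "AvailabilityZone": "us-east-1c"},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-aaaa", "SubnetId": "subnet-pub-a", "State": "available"},
    {"NatGatewayId": "nat-bbbb", "SubnetId": "subnet-pub-b", "State": "available"},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-a", "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-aaaa", "State": "active"}]},
    # subnet-app-b (us-east-1b) depends on the NAT gateway in us-east-1a
    {"RouteTableId": "rtb-b", "Associations": [{"SubnetId": "subnet-app-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-aaaa", "State": "active"}]},
    # route left behind by a NAT gateway that has been deleted
    {"RouteTableId": "rtb-c", "Associations": [{"SubnetId": "subnet-app-c"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-gone", "State": "blackhole"}]},
]


def nat_gateway_azs(nat_gateways, subnets):
    """Map each NAT gateway ID to the AZ of the subnet it was created in."""
    subnet_az = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    return {n["NatGatewayId"]: subnet_az.get(n["SubnetId"]) for n in nat_gateways}


def audit_nat_routes(subnets, nat_gateways, route_tables):
    """Return findings as (kind, route_table_id, subnet_id, nat_gateway_id).

    kind is "blackhole" for a route whose NAT gateway no longer exists and
    "cross-az" for a subnet routed through a NAT gateway in another AZ."""
    subnet_az = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    nat_az = nat_gateway_azs(nat_gateways, subnets)
    findings = []
    for rtb in route_tables:
        # Only explicit subnet associations; a main-table association has no SubnetId.
        subnet_ids = [a["SubnetId"] for a in rtb.get("Associations", []) if "SubnetId" in a]
        nat_routes = [r for r in rtb.get("Routes", []) if "NatGatewayId" in r]
        for subnet_id, route in itertools.product(subnet_ids, nat_routes):
            nat_id = route["NatGatewayId"]
            if route.get("State") == "blackhole" or nat_id not in nat_az:
                findings.append(("blackhole", rtb["RouteTableId"], subnet_id, nat_id))
            elif nat_az[nat_id] != subnet_az.get(subnet_id):
                findings.append(("cross-az", rtb["RouteTableId"], subnet_id, nat_id))
    return findings


if __name__ == "__main__":
    for finding in audit_nat_routes(SUBNETS, NAT_GATEWAYS, ROUTE_TABLES):
        print(*finding)
```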

The following characteristics and rules apply to NAT gateways:

  • A NAT gateway supports the following protocols: TCP, UDP, and ICMP.

  • NAT gateways are supported for IPv4 or IPv6 traffic. For IPv6 traffic, the NAT gateway performs NAT64.
    By using this in conjunction with DNS64 (available on the Route 53 Resolver), your IPv6 workloads in a subnet in Amazon VPC can
    communicate with IPv4 resources. These IPv4 services may be present in the same VPC (in a separate subnet), in a different VPC,
    in your on-premises environment, or on the internet.

  • A NAT gateway supports 5 Gbps of bandwidth and automatically scales up to
    100 Gbps. If you require more bandwidth, you can split your resources into multiple
    subnets and create a NAT gateway in each subnet.

  • A NAT gateway can process one million packets per second and automatically scales up
    to ten million packets per second. Beyond this limit, a NAT gateway will drop packets. To
    prevent packet loss, split your resources into multiple subnets and create a separate NAT
    gateway for each subnet.

  • Each IPv4 address can support up to 55,000 simultaneous connections to each unique
    destination. A unique destination is identified by a unique combination of destination IP
    address, the destination port, and protocol (TCP/UDP/ICMP). You can increase this limit by
    associating up to 8 IPv4 addresses to your NAT Gateways (1 primary IPv4 address and 7
    secondary IPv4 addresses). You are limited to associating 2 Elastic IP addresses to your
    public NAT gateway by default. You can increase this limit by requesting a quota
    adjustment. For more information, see Elastic IP addresses.

  • You can pick the private IPv4 address to assign to the NAT gateway or have it
    automatically assigned from the IPv4 address range of the subnet. The assigned private
    IPv4 address persists until you delete the private NAT gateway. You cannot detach the
    private IPv4 address and you cannot attach additional private IPv4 addresses.

  • You cannot associate a security group with a NAT gateway. You can associate
    security groups with your instances to control inbound and outbound traffic.

  • You can use a network ACL to control the traffic to and from the subnet for
    your NAT gateway. NAT gateways use ports 1024–65535. For more information, see
    Control traffic to subnets using Network ACLs.

  • A NAT gateway receives a network interface. You can pick the private IPv4 address to
    assign to the interface or have it automatically assigned from the IPv4 address range of
    the subnet. You can view the network interface for the NAT gateway using the Amazon EC2
    console. For more information, see Viewing details about a network
    interface. You cannot modify the attributes of this network interface.

  • A NAT gateway cannot be accessed through a ClassicLink connection that is
    associated with your VPC.

  • You cannot route traffic to a NAT gateway through a VPC peering
    connection, a Site-to-Site VPN connection, or AWS Direct Connect. A NAT gateway cannot be used by
    resources on the other side of these connections.
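To make the NAT64 and DNS64 behaviour above concrete, the following added example (not code from the Amazon VPC documentation) synthesizes the AAAA record that DNS64 hands an IPv6-only client for an IPv4-only destination, and recovers the embedded IPv4 address from a destination that the NAT gateway will translate. It assumes the well-known NAT64 prefix 64:ff9b::/96 and the standard DNS64 rule of synthesizing only when no native AAAA record exists.

```python
import ipaddress

# Assumed well-known NAT64 prefix; DNS64 embeds the IPv4 address in its low 32 bits.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def embedded_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX):
    """Return the embedded IPv4 address if ipv6 lies in the NAT64 prefix, else None.

    A destination inside the prefix is traffic the NAT gateway translates to IPv4;
    anything else is native IPv6 and bypasses NAT64."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def dns64_answer(a_records, aaaa_records, prefix: ipaddress.IPv6Network = NAT64_PREFIX):
    """Mimic DNS64 for one name: pass native AAAA records through untouched and
    synthesize from the A records only when the name has no AAAA record."""
    if aaaa_records:
        return list(aaaa_records)
    return [synthesize_aaaa(a, prefix) for a in a_records]


if __name__ == "__main__":
    # Constructed answers for an IPv4-only host (documentation address 192.0.2.33).
    print(dns64_answer(["192.0.2.33"], []))          # ['64:ff9b::c000:221']
    print(embedded_ipv4("64:ff9b::c000:221"))        # 192.0.2.33
    print(embedded_ipv4("2001:db8::1"))              # None (native IPv6)
```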

Control the use of NAT gateways

By default, users do not have permission to work with NAT gateways. You can create
an IAM role with a policy attached that grants users permissions to create, describe, and delete NAT gateways.
For more information, see Identity and access management for Amazon VPC.

Work with NAT gateways

You can use the Amazon VPC console to create and manage your NAT gateways.

Create a NAT gateway

Complete the steps in this section to create a NAT gateway.

Note

  • You won’t be able to create a public NAT gateway if you’ve exhausted the number of EIPs
    allocated to your account. For more information on EIP quotas and how to adjust them, see
    Elastic IP addresses.

  • You can assign up to 8 private IPv4 addresses to your private NAT Gateway. You are limited to
    associating 2 Elastic IP addresses to your public NAT gateway by default. You can
    increase this limit by requesting a quota adjustment. For more information, see Elastic IP addresses.

To create a NAT gateway
  1. Open the Amazon VPC console at
    https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose NAT gateways.

  3. Choose Create NAT gateway.

  4. (Optional) Specify a name for the NAT gateway. This creates a tag where the key
    is Name and the value is the name that you specify.

  5. Select the subnet in which to create the NAT gateway.

  6. For Connectivity type, leave the default
    Public selection to create a public NAT gateway or choose
    Private to create a private NAT gateway. For more information about the difference between a public and private NAT gateway, see NAT gateways.

  7. If you chose Private, skip this step and continue
    with Step 8. If you chose Public, do the following:

    1. Choose an Elastic IP allocation ID to assign an
      EIP to the NAT gateway or choose Allocate Elastic IP to
      automatically allocate an EIP for the public NAT gateway. You are limited to
      associating 2 Elastic IP addresses to your public NAT gateway by default. You can
      increase this limit by requesting a quota adjustment. For more information, see
      Elastic IP addresses.

    2. (Optional) Choose Additional settings and, under Private IP address – optional, enter a private IPv4 address
      for the NAT gateway. If you don’t enter an address, AWS will automatically assign a private IPv4 address to your NAT gateway at random from the subnet that your NAT gateway is in.

    3. Skip to step 11.

  8. If you chose Private, choose Additional settings, and then under Private IP
    address assigning method, choose one of the following:

    • Auto-assign: AWS automatically chooses a primary private
      IPv4 address and you choose if you want AWS to assign up to 7 secondary private
      IPv4 addresses to assign to the NAT gateway. AWS automatically chooses and assigns
      them for you at random from the subnet that your NAT gateway is in.

    • Custom: Choose the primary private IPv4 address and up to 7
      secondary private IPv4 addresses to assign to the NAT gateway.

  9. If you chose Custom in Step 8, skip this step. If you chose Auto-assign, under
    Number of auto-assigned private IP addresses, choose the number of secondary IPv4
    addresses that you want AWS to assign to this private NAT gateway. You can choose up to 7
    IPv4 addresses.

    Note

    Secondary IPv4 addresses are optional and should be assigned or allocated when
    your workloads that use a NAT Gateway exceed 55,000 concurrent connections to a single
    destination (the same destination IP, destination port, and protocol). Secondary IPv4
    addresses increase the number of available ports, and therefore they increase the
    limit on the number of concurrent connections that your workloads can establish using
    a NAT Gateway.

  10. If you chose Auto-assign in Step 9, skip this step.
    If you chose Custom, do the following:

    1. Under Primary private IPv4 address, enter a private IPv4
      address.

    2. Under Secondary private IPv4 address, enter up to 7 secondary
      private IPv4 addresses.

      Note

      Secondary IPv4 addresses are optional and should be assigned or allocated when
      your workloads that use a NAT Gateway exceed 55,000 concurrent connections to a
      single destination (the same destination IP, destination port, and protocol).
      Secondary IPv4 addresses increase the number of available ports, and therefore
      they increase the limit on the number of concurrent connections that your
      workloads can establish using a NAT Gateway.

  11. (Optional) To add a tag to the NAT gateway, choose Add new tag and enter the key
    name and value. You can add up to 50 tags.

  12. Choose Create a NAT gateway.

  13. The initial status of the NAT gateway is Pending. After the status
    changes to Available, the NAT gateway is ready for you to use. Be sure to
    update your route tables as needed. For examples, see NAT gateway use cases.

If the status of the NAT gateway changes to Failed, there was an error
during creation. For more information, see NAT gateway creation fails.

Edit secondary IP address associations

Each IPv4 address can support up to 55,000 simultaneous connections to each unique
destination. A unique destination is identified by a unique combination of destination IP
address, the destination port, and protocol (TCP/UDP/ICMP). You can increase this limit by
associating up to 8 IPv4 addresses to your NAT Gateways (1 primary IPv4 address and 7
secondary IPv4 addresses). You are limited to associating 2 Elastic IP addresses to your
public NAT gateway by default. You can increase this limit by requesting a quota adjustment.
For more information, see Elastic IP addresses.

You can use the NAT gateway CloudWatch metrics ErrorPortAllocation and PacketsDropCount to
determine if your NAT gateway is generating port allocation errors or dropping packets. To
resolve this issue, add secondary IPv4 addresses to your NAT gateway.
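As an added example (not from the Amazon VPC documentation), the following capacity check turns the 55,000-connections-per-address limit and the two CloudWatch metrics above into a concrete recommendation: it counts concurrent connections per unique destination from constructed flow records, works out how many IPv4 addresses the busiest destination needs, and combines that with constructed ErrorPortAllocation and PacketsDropCount sums to decide how many secondary addresses to add or whether the 8-address cap means resources must be split across subnets.

```python
import math
from collections import Counter

CONNECTIONS_PER_ADDRESS = 55_000  # per unique (dst IP, dst port, protocol)
MAX_ADDRESSES = 8                 # 1 primary + up to 7 secondary IPv4 addresses


def constructed_flows():
    """Constructed sample of connections open in one interval (not real flow logs):
    120,000 to one HTTPS destination and 1,000 DNS queries to another."""
    hot = [("10.0.1.5", 1024 + i % 64512, "203.0.113.10", 443, "tcp") for i in range(120_000)]
    warm = [("10.0.2.7", 1024 + i, "198.51.100.20", 53, "udp") for i in range(1_000)]
    return hot + warm


def peak_connections_per_destination(flows):
    """Count connections per unique destination from
    (src_ip, src_port, dst_ip, dst_port, protocol) tuples."""
    return Counter((dst_ip, dst_port, proto) for _, _, dst_ip, dst_port, proto in flows)


def addresses_required(peaks):
    """Smallest number of NAT gateway IPv4 addresses that keeps the busiest
    destination within the per-address connection limit."""
    worst = max(peaks.values(), default=0)
    return max(1, math.ceil(worst / CONNECTIONS_PER_ADDRESS))


def plan_secondary_addresses(flows, current_addresses, metrics):
    """Combine flow-derived demand with the gateway's CloudWatch metrics.

    metrics: {"ErrorPortAllocation": n, "PacketsDropCount": m}, sums over the
    same interval (constructed here; read from CloudWatch in practice)."""
    peaks = peak_connections_per_destination(flows)
    required = addresses_required(peaks)
    exhausted = metrics.get("ErrorPortAllocation", 0) > 0 or metrics.get("PacketsDropCount", 0) > 0
    if exhausted and required <= current_addresses:
        # The metrics show ports ran out even though the sampled flows do not
        # explain it; treat one more address as the minimum remediation.
        required = current_addresses + 1
    target = min(required, MAX_ADDRESSES)
    return {
        "hottest_destination": peaks.most_common(1)[0][0] if peaks else None,
        "required_addresses": required,
        "secondary_to_add": max(0, target - current_addresses),
        # Beyond 8 addresses, split resources across subnets with a NAT gateway each.
        "split_required": required > MAX_ADDRESSES,
        "port_exhaustion_observed": exhausted,
    }


if __name__ == "__main__":
    print(plan_secondary_addresses(constructed_flows(), 1,
                                   {"ErrorPortAllocation": 0, "PacketsDropCount": 0}))
```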

Note

  • You can add secondary private IPv4 addresses when you create a private NAT gateway or after
    you create the NAT gateway using the procedure in this section. You can add secondary
    EIP addresses to public NAT gateways only after you create the NAT gateway by using
    the procedure in this section.

  • Your NAT gateway can have up to 8 IPv4 addresses associated with it (1 primary IPv4 address
    and 7 secondary IPv4 addresses). You can assign up to 8 private IPv4 addresses to your
    private NAT Gateway. You are limited to associating 2 Elastic IP addresses to your
    public NAT gateway by default. You can increase this limit by requesting a quota
    adjustment. For more information, see Elastic IP addresses.

To edit secondary IPv4 address associations
  1. Open the Amazon VPC console at
    https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose NAT gateways.

  3. Select the NAT gateway whose secondary IPv4 address associations you want to
    edit.

  4. Choose Actions, and then choose Edit secondary IP address associations.

  5. If you are editing the secondary IPv4 address associations of a private NAT gateway,
    under Action, choose Assign new IPv4 addresses or Unassign existing IPv4 addresses.
    If you are editing the secondary IPv4 address associations of a public NAT gateway,
    under Action, choose Associate new IPv4 addresses or Disassociate existing IPv4 addresses.

  6. Do one of the following:

    • If you chose to assign or associate new IPv4 addresses, do the following:

      1. This step is required. You must select a private IPv4 address. Choose the
        Private IPv4 address assigning method:

        • Auto-assign: AWS automatically
          chooses a primary private IPv4 address and you choose if you want AWS to
          assign up to 7 secondary private IPv4 addresses to assign to the NAT
          gateway. AWS automatically chooses and assigns them for you at random from
          the subnet that your NAT gateway is in.

        • Custom: Choose the primary private IPv4
          address and up to 7 secondary private IPv4 addresses to assign to the NAT
          gateway.

      2. Under Elastic IP allocation ID, choose an EIP to add as a secondary IPv4 address.
        This step is required. You must select an EIP along with a private IPv4 address.
        If you chose Custom for the Private IP address assigning method, you also must
        enter a private IPv4 address for each EIP that you add.

      Your NAT gateway can have up to 8 IP addresses associated with it. If this is a
      public NAT gateway, there is a default quota limit for EIPs per Region. For more
      information, see Elastic IP addresses.

    • If you chose to unassign or disassociate existing IPv4 addresses, complete the following:

      1. Under Existing secondary IP address to unassign, select the
        secondary IP addresses that you want to unassign.

      2. (Optional) Under Connection drain duration, enter the maximum
        amount of time to wait (in seconds) before forcibly releasing the IP addresses
        if connections are still in progress. If you don’t enter a value, the default
        value is 350 seconds.

  7. Choose Save changes.

If the status of the NAT gateway changes to Failed, there was an error
during creation. For more information, see NAT gateway creation fails.

Tag a NAT gateway

You can tag your NAT gateway to help you identify it or categorize it according to your
organization’s needs. For information about working with tags, see Tagging your Amazon EC2 resources in the
Amazon EC2 User Guide for Linux Instances.

Cost allocation tags are supported for NAT gateways. Therefore, you can also use tags to
organize your AWS bill and reflect your own cost structure. For more information, see
Using cost allocation tags
in the AWS Billing User Guide. For more information about setting up a
cost allocation report with tags, see Monthly cost allocation
report in About AWS Account Billing.

To tag a NAT gateway
  1. Open the Amazon VPC console at
    https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose NAT Gateways.

  3. Select the NAT gateway that you want to tag and choose Actions. Then choose Manage tags.

  4. Choose Add new tag, and define a Key and Value for the tag. You
    can add up to 50 tags.

  5. Choose Save.

Delete a NAT gateway

If you no longer need a NAT gateway, you can delete it. After you delete a NAT
gateway, its entry remains visible in the Amazon VPC console for about an hour, after
which it’s automatically removed. You cannot remove this entry yourself.

Deleting a NAT gateway disassociates its Elastic IP address, but does not release
the address from your account. If you delete a NAT gateway, the NAT gateway routes
remain in a blackhole status until you delete or update the routes.

To delete a NAT gateway
  1. Open the Amazon VPC console at
    https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose NAT Gateways.

  3. Select the radio button for the NAT gateway, and then choose
    Actions, Delete NAT gateway.

  4. When prompted for confirmation, enter delete and then
    choose Delete.

  5. If you no longer need the Elastic IP address that was associated with a public
    NAT gateway, we recommend that you release it. For more information, see
    Release an Elastic IP address.

API and CLI overview

You can perform the tasks described on this page using the command line or API. For more
information about the command line interfaces and a list of available API operations, see
Working with Amazon VPC.

Assign a private IPv4 address to a private NAT gateway
  • assign-private-nat-gateway-address (AWS CLI)

  • Register-EC2PrivateNatGatewayAddress (AWS Tools for Windows PowerShell)

  • AssignPrivateNatGatewayAddress (Amazon EC2 Query API)

Associate Elastic IP addresses (EIPs) and private IPv4 addresses with a public NAT gateway
  • associate-nat-gateway-address (AWS CLI)

  • Register-EC2NatGatewayAddress (AWS Tools for Windows PowerShell)

  • AssociateNatGatewayAddress (Amazon EC2 Query API)

Create a NAT gateway
  • create-nat-gateway (AWS CLI)

  • New-EC2NatGateway (AWS Tools for Windows PowerShell)

  • CreateNatGateway (Amazon EC2 Query API)

Delete a NAT gateway
  • delete-nat-gateway (AWS CLI)

  • Remove-EC2NatGateway (AWS Tools for Windows PowerShell)

  • DeleteNatGateway (Amazon EC2 Query API)

Describe a NAT gateway
  • describe-nat-gateways (AWS CLI)

  • Get-EC2NatGateway (AWS Tools for Windows PowerShell)

  • DescribeNatGateways (Amazon EC2 Query API)

Disassociate secondary Elastic IP addresses (EIPs) from a public NAT gateway
  • disassociate-nat-gateway-address (AWS CLI)

  • Unregister-EC2NatGatewayAddress (AWS Tools for Windows PowerShell)

  • DisassociateNatGatewayAddress (Amazon EC2 Query API)

Tag a NAT gateway
  • create-tags (AWS CLI)

  • New-EC2Tag (AWS Tools for Windows PowerShell)

  • CreateTags (Amazon EC2 Query API)

Unassign secondary IPv4 addresses from a private NAT gateway
  • unassign-private-nat-gateway-address (AWS CLI)

  • Unregister-EC2PrivateNatGatewayAddress (AWS Tools for Windows PowerShell)

  • UnassignPrivateNatGatewayAddress (Amazon EC2 Query API)