NAT Instances and NAT Gateways

Learn about NAT instances and NAT Gateways.

NAT instances

You manage NAT instances yourself. They let instances in private subnets access the Internet.

A NAT instance must live on a single public subnet with a route to an Internet gateway. Private instances in private subnets must have a route to the NAT instance, usually the default route destination of 0.0.0.0/0.

NAT instances must be assigned to security groups. The security group for a NAT instance must allow HTTP/HTTPS inbound from the private subnet and outbound to 0.0.0.0/0. The NAT instance only works if the private subnet has a route to it.

  • When creating NAT instances, always disable the source/destination check on the instance.
  • The amount of traffic a NAT instance can support is based on the instance type.
  • A NAT instance can be used as a bastion (jump) host.
  • It can monitor traffic metrics.
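
The requirements above can be checked mechanically. The following is an added example, not code from the original page: an offline audit whose input dicts mirror the shape of EC2 DescribeInstances, DescribeSecurityGroups and DescribeRouteTables responses. All IDs and CIDRs are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

def allows(perms, port, cidr):
    """True if a rule in perms permits TCP `port` for all of `cidr`."""
    want = ipaddress.ip_network(cidr)
    for p in perms:
        proto = p.get("IpProtocol")
        port_ok = proto == "-1" or (proto == "tcp" and p["FromPort"] <= port <= p["ToPort"])
        if port_ok and any(want.subnet_of(ipaddress.ip_network(r["CidrIp"]))
                           for r in p.get("IpRanges", [])):
            return True
    return False

def default_route(route_table):
    """Return the 0.0.0.0/0 route of a route table, or {} if there is none."""
    return next((r for r in route_table["Routes"]
                 if r.get("DestinationCidrBlock") == "0.0.0.0/0"), {})

def audit_nat_instance(inst, sg, public_rt, private_rt, private_cidr):
    """List every NAT instance requirement from the text that is not met."""
    findings = []
    if inst.get("SourceDestCheck", True):
        findings.append("source/destination check is enabled")
    if not default_route(public_rt).get("GatewayId", "").startswith("igw-"):
        findings.append("NAT subnet has no default route to an Internet gateway")
    if default_route(private_rt).get("InstanceId") != inst["InstanceId"]:
        findings.append("private default route does not target the NAT instance")
    for port in (80, 443):  # HTTP/HTTPS, as required by the text
        if not allows(sg["IpPermissions"], port, private_cidr):
            findings.append(f"inbound tcp/{port} from {private_cidr} not allowed")
        if not allows(sg["IpPermissionsEgress"], port, "0.0.0.0/0"):
            findings.append(f"outbound tcp/{port} to 0.0.0.0/0 not allowed")
    return findings

# Constructed sample data (IDs and CIDRs are placeholders, not real resources).
PRIVATE_CIDR = "10.0.1.0/24"
NAT = {"InstanceId": "i-0example", "SourceDestCheck": True}  # check left on
SG = {
    "IpPermissions": [  # HTTPS only: the tcp/80 inbound rule is missing
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
PUBLIC_RT = {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]}
PRIVATE_RT = {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0example"}]}

if __name__ == "__main__":
    for finding in audit_nat_instance(NAT, SG, PUBLIC_RT, PRIVATE_RT, PRIVATE_CIDR):
        print("FAIL:", finding)
```

On the sample data the audit reports the enabled source/destination check and the missing inbound HTTP rule; the routes and outbound rules pass.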

HA

  • A single NAT instance can become a bottleneck and is not highly available (HA).
  • HA can be achieved by using Auto Scaling groups, multiple subnets in different AZs, and a script to automate failover.

Performance

  • Performance is dependent on instance size.
  • NAT instances can scale up by increasing the instance size or by using enhanced networking.
  • NAT instances can scale out by using multiple NATs in multiple subnets.

Watch out!

NAT instances are not supported for IPv6 (use an egress-only Internet gateway instead).