Can a single NAT Gateway span across multiple AZ?
When I configure a NAT Gateway, I have to select a subnet, hence to my understanding, one NAT Gateway for one Subnet, which falls under one Availability Zone.

Then I saw the below statement

If you have resources in multiple Availability Zones and they share one NAT gateway, in the event that the NAT gateway's Availability Zone is down, resources in the other Availability Zones lose internet access. To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.

If I have multiple EC2 in different subnets, how do they share a single NAT Gateway? Did I understand wrongly? Below is the screenshot I see when I try to create a NAT Gateway

[screenshot: the NAT Gateway creation form, which asks for a single subnet]

Curvy answered 30/12, 2019 at 4:0 Comment(0)

A NAT Gateway connects to a specific Subnet, and a Subnet is in a specific Availability Zone.

Amazon EC2 instances in private subnets can use a NAT Gateway as follows:

  • The NAT Gateway is launched in a public subnet in the same VPC
  • The Route Table for the private subnet(s) requires an additional entry that directs all Internet-bound traffic (0.0.0.0/0) to the NAT Gateway

Depending upon your appetite for risk, you might configure things differently.

Case 1: One public subnet, one private subnet in same AZ

  • The NAT Gateway goes into the public subnet
  • The EC2 Instances go into the private subnet
  • The Route Table for the private subnet points to the NAT Gateway in the public subnet

Case 2: Two public subnets, two private subnets, one NAT Gateway

  • The NAT Gateway goes into one public subnet (Public-Subnet-A)
  • The EC2 instances are launched in private subnets across two AZs (Private-Subnet-A, Private-Subnet-B)
  • The Route Tables for both of the private subnets point to the NAT Gateway

However, if there is a failure with Availability Zone A (rare, but can happen), then the NAT Gateway is not reachable from Private-Subnet-B. Thus, the system may be impacted even though it is running across two AZs.

Case 3: Two public subnets, two private subnets, two NAT Gateways

  • A NAT Gateway goes into each of the public subnets (Public-Subnet-A, Public-Subnet-B)
  • The EC2 instances are launched in private subnets across two AZs (Private-Subnet-A, Private-Subnet-B)
  • The Route Table for Private-Subnet-A points to the NAT Gateway in Public-Subnet-A
  • The Route Table for Private-Subnet-B points to the NAT Gateway in Public-Subnet-B

If one of the AZs were to fail, then the EC2 instances in the other private subnet will still be able to communicate with the Internet because they have their own NAT Gateway in the same AZ.

Selfcontrol answered 30/12, 2019 at 4:29 Comment(13)
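The three cases above differ only in where each private subnet's 0.0.0.0/0 route lands relative to that subnet's own AZ. The following is an added example, not code from the answer or from AWS: a small offline checker that takes a constructed description of subnets, NAT gateways and route tables (simplified records, not the real `describe-*` API shape) and reports, for every private subnet, whether its default route uses a NAT gateway in the same AZ. Case 2 and Case 3 from the answer are encoded as sample data; the subnet, NAT gateway and route-table IDs are made up for the illustration.

```python
"""Check whether each private subnet's default route uses a NAT gateway in its own AZ.

Added example with constructed data; the record shapes are simplified and are
not the AWS API's own output format.
"""
from dataclasses import dataclass


@dataclass
class Subnet:
    subnet_id: str
    az: str
    public: bool


@dataclass
class NatGateway:
    nat_id: str
    subnet_id: str  # the public subnet the NAT gateway was launched into


@dataclass
class RouteTable:
    rtb_id: str
    subnet_ids: list  # subnets associated with this route table
    routes: dict      # destination CIDR -> target ID (e.g. "nat-..." or "igw-...")


def nat_az_findings(subnets, nat_gateways, route_tables):
    """Return sorted (subnet_id, status, detail) tuples for every private subnet.

    status is one of: 'ok', 'cross-az', 'no-default-route', 'missing-nat'.
    'cross-az' is the Case 2 situation: an AZ outage where the NAT gateway
    lives takes this subnet's Internet access down with it.
    """
    subnet_by_id = {s.subnet_id: s for s in subnets}
    nat_by_id = {n.nat_id: n for n in nat_gateways}
    findings = []
    for rtb in route_tables:
        target = rtb.routes.get("0.0.0.0/0")
        for sid in rtb.subnet_ids:
            subnet = subnet_by_id[sid]
            if subnet.public:
                continue  # public subnets route to an IGW; not the NAT concern here
            if target is None:
                findings.append((sid, "no-default-route", rtb.rtb_id))
                continue
            nat = nat_by_id.get(target)
            if nat is None:
                findings.append((sid, "missing-nat", target))
                continue
            nat_az = subnet_by_id[nat.subnet_id].az
            if nat_az == subnet.az:
                findings.append((sid, "ok", f"{nat.nat_id} in {nat_az}"))
            else:
                findings.append((sid, "cross-az",
                                 f"{nat.nat_id} is in {nat_az}, subnet is in {subnet.az}"))
    return sorted(findings)


def is_az_independent(findings):
    """True only when every private subnet uses a NAT gateway in its own AZ (Case 3)."""
    return all(status == "ok" for _, status, _ in findings)


# --- constructed sample data (IDs are made up) -------------------------------
SUBNETS = [
    Subnet("subnet-public-a", "us-east-1a", True),
    Subnet("subnet-public-b", "us-east-1b", True),
    Subnet("subnet-private-a", "us-east-1a", False),
    Subnet("subnet-private-b", "us-east-1b", False),
]
NAT_A = NatGateway("nat-a", "subnet-public-a")
NAT_B = NatGateway("nat-b", "subnet-public-b")

# Case 2: one shared NAT gateway, one route table for both private subnets
CASE2_ROUTE_TABLES = [
    RouteTable("rtb-private", ["subnet-private-a", "subnet-private-b"], {"0.0.0.0/0": "nat-a"}),
]
# Case 3: one NAT gateway per AZ and one route table per private subnet
CASE3_ROUTE_TABLES = [
    RouteTable("rtb-private-a", ["subnet-private-a"], {"0.0.0.0/0": "nat-a"}),
    RouteTable("rtb-private-b", ["subnet-private-b"], {"0.0.0.0/0": "nat-b"}),
]


def case2():
    return nat_az_findings(SUBNETS, [NAT_A], CASE2_ROUTE_TABLES)


def case3():
    return nat_az_findings(SUBNETS, [NAT_A, NAT_B], CASE3_ROUTE_TABLES)


if __name__ == "__main__":
    for name, fn in (("Case 2", case2), ("Case 3", case3)):
        findings = fn()
        print(f"{name}: AZ-independent = {is_az_independent(findings)}")
        for sid, status, detail in findings:
            print(f"  {sid}: {status} ({detail})")
```

Run against real inventory, the same logic would take the subnet, NAT gateway and route-table records from your account and flag every private subnet whose default route crosses an AZ boundary; the 'cross-az' finding is also the traffic that incurs the cross-AZ data charges mentioned in the comments below.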
I can't really relate your answer to the statement that I've mentioned. In short, it is not possible to share a single NAT Gateway with resources in multiple AZs, isn't it? -- Curvy
@Curvy yes but no: it is possible to share a single NAT Gateway across as many AZs as you want (case 2, above, references 2 AZs), within a region and within a single VPC in that region, but you will pay for cross-zone data transport and you lose resiliency in the unlikely event of an outage impacting the AZ where the NAT-GW is provisioned... and the NAT Gateway is always located in a single AZ. -- Racehorse
@Curvy It's not so much that a NAT Gateway is "shared". Rather, you can configure the Route Tables on subnets from multiple AZs to point to the same NAT Gateway. That way, resources in both AZs use the same NAT Gateway. -- Selfcontrol
In short, it's not correct to have a single NAT Gateway for multiple AZs if you are really looking for high availability (most applications have some of their instances in a private subnet, so it will be a failure). Case 2 should be ruled out. Thanks @JohnRotenstein -- Ironhanded
Option 2 will also lead to cross-AZ bandwidth charges. This may cost more than running 2 NAT Gateways in their respective AZs. aws.amazon.com/premiumsupport/knowledge-center/… -- Nesline
For case 3, would we also need two private route tables? -- Tymon
@Tymon Yes, Case 3 describes the need for two separate Route Tables -- one for each Private Subnet, since they will point to their 'own' NAT Gateway. -- Selfcontrol
@JohnRotenstein Thank you! I was missing that simple logic. Another question: is there a reason why people associate the main route table as their private one? Is there any security risk in doing the opposite? -- Tymon
@Tymon You can use the Main Route Table for any purpose (eg the opposite). It's probably a good 'default' to treat it as a Private route table so that any new subnets default to being private unless explicitly configured to be public -- this is safer from a Security standpoint. -- Selfcontrol
@JohnRotenstein understood, thank you for your time. -- Tymon
@Nesline great point; consider running a separate NAT gateway for each AZ (subnet) when: 1. you want High Availability; 2. the cost of cross-zone traffic through the shared NAT gateway becomes higher than just running a dedicated NAT gateway (it's not common, but possible). All in all, it should generally be cheaper to run a single NAT considering the previous 2 points. -- Harkey
Hi @ShinebayarG, does this news aws.amazon.com/about-aws/whats-new/2022/04/… affect this? Or will there still be some charges? -- Predispose
@Predispose looks like that is not related to AWS NAT Gateway. Only for a bunch of VPN stuff. -- Harkey
