
NAT Gateway Architecture: Shared vs. Per-Availability Zone Configuration

Configuring appropriate NAT gateway types for a network (for example, a single shared NAT gateway compared with NAT gateways for each Availability Zone)


Learning Objectives

After studying this guide, you will be able to:

  • Differentiate between Shared NAT Gateway and Multi-AZ NAT Gateway architectures.
  • Configure route tables to direct private subnet traffic to the appropriate NAT gateway.
  • Evaluate the trade-offs between cost and high availability (HA) in network design.
  • Understand the fundamental differences between managed NAT Gateways and legacy NAT Instances.

Key Terms & Glossary

  • NAT (Network Address Translation): A method of remapping one IP address space into another by modifying network address information in the IP header of packets while they are in transit.
  • NAT Gateway: A highly available, managed AWS service that allows instances in a private subnet to connect to services outside your VPC but prevents external services from initiating a connection with those instances.
  • EIP (Elastic IP): A static public IPv4 address allocated to your account; a public NAT Gateway must have one associated when it is created (private NAT Gateways, which serve other VPCs or on-premises networks, do not use one).
  • Public Subnet: A subnet that has a direct route to an Internet Gateway (IGW).
  • Private Subnet: A subnet that does not have a direct route to the Internet Gateway; typically uses a NAT Gateway for outbound-only access.

The "Big Idea"

The core mission of a NAT Gateway is to provide a secure, one-way exit for private resources. Imagine a corporate office where employees can call out to customers, but customers cannot dial directly into an employee's desk. In AWS, this ensures that your databases and backend servers can download security patches and updates without being exposed to the public internet. Choosing between a shared and a per-AZ NAT Gateway is the classic architectural balance between saving money and surviving the failure of an Availability Zone.

Formula / Concept Box

Feature            | NAT Gateway (Managed)                                                  | NAT Instance (Self-Managed)
Bandwidth          | Scales automatically up to 100 Gbps per gateway                        | Depends on the EC2 instance type
Management         | Managed by AWS (patching, scaling)                                     | Managed by the customer
High Availability  | Redundant within a single AZ; one gateway per AZ for multi-AZ HA       | Customer must implement (scripts/ASG)
Security Groups    | Not supported (use NACLs on the subnet, SGs on the instances behind it) | Applied to the instance's ENI
Route Target       | nat-xxxxxxxxxxxxxxxxx                                                  | i-xxxxxxxxxxxxxxxxx (or its ENI); source/destination check must be disabled

Hierarchical Outline

  • I. NAT Gateway Fundamentals
    • Managed Service: AWS handles scaling and software updates.
    • Placement: A public NAT gateway must reside in a public subnet (one whose route table sends 0.0.0.0/0 to an Internet Gateway).
    • Connectivity: A public NAT gateway requires an Elastic IP (EIP) at creation; a private NAT gateway (for traffic to other VPCs or on-premises networks) uses only a private address.
  • II. Deployment Strategies
    • Shared NAT Gateway (Cost Optimized)
      • A single gateway in one AZ serves the private subnets of every AZ.
      • Risk: the gateway's AZ is a single point of failure. If it fails, every private subnet loses internet access, and traffic from the other AZs is billed as cross-AZ data transfer on its way to the gateway.
    • NAT Gateway per AZ (Availability Optimized)
      • Each AZ has its own gateway in its own public subnet, and each private subnet has its own route table pointing at the gateway in the same AZ.
      • Benefit: failure of one AZ does not affect connectivity in the others, and egress traffic never crosses an AZ boundary.
  • III. Routing Logic
    • Private Route Table: Destination 0.0.0.0/0 → Target nat-id.
    • Public Route Table: Destination 0.0.0.0/0 → Target igw-id.

Visual Anchors

Traffic Flow Logic (diagram not reproduced)

High Availability Multi-AZ Design

\begin{tikzpicture}[node distance=2cm, box/.style={draw, minimum width=3cm, minimum height=1.5cm, align=center}]
  \draw[dashed] (0,0) rectangle (10,5) node[pos=0.9, above] {VPC (Region)};
  \draw[fill=blue!10] (0.5,0.5) rectangle (4.5,4) node[pos=0.5, below=1.2cm] {Availability Zone A};
  \draw[fill=green!10] (5.5,0.5) rectangle (9.5,4) node[pos=0.5, below=1.2cm] {Availability Zone B};
  \node[box, fill=white] (nat1) at (2.5,3) {NAT Gateway A};
  \node[box, fill=white] (nat2) at (7.5,3) {NAT Gateway B};
  \node[box, fill=gray!20] (ec2a) at (2.5,1.2) {Private Instance A};
  \node[box, fill=gray!20] (ec2b) at (7.5,1.2) {Private Instance B};
  \draw[->, thick] (ec2a) -- (nat1);
  \draw[->, thick] (ec2b) -- (nat2);
  \node (igw) at (5,6) {Internet Gateway};
  \draw[->, thick] (nat1) .. controls (2.5,5) .. (igw);
  \draw[->, thick] (nat2) .. controls (7.5,5) .. (igw);
\end{tikzpicture}

Definition-Example Pairs

  • Shared NAT Gateway: A single NAT resource used by all subnets in a VPC.
    • Example: A startup with a limited budget places one NAT Gateway in AZ-1. Private subnets in AZ-1 and AZ-2 both route 0.0.0.0/0 to it. This saves roughly $32/month in hourly charges (one fewer gateway at about $0.045/hour in us-east-1), but every byte from AZ-2 is billed as cross-AZ data transfer, and if AZ-1 goes down, AZ-2 loses internet access.
  • AZ-Independent Routing: Giving each private subnet its own route table whose default route targets the NAT gateway in that subnet's own AZ, so egress never depends on another AZ.
    • Example: A banking application creates NAT-A in Public Subnet A and NAT-B in Public Subnet B. Private Subnet A routes 0.0.0.0/0 to NAT-A; Private Subnet B routes it to NAT-B. An outage in one AZ leaves the other AZ's egress intact, and no cross-AZ data transfer fees accrue.

Worked Examples

Problem: Configuring a Shared NAT Gateway

Scenario: You have a VPC with two Availability Zones (us-east-1a and us-east-1b). You want to minimize costs while allowing your private instances in both zones to access the internet.

Step-by-Step Solution:

  1. Create NAT Gateway: Navigate to the VPC Console, select "NAT Gateways," and create one in the Public Subnet of us-east-1a.
  2. Allocate EIP: Associate a new Elastic IP during the creation process.
  3. Update Route Table A: Select the route table for the private subnet in us-east-1a. Add a route: 0.0.0.0/0 → nat-0123456789.
  4. Update Route Table B: Select the route table for the private subnet in us-east-1b. Add a route: 0.0.0.0/0 → nat-0123456789 (the same ID).
  5. Verification: Log into an instance in us-east-1b and run curl -I https://google.com. The traffic travels cross-AZ to the gateway in us-east-1a (billed as cross-AZ data transfer) and out to the internet; curl https://checkip.amazonaws.com should return the gateway's EIP, confirming the egress path.
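The deployment strategies in the outline and the shared-gateway procedure above can be checked mechanically. The script below is an added example, not part of the original study guide: it audits every explicitly associated subnet's default route against the AZ of the NAT gateway it targets, flags the cross-AZ dependency the shared design creates, and then plans the per-AZ route tables that remove it. The input dictionaries use the field names of the AWS CLI / boto3 responses to describe-subnets, describe-route-tables and describe-nat-gateways so real output can be dropped in; the sample data, subnet and gateway IDs and the 10.0.0.0/16 VPC CIDR are constructed and model the worked example (one gateway in us-east-1a serving both AZs).

```python
"""Audit private-subnet egress against the AZ of the NAT gateway it uses,
and plan the per-AZ fix.

Added example, not from the original study guide. Input dicts use the field
names of the AWS CLI / boto3 responses to describe-subnets, describe-route-tables
and describe-nat-gateways so real output can be dropped in; the sample below is
constructed (all IDs made up) to model the shared-NAT worked example: one gateway
in us-east-1a, both private subnets pointing at it.
"""

DEFAULT_ROUTE = "0.0.0.0/0"
VPC_CIDR = "10.0.0.0/16"  # assumed VPC CIDR for the constructed sample

SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-pub-1a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-pub-1b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-priv-1a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-1b", "AvailabilityZone": "us-east-1b"},
]}
NAT_GATEWAYS = {"NatGateways": [
    {"NatGatewayId": "nat-0123456789", "SubnetId": "subnet-pub-1a", "State": "available"},
]}
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-public",
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0abc"}],
     "Associations": [{"SubnetId": "subnet-pub-1a"}, {"SubnetId": "subnet-pub-1b"}]},
    {"RouteTableId": "rtb-private-a",
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0123456789"}],
     "Associations": [{"SubnetId": "subnet-priv-1a"}]},
    {"RouteTableId": "rtb-private-b",
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0123456789"}],
     "Associations": [{"SubnetId": "subnet-priv-1b"}]},
]}


def audit_egress(subnets, route_tables, nat_gateways):
    """Map each explicitly associated subnet to a verdict on its default route:
    public (via IGW), same-az-nat, cross-az-nat (SPOF plus cross-AZ transfer
    charges), nat-unavailable (gateway missing or not 'available'),
    no-egress (no 0.0.0.0/0 route) or other (instance, TGW, ...)."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets["Subnets"]}
    nats = {n["NatGatewayId"]: (az_of.get(n["SubnetId"]), n["State"])
            for n in nat_gateways["NatGateways"]}
    verdicts = {}
    for rtb in route_tables["RouteTables"]:
        default = next((r for r in rtb["Routes"]
                        if r.get("DestinationCidrBlock") == DEFAULT_ROUTE), None)
        for assoc in rtb["Associations"]:
            subnet = assoc.get("SubnetId")
            if subnet is None:          # the VPC main-table association has no SubnetId
                continue
            if default is None:
                verdicts[subnet] = ("no-egress", rtb["RouteTableId"])
            elif default.get("GatewayId", "").startswith("igw-"):
                verdicts[subnet] = ("public", default["GatewayId"])
            elif "NatGatewayId" in default:
                nat_id = default["NatGatewayId"]
                nat_az, state = nats.get(nat_id, (None, "missing"))
                if state != "available":
                    verdicts[subnet] = ("nat-unavailable", nat_id)
                elif nat_az == az_of.get(subnet):
                    verdicts[subnet] = ("same-az-nat", nat_id)
                else:
                    verdicts[subnet] = ("cross-az-nat", f"{nat_id} in {nat_az}")
            else:
                verdicts[subnet] = ("other", str(default))
    return verdicts


def cross_az_subnets(verdicts):
    """Subnets whose internet egress depends on another AZ (the shared-NAT risk)."""
    return sorted(s for s, (v, _) in verdicts.items() if v == "cross-az-nat")


def plan_per_az_routes(private_subnet_ids, subnets, nat_gateways):
    """Per-AZ design: one route table per private subnet, 0.0.0.0/0 -> the
    available NAT gateway in that subnet's own AZ. Raises if an AZ has none,
    which is the gap a per-AZ deployment must close before cut-over."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets["Subnets"]}
    nat_by_az = {az_of[n["SubnetId"]]: n["NatGatewayId"]
                 for n in nat_gateways["NatGateways"] if n["State"] == "available"}
    tables = []
    for subnet in private_subnet_ids:
        az = az_of[subnet]
        if az not in nat_by_az:
            raise ValueError(f"no available NAT gateway in {az} for {subnet}")
        tables.append({"RouteTableId": f"rtb-{subnet}",
                       "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                                  {"DestinationCidrBlock": DEFAULT_ROUTE,
                                   "NatGatewayId": nat_by_az[az]}],
                       "Associations": [{"SubnetId": subnet}]})
    return {"RouteTables": tables}


if __name__ == "__main__":
    shared = audit_egress(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS)
    for subnet, (verdict, detail) in sorted(shared.items()):
        print(f"{subnet:16} {verdict:16} {detail}")
    print("depends on another AZ:", cross_az_subnets(shared))
    # Add a second (constructed) gateway in us-east-1b and re-plan per AZ.
    ha_nats = {"NatGateways": NAT_GATEWAYS["NatGateways"] + [
        {"NatGatewayId": "nat-9876543210", "SubnetId": "subnet-pub-1b", "State": "available"}]}
    ha_tables = plan_per_az_routes(["subnet-priv-1a", "subnet-priv-1b"], SUBNETS, ha_nats)
    print("after per-AZ fix:", cross_az_subnets(audit_egress(SUBNETS, ha_tables, ha_nats)))
```

Run against the sample, the audit reports subnet-priv-1b as cross-az-nat (its egress depends on us-east-1a) while subnet-priv-1a is same-az-nat; after a second gateway is added in us-east-1b and the per-AZ plan is applied, no subnet depends on another AZ. Against real accounts, feed it the JSON from the three describe calls; a private subnet that comes back as public (a 0.0.0.0/0 route to an igw-) is a misconfiguration worth treating as a finding, not just a cost issue.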

Checkpoint Questions

  1. Where must a NAT Gateway be located to function correctly?
    • Answer: It must be located in a Public Subnet with a route to an Internet Gateway.
  2. Why can you not apply a Security Group to a NAT Gateway?
    • Answer: A NAT Gateway is a managed resource; the network interface it creates in its subnet is AWS-managed, and security groups cannot be associated with it. Control traffic with Network Access Control Lists (NACLs) on the NAT Gateway's subnet, remembering that NACLs are stateless and must also allow the ephemeral-port return traffic, and with security groups on the instances behind it.
  3. What is the primary disadvantage of using a single NAT Gateway for multiple Availability Zones?
    • Answer: It creates a Single Point of Failure (SPOF). If the AZ hosting the NAT Gateway goes down, all other AZs lose internet connectivity.
  4. How much bandwidth can a managed NAT Gateway handle?
    • Answer: It scales automatically up to 100 Gbps per gateway; for more, spread workloads across additional gateways in other subnets.
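Checkpoint question 2 and the Security Groups row of the Concept Box both come down to the same operational trap: because a NACL is stateless, locking down the NAT gateway's subnet to "just 443" silently drops the replies. The script below is an added example, not from the original study guide. It implements NACL evaluation semantics (one direction at a time, ascending rule number, first match wins, destination-port matching, final deny) and runs the four legs of one HTTPS request from a private instance through the gateway against a weak rule set and a corrected one. Entries use the field names of describe-network-acls; the rule sets, the 10.0.0.0/16 VPC CIDR, the private address 10.0.2.15 and the TEST-NET internet host 203.0.113.10 are all constructed.

```python
"""Stateless NACL check for the public subnet that hosts a NAT gateway.

Added example, not from the original study guide. Because NACLs are stateless,
the NAT gateway's subnet must explicitly allow both directions of each flow,
including the ephemeral-port return traffic that a security group would admit
automatically. Entries use the field names of describe-network-acls; the rule
sets, VPC CIDR and addresses below are all constructed.
"""
import ipaddress

TCP, ANY_PROTO = "6", "-1"
VPC_CIDR = "10.0.0.0/16"    # assumed VPC CIDR
EPHEMERAL = (1024, 65535)   # source-port range a NAT gateway uses toward the internet


def rule(num, action, egress, cidr, proto=TCP, ports=None):
    """Build one NACL entry in describe-network-acls shape."""
    entry = {"RuleNumber": num, "RuleAction": action, "Egress": egress,
             "CidrBlock": cidr, "Protocol": proto}
    if ports:
        entry["PortRange"] = {"From": ports[0], "To": ports[1]}
    return entry


# Weak: only the request direction of each leg, so replies hit the final deny.
WEAK_ACL = [
    rule(100, "allow", False, VPC_CIDR, ports=(443, 443)),     # private subnet -> NAT GW
    rule(100, "allow", True, "0.0.0.0/0", ports=(443, 443)),   # NAT GW -> internet
    rule(32767, "deny", False, "0.0.0.0/0", ANY_PROTO),        # the '*' deny rule
    rule(32767, "deny", True, "0.0.0.0/0", ANY_PROTO),
]

# Corrected: add the return direction of both legs on ephemeral ports.
FIXED_ACL = WEAK_ACL[:2] + [
    rule(110, "allow", False, "0.0.0.0/0", ports=EPHEMERAL),   # internet replies -> NAT GW
    rule(110, "allow", True, VPC_CIDR, ports=EPHEMERAL),       # NAT GW replies -> private
] + WEAK_ACL[2:]


def evaluate(entries, egress, remote_ip, proto, dst_port):
    """NACL semantics: rules for one direction, ascending RuleNumber, first match
    wins; the port range matches the packet's destination port. Anything that
    reaches the end without a match is denied."""
    direction = sorted((e for e in entries if e["Egress"] == egress),
                       key=lambda e: e["RuleNumber"])
    for e in direction:
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        if e["Protocol"] not in (ANY_PROTO, proto):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= dst_port <= pr["To"]:
            continue
        return e["RuleAction"]
    return "deny"


# The four legs of one HTTPS request from a private instance (10.0.2.15) through
# the NAT gateway to an internet host (203.0.113.10, a TEST-NET address):
# (name, egress?, remote address, protocol, destination port on the packet).
REQUIRED_FLOWS = [
    ("private -> NAT GW :443",       False, "10.0.2.15",    TCP, 443),
    ("NAT GW -> internet :443",      True,  "203.0.113.10", TCP, 443),
    ("internet -> NAT GW (reply)",   False, "203.0.113.10", TCP, 40000),
    ("NAT GW -> private (reply)",    True,  "10.0.2.15",    TCP, 40000),
]


def blocked_flows(entries, flows=REQUIRED_FLOWS):
    """Names of required flows the NACL would drop."""
    return [name for name, egress, ip, proto, port in flows
            if evaluate(entries, egress, ip, proto, port) != "allow"]


if __name__ == "__main__":
    print("weak ACL blocks: ", blocked_flows(WEAK_ACL))
    print("fixed ACL blocks:", blocked_flows(FIXED_ACL))
```

The weak rule set passes both request legs and drops both replies, which is exactly the symptom seen in practice: connections from private instances hang rather than fail fast. The private subnets' own NACLs need the mirror-image rules (outbound 443 to 0.0.0.0/0, inbound ephemeral from the VPC), and anything beyond HTTPS, such as UDP 53 to an external resolver, needs its own pair of entries.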
