NAT Instance vs NAT Gateway - AWS Solutions Arch exam notes
NAT - Network Access Translation
normally used to allow private subnets to have internet access
NAT Instances - EC2 instance
This solution is not optimal, might be “bottle-neck” if multiple EC2 instance are using this NAT Instance
- This instance should be created in “public subet”
- Follow “launch instance” wizard
- take into consideration: use community AMIs (search for NAT)
- once the instance is up an running there is one IMPORTANT thing that should be changed in the EC2 instance..
- Disable source/destination checks
Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance. From AWS
- Disable source/destination checks
- to allow private EC2 to communitace with this NAT instance a ROUTE TABLE must be configured
- select “main” Route table, this is where private subnet is associated.
- added route from 0.0.0.0/0 to instance (eni-)
Tips
- NAT Instances always behind a Security Group
- If you are bottlenecking, increase the instance size
- You can AutoScale instances to be highly available - not optimal
- change source/destination checks
NAT Gateways
- highly available
- redundant inside AZ
- it scales automatillay : starts 5Gbps up to 45Gbps
- No need to path
- No SG
- Automatically assigned public IP Address
- IMPORTANT - update route table
- Create NAT Gateway in each AZ and configure your routing to ensure your resources use the NAT Gateway in the same AZ.
For later
- EIP - elastic IP Adress