CloudInsidr

Cyber security, infotech

Join us on Twitter: @CloudInsidr

Follow us on Twitter: @cloudinsidr
Home cloud, edge and everything in between NAT as a Service: Amazon’s Managed VPC NAT Gateway for AWS and Why You Should Probably Take It for a Spin
NAT as a Service: Amazon’s Managed VPC NAT Gateway for AWS and Why You Should Probably Take It for a Spin

Leave a Comment

NAT as a Service: Amazon’s Managed VPC NAT Gateway for AWS and Why You Should Probably Take It for a Spin

Amazon’s shiny new managed VPC NAT Gateway on AWS (unveiled today) can be translated into plain English as NAT (Network address Translation) as a service. You might wonder who is going to need it if a VPC was just fine as of yesterday.

Managed NAT Gateway on AWS logo

If you are currently using NAT to connect your EC2 instances that are isolated inside a VPC to the outside world, then the answer is: you are. Even if your instances connect directly to the Internet, you might still be better off with the service than without it.

When using EC2, it is good practice to enclose your compute resources within a VPS (Amazon’s Virtual Private Cloud) to shield your instances from external access as much as possible. For administrative purposes and in order to be able to transfer data in and out, you would then use a virtual private gateway to connect the VPC via a Virtual Private Network (VPN) connection to your existing on-premise infrastructure. In the past, connecting isolated EC2 from within the VPC to the Internet required a minimum of two additional EC2 hosts to facilitate NAT (network address translation) with a failover. How this might look on paper in a deployment scenario that requires HA (high availability) illustrates the image below (source: Amazon).

Dual, active NAT instances on AWS with the possibility of Route takeover on NAT failure
Dual, active NAT instances on AWS with the possibility of Route takeover on NAT failure

„Instead of configuring, running, monitoring, and scaling a cluster of EC2 instances (you’d need at least 2 in order to ensure high availability), you can now create and configure a gateway with a couple of clicks“ writes Jeff Barr ( @jeffbarr) „The gateway has built-in redundancy for high availability. Each gateway that you create can handle up to 10 Gbps of bursty TCP, UDP, and ICMP traffic, and is managed by Amazon. You control the public IP address by assigning an Elastic IP Address when you create the gateway.“

This is a major step on Amazons part, as it opens up the possibility of using the service for much more than just NAT. Intrusion detection and DDoS mitigation are only two of many possible directions Amazon could take this in.

Currently, each managed gateway is assigned to one availability zone, which means that downtime is not entirely out of the question.

While true HA is not yet possible with the managed service, it’s clearly a start.

A breakdown of current prices is right here.

Leave a Reply

Your email address will not be published. Required fields are marked *

©2022 CybrAnalytiqa OÜ