Some notes gathered from around the web on NAT Gateways vs NAT Instances.
o NAT Instance – the older approach; NAT Gateway is relatively new, introduced by AWS in December 2015
o http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-comparison.html
o NAT Instance is an EC2 instance
- Launch an EC2 instance (AWS publishes NAT AMIs for this) in a public subnet, i.e. one whose route table sends 0.0.0.0/0 to the Internet Gateway. The notes used the default web SG; whatever SG you attach must allow inbound traffic from the private subnet's CIDR, or the NAT instance will drop the traffic it is supposed to forward.
- Disable "Source & Destination Check" on the NAT instance. By default EC2 discards packets whose source or destination is not the instance itself, which is exactly what forwarded NAT traffic looks like.
- Edit the route table used by the private subnet (the Main route table in these notes) and add a route for 0.0.0.0/0 whose target is the NAT instance ID (not the IGW).
- NAT Gateway is a managed service: AWS scales the underlying resources up and down based on demand.
- Most customers use NAT Gateways in production because failover is handled internally. Note that a NAT Gateway lives in one AZ; for resilience against an AZ outage, create one NAT Gateway per AZ and route each private subnet to the gateway in its own AZ.
NAT Instances
- When creating a NAT instance, Disable Source / Destination check on the instance
- NAT instance must be in a public subnet
- There must be a route out of the private subnet to the NAT instance, in order for this to work
- The amount of traffic a NAT instance supports depends on the instance size. If it is bottlenecking, increase the instance size.
- You can create high availability using AutoScaling Groups, multiple subnets in different AZ’s and a script to automate failover. This is extremely painful but can be done. Customers always complain about this pain point and hence the NAT Gateways were created.
- NAT Instances are always behind a SG.
NAT Gateways
- Relatively new service
- Preferred by the enterprise
- Scale automatically up to 10 Gbps (the limit when these notes were written; AWS has raised it since)
- No need to patch
- Not associated with SGs; control traffic to and from a NAT Gateway with network ACLs on its subnet instead
- Gets a public (Elastic) IP, which you allocate and associate when creating the gateway
- Remember to update your route tables
- No need to disable Source / Destination checks.
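Both checklists above (the NAT instance steps, and the route-table step for NAT Gateways) boil down to a handful of invariants that are easy to get wrong in the console. The script below is an added example, not from the original notes, that audits a private subnet's egress path from JSON shaped like the output of `aws ec2 describe-route-tables`, `describe-instances`, `describe-security-groups` and `describe-nat-gateways`. It checks that the private subnet's 0.0.0.0/0 route targets a NAT instance or NAT Gateway rather than the IGW, that the NAT sits in a public subnet, and, for a NAT instance, that source/destination check is off and a security group admits the private CIDR. The sample data at the bottom is constructed; the resource IDs are placeholders.

```python
"""Audit a private subnet's egress path through a NAT instance or NAT gateway.

Added example, not from the original notes. Input dicts follow the shape of the
`aws ec2 describe-*` JSON output; the sample data at the bottom is constructed.
"""


def routes_for_subnet(route_tables, subnet_id):
    """Routes of the table explicitly associated with subnet_id, else the main table."""
    main = []
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt["Routes"]
            if assoc.get("Main"):
                main = rt["Routes"]
    return main


def default_route(routes):
    """The 0.0.0.0/0 route, or None if the subnet has no route out."""
    return next((r for r in routes if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)


def subnet_is_public(route_tables, subnet_id):
    """A subnet is public when its default route targets an internet gateway (igw-...)."""
    dr = default_route(routes_for_subnet(route_tables, subnet_id))
    return bool(dr and str(dr.get("GatewayId", "")).startswith("igw-"))


def sg_allows_from(security_groups, group_ids, cidr):
    """True if any of group_ids has an inbound rule covering cidr (exact match or 0.0.0.0/0)."""
    for sg in security_groups:
        if sg["GroupId"] not in group_ids:
            continue
        for perm in sg.get("IpPermissions", []):
            for rng in perm.get("IpRanges", []):
                if rng.get("CidrIp") in (cidr, "0.0.0.0/0"):
                    return True
    return False


def check_private_egress(private_subnet_id, private_cidr, route_tables,
                         instances=(), security_groups=(), nat_gateways=()):
    """Return a list of findings; an empty list means the egress path looks correct."""
    findings = []
    dr = default_route(routes_for_subnet(route_tables, private_subnet_id))
    if dr is None:
        return ["private subnet has no 0.0.0.0/0 route"]
    if str(dr.get("GatewayId", "")).startswith("igw-"):
        return ["default route targets the IGW directly: subnet is public, not private"]
    if dr.get("State") == "blackhole":
        findings.append("default route is blackholed (target deleted or stopped)")

    if dr.get("NatGatewayId"):  # managed gateway: only placement and state to verify
        gw = next((g for g in nat_gateways if g["NatGatewayId"] == dr["NatGatewayId"]), None)
        if gw is None:
            return findings + [f"{dr['NatGatewayId']} not found"]
        if gw.get("State") != "available":
            findings.append(f"{gw['NatGatewayId']} state is {gw.get('State')}")
        if not subnet_is_public(route_tables, gw["SubnetId"]):
            findings.append(f"{gw['NatGatewayId']} is not in a public subnet")
        return findings

    nat_id = dr.get("InstanceId")  # NAT instance: placement, src/dst check and SG all matter
    if not nat_id:
        return findings + ["default route targets neither a NAT gateway nor an instance"]
    inst = next((i for i in instances if i["InstanceId"] == nat_id), None)
    if inst is None:
        return findings + [f"{nat_id} not found"]
    if inst.get("SourceDestCheck", True):
        findings.append(f"{nat_id}: source/destination check still enabled")
    if not subnet_is_public(route_tables, inst["SubnetId"]):
        findings.append(f"{nat_id}: not in a public subnet")
    group_ids = {g["GroupId"] for g in inst.get("SecurityGroups", [])}
    if not sg_allows_from(security_groups, group_ids, private_cidr):
        findings.append(f"{nat_id}: no security group rule allows inbound from {private_cidr}")
    return findings


# Constructed sample: a public subnet with its own table, a private subnet on the main table,
# and a NAT instance whose source/destination check was never disabled.
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat", "State": "active"}]},
]
INSTANCES = [{"InstanceId": "i-nat", "SubnetId": "subnet-pub", "SourceDestCheck": True,
              "SecurityGroups": [{"GroupId": "sg-nat"}]}]
SECURITY_GROUPS = [{"GroupId": "sg-nat", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]}]

if __name__ == "__main__":
    for finding in check_private_egress("subnet-priv", "10.0.1.0/24",
                                        ROUTE_TABLES, INSTANCES, SECURITY_GROUPS):
        print("FINDING:", finding)
```

Run against the sample it reports only the forgotten source/destination check; with a NatGatewayId route it skips the instance-specific checks, which is the practical difference between the two options in the notes. Feed it real `describe-*` output (the `RouteTables`, `Reservations[].Instances`, `SecurityGroups` and `NatGateways` arrays) to audit an existing VPC.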