November 23, 2017

NAT Gateway vs NAT Instances

Some notes gathered from around the web on NAT Gateway vs NAT Instances.

o NAT Instance – the older option; NAT Gateway is relatively new, introduced in 2016
o http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-comparison.html
o NAT Instance is an EC2 instance
  • Create an EC2 instance, put it behind the default web SG and launch it.
  • Create a route out to the internet from the NAT Instance, then go ahead and disable “Source & Destination Check” on it.
  • Attach the instance to the Private Security Group (or the default one), then edit the Main Route Table to add a route for 0.0.0.0/0 whose target is the newly created NAT Instance (select the NAT Instance Id, not the IGW).
o NAT Gateway
  • NAT Gateway is a managed service: AWS takes care of scaling the underlying resources up and down as needed
  • Most customers use NAT Gateway in Production, as failover is handled internally


NAT Instances
  • When creating a NAT instance, disable the Source / Destination check on the instance
  • The NAT instance must be in a public subnet
  • There must be a route out of the private subnet to the NAT instance in order for this to work
  • The amount of traffic a NAT instance supports depends on the instance size. If you are bottlenecking, increase the instance size
  • You can create high availability using Auto Scaling Groups, multiple subnets in different AZs and a script to automate failover. This is extremely painful but can be done. Customers always complained about this pain point, and hence NAT Gateways were created.
  • NAT Instances always sit behind a SG.


NAT Gateways
  • Relatively new service
  • Preferred by the enterprise
  • Scales automatically up to 10 Gbps
  • No need to patch
  • Not associated with SGs
  • Automatically assigned a public IP
  • Remember to update your route tables
  • No need to disable Source / Destination checks.
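As an added example (not from the post), a Python check that applies the rules above to a VPC: a private subnet's 0.0.0.0/0 route must target either a NAT Gateway (which needs neither an SG nor a Source/Destination change) or a NAT Instance that sits in a public subnet, behind an SG, with Source/Destination check disabled. Input dicts follow the shape of `aws ec2 describe-route-tables` and `describe-instances` output; the sample data and function names are constructed for this example.

```python
# Added example, not from the post: check a private subnet's egress against the NAT rules above.
# route_tables mirrors describe-route-tables RouteTables[]; instances maps InstanceId to Instances[] fields.
def rt_for_subnet(subnet_id, route_tables):
    """Explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def default_route(subnet_id, route_tables):
    """The 0.0.0.0/0 route the subnet actually uses, or None."""
    rt = rt_for_subnet(subnet_id, route_tables)
    routes = rt["Routes"] if rt else []
    return next((r for r in routes if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)

def targets_igw(route):
    return bool(route) and str(route.get("GatewayId", "")).startswith("igw-")

def audit_private_subnet(subnet_id, route_tables, instances):
    """Return findings; an empty list means egress matches the NAT Instance/Gateway rules."""
    route = default_route(subnet_id, route_tables)
    if route is None:
        return ["no 0.0.0.0/0 route: the private subnet has no egress path"]
    if targets_igw(route):
        return ["0.0.0.0/0 targets an IGW: the subnet is public, not private"]
    if route.get("NatGatewayId"):
        return []  # managed NAT Gateway: no SG and no source/dest check to verify
    inst = instances.get(route.get("InstanceId"))
    if inst is None:
        return ["0.0.0.0/0 targets an unknown resource (expected a NAT instance id)"]
    findings = []
    if inst.get("SourceDestCheck", True):  # EC2 default is True, which breaks NAT
        findings.append("NAT instance still has Source/Destination check enabled")
    if not inst.get("SecurityGroups"):
        findings.append("NAT instance has no security group attached")
    if not targets_igw(default_route(inst.get("SubnetId"), route_tables)):
        findings.append("NAT instance is not in a public subnet")
    return findings

def table(assoc, **target):  # constructed sample: a route table with one 0.0.0.0/0 route
    return {"Associations": [assoc], "Routes": [dict(DestinationCidrBlock="0.0.0.0/0", **target)]}

ROUTE_TABLES = [table({"SubnetId": "subnet-pub"}, GatewayId="igw-1"),
                table({"Main": True}, InstanceId="i-nat")]  # private subnet uses main
INSTANCES = {"i-nat": {"SubnetId": "subnet-pub", "SourceDestCheck": False,
                       "SecurityGroups": [{"GroupId": "sg-default"}]}}
```

Running `audit_private_subnet("subnet-priv", ROUTE_TABLES, INSTANCES)` on the sample returns an empty list; re-enabling SourceDestCheck, removing the SG, or moving the NAT instance into a subnet without an IGW route each produces a finding.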
