• NAT Gateway requires an Elastic IP
  • NAT Instances
    • Created using public AMIs
    • Disable Source / Destination check on the instance
    • Must be in public subnet
  • Without a NAT device, private subnets cannot talk to the internet
  • NAT Instance
    • create SG for NAT outbound
    • launch NAT AMI (linux)
    • Disable source/destination check
    • configure route table of private subnet to direct internet traffic to the NAT instance
    • Allocate EIP and assign to NAT instance
    • When creating a NAT instance, disable Source/Destination checks on the instance or you could encounter issues
    • NAT instances must be in a public subnet
    • There must be a route out of the private subnet to the NAT instance in order for it to work
    • The amount of traffic a NAT instance supports depends on the instance size. If you are experiencing any sort of bottleneck with a NAT instance, increase the instance size
    • HA can be achieved by using Auto Scaling groups, or multiple subnets in different AZs with a scripted fail-over procedure
    • NAT instances are always behind a security group
  • NAT Gateway (Preferred)
    • simpler
    • HA
    • configure route table of private subnet to direct Internet traffic to NAT gateway
    • Allocate EIP and assign to NAT gateway
    • NAT Gateways scale automatically up to 10Gbps
    • There is no need to patch NAT gateways as the AMI is handled by AWS
    • NAT gateways are automatically assigned a public IP address
    • When a new NAT gateway has been created, remember to update your route table
    • No need to assign a security group, NAT gateways are not associated with security groups
    • Preferred in the Enterprise
    • No need to disable Source/Destination checks
    • More secure than a NAT instance
  • Virtual Private Gateways (VPG), Customer Gateways (CGW), Virtual Private Networks (VPN)
    • Create VPG
    • Create CGW
    • Create VPN
    • The customer must initiate traffic to bring the tunnel up, so the customer should run keep-alives on their side
    • CGW supports dynamic (BGP) and static routing
    • Supports many CGWs to one VPG
    • VPN has two tunnels for HA
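The three NAT-instance prerequisites above (source/destination check disabled, instance in a public subnet, a default route out of the private subnet) and the "remember to update your route table" point for NAT gateways can be audited from route-table and instance data. The following is an added example, not part of the original notes; the dictionaries mimic the shape of the AWS `describe-route-tables` / `describe-instances` JSON, but every ID and value is constructed.

```python
"""Audit NAT prerequisites against route-table and instance data (constructed sample)."""


def public_subnets(route_tables):
    """Subnets whose route table sends 0.0.0.0/0 to an internet gateway (igw-*)."""
    public = set()
    for rt in route_tables:
        for route in rt["Routes"]:
            if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                    and route.get("GatewayId", "").startswith("igw-")):
                public.update(a["SubnetId"] for a in rt["Associations"] if "SubnetId" in a)
    return public


def default_route_target(route_tables, subnet_id):
    """Target of the subnet's 0.0.0.0/0 route (instance, NAT gateway or IGW id), or None."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            for route in rt["Routes"]:
                if route.get("DestinationCidrBlock") == "0.0.0.0/0":
                    return route.get("InstanceId") or route.get("NatGatewayId") or route.get("GatewayId")
    return None


def check_nat_instance(instance, route_tables, private_subnet_id):
    """Return the list of violated NAT-instance prerequisites (empty list means all met)."""
    problems = []
    if instance["SourceDestCheck"]:
        problems.append("source/destination check still enabled")
    if instance["SubnetId"] not in public_subnets(route_tables):
        problems.append("NAT instance is not in a public subnet")
    if default_route_target(route_tables, private_subnet_id) != instance["InstanceId"]:
        problems.append("private subnet has no default route to the NAT instance")
    return problems


# Constructed sample: a public route table (default route to an IGW) and a private one
# whose default route points at the NAT instance. IDs are placeholders, not real resources.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0nat"}]},
]
NAT_INSTANCE = {"InstanceId": "i-0nat", "SubnetId": "subnet-public", "SourceDestCheck": False}

if __name__ == "__main__":
    print(check_nat_instance(NAT_INSTANCE, ROUTE_TABLES, "subnet-private") or "all prerequisites met")
```

For a NAT gateway, the same `default_route_target` check applies: the private subnet's 0.0.0.0/0 route should resolve to the gateway's `nat-...` id after the gateway is created.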