 

AWS best practice: shall I have a NAT gateway in each AZ?

Since a NAT gateway only has redundancy within a single AZ, if I want to have a public/private pair of subnets in every AZ for the purpose of multi-AZ redundancy, I should have a NAT gateway in every AZ, shouldn't I?

Otherwise, if I have only one NAT and its AZ goes down, all the subnets in all AZs go down with it, defeating the purpose of the multi-AZ deployment.

Am I right or wrong?

Silly Dude asked Jun 23 '17 11:06




1 Answer

Yes, ideally you would have one NAT gateway per Availability Zone (AZ).

AWS documents this advice at Comparison of NAT Instances and NAT Gateways:

Highly available: NAT gateways in each Availability Zone are implemented with redundancy. Create a NAT gateway in each Availability Zone to ensure zone-independent architecture.

A single NAT gateway in a single AZ has redundancy within that AZ only, so if there were zonal issues then instances in other AZs would have no route to the internet.

Note: there are per-hour charges for each NAT gateway as well as per-GB data processing charges (see VPC Pricing). See How can I reduce data transfer charges for my NAT gateway?

jarmod answered Oct 12 '22 10:10
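As an added example, not part of the question or the answer: a small audit that flags every private subnet whose 0.0.0.0/0 route depends on a NAT gateway in a different Availability Zone, which is the zonal dependency the answer describes. It runs over constructed data shaped like the EC2 describe_subnets, describe_nat_gateways and describe_route_tables responses; all subnet, NAT gateway and AZ identifiers in it are invented.

```python
# Constructed sample data, shaped like EC2 describe_* responses (not real resources).
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-priv-c", "AvailabilityZone": "us-east-1c"},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-a", "SubnetId": "subnet-pub-a", "State": "available"},
    {"NatGatewayId": "nat-b", "SubnetId": "subnet-pub-b", "State": "available"},
]
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    # One table shared by two AZs: both subnets hairpin through nat-a in us-east-1a.
    {"Associations": [{"SubnetId": "subnet-priv-b"}, {"SubnetId": "subnet-priv-c"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
]

def audit_nat_routes(subnets, nat_gateways, route_tables):
    """Map each NAT-routed subnet to 'ok' or a finding describing its zonal dependency."""
    subnet_az = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    # A NAT gateway lives in the AZ of the public subnet it was created in.
    nat_az = {n["NatGatewayId"]: subnet_az[n["SubnetId"]]
              for n in nat_gateways if n["State"] == "available"}
    findings = {}
    for table in route_tables:
        default = next((r for r in table["Routes"]
                        if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        if not default or "NatGatewayId" not in default:
            continue  # no NAT default route: a public subnet, or no egress at all
        nat_id = default["NatGatewayId"]
        for assoc in table["Associations"]:
            sid = assoc.get("SubnetId")
            if sid is None:
                continue  # the main route table association carries no subnet id
            if nat_id not in nat_az:
                findings[sid] = f"route targets {nat_id}, which is not available"
            elif nat_az[nat_id] != subnet_az[sid]:
                findings[sid] = (f"cross-AZ: {subnet_az[sid]} depends on {nat_id} "
                                 f"in {nat_az[nat_id]}")
            else:
                findings[sid] = "ok"
    return findings

if __name__ == "__main__":
    for sid, finding in audit_nat_routes(SUBNETS, NAT_GATEWAYS, ROUTE_TABLES).items():
        print(sid, finding)
```

With boto3 the same three lists come from ec2.describe_subnets()['Subnets'], ec2.describe_nat_gateways()['NatGateways'] and ec2.describe_route_tables()['RouteTables'].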