A-EC2-23

VPCs with Multiple NATs

Risk:
Advisory

AWS VPCs do not require multiple NATs unless the marginal gains from cross-AZ resiliency are worth the increased cost and maintenance burden. In such cases, it may be better to consider multi-region solutions for more effective failover.


Details

AWS Virtual Private Clouds (VPCs) offer various networking options to manage communication between the VPC and the broader internet. The two primary options are an Internet Gateway and a Network Address Translation (NAT) service.

The Internet Gateway facilitates direct communication with the internet using a publicly accessible unique IP address assigned to each resource. Conversely, a NAT service connects to an Internet Gateway but provides a single outbound communication channel for all attached subnets. Therefore, all outgoing connections from your attached subnets are routed through the NAT, which has a known public IP address. This communication method works for outbound traffic and the responses to it, but never for externally initiated inbound traffic, protecting your resources from communications initiated from outside.

This arrangement allows internal machines in your VPC to initiate outbound connections to the internet while preventing inbound connections from identifying individual resources within the VPC.

As the NAT becomes critical infrastructure for all outbound and responding internet traffic, it is common practice to deploy a NAT in each utilised Availability Zone (AZ). Unlike VPCs with a single NAT resource, this provides a fallback to other Availability Zones should one NAT become unavailable. However, this can be unnecessary in environments that do not need the additional uptime, and it does not protect against total region outages or against outages that affect multiple Availability Zones.

Rather than provisioning NATs across all utilised Availability Zones, you can effectively use a single NAT service for an entire VPC. This can be accomplished by configuring the route tables for the subnets to direct traffic to the same single NAT. This approach offers significant cost savings since each NAT resource incurs the same cost whilst additional NATs only provide marginal gains in availability.

In our experience, AWS regions commonly experience failures at the regional level instead of within individual Availability Zones. As a result, for non-critical production environments, it may be more economical to forgo the marginal availability boost that comes from using multiple NATs and rely instead on a single NAT.

Additionally, using one NAT per region allows for simplified network management, as with a single NAT resource all outbound communications from attached subnets share the same external IP address and the same Route Table.

For environments with high-availability requirements, it may still be best to utilise multiple NATs across the Availability Zones while exploring a cross-region strategy. A cross-region strategy would provide far better resiliency than provisioning for the limited benefits provided by multiple NATs within a single region.

Remediation

If additional uptime is not essential for your NAT service, it may be advantageous to decommission the redundant NATs and configure your route tables in that region to direct traffic to the remaining single NAT. In this configuration, if there were to be network connectivity issues in a specific Availability Zone hosting your NAT, your VPC would experience limited outbound internet access for resources within that region. However, external inbound requests via Load Balancers and other external services might not be affected.
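Before decommissioning anything, it helps to inventory which NAT gateways each VPC has and which route tables send their default route through which NAT. The following Python is an added example, not SkySiege's tooling; it runs on constructed sample data shaped like the EC2 DescribeNatGateways and DescribeRouteTables responses, so the same functions could be fed the output of those calls from boto3.

```python
"""Audit NAT gateway usage per VPC from DescribeNatGateways/DescribeRouteTables-shaped data."""
from collections import defaultdict

# Constructed sample in the shape of the EC2 DescribeNatGateways response (not real resources)
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0a1", "VpcId": "vpc-111", "SubnetId": "subnet-a1", "State": "available"},
    {"NatGatewayId": "nat-0a2", "VpcId": "vpc-111", "SubnetId": "subnet-b1", "State": "available"},
    {"NatGatewayId": "nat-0b1", "VpcId": "vpc-222", "SubnetId": "subnet-c1", "State": "available"},
    {"NatGatewayId": "nat-0b9", "VpcId": "vpc-222", "SubnetId": "subnet-c2", "State": "deleted"},
]

# Constructed sample in the shape of the EC2 DescribeRouteTables response
ROUTE_TABLES = [
    {"RouteTableId": "rtb-1a", "VpcId": "vpc-111",
     "Associations": [{"SubnetId": "subnet-a2"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1"}]},
    {"RouteTableId": "rtb-1b", "VpcId": "vpc-111",
     "Associations": [{"SubnetId": "subnet-b2"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a2"}]},
    {"RouteTableId": "rtb-2a", "VpcId": "vpc-222",
     "Associations": [{"SubnetId": "subnet-c3"}, {"SubnetId": "subnet-d3"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0b1"}]},
]


def audit_nats(nat_gateways, route_tables):
    """Return {vpc_id: {"nats": [live NAT ids], "default_routes": {rtb_id: nat_id}}}.
    Only NAT gateways in a live state are counted; deleted ones are ignored."""
    report = defaultdict(lambda: {"nats": [], "default_routes": {}})
    for ngw in nat_gateways:
        if ngw["State"] in ("pending", "available"):
            report[ngw["VpcId"]]["nats"].append(ngw["NatGatewayId"])
    for rtb in route_tables:
        for route in rtb["Routes"]:
            # A 0.0.0.0/0 route via a NAT is what makes that NAT critical for the subnet
            if route.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in route:
                report[rtb["VpcId"]]["default_routes"][rtb["RouteTableId"]] = route["NatGatewayId"]
    return dict(report)


def multi_nat_vpcs(report):
    """VPC ids that match this finding: more than one live NAT gateway in the VPC."""
    return sorted(vpc for vpc, r in report.items() if len(r["nats"]) > 1)


if __name__ == "__main__":
    rep = audit_nats(NAT_GATEWAYS, ROUTE_TABLES)
    for vpc in multi_nat_vpcs(rep):
        print(f"{vpc}: {len(rep[vpc]['nats'])} NATs, default routes {rep[vpc]['default_routes']}")
```

The default_routes map is the list of route tables you would repoint to the surviving NAT if you decide to consolidate.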

Therefore, it’s important to analyse the current architecture and any Service Level Agreements (SLAs) that are in place for hosted services to determine a suitable cost-effective environment. To get visibility into your outbound network connections and where you can make cost and maintenance savings, book in a SkySiege Cloud Assessment with included consultation:

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.
