Ensure that your AWS VPC network(s) use the highly available Managed NAT Gateway service instead of a NAT instance so that EC2 instances in a private subnet can reach the internet or other AWS components.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework (efficiency pillar).
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
AWS provides two types of NAT devices: a managed NAT gateway and a NAT instance launched from a public AMI. Using the AWS VPC Managed NAT Gateway service instead of a NAT instance to forward traffic for instances in a private subnet has several advantages. The Managed NAT Gateway provides built-in redundancy for high availability (using a multi-AZ configuration), whereas a NAT instance relies on a script to manage failover. The Managed NAT Gateway also provides better bandwidth (traffic bursts up to 10 Gbps) than a NAT instance, which is limited to the bandwidth allocated to the EC2 instance type used. Lastly, the Managed NAT Gateway service uses optimized software to handle NAT traffic and is fully managed by AWS, whereas a NAT instance is not optimized and requires scaling and regular maintenance such as installing software updates or patches.
Audit
To determine if your VPC network(s) use a Managed NAT Gateway as a NAT device, perform the following:
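One way to perform this audit offline, as an added example that is not part of the Cloud Conformity page: inspect each route table's default route (0.0.0.0/0) and flag the ones whose target is an instance or its network interface rather than a NAT gateway. The input is a constructed dictionary shaped like the output of `aws ec2 describe-route-tables` (a real CLI command, though not one the page lists); the IDs are placeholders.

```python
"""Classify each VPC route table's default route: managed NAT gateway vs NAT instance."""
from typing import List

# Constructed sample in the shape of `aws ec2 describe-route-tables` output (IDs are placeholders).
SAMPLE_ROUTE_TABLES = {
    "RouteTables": [
        {   # private subnet routed through a managed NAT gateway (compliant)
            "RouteTableId": "rtb-0a", "VpcId": "vpc-0a",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a", "State": "active"},
            ],
        },
        {   # private subnet routed through a NAT instance (non-compliant)
            "RouteTableId": "rtb-0b", "VpcId": "vpc-0b",
            "Routes": [
                {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0b",
                 "NetworkInterfaceId": "eni-0b", "State": "active"},
            ],
        },
        {   # public subnet: default route to the internet gateway, not a NAT path at all
            "RouteTableId": "rtb-0c", "VpcId": "vpc-0a",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a", "State": "active"},
            ],
        },
    ]
}

def classify_default_route(route_table: dict) -> str:
    """Return 'nat-gateway', 'nat-instance', 'internet-gateway' or 'none'
    depending on where this table's 0.0.0.0/0 route points."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if "NatGatewayId" in route:
            return "nat-gateway"
        # A NAT instance appears as an InstanceId and/or its ENI as the route target.
        if "InstanceId" in route or "NetworkInterfaceId" in route:
            return "nat-instance"
        if route.get("GatewayId", "").startswith("igw-"):
            return "internet-gateway"
    return "none"

def find_nat_instance_route_tables(describe_output: dict) -> List[str]:
    """Route table IDs whose default route goes through a NAT instance (empty list = compliant)."""
    return [rt["RouteTableId"] for rt in describe_output.get("RouteTables", [])
            if classify_default_route(rt) == "nat-instance"]

def vpcs_failing_rule(describe_output: dict) -> List[str]:
    """VPC IDs that still route private-subnet traffic through a NAT instance."""
    return sorted({rt["VpcId"] for rt in describe_output.get("RouteTables", [])
                   if classify_default_route(rt) == "nat-instance"})
```

Run against the sample, `vpcs_failing_rule` reports `vpc-0b`, which is the VPC that would need the NAT gateway migration described in the remediation section.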
Remediation / Resolution
To enable the Managed NAT Gateway service for your AWS VPC network(s), perform the following:
References
- AWS Documentation
  - Amazon VPC FAQs
  - What is Amazon VPC?
  - NAT
  - NAT Gateways
  - NAT Instances
  - Comparison of NAT Instances and NAT Gateways
  - Scenario 2: VPC with Public and Private Subnets (NAT)
- AWS Command Line Interface (CLI) Documentation
  - describe-vpcs
  - describe-nat-gateways
  - allocate-address
  - describe-subnets
  - create-nat-gateway
  - create-route
  - replace-route
Rule: Managed NAT Gateway In Use
Risk level: Medium