Ensure that your AWS VPC network(s) use the highly available Managed NAT Gateway service instead of a NAT instance in order to enable EC2 instances sitting in a private subnet to connect to the internet or to other AWS components.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
AWS provides two types of NAT devices: a managed NAT gateway and a NAT instance launched from a public AMI. Using the AWS VPC Managed NAT Gateway service instead of a NAT instance to forward traffic for your instances in a private subnet has several advantages. The Managed NAT Gateway provides built-in redundancy for high availability (using the multi-AZ configuration), whereas a NAT instance relies on just a script to manage failover. The Managed NAT Gateway also provides better bandwidth (traffic bursts up to 10Gbps) than a NAT instance, which is limited to the bandwidth allocated to the EC2 instance type used. Lastly, the Managed NAT Gateway service uses software optimized for handling NAT traffic and is fully managed by AWS, whereas a NAT instance is not optimized and requires scaling and regular maintenance such as installing software updates or patches.
To determine if your VPC network(s) use a Managed NAT Gateway as a NAT device, perform the following:
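As an added example (not part of the original rule page or of the Cloud Conformity tool), the audit step described above can be implemented by inspecting each VPC route table's IPv4 default route: a `0.0.0.0/0` route whose target is a `nat-…` NAT gateway is the managed service, while a default route targeting an EC2 instance or network interface is the NAT-instance pattern. The rule logic below operates on the JSON shape returned by `aws ec2 describe-route-tables`, so it runs offline against a constructed sample; the optional `fetch_route_tables` helper assumes `boto3` is installed and credentials with `ec2:DescribeRouteTables` are configured. The sample route-table data and all resource IDs are constructed, not real AWS resources.

```python
"""Audit VPC route tables: Managed NAT Gateway vs. NAT instance egress (added example)."""

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed sample shaped like a describe-route-tables response (not real AWS data).
SAMPLE_ROUTE_TABLES = [
    {   # private subnet whose default route targets a Managed NAT Gateway (compliant)
        "RouteTableId": "rtb-0aaa111", "VpcId": "vpc-0111",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc123", "State": "active"},
        ],
    },
    {   # private subnet whose default route targets an EC2 NAT instance (non-compliant)
        "RouteTableId": "rtb-0bbb222", "VpcId": "vpc-0111",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0nat9999",
             "NetworkInterfaceId": "eni-0nat9999", "State": "active"},
        ],
    },
    {   # public subnet: default route via an internet gateway, so no NAT device is involved
        "RouteTableId": "rtb-0ccc333", "VpcId": "vpc-0222",
        "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0def456", "State": "active"},
        ],
    },
    {   # isolated subnet: no default route at all
        "RouteTableId": "rtb-0ddd444", "VpcId": "vpc-0222",
        "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"}],
    },
]


def classify_default_route(route_table):
    """Return how the table's IPv4 default route leaves the VPC:
    'nat-gateway', 'nat-instance', 'internet-gateway', 'other', or 'none'."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        if route.get("State", "active") != "active":
            continue  # a blackholed route carries no traffic, so it is not a working egress path
        if route.get("NatGatewayId"):
            return "nat-gateway"
        if route.get("InstanceId") or route.get("NetworkInterfaceId"):
            # A default route pointed at an instance/ENI is the NAT-instance pattern
            return "nat-instance"
        if route.get("GatewayId", "").startswith("igw-"):
            return "internet-gateway"
        return "other"  # e.g. virtual private gateway, transit gateway, peering
    return "none"


def audit(route_tables):
    """One finding per route table; non-compliant means the default route uses a NAT instance."""
    findings = []
    for rt in route_tables:
        egress = classify_default_route(rt)
        findings.append({
            "VpcId": rt["VpcId"],
            "RouteTableId": rt["RouteTableId"],
            "egress": egress,
            "compliant": egress != "nat-instance",
        })
    return findings


def fetch_route_tables(region_name):
    """Live fetch for a real account (assumes boto3 and ec2:DescribeRouteTables permission)."""
    import boto3  # imported lazily so the offline sample runs without boto3 installed
    ec2 = boto3.client("ec2", region_name=region_name)
    tables = []
    for page in ec2.get_paginator("describe_route_tables").paginate():
        tables.extend(page["RouteTables"])
    return tables


if __name__ == "__main__":
    # Replace SAMPLE_ROUTE_TABLES with fetch_route_tables("us-east-1") to audit a live region.
    for f in audit(SAMPLE_ROUTE_TABLES):
        flag = "OK  " if f["compliant"] else "FAIL"
        print(f"{flag} {f['VpcId']} {f['RouteTableId']} default route via {f['egress']}")
```

Only route tables whose default route resolves to an instance or ENI are reported as failing; public subnets (internet gateway) and isolated subnets (no default route) are listed for context but are outside the scope of this rule, and blackholed routes are ignored because they forward nothing.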
To enable the Managed NAT Gateway service for your AWS VPC network(s), perform the following: