Logo of Trend Micro

Managed NAT Gateway In Use

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: VPC-003

Ensure that your AWS VPC network(s) use the highly available Managed NAT Gateway service instead of an NAT instance in order to enable EC2 instances sitting in a private subnet to connect to the internet or with other AWS components.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Performance
efficiency

AWS provides two types of NAT devices: a managed NAT gateway and a NAT instance instantiated from a public AMI. Using the AWS VPC Managed NAT Gateway service instead of an NAT instance to forward traffic for your instances available in a private subnet has multiple advantages. For example, the Managed NAT Gateway provides built-in redundancy for high availability (using the multi-AZ configuration) compared to the NAT instance which use just a script to manage failover, Managed NAT Gateway provides better bandwidth (traffic bursts up to 10Gbps) than the NAT instance which is limited to the bandwidth allocated for the EC2 instance type used. Lastly, the Managed NAT Gateway service is using optimized software to handle NAT traffic and is fully managed by AWS compared to the NAT instance which is not optimized and requires scaling and regular maintenance such as installing software updates or patches.

Audit

To determine if your VPC network(s) use a Managed NAT Gateway as a NAT device, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 Under Filter by VPC:

Under Filter by VPC select the VPC that you want to examine

select the VPC that you want to examine.

04 In the left navigation panel, under Virtual Private Cloud section, click NAT Gateways.

05 And search for any managed NAT gateways available. If there is no NAT gateway created for the selected VPC, the dashboard will display the following message: “You do not have any NAT gateways in this region.”.

06 Repeat step no. 3, 4 and 5 for each VPC network available in the current region. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Run describe-vpcs command (OSX/Linux/UNIX) to list the VPCs available in the selected region and their IDs: 

aws ec2 describe-vpcs
	--region us-east-1
	--query 'Vpcs[*].VpcId'

02 The command output should return the ID for each VPC available in the US East region: 

[
    "vpc-fb03eb9c",
    "vpc-f7ac5792"
]

03 Run describe-nat-gateways command (OSX/Linux/UNIX) using each VPC ID to list any NAT Gateway devices currently in use for the selected VPC: 

aws ec2 describe-nat-gateways
	--region us-east-1
	--filter "Name=vpc-id,Values=vpc-f7ac5792" "Name=state,Values=available"

04 The command output should return each NAT gateway available and its metadata. If the NatGateways object list is empty, there is no NAT gateway in use for the selected VPC: 

{
    "NatGateways": []
}

05 Repeat step no. 3 for each VPC network available in the current region. Change the AWS region to repeat the process for other regions.

Remediation / Resolution

To enable the Managed NAT Gateway service for your AWS VPC network(s), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 Under Filter by VPC:

Under Filter by VPC select the VPC that you want to examine

select the VPC that you want to examine.

04 In the left navigation panel, under Virtual Private Cloud section, click NAT Gateways.

05 Click Create NAT Gateway button from the dashboard top menu.

06 In the Create a NAT Gateway dialog box, perform the following:

  1. In the Subnet* field select the public subnet in which to create the managed NAT gateway. If you need to replace your existing NAT instance with this NAT gateway, make sure you choose the same subnet and replace the necessary entry in the route table with a new entry that points to this NAT gateway.
  2. In the Elastic IP Allocation ID* field select an existing Elastic IP address or create a new one by clicking the Create New EIP button.

07 Review the details and click Create a NAT Gateway button. The following confirmation message will be displayed: “Your NAT gateway has been created.”

08 In the left navigation panel, under Virtual Private Cloud section, click Route Tables.

09 Select the VPC main route table associated with the private subnet.

10 Select the Routes tab from the bottom panel and click the Edit button to update the route table.

11 Click Add another route and enter 0.0.0.0/0 in the Destination field and select the ID of the newly created gateway in the Target field. To replace your existing NAT instance with the new NAT gateway, make sure you remove first the NAT instance entry from the route table by clicking the x button.

12 Click Save to apply the new routing configuration.

Using AWS CLI

01 Run allocate-address command (OSX/Linux/UNIX) to create a new Elastic IP (EIP) in the selected AWS region: 

aws ec2 allocate-address
	--region us-east-1
	--domain vpc

02 The command output should return the metadata for the new EIP: 

{
    "PublicIp": "52.70.33.211",
    "Domain": "vpc",
    "AllocationId": "eipalloc-66ee7b00"
}

03 Run describe-vpcs command (OSX/Linux/UNIX) to list the VPC network(s) ID(s) available in the selected region: 

aws ec2 describe-vpcs
	--region us-east-1
	--query 'Vpcs[*].VpcId'

04 The command output should return the ID for each VPC network: 

[
    "vpc-fb03eb9c",
    "vpc-f7ac5792"
]

05 Now that we have the necessary VPC ID run describe-subnets command (OSX/Linux/UNIX) to list the subnets (public and private) available within the VPC: 

aws ec2 describe-subnets
	--region us-east-1
	--filters "Name=vpc-id,Values=vpc-fb03eb9c"

06 The command output should return the metadata for each subnet in use:

{
    "Subnets": [
        {
            "VpcId": "vpc-fb03eb9c",
            "Tags": [
                {
                    "Value": "Public subnet",
                    "Key": "Name"
                }
            ],
            "CidrBlock": "10.0.0.0/24",
            "MapPublicIpOnLaunch": false,
            "DefaultForAz": false,
            "State": "available",
            "AvailabilityZone": "us-east-1a",
            "SubnetId": "subnet-5240de78",
            "AvailableIpAddressCount": 251
        },
        {
            "VpcId": "vpc-fb03eb9c",
            "Tags": [
                {
                    "Value": "Private subnet",
                    "Key": "Name"
                }
            ],
            "CidrBlock": "10.0.1.0/24",
            "MapPublicIpOnLaunch": false,
            "DefaultForAz": false,
            "State": "available",
            "AvailabilityZone": "us-east-1b",
            "SubnetId": "subnet-4d0e463b",
            "AvailableIpAddressCount": 251
        }
    ]
}

07 Run create-nat-gateway command (OSX/Linux/UNIX) to create the new managed NAT gateway in the specified public subnet, using the Elastic IP created earlier: 

aws aws ec2 create-nat-gateway
	--region us-east-1
	--subnet-id subnet-5240de78
	--allocation-id eipalloc-66ee7b00

08 The command output should return the NAT gateway metadata: 

{
    "NatGateway": {
        "NatGatewayAddresses": [
            {
                "AllocationId": "eipalloc-66ee7b00"
            }
        ],
        "VpcId": "vpc-fb03eb9c",
        "State": "pending",
        "NatGatewayId": "nat-0c94de01c18e08435",
        "SubnetId": "subnet-5240de78",
        "CreateTime": "2016-04-26T16:19:31.050Z"
    }
}

09 Lastly, run create-route command (OSX/Linux/UNIX) to create a route entry for the newly created NAT gateway in the VPC main route table associated with the private subnet: 

aws ec2 create-route
	--region us-east-1
	--route-table-id rtb-7a503d1d
	--destination-cidr-block 0.0.0.0/0
	--nat-gateway-id nat-0c94de01c18e08435

10 If successful, the command output should return true: 

{
    "Return": true
}

11 (Optional) To replace an existing NAT instance with the new NAT gateway, replace the NAT instance route with the specified NAT gateway route. Run replace-route command (OSX/Linux/UNIX) to replace the route entry with the specified destination CIDR (0.0.0.0/0 in this case): 

aws ec2 replace-route
	--region us-east-1
	--route-table-id rtb-7a503d1d
	--destination-cidr-block r0.0.0.0/0
	--nat-gateway-id rnat-0c94de01c18e08435

References

Publication date Apr 27, 2016

Related VPC rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Managed NAT Gateway In Use

Risk level: Medium