Ensure that your NAT gateways are deployed in at least two Availability Zones (AZs). A NAT gateway lets EC2 instances in private subnets initiate connections to the Internet or to other AWS services while preventing the Internet from initiating connections to those instances. AWS Availability Zones are distinct locations engineered to be isolated from failures in other zones. Each NAT gateway is created in one specific Availability Zone and is redundant only within that zone; it does not survive the failure of the zone it lives in.
If EC2 instances in multiple Availability Zones share a single NAT gateway and the zone hosting that gateway fails, the gateway becomes unavailable and the instances in the other, still-healthy zones lose Internet access along with it. To build a fault-tolerant architecture, deploy NAT gateways in at least two Availability Zones (AZs), and point each zone's private route table at a NAT gateway in the same zone, so that an outage in one zone does not take down outbound connectivity everywhere.
To determine whether your Amazon NAT gateways are deployed in at least two Availability Zones, perform the following:
Remediation / Resolution
To deploy your NAT gateways in at least two Availability Zones (AZs), perform the following actions:
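Neither the audit steps nor the remediation steps are reproduced on this page. As an added example, not the page's own check, the Python below applies the rule to the JSON shapes returned by `aws ec2 describe-nat-gateways`, `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` (the three responses are embedded as constructed sample data with made-up resource IDs). It goes one step beyond the rule's count: a VPC can hold NAT gateways in two AZs and still lose Internet access in a zone whose private route table points at a gateway in another zone, so the script also flags those cross-AZ default routes and lists, per VPC, the AZs that have subnets but no live NAT gateway, which is where the remediation needs to add one.

```python
"""Added example (not the page's own check): apply the two-AZ NAT gateway rule
to the JSON shapes returned by
  aws ec2 describe-nat-gateways / describe-subnets / describe-route-tables
The sample responses below are constructed; all resource IDs are made up."""
from collections import defaultdict

DEFAULT_ROUTE = "0.0.0.0/0"

# vpc-a: one NAT gateway per AZ, each private subnet routes to its own AZ's gateway.
# vpc-b: one live gateway in us-east-1a serving private subnets in both AZs;
#        the gateway it once had in us-east-1b has been deleted.
NAT_GATEWAYS = {"NatGateways": [
    {"NatGatewayId": "nat-0a1", "VpcId": "vpc-a", "SubnetId": "subnet-a-pub-1a", "State": "available"},
    {"NatGatewayId": "nat-0a2", "VpcId": "vpc-a", "SubnetId": "subnet-a-pub-1b", "State": "available"},
    {"NatGatewayId": "nat-0b1", "VpcId": "vpc-b", "SubnetId": "subnet-b-pub-1a", "State": "available"},
    {"NatGatewayId": "nat-0b2", "VpcId": "vpc-b", "SubnetId": "subnet-b-pub-1b", "State": "deleted"},
]}
# Public and private subnets in us-east-1a/1b for both VPCs, e.g. subnet-a-priv-1b.
SUBNETS = {"Subnets": [
    {"SubnetId": f"subnet-{v}-{kind}-1{az}", "VpcId": f"vpc-{v}", "AvailabilityZone": f"us-east-1{az}"}
    for v in "ab" for kind in ("pub", "priv") for az in "ab"
]}
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-a-1a", "VpcId": "vpc-a",
     "Associations": [{"SubnetId": "subnet-a-priv-1a"}],
     "Routes": [{"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0a1"}]},
    {"RouteTableId": "rtb-a-1b", "VpcId": "vpc-a",
     "Associations": [{"SubnetId": "subnet-a-priv-1b"}],
     "Routes": [{"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0a2"}]},
    {"RouteTableId": "rtb-b", "VpcId": "vpc-b",  # one table shared by both AZs
     "Associations": [{"SubnetId": "subnet-b-priv-1a"}, {"SubnetId": "subnet-b-priv-1b"}],
     "Routes": [{"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0b1"}]},
]}


def _subnet_azs(subnets):
    return {s["SubnetId"]: s["AvailabilityZone"] for s in subnets["Subnets"]}


def nat_gateway_azs(nat_gateways, subnets):
    """VpcId -> {AZ: [NatGatewayId, ...]} for gateways in state 'available'.
    describe-nat-gateways carries no AZ field, so the AZ comes from the subnet."""
    subnet_az = _subnet_azs(subnets)
    by_vpc = defaultdict(lambda: defaultdict(list))
    for ngw in nat_gateways["NatGateways"]:
        if ngw["State"] != "available":  # pending, failed, deleting, deleted do not count
            continue
        by_vpc[ngw["VpcId"]][subnet_az[ngw["SubnetId"]]].append(ngw["NatGatewayId"])
    return {vpc: dict(azs) for vpc, azs in by_vpc.items()}


def vpcs_below_two_azs(nat_gateways, subnets):
    """The rule on this page: VPCs whose live NAT gateways span fewer than two AZs.
    VPCs with no NAT gateway at all are out of scope and are not reported."""
    return sorted(v for v, azs in nat_gateway_azs(nat_gateways, subnets).items() if len(azs) < 2)


def azs_missing_nat_gateway(nat_gateways, subnets):
    """Remediation target: per VPC, the AZs that hold subnets but no live NAT gateway."""
    have = nat_gateway_azs(nat_gateways, subnets)
    used = defaultdict(set)
    for s in subnets["Subnets"]:
        used[s["VpcId"]].add(s["AvailabilityZone"])
    return {vpc: sorted(used[vpc] - set(azs)) for vpc, azs in have.items()}


def cross_az_default_routes(nat_gateways, subnets, route_tables):
    """Stricter than the count: subnets whose 0.0.0.0/0 route uses a NAT gateway in
    another AZ keep working only while that other AZ is healthy."""
    subnet_az = _subnet_azs(subnets)
    ngw_az = {nid: az for azs in nat_gateway_azs(nat_gateways, subnets).values()
              for az, ids in azs.items() for nid in ids}
    findings = []
    for rtb in route_tables["RouteTables"]:
        targets = [r["NatGatewayId"] for r in rtb.get("Routes", [])
                   if r.get("DestinationCidrBlock") == DEFAULT_ROUTE and "NatGatewayId" in r]
        for assoc in rtb.get("Associations", []):
            sid = assoc.get("SubnetId")  # the main-table association carries no SubnetId
            if sid is None:
                continue
            for nid in targets:
                if nid in ngw_az and ngw_az[nid] != subnet_az[sid]:
                    findings.append((rtb["RouteTableId"], sid, subnet_az[sid], nid, ngw_az[nid]))
    return findings


if __name__ == "__main__":
    print("VPCs with NAT gateways in fewer than two AZs:", vpcs_below_two_azs(NAT_GATEWAYS, SUBNETS))
    print("AZs that need a NAT gateway:", azs_missing_nat_gateway(NAT_GATEWAYS, SUBNETS))
    for finding in cross_az_default_routes(NAT_GATEWAYS, SUBNETS, ROUTE_TABLES):
        print("cross-AZ default route:", finding)
```

In a real account the three dictionaries are the parsed output of the CLI calls named in the docstring (or the equivalent boto3 `describe_*` responses); the script itself is offline. For every AZ that `azs_missing_nat_gateway` reports, the fix is to create a NAT gateway with its own Elastic IP in a public subnet of that AZ and to point a private route table for that AZ's subnets at it for 0.0.0.0/0, so that each zone's private subnets depend only on a gateway in the same zone. Gateways in any state other than `available` are ignored on purpose: a `pending` or `deleting` gateway in a second AZ does not yet, or no longer, provides the redundancy the rule is after.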
Rule: Create NAT Gateways in at Least Two Availability Zones
Risk level: Medium