NATs
The Data Landing Zone offers support for creating Gateway and Instance Network Address Translators (NATs) within a VPC. To create a NAT, specify the following parameters:
- location: The Subnet Network Address that defines where the NAT will be deployed.
- allowAccessFrom: The Route Table Network Address(es) specifying which route tables should send traffic through the NAT.
- type: The type of NAT (Gateway or Instance), including any additional properties needed for the selected NAT type, for example the instanceType for NAT instances.
The following example configures:
- One account named development with two VPCs: one in the eu-west-1 region and the other in the us-east-1 region.
- One NAT Gateway in the eu-west-1 region public subnet of the development account, routing all outbound private subnet traffic through it.
- One NAT Instance in the us-east-1 region public subnet of the development account, routing all outbound private subnet traffic through it.
Each NAT configuration includes the following:
- A single Internet Gateway
- A NAT Gateway or Instance
- Routes in the route table of the NAT's subnet pointing all outbound traffic (0.0.0.0/0) to the Internet Gateway
- Routes in the route tables listed in allowAccessFrom pointing all outbound traffic (0.0.0.0/0) to the NAT Gateway or Instance
Configuration examples
Single NAT Gateway in the public subnet
The default VPC includes two Route Tables, one private and one public, as defined by the Defaults.vpcClassB3Private3Public function. In the configuration below, the NAT is placed in the public-1 subnet, and the private route table is set to route all outbound traffic through the NAT.
NAT Gateway per AZ
Because the default VPC function creates only a single public and a single private route table, it cannot be used for this layout. This example configures the VPC with separate route tables for each Availability Zone (AZ), so that the NAT in each AZ's public subnet routes traffic only from the private subnets within the same AZ.
With this setup no egress traffic leaves its AZ, so the loss of one AZ (or its NAT) does not take down outbound connectivity in the others, giving a highly available and resilient architecture.
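The following is an added example, not part of the Data Landing Zone code or its API: it models the three documented parameters (location, allowAccessFrom, type) as plain TypeScript objects and checks a NAT layout for the failure modes discussed above (NAT outside a public subnet, a NAT instance without an instanceType, a private route table with no NAT, and private subnets routed through a NAT in another AZ). The Subnet type, the address strings and the sample VPC are assumptions constructed for the example.

```typescript
// Added example, not the Data Landing Zone's own API: a plain model of the three
// documented NAT parameters and a pre-deployment check for the failure modes above.
type NatType = { kind: "gateway" } | { kind: "instance"; instanceType: string };
interface NatConfig {
  location: string;          // Subnet Network Address where the NAT is deployed
  allowAccessFrom: string[]; // Route Table Network Addresses sent through the NAT
  type: NatType;
}
// Assumed minimal view of a subnet (not a DLZ type): its address, AZ, kind and route table.
interface Subnet { address: string; az: string; isPublic: boolean; routeTable: string }
// Returns findings; an empty list means the NAT layout is sound.
function checkNats(subnets: Subnet[], nats: NatConfig[]): string[] {
  const findings: string[] = [];
  const covered: string[] = []; // subnets that received a NAT route
  for (const nat of nats) {
    const home = subnets.find((s) => s.address === nat.location);
    if (!home) { findings.push(`${nat.location}: subnet not found`); continue; }
    // A NAT only works from a subnet whose route table reaches the Internet Gateway.
    if (!home.isPublic) findings.push(`${nat.location}: NAT must sit in a public subnet`);
    if (nat.type.kind === "instance" && !nat.type.instanceType)
      findings.push(`${nat.location}: NAT instance needs an instanceType`);
    for (const rt of nat.allowAccessFrom) {
      if (rt === home.routeTable) // its 0.0.0.0/0 already points at the IGW
        findings.push(`${rt}: is the NAT's own route table`);
      const users = subnets.filter((s) => s.routeTable === rt);
      if (users.length === 0) findings.push(`${rt}: no subnet uses this route table`);
      for (const s of users) {
        covered.push(s.address);
        // Cross-AZ egress fails with the NAT's AZ and pays inter-AZ transfer.
        if (s.az !== home.az)
          findings.push(`${s.address} (${s.az}) routes through NAT in ${home.az}`);
      }
    }
  }
  for (const s of subnets)
    if (!s.isPublic && covered.indexOf(s.address) < 0)
      findings.push(`${s.address}: private subnet has no NAT route`);
  return findings;
}
// Constructed sample: a 3-AZ VPC in eu-west-1 with one public and one private
// route table per AZ, i.e. the layout of the "NAT Gateway per AZ" section.
const p = "development.eu-west-1.default";
const subnets: Subnet[] = [];
const perAzNats: NatConfig[] = [];
["a", "b", "c"].forEach((az, i) => {
  const n = i + 1;
  subnets.push({ address: `${p}.public-${n}`, az: `eu-west-1${az}`, isPublic: true, routeTable: `${p}.public-${n}` });
  subnets.push({ address: `${p}.private-${n}`, az: `eu-west-1${az}`, isPublic: false, routeTable: `${p}.private-${n}` });
  perAzNats.push({ location: `${p}.public-${n}`, allowAccessFrom: [`${p}.private-${n}`], type: { kind: "gateway" } });
});
```

Running checkNats on perAzNats yields no findings, while a single NAT in public-1 serving all three private route tables is reported for the two private subnets it would pull across AZs.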