NAT Gateway

Question 1

NAT Instances

NAT Instance or NAT Gateway?

Answer 1

NAT Gateway always, unless you have a specific reason

Question 2

NAT Instances

Why never use NAT Instances?

Answer 2

Old version of Amazon Linux; not specialized for high throughput networking

Question 3

NAT Instances

How do you control what traffic can use a NAT Instance?

Answer 3

Security Groups and NACLs, just like anything else

Question 4

NAT Instances

How can you use a NAT Instance to throttle performance?

Answer 4

Deliberately pick small instance size

Question 5

NAT Instances

Are NAT Instances HA?

Answer 5

Not by default

Question 6

NAT Instances

How can you make a NAT Instance HA?

important

Answer 6

Scripts that monitor instances and change routes when one fails

Question 7

NAT Instances

How can you save money with a NAT Instance?

important

Answer 7

Use it for port forwarding and as a bastion host

Question 8

NAT Instances

Can you use a NAT Instance across VPC Peers?

Answer 8

Yes, it’s just an EC2 instance

Question 9

NAT Instances

Can you use a NAT Instance across S2S VPN?

Answer 9

Yes, it’s just an EC2 instance

Question 10

NAT Instances

Can you use a NAT Instance across Direct Connect?

Answer 10

Yes, it’s just an EC2 instance

Question 11

NAT Gateway

What’s the cross-AZ best practice for NATGW?

Answer 11

Use separate NATGW in each AZ

Question 12

NAT Gateway

Why is this the best practice?

Answer 12

If AZ fails, other AZs aren’t affected

Question 13

NAT Gateway

What’s the cost implication?

Answer 13

Multi-AZ NATGW means inter-AZ traffic charges.

Question 14

NAT Gateway

How do I set up a NAT Gateway in my application’s subnet?

Answer 14

Can’t. NATGW need route table entries to direct traffic to it, so has to be separate Subnets.

Question 15

NAT Gateway

What is the tiering/subnet rule when you add NAT Gateways?

Answer 15

Can’t have a NAT Gateway in the same subnet as a thing that uses it: need routing between subnets

Question 16

NAT Gateway

Limit on NAT GW throughput?

important

Answer 16

Up to 45 Gbps

Question 17

NAT Gateway

What do you do if you need more than 45 Gbps through a NAT GW?

important

Answer 17

Add more NAT GWs and more routes

Question 18

NAT Gateway

How do you change IP addresses used by NAT GWs?

important

Answer 18

Absolutely can’t: create a new NATGW.

Question 19

NAT Gateway

Can you use a NATGW across VPC Peers?

Answer 19

No

Question 20

NAT Gateway

Can you use a NATGW across S2S VPN?

Answer 20

No

Question 21

NAT Gateway

Can you use a NATGW across Direct Connect?

Answer 21

No

Question 22

NAT Gateway

Access S3: cheaper with NATGW or gateway endpoint?

important

Answer 22

Gateway endpoint (free)

Question 23

NAT Gateway

How do you control what traffic can use a NATGW?

important

Answer 23

NACLs (can use SG on private subnets)

Question 24

NAT Gateway

Can you use Security Groups to secure a NAT GW?

important

Answer 24

No, not on the NAT GW itself