VPC - Network Address Translation (NAT) Flashcards
To allow private instances to access the internet…
…use a NAT instance or a NAT gateway and allow a route out from the private route table > NAT > Internet.
To launch a NAT instance…
…search “nat” in the Community AMIs
After NAT instance is launched…
…disable Source/Dest check
In which subnet should the NAT instance or NAT gateway be deployed?
Public subnet
Is a security group required for a NAT instance?
Yes
Is a security group required for a NAT gateway?
No
What happens when you create a NAT gateway?
You must allocate a new Elastic IP or choose an existing one, since an Elastic IP is required to create a NAT gateway. In addition, a message pops up explaining that you need to edit your main route table to include a route with target = NAT gateway.
What is meant by Source/Dest check?
By default, an EC2 instance must be the source or destination of any traffic it sends or receives; traffic addressed to other hosts is not allowed to pass through it. A NAT instance forwards traffic on behalf of other instances, so this check must be disabled.
What happens if the NAT instance goes down, or its availability zone goes down?
The NAT instance is a single point of failure, so you will lose any internet access to everything in the private subnet.
To prevent a NAT instance from going down…
…place it in an Auto Scaling group with a minimum size of 1, or use multiple public subnets and deploy a NAT instance in each.
With NAT gateways, do you need Auto Scaling?
No
When a NAT instance’s bandwidth is used up (bottlenecked), what do you do?
Increase the instance size, or change the instance family to one that supports more network throughput.
T/F: When you deploy a NAT instance, you must assign a public IP address.
True
To create high availability with NAT instances…
…use Auto Scaling Groups, multiple subnets in different AZs, and a script to automate failover.