zdenko.s

Reputation: 1032

AWS: Share "NAT Gateway" among VPCs

I have one VPC where I configured a NAT Gateway. The other VPC(s) do not have any "public subnet" nor an IGW. I would like to share a single NAT Gateway among many VPCs. I tried to configure the routing table, but it does not allow specifying a NAT Gateway from a different VPC. As a possible solution, I installed an http/s proxy in the VPC with the IGW and configured proxy settings on every instance in the other VPCs. It worked, but I would like to use the NAT Gateway due to easier management. Is it possible to make this kind of configuration at AWS? There are a few VPCs and I do not want to add a NAT Gateway to each VPC.

Zdenko

Upvotes: 3

Views: 10476

Answers (4)

Michael - sqlbot

Reputation: 179084

You can't share a NAT Gateway among multiple VPCs.

To access a resource in another VPC without crossing over the Internet and back requires VPC peering or another type of VPC-to-VPC VPN, and these arrangements do not allow transit traffic, for very good reasons. Hence:

You can't route traffic to a NAT gateway through a VPC peering connection. You can't route traffic through a NAT Gateway when traffic arrives over a hybrid connection (Site to Site VPN or Direct Connect) through a Virtual Private Gateway. You can route traffic through a NAT Gateway when traffic arrives over a hybrid connection (Site to Site VPN or Direct Connect) through a transit gateway.

https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-basics.html

The instances in the originating VPC are, by definition, "on the other side of" one of the listed interconnection arrangements.

Upvotes: 8

uylmz

Reputation: 1552

It may be a bit complicated to set up, but running an OpenVPN server in the VPC with the IGW and connecting instances in the VPC without an IGW to the VPN server might be a solution.

Upvotes: 0

Martijn Rutten

Reputation: 781

You basically have 3 options:

  • Connect to a shared VPC (typically in a shared "network" account) that holds the NAT via VPC peering. No additional costs for the VPC peering, but cumbersome to set up if you have a lot of accounts.
  • Same, but using Transit Gateway. A Peering Attachment is almost the same cost as a single NAT, so this will only save costs if you use multiple NAT gateways to have high bandwidth.
  • Set up a shared VPC (e.g. in an infrastructure account) that holds the NAT. Then share private subnets via AWS resource manager (RAM) to the VPCs that need outgoing access. This has the additional benefit that you have a single place where you allocate VPC IP ranges, and not every account needs to bother with setting up the full VPC. More details in AWS VPC sharing best practices. This setup avoids both the Transit Gateway costs and the burden of setting up VPC peering, but needs more careful planning to keep things isolated (and likely not everything in the same VPC).

Upvotes: 4

Erica Kane

Reputation: 3352

AWS Transit Gateway now provides an option to do what you wish, although you will want to consider the costs involved -- there are hourly and data charges. There is a reference architecture published in which multiple VPCs share a NAT gateway without allowing traffic between the VPCs:

https://aws.amazon.com/blogs/networking-and-content-delivery/creating-a-single-internet-exit-point-from-multiple-vpcs-using-aws-transit-gateway/

Upvotes: 5
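The Transit Gateway option described in the two answers above (Martijn Rutten's second bullet and Erica Kane's reference architecture) comes down to two TGW route tables: one that spokes are associated with and that only knows a default route to the egress VPC, and one that the egress VPC is associated with and that learns the spoke CIDRs for return traffic. Because no spoke route is ever placed in the spoke table, spokes share the NAT Gateway but cannot talk to each other. The following Terraform is an added example, not code from the question, any answer, or the linked AWS blog post. It assumes the egress VPC (with a public subnet already routing 0.0.0.0/0 to an IGW, plus a private subnet for the TGW attachment) and one spoke VPC with a private subnet already exist; their IDs, the route table IDs and the spoke CIDR are supplied as variables, and the spoke CIDR default is a constructed sample value.

```hcl
# Added example, not the page's own configuration. Existing VPC/subnet/route
# table IDs are assumed inputs; only the NAT, TGW and routes are created here.
variable "egress_vpc_id"            {}
variable "egress_public_subnet_id"  {}  # its route table already has 0.0.0.0/0 -> IGW
variable "egress_public_rt_id"      {}
variable "egress_private_subnet_id" {}  # used for the TGW attachment
variable "egress_private_rt_id"     {}
variable "spoke_vpc_id"             {}
variable "spoke_subnet_id"          {}
variable "spoke_rt_id"              {}
variable "spoke_cidr"               { default = "10.1.0.0/16" }  # constructed sample value

# The single NAT Gateway, in the egress VPC's public subnet.
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "shared" {
  allocation_id = aws_eip.nat.id
  subnet_id     = var.egress_public_subnet_id
}

# Disable default association/propagation so that each attachment lands only
# in the route table we assign explicitly; this is what keeps spokes isolated.
resource "aws_ec2_transit_gateway" "hub" {
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

resource "aws_ec2_transit_gateway_vpc_attachment" "egress" {
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = var.egress_vpc_id
  subnet_ids                                      = [var.egress_private_subnet_id]
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = var.spoke_vpc_id
  subnet_ids                                      = [var.spoke_subnet_id]
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

# TGW route table for spokes: a default route to the egress VPC and nothing
# else. No spoke CIDR is propagated here, so spoke-to-spoke traffic has no route.
resource "aws_ec2_transit_gateway_route_table" "spokes" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}

resource "aws_ec2_transit_gateway_route" "spokes_default" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.egress.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}

# TGW route table for the egress VPC: learns every spoke CIDR by propagation
# so replies coming back from the NAT Gateway can reach the right spoke.
resource "aws_ec2_transit_gateway_route_table" "egress" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route_table_association" "egress" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.egress.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.egress.id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "spoke_to_egress" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.egress.id
}

# Spoke VPC: all non-local traffic goes to the TGW (no IGW, no NAT in the spoke).
resource "aws_route" "spoke_default" {
  route_table_id         = var.spoke_rt_id
  destination_cidr_block = "0.0.0.0/0"
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.spoke]
}

# Egress VPC, attachment subnet: traffic arriving from the TGW is handed to the NAT.
resource "aws_route" "egress_private_default" {
  route_table_id         = var.egress_private_rt_id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.shared.id
}

# Egress VPC, public subnet: replies for the spoke CIDR are routed back to the TGW
# (the existing 0.0.0.0/0 -> IGW route in this table is left untouched).
resource "aws_route" "egress_public_to_spoke" {
  route_table_id         = var.egress_public_rt_id
  destination_cidr_block = var.spoke_cidr
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.egress]
}
```

Each additional spoke needs only its own attachment, an association to the `spokes` table, a propagation into the `egress` table, a default route in its VPC route table, and a return route for its CIDR in the egress public route table; the `spokes` table itself never changes, which is what prevents one spoke from reaching another. Check the isolation with a VPC Reachability Analyzer path (or a plain connection attempt) between two spoke instances: it should fail, while both still reach the Internet through the one NAT Gateway.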
