Aditya Kumar Ghosh

Reputation: 51

Is there a way to use a NAT instance instead of a NAT gateway as egress in a Kubernetes cluster on AWS for private subnets?

I created a Kubernetes cluster using Kops on AWS in a private subnet. When using a NAT gateway as the point of egress in the cluster, everything just works fine. But when I try to deploy a NAT instance as the point of egress in my cluster, it does not work. I cannot figure out a way to use a NAT instance as egress in my cluster, nor am I able to figure out the issue. Any guidance or tutorial that can help in this case is most welcome.

Upvotes: 1

Views: 1074

Answers (1)

trptcolin

Reputation: 2340

A few gotchas that are easy to miss:

  • The NAT instance needs to be deployed into a public subnet (i.e. one with an internet gateway attached and a route out through that internet gateway).
  • The NAT instance needs the Source/Destination check disabled (in the AWS console, you can get to this via Actions -> Networking -> Change Source/Dest. Check).
  • The private subnet's routing table needs a route to the NAT instance (presumably for 0.0.0.0/0 but you could scope it narrower if you need less).

See the AWS NAT Instance docs, or this AWS tutorial on NAT with public/private subnets, for more details.

My understanding is that NAT instances are potentially a scalability bottleneck, so if you have a lot of outgoing traffic you may ultimately need to move back to a NAT gateway, upgrade the NAT instance, or do some fancier things with a group of NAT instances.

Upvotes: 2
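The three gotchas in the answer above can be checked mechanically. The following is an added example (not code from the question, the answer, Kops or AWS): it evaluates the NAT instance's subnet route, its Source/Dest check flag, and the private subnet's default route against dicts shaped like boto3's `describe_instances` / `describe_route_tables` responses. The instance and route-table data are constructed samples, and the instance ID and subnet IDs are placeholders.

```python
# Added example: verify the three NAT-instance gotchas from the answer.
# NAT_INSTANCE and ROUTE_TABLES are constructed samples in the shape of the
# boto3 describe_instances / describe_route_tables responses; replace them
# with real API output to check a live VPC.

NAT_INSTANCE = {                       # constructed sample (placeholder IDs)
    "InstanceId": "i-0nat000000000000",
    "SubnetId": "subnet-public",
    "SourceDestCheck": True,           # the common mistake: still enabled
}

ROUTE_TABLES = [                       # constructed sample
    {"Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0nat000000000000"}]},
]


def routes_for(subnet_id, route_tables):
    """Routes for subnet_id: its explicitly associated table, else the VPC main table."""
    main_routes = []
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt["Routes"]
            if assoc.get("Main"):
                main_routes = rt["Routes"]
    return main_routes


def nat_instance_problems(nat, route_tables, private_subnet_id):
    """Return a list of findings; an empty list means all three gotchas are satisfied."""
    problems = []
    # 1. The NAT instance must sit in a public subnet: default route via an internet gateway.
    if not any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId", "").startswith("igw-")
               for r in routes_for(nat["SubnetId"], route_tables)):
        problems.append(f"{nat['SubnetId']} has no 0.0.0.0/0 route via an internet gateway")
    # 2. Source/Dest check must be off, or EC2 drops packets the instance forwards for others.
    if nat.get("SourceDestCheck", True):
        problems.append(f"{nat['InstanceId']} still has SourceDestCheck enabled")
    # 3. The private subnet must send its default route to the NAT instance.
    if not any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("InstanceId") == nat["InstanceId"]
               for r in routes_for(private_subnet_id, route_tables)):
        problems.append(f"{private_subnet_id} has no 0.0.0.0/0 route to {nat['InstanceId']}")
    return problems


if __name__ == "__main__":
    for finding in nat_instance_problems(NAT_INSTANCE, ROUTE_TABLES, "subnet-private"):
        print("PROBLEM:", finding)
```

With the sample data only the Source/Dest check finding is reported; a subnet with no explicit association is evaluated against the VPC's main route table, which is where a missing private route often hides.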
