68. Network Address Translation (NAT)

NAT instances are ordinary EC2 instances that you run, patch and scale yourself. NAT gateways are AWS-managed gateways: each one is redundant within its AZ, and you deploy one per AZ so that private subnets can initiate connections out to the internet without becoming public. A NAT gateway is not dependent on a single instance.

Tips on NAT instances:
i) When creating a NAT instance, disable the source/destination check on the instance; otherwise EC2 drops packets whose source or destination is not the instance's own IP, which is exactly the traffic a NAT forwards
ii) NAT instances must be in a public subnet (a subnet whose route table sends 0.0.0.0/0 to an internet gateway) and need a public or Elastic IP address
iii) There must be a route (0.0.0.0/0) out of the private subnet to the NAT instance, in order for this to work
iv) The amount of traffic a NAT instance can support depends on the instance size. If it is bottlenecking, increase the instance size.
v) High availability is our responsibility: use Auto Scaling groups, multiple subnets in different AZs and a script to automate failover
vi) A NAT instance sits behind a security group, so that group must allow the inbound traffic from the private subnets and the outbound traffic to the internet

Tips on NAT Gateways:
i) Redundant inside the AZ (a single gateway is still tied to one AZ; see ix)
ii) Preferred by the enterprise
iii) Starts at 5 Gbps and scales currently to 45 Gbps
iv) No need to patch
v) Not associated with security groups; filter with network ACLs on the gateway's subnet and with security groups on the instances behind it
vi) Needs an Elastic IP address, which you allocate and associate with the gateway when you create it
vii) Remember to update route tables (0.0.0.0/0 in each private subnet's route table must point at the NAT gateway)
viii) No need to disable source/destination checks
ix) If you have resources in multiple AZs and they share one NAT gateway, then if the NAT gateway's AZ goes down, resources in the other AZs lose internet access. To create an AZ-independent architecture, create a NAT gateway in each AZ and configure your routing so that resources use the NAT gateway in their own AZ.
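The NAT instance rules (source/destination check off, NAT device in a public subnet, a default route from the private subnet) and the one-NAT-gateway-per-AZ rule in ix) are easy to get wrong in a large VPC, so here is an added example that audits them offline. This is not code from the original notes or from AWS; it runs over a constructed, simplified snapshot of what describe-subnets, describe-route-tables, describe-nat-gateways and describe-instances return, with made-up IDs. In practice you would fill the same dictionary from boto3 output.

```python
"""Offline audit of VPC route tables against the NAT rules in these notes.

Added example, not from the original notes or from AWS. The input is a
constructed, simplified snapshot of EC2 API data; every ID is made up.
"""
from typing import Dict, List, Optional

# Constructed sample: two AZs, one NAT gateway and one NAT instance, both in AZ a.
SAMPLE_VPC: Dict = {
    "subnets": {
        "subnet-pub-a": {"az": "us-east-1a"},
        "subnet-pub-b": {"az": "us-east-1b"},
        "subnet-priv-a": {"az": "us-east-1a"},
        "subnet-priv-b": {"az": "us-east-1b"},
    },
    "nat_gateways": {"nat-0a": {"subnet": "subnet-pub-a"}},
    "instances": {"i-nat0a": {"subnet": "subnet-pub-a", "source_dest_check": True}},
    "route_tables": [
        {"id": "rtb-public", "subnets": ["subnet-pub-a", "subnet-pub-b"],
         "routes": [{"dest": "0.0.0.0/0", "target": "igw-1"}]},
        {"id": "rtb-priv-a", "subnets": ["subnet-priv-a"],
         "routes": [{"dest": "0.0.0.0/0", "target": "i-nat0a"}]},
        {"id": "rtb-priv-b", "subnets": ["subnet-priv-b"],
         "routes": [{"dest": "0.0.0.0/0", "target": "nat-0a"}]},
    ],
}


def default_route_target(rtb: Dict) -> Optional[str]:
    """Return the target of the 0.0.0.0/0 route, or None if the table has none."""
    for route in rtb["routes"]:
        if route["dest"] == "0.0.0.0/0":
            return route["target"]
    return None


def route_table_for(vpc: Dict, subnet_id: str) -> Optional[Dict]:
    """Find the route table explicitly associated with a subnet."""
    for rtb in vpc["route_tables"]:
        if subnet_id in rtb["subnets"]:
            return rtb
    return None  # a real VPC would fall back to the main route table here


def is_public_subnet(vpc: Dict, subnet_id: str) -> bool:
    """A subnet is public when its route table sends 0.0.0.0/0 to an internet gateway."""
    rtb = route_table_for(vpc, subnet_id)
    target = default_route_target(rtb) if rtb else None
    return bool(target and target.startswith("igw-"))


def audit(vpc: Dict) -> List[str]:
    """Check every private subnet's egress path; return one finding per problem."""
    findings: List[str] = []
    for rtb in vpc["route_tables"]:
        target = default_route_target(rtb)
        if target is None or target.startswith("igw-"):
            continue  # public subnet, or no internet route at all (fine for a locked-down DB)
        if target.startswith("nat-"):
            kind, nat_subnet = "NAT gateway", vpc["nat_gateways"][target]["subnet"]
        elif target.startswith("i-"):
            inst = vpc["instances"][target]
            kind, nat_subnet = "NAT instance", inst["subnet"]
            if inst["source_dest_check"]:  # rule i) for NAT instances
                findings.append(f"{rtb['id']}: {target} still has source/destination check "
                                "enabled; it will drop the packets it is meant to forward")
        else:
            findings.append(f"{rtb['id']}: unrecognised default route target {target}")
            continue
        if not is_public_subnet(vpc, nat_subnet):  # rule ii): NAT device must be public
            findings.append(f"{rtb['id']}: {kind} {target} sits in {nat_subnet}, "
                            "which has no route to an internet gateway")
        nat_az = vpc["subnets"][nat_subnet]["az"]
        for subnet_id in rtb["subnets"]:  # rule ix): stay inside the AZ
            az = vpc["subnets"][subnet_id]["az"]
            if az != nat_az:
                findings.append(f"{rtb['id']}: {subnet_id} ({az}) egresses through {kind} "
                                f"{target} in {nat_az}; an outage in {nat_az} cuts its access")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_VPC):
        print("FINDING:", finding)
```

On the sample the audit reports two findings: the NAT instance behind subnet-priv-a still has its source/destination check enabled, and subnet-priv-b in us-east-1b depends on the NAT gateway in us-east-1a. Adding a second NAT gateway in subnet-pub-b and pointing rtb-priv-b at it, plus disabling the check on the instance, brings the findings to zero.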

Question 1:
As a Solutions Architect, you use AWS to host a database server within your company. This server should not be able to connect to the Internet unless you want to download the required database patches.
Choose an AWS service configuration that meets this requirement.
Option:
A. Build the DB in a public subnet and allow only inbound traffic with network ACLs
B. Build the DB in the public subnet and allow only inbound traffic in the security group
C. Build the DB in a private subnet and allow only outbound traffic in the security group
D. Build the DB in a private subnet and set the NAT instance in the route table
Answer: D
Explanation
To restrict internet access to your database, place the DB instance in a private subnet. On top of that, the DB should only be able to reach the Internet by initiating outbound connections through a NAT device. Therefore, option D is the correct answer.
EC2 instances in public subnets can send outbound traffic directly to the Internet, but instances in private subnets cannot. Instead, instances in the private subnet use a NAT device (NAT gateway or NAT instance) in the public subnet to reach the Internet. This lets the database server initiate connections through the NAT instance to download software updates, while connections to the database server from the Internet cannot be established, because the NAT only forwards return traffic for sessions that originated inside the VPC. Because that route is the database's only path out, removing the 0.0.0.0/0 route to the NAT instance when no patching is in progress closes the path again.
Options A and B are incorrect. If you build the database in a public subnet, it is reachable directly from the Internet, so it belongs in the private subnet.
Option C is incorrect. Security groups control which sources may reach the database, for example only specific EC2 instances, but an outbound-only security group does not give an instance in a private subnet a path to the Internet; that path requires a route to a NAT device.

Question 2:
Your company operates infrastructure in private and public subnets on AWS. A database server is installed in the private subnet. In addition, a NAT instance is installed in the public subnet so that instances in the private subnet can send traffic out to the Internet. Recently, you have discovered that your NAT instance is becoming a bottleneck.
What should you do to solve this issue?
Options:
A. Use VPC connection for a wider bandwidth
B. Set access settings using VPC endpoints
C. Change the NAT instance to a NAT gateway
D. Scale-up the NAT instance
Answer: C
Explanation
Option C is the correct answer. A NAT gateway is a managed service that replaces a NAT instance. AWS guarantees its availability and scales its bandwidth on its own, so moving to a NAT gateway removes the bottleneck of the current NAT instance. Changing the instance type of the NAT instance can help, but it does not guarantee that the problem will not recur as traffic grows. Therefore, changing the NAT instance to a NAT gateway is the simplest way to improve performance and eliminate the bottleneck.
Option A is incorrect. There is no function called VPC connection.
Option B is incorrect. A VPC endpoint is a private path from your VPC to supported AWS services (such as S3 or DynamoDB) that does not cross the Internet; it does not provide general Internet egress, so it does not relieve the NAT instance.
Option D is incorrect. Scaling up the NAT instance would help, but AWS provides the NAT gateway as a managed service, so it is the more effective choice.

Question 3:
The DevOps team at an IT company is provisioning a two-tier application in a VPC with a public subnet and a private subnet. The team wants to use either a NAT instance or a NAT gateway in the public subnet to enable instances in the private subnet to initiate outbound IPv4 traffic to the internet but needs some technical assistance in terms of the configuration options available for the NAT instance and the NAT gateway.
As a solutions architect, which of the following options would you identify as CORRECT? (Select three)
• Security Groups can be associated with a NAT instance (Correct)
• NAT instance can be used as a bastion server (Correct)
• Security Groups can be associated with a NAT gateway
• NAT gateway supports port forwarding
• NAT gateway can be used as a bastion server
• NAT instance supports port forwarding (Correct)
Explanation
Correct options:
NAT instance can be used as a bastion server
Security Groups can be associated with a NAT instance
NAT instance supports port forwarding
A NAT instance or a NAT Gateway can be used in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the Internet.
How NAT Gateway works: via – https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
How NAT Instance works: via – https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html
Please see this high-level summary of the differences between NAT instances and NAT gateways relevant to the options described in the question:
via – https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html
Incorrect options:
NAT gateway supports port forwarding
Security Groups can be associated with a NAT gateway
NAT gateway can be used as a bastion server
These three options are the reverse of the NAT instance properties above: a NAT gateway cannot have a security group attached (use network ACLs on its subnet instead), does not support port forwarding, and cannot be used as a bastion host because it is a managed service with no operating system you can log in to.