amazon-web-servicesamazon-vpcnataws-nat-gateway

Can a single NAT Gateway span across multiple AZ?


When I configure a NAT Gateway, I will have to select a subnet, hence to my understanding, one NAT Gateway for one Subnet which falls under one Availability Zones.

Then I saw the below statement

If you have resources in multiple Availability Zones and they share one NAT gateway, in the event that the NAT gateway's Availability Zone is down, resources in the other Availability Zones lose internet access, To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.

If I have multiple EC2 in different subnets, how do they share a single NAT Gateway? Did I understand wrongly? Below is the screenshot I see when I try to create a NAT Gateway

enter image description here


Solution

  • A NAT Gateway connects to a specific Subnet, and a Subnet is in a specific Availability Zone.

    Amazon EC2 instances in private subnets can use a NAT Gateway as follows:

    Depending upon your appetite for risk, you might configure things differently.

    Case 1: One public subnet, one private subnet in same AZ

    Case 2: Two public subnets, two private subnets, one NAT Gateway

    However, if there is a failure with Availability Zone A (rare, but can happen), then the NAT Gateway is not reachable from Private-Subnet-B. Thus, the system may be impacted even though it is running across two AZs.

    Case 3: Two public subnets, two private subnets, two NAT Gateways

    If one of the AZs were to fail, then the EC2 instances in the other private subnet will still be able to communicate with the Internet because they have their own NAT Gateway in the same AZ.