One NAT attachment for two private subnets
Problem
I have two NAT gateway attachments for two private subnets in AWS. Is it possible to have one NAT gateway attachment for two private subnets so that I can save one EIP?
Solution
Remember that you should be engineering to your requirements around cost, resilience and performance.
If your constraint is around cost, then yes, a single NAT gateway, with both subnets having routing tables that route public IP traffic to the NAT gateway is a viable approach. If you are this cost sensitive, are you sure that AWS is the right hosting environment?
If your constraint is around having all traffic arrive on the internet from a single elastic IP address, then may I suggest that having two NAT gateways in different subnets in different AZs is a better choice. You will need one elastic IP address on the active NAT gateway, with routing tables for the private subnets pointing internet traffic to the active NAT gateway. In the event of a network failure, have a script that moves the elastic IP address to the standby NAT, and then update the route tables to send internet traffic to the second NAT, making it now the active NAT.
Do not fall into the false economy of thinking that you can spin up the replacement NAT at failover time, as it only takes a few seconds. When large catastrophic failures happen within AWS, the processes for the creation of new resources into the surviving AZs become far busier than normal, and new requests seem to be queued. You would have an unpredictable RTO with this approach. A single NAT should be treated as accepting that on rare occasions, a 12 hour outage is acceptable.
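The route-table switchover that both designs in the answer rely on (pointing every private subnet's default route at one shared NAT gateway, and re-pointing it at the standby NAT during failover), as an added example that is not part of the original answer. It uses the real boto3 EC2 calls (describe_nat_gateways, describe_route_tables, replace_route, create_route) but ships with a constructed in-memory FakeEC2 stand-in so it runs offline; the IDs nat-active, nat-standby and rtb-private-a/b/c are made up. One practitioner caveat on the EIP half of the answer: a NAT gateway's primary Elastic IP is fixed at creation and cannot be re-associated to another NAT gateway, so that step is not a single API call and is deliberately not modelled here; the script handles the route-table side, which is what can be done quickly during an AZ event.

```python
"""Route-table switchover for the shared and active/standby NAT designs.

Added example, not part of the original answer. Real boto3 call shapes,
constructed offline fake; all resource IDs are made up for illustration.
"""
DEFAULT_ROUTE = "0.0.0.0/0"


def default_route_target(route_table):
    """Return the NAT gateway ID behind 0.0.0.0/0, or None if there is no such route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE:
            return route.get("NatGatewayId")
    return None


def plan_switch(route_tables, target_nat, old_nat=None):
    """Compute (route_table_id, action) pairs so every table egresses via target_nat.

    old_nat=None covers the single shared NAT design (point all private subnets
    at one gateway); old_nat set is the failover step.  Tables already on
    target_nat are skipped, so re-running is idempotent.  A table routing via a
    NAT other than old_nat/target_nat is refused rather than silently retargeted,
    since that would hijack some other subnet's egress path.
    """
    plan = []
    for rt in route_tables:
        current = default_route_target(rt)
        if current == target_nat:
            continue
        if current is None:
            plan.append((rt["RouteTableId"], "create"))
        elif old_nat is None or current == old_nat:
            plan.append((rt["RouteTableId"], "replace"))
        else:
            raise ValueError(f"{rt['RouteTableId']} routes via unexpected {current}")
    return plan


def nat_is_available(ec2, nat_id):
    """True only when the NAT gateway reports State == 'available'."""
    resp = ec2.describe_nat_gateways(NatGatewayIds=[nat_id])
    return any(n["State"] == "available" for n in resp["NatGateways"])


def switch_default_route(ec2, route_table_ids, target_nat, old_nat=None):
    """Health-check the target NAT, then repoint the route tables.
    Returns the list of route table IDs that were actually changed."""
    if not nat_is_available(ec2, target_nat):
        raise RuntimeError(f"{target_nat} is not available; refusing to fail over to it")
    tables = ec2.describe_route_tables(RouteTableIds=route_table_ids)["RouteTables"]
    changed = []
    for rt_id, action in plan_switch(tables, target_nat, old_nat):
        kwargs = dict(RouteTableId=rt_id, DestinationCidrBlock=DEFAULT_ROUTE,
                      NatGatewayId=target_nat)
        if action == "replace":
            ec2.replace_route(**kwargs)   # existing 0.0.0.0/0 route: swap its target
        else:
            ec2.create_route(**kwargs)    # no default route yet: add one
        changed.append(rt_id)
    return changed


class FakeEC2:
    """Constructed stand-in for boto3.client('ec2') with the same call shapes.
    Two private subnets (one route table each) default-route to nat-active;
    nat-standby sits in the other AZ.  All IDs are made up."""

    def __init__(self):
        self.nats = {"nat-active": "available", "nat-standby": "available"}
        self.tables = {}
        for rt_id in ("rtb-private-a", "rtb-private-b"):
            self.tables[rt_id] = {"RouteTableId": rt_id, "Routes": [
                {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-active",
                 "State": "active"}]}

    def describe_nat_gateways(self, NatGatewayIds):
        return {"NatGateways": [{"NatGatewayId": n, "State": self.nats[n]}
                                for n in NatGatewayIds]}

    def describe_route_tables(self, RouteTableIds):
        return {"RouteTables": [self.tables[i] for i in RouteTableIds]}

    def replace_route(self, RouteTableId, DestinationCidrBlock, NatGatewayId):
        for route in self.tables[RouteTableId]["Routes"]:
            if route["DestinationCidrBlock"] == DestinationCidrBlock:
                route["NatGatewayId"] = NatGatewayId
                return {}
        raise KeyError("InvalidRoute.NotFound")  # mirrors the real API's failure

    def create_route(self, RouteTableId, DestinationCidrBlock, NatGatewayId):
        self.tables[RouteTableId]["Routes"].append(
            {"DestinationCidrBlock": DestinationCidrBlock, "NatGatewayId": NatGatewayId,
             "State": "active"})
        return {}


if __name__ == "__main__":
    ec2 = FakeEC2()  # real run: ec2 = boto3.client("ec2", region_name="eu-west-1")
    print(switch_default_route(ec2, ["rtb-private-a", "rtb-private-b"],
                               "nat-standby", old_nat="nat-active"))
```

For a real run, replace FakeEC2 with a boto3 client and pass the actual route table IDs; the health check on the target and the refusal to retarget tables that route via an unknown NAT are the two guards worth keeping, since a failover script that runs under pressure should never make the blast radius bigger.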
Context
StackExchange DevOps Q#11665, answer score: 4