Allocate Elastic IPs for NAT Gateways

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that an Elastic IP (EIP) is allocated for each NAT gateway that you want to deploy within your AWS account. An EIP address is a static, public IP address designed for dynamic cloud computing. You can associate an AWS EIP address with any EC2 instance, VPC ENI or NAT gateway. A Network Address Translation (NAT) gateway is a device that enables EC2 instances in a private subnet to connect to the Internet while preventing the Internet from initiating a connection with those instances. With Elastic IPs, you can mask the failure of an EC2 instance by rapidly remapping the address to another instance launched in your VPC.

Security

To be able to use AWS NAT gateways that allow Internet access from the private subnet of your VPC, make sure that an Elastic IP is allocated for each NAT gateway that you want to deploy.
Audit

To determine if there are any Elastic IPs (EIPs) allocated for the NAT gateways available within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

03 Select the Virtual Private Cloud (VPC) that you want to examine from the Select a VPC dropdown menu.

04 In the navigation panel, under Virtual Private Cloud, click Elastic IPs.

05 Select the EIP that you want to examine.

06 Select the Description tab from the dashboard bottom panel.

07 On the Description panel, check the Association ID attribute for any value. The attribute value should be an ID, e.g. "eipalloc-abcd1234", if the selected EIP is already associated with an instance/network interface/NAT gateway or hyphen (‐) if the selected Elastic IP is not currently associated with any AWS resources and is available for association.

08 Repeat steps no. 5 – 7 to check the other EIPs available within the selected region for their association status. If all EIPs are already associated with AWS resources, there are no AWS Elastic IPs allocated for any NAT gateways that you need to deploy in the selected region.

09 Change the AWS region from the navigation bar and repeat steps no. 5 – 8 for other regions.

Using AWS CLI

01 Run describe-addresses command (OSX/Linux/UNIX) with custom query filters to check for allocated Elastic IPs that are not currently associated with any AWS resources (instances, ENIs or NAT gateways), available within US East (N. Virginia) region:

aws ec2 describe-addresses \
	--region us-east-1 \
	--filters Name=domain,Values=vpc \
	--query "Addresses[?AssociationId == null]"

02 The command output should return the metadata of the EIPs that are not associated with AWS resources:

[]

If describe-addresses command output returns an empty array (i.e. []), as shown in the example above, the existing EIPs are already associated with AWS resources, therefore there are no Elastic IPs currently allocated for NAT gateways that you want to deploy in the selected region.

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to check for allocated and unused EIPs available in other regions.
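The following added example (not part of the Conformity page or the AWS CLI) applies the same selection as the describe-addresses query above, `Domain == vpc` and no `AssociationId`, to saved CLI output and computes how many more allocate-address calls a region needs for a planned number of NAT gateways. The JSON responses are constructed samples in the describe-addresses output format; the hypothetical planned-gateway count is an input you supply.

```python
"""Audit helper: count VPC Elastic IPs that are free for NAT gateways.

Reads the JSON that `aws ec2 describe-addresses --region <region>` prints
(saved to a file or piped in) and reports the allocation shortfall for the
NAT gateways you plan to deploy in that region.
"""
import json

# Constructed sample of describe-addresses output (not from a real account):
# one EIP already associated with an ENI, one free VPC EIP, one EC2-Classic
# address that NAT gateways cannot use.
SAMPLE_DESCRIBE_ADDRESSES = json.loads("""{"Addresses": [
  {"PublicIp": "203.0.113.10", "Domain": "vpc", "AllocationId": "eipalloc-0aaa0001",
   "AssociationId": "eipassoc-0bbb0001", "NetworkInterfaceId": "eni-0ccc0001"},
  {"PublicIp": "203.0.113.11", "Domain": "vpc", "AllocationId": "eipalloc-0aaa0002"},
  {"PublicIp": "203.0.113.12", "Domain": "standard"}
]}""")


def unassociated_vpc_eips(describe_addresses_output):
    """Return allocation IDs of VPC-scoped EIPs with no AssociationId.

    Mirrors `--filters Name=domain,Values=vpc --query "Addresses[?AssociationId == null]"`:
    only VPC addresses count, and an address is free when AssociationId is absent.
    """
    return [
        addr["AllocationId"]
        for addr in describe_addresses_output.get("Addresses", [])
        if addr.get("Domain") == "vpc" and addr.get("AssociationId") is None
    ]


def eip_shortfall(describe_addresses_output, planned_nat_gateways):
    """Number of additional EIPs to allocate so every planned NAT gateway gets one.

    A public NAT gateway needs exactly one EIP, so the shortfall is the planned
    count minus the free VPC EIPs already allocated in the region (never negative).
    """
    free = len(unassociated_vpc_eips(describe_addresses_output))
    return max(0, planned_nat_gateways - free)


if __name__ == "__main__":
    # Usage: python3 eip_audit.py < describe-addresses.json (planned count assumed: 2)
    import sys
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DESCRIBE_ADDRESSES
    print("free VPC EIPs:", unassociated_vpc_eips(data))
    print("EIPs still to allocate for 2 NAT gateways:", eip_shortfall(data, 2))
```

Run it once per region with the matching --region output, since Elastic IPs are regional and a free EIP in us-east-1 does not help a NAT gateway in another region.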

Remediation / Resolution

To allocate an AWS Elastic IP for each NAT gateway that you want to deploy within your VPC, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

03 Select the Virtual Private Cloud (VPC) that you want to examine from the Select a VPC dropdown menu.

04 In the navigation panel, under Virtual Private Cloud, click Elastic IPs.

05 Click Allocate new address button from the dashboard top menu to initiate the setup process.

06 On Allocate new address page, click Allocate to finish the setup. If successful, the following message should be returned: "New address request succeeded. Elastic IP <EIP>." Click Close to return to the VPC dashboard.

07 Now you can deploy and associate the necessary NAT gateway with the newly created EIP.

08 Repeat steps no. 5 and 6 if you need to create more Elastic IPs for NAT gateways that you want to deploy inside the selected Virtual Private Cloud (VPC).

09 If required, change the AWS region from the navigation bar and repeat steps no. 5 – 8 for other regions.

Using AWS CLI

01 Run allocate-address command (OSX/Linux/UNIX) to allocate an Elastic IP address for the new NAT gateway that you want to deploy within your VPC, in the selected AWS region:

aws ec2 allocate-address \
	--region us-east-1 \
	--domain vpc

02 The command output should return the new AWS EIP metadata:

{
    "PublicIp": "<PUBLIC_IPv4_ADDRESS>",
    "Domain": "vpc",
    "AllocationId": "eipalloc-1234abcd"
}

03 Once the Elastic IP is allocated, you can deploy and associate your NAT gateway with the newly created EIP.

04 Repeat steps no. 1 and 2 if you need to create more Elastic IPs for NAT gateways that you want to deploy inside the selected VPC.

05 If required, change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 for other regions.

Publication date May 5, 2018