
Managed NAT Gateway in Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VPC-003

Ensure that your Amazon VPC network uses the highly available Managed NAT Gateway service instead of a NAT instance, so that EC2 instances running within a private subnet can connect to the Internet or to other AWS components.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Performance efficiency

AWS provides two types of NAT devices: Managed NAT Gateways and NAT instances launched from a public AMI. Using the Managed NAT Gateway service instead of a NAT instance to forward traffic for the EC2 instances in a private subnet has multiple advantages. The Managed NAT Gateway provides built-in redundancy for high availability (using a multi-AZ configuration), whereas a NAT instance relies on a script to manage failover. The Managed NAT Gateway also provides better bandwidth (traffic bursts up to 10 Gbps) than a NAT instance, which is limited to the bandwidth allocated to the EC2 instance type used. Lastly, the Managed NAT Gateway service uses software optimized for handling NAT traffic and is fully managed by AWS, whereas a NAT instance is not optimized and requires scaling and regular maintenance such as installing software updates and security patches.


Audit

To determine if your Virtual Private Clouds (VPCs) are using Managed NAT Gateways as NAT devices, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 Select the Virtual Private Cloud (VPC) that you want to examine from the Select a VPC dropdown menu.

04 In the navigation panel, under VIRTUAL PRIVATE CLOUD, choose NAT Gateways.

05 Search for any Managed NAT Gateways available in the NAT gateways section. If there are no gateways listed in the NAT gateways section, the selected Virtual Private Cloud (VPC) is not using Managed NAT Gateways.

06 Repeat steps no. 3 – 5 for other Virtual Private Clouds (VPCs) available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-vpcs command (OSX/Linux/UNIX) with custom query filters to list the IDs of the VPC networks available in the selected AWS region:

aws ec2 describe-vpcs \
  --region us-east-1 \
  --query 'Vpcs[*].VpcId'

02 The command output should return the ID of each Virtual Private Cloud (VPC) available:

[
	"vpc-abcd1234",
	"vpc-1234abcd"
]

03 Run describe-nat-gateways command (OSX/Linux/UNIX) using the ID of the VPC network that you want to examine as the identifier parameter, to list the NAT Gateway devices created for the selected VPC:

aws ec2 describe-nat-gateways \
  --region us-east-1 \
  --filter "Name=vpc-id,Values=vpc-abcd1234" "Name=state,Values=available" \
  --query 'NatGateways'

04 The command output should return the NAT Gateway devices available for the selected VPC:

[]

If the describe-nat-gateways command output returns an empty array (i.e. []), as shown in the output example above, the selected Virtual Private Cloud (VPC) is not using Managed NAT Gateways.

05 Repeat steps no. 3 and 4 for other Virtual Private Clouds (VPCs) available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
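The CLI audit above, automated across all regions, as an added example in Python with boto3 (not Conformity's own code). The EC2 client is injected so the check can be exercised offline against the constructed FakeEC2 sample; the VPC and NAT gateway IDs in that sample are modelled on the page's examples and are not real resources.

```python
"""Audit for Conformity rule VPC-003: flag VPCs with no available Managed NAT Gateway."""


def vpcs_without_nat_gateway(ec2):
    """Return the IDs of VPCs in one region that have no NAT gateway in state
    'available'. Mirrors the page's describe-vpcs / describe-nat-gateways steps;
    `ec2` is any object with boto3's describe_vpcs and describe_nat_gateways."""
    non_compliant = []
    for vpc in ec2.describe_vpcs()["Vpcs"]:
        vpc_id = vpc["VpcId"]
        resp = ec2.describe_nat_gateways(
            Filter=[
                {"Name": "vpc-id", "Values": [vpc_id]},
                {"Name": "state", "Values": ["available"]},
            ]
        )
        if not resp["NatGateways"]:  # empty list, as in the page's step 04
            non_compliant.append(vpc_id)
    return non_compliant


class FakeEC2:
    """Constructed offline stand-in for a boto3 EC2 client (sample IDs only)."""

    # vpc-abcd1234 has a working gateway, vpc-1234abcd only a failed one
    # (must still be flagged), vpc-ffff0000 has none at all.
    VPCS = ["vpc-abcd1234", "vpc-1234abcd", "vpc-ffff0000"]
    GATEWAYS = [
        {"NatGatewayId": "nat-01234abcd1234abcd", "VpcId": "vpc-abcd1234", "State": "available"},
        {"NatGatewayId": "nat-0ffffffffffffffff", "VpcId": "vpc-1234abcd", "State": "failed"},
    ]

    def describe_vpcs(self):
        return {"Vpcs": [{"VpcId": v} for v in self.VPCS]}

    def describe_nat_gateways(self, Filter):
        # Apply the vpc-id and state filters the same way the real API does
        wanted = {f["Name"]: f["Values"] for f in Filter}
        return {"NatGateways": [g for g in self.GATEWAYS
                                if g["VpcId"] in wanted["vpc-id"]
                                and g["State"] in wanted["state"]]}


if __name__ == "__main__":
    import boto3  # real run: one client per region, as in the page's step 06

    regions = boto3.client("ec2", region_name="us-east-1").describe_regions()["Regions"]
    for region in (r["RegionName"] for r in regions):
        for vpc_id in vpcs_without_nat_gateway(boto3.client("ec2", region_name=region)):
            print(f"{region}: {vpc_id} has no available Managed NAT Gateway")
```

A gateway in any state other than available (pending, failed, deleting) does not satisfy the rule, which is why the state filter is kept in the query rather than checked afterwards.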

Remediation / Resolution

To enable the Managed NAT Gateway service for your VPC networks, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"VPCNetwork": {
			"Type": "AWS::EC2::VPC",
			"Properties": {
				"CidrBlock": "10.0.0.0/16"
			}
		},
		"PublicSubnet": {
			"Type": "AWS::EC2::Subnet",
			"Properties": {
				"VpcId": {
					"Ref": "VPCNetwork"
				},
				"CidrBlock": "10.0.0.0/24"
			}
		},
		"NATGatewayEIP": {
			"Type": "AWS::EC2::EIP",
			"Properties": {
				"Domain": "vpc"
			}
		},
		"NATGateway": {
			"Type": "AWS::EC2::NatGateway",
			"Properties": {
				"AllocationId": {
					"Fn::GetAtt": [
						"NATGatewayEIP",
						"AllocationId"
					]
				},
				"SubnetId": {
					"Ref": "PublicSubnet"
				}
			}
		},
		"VPCRouteTable": {
			"Type": "AWS::EC2::RouteTable",
			"Properties": {
				"VpcId": {
					"Ref": "VPCNetwork"
				}
			}
		},
		"VPCRoute": {
			"DependsOn": "NATGateway",
			"Type": "AWS::EC2::Route",
			"Properties": {
				"RouteTableId": {
					"Ref": "VPCRouteTable"
				},
				"DestinationCidrBlock": "0.0.0.0/0",
				"NatGatewayId": {
					"Ref": "NATGateway"
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  VPCNetwork:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
  # Public subnet that hosts the NAT gateway (referenced by SubnetId below)
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref 'VPCNetwork'
      CidrBlock: 10.0.0.0/24
  NATGatewayEIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  NATGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt 'NATGatewayEIP.AllocationId'
      SubnetId: !Ref 'PublicSubnet'
  VPCRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref 'VPCNetwork'
  VPCRoute:
    DependsOn: NATGateway
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref 'VPCRouteTable'
      DestinationCidrBlock: '0.0.0.0/0'
      NatGatewayId: !Ref 'NATGateway'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_vpc" "vpc-network" {
	cidr_block = "10.0.0.0/16"
}

# Supporting resources referenced by the NAT gateway: its public subnet,
# the Internet gateway it depends on, and the Elastic IP it uses
resource "aws_subnet" "vpc-subnet" {
	vpc_id     = aws_vpc.vpc-network.id
	cidr_block = "10.0.0.0/24"
}

resource "aws_internet_gateway" "internet-gateway" {
	vpc_id = aws_vpc.vpc-network.id
}

resource "aws_eip" "eip" {
	vpc = true
}

resource "aws_nat_gateway" "nat-gateway" {
	allocation_id = aws_eip.eip.id
	subnet_id     = aws_subnet.vpc-subnet.id
	depends_on    = [aws_internet_gateway.internet-gateway]
}

resource "aws_route_table" "vpc-route-table" {
	vpc_id = aws_vpc.vpc-network.id
	route {
		cidr_block     = "0.0.0.0/0"
		nat_gateway_id = aws_nat_gateway.nat-gateway.id
	}
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 Select the Virtual Private Cloud (VPC) that you want to access from the Select a VPC dropdown menu.

04 In the navigation panel, under VIRTUAL PRIVATE CLOUD, choose NAT Gateways.

05 Choose Create NAT gateway from the console top menu and perform the following operations:

  1. (Optional) For Name – optional, provide a unique name for the new managed gateway.
  2. For Subnet, choose the public VPC subnet in which to create the Managed NAT Gateway. To replace your existing NAT instance with a Managed NAT Gateway, make sure you choose the same subnet and replace the necessary route in the route table with a new entry that points to the managed gateway.
  3. For Elastic IP allocation ID, select an existing Elastic IP address (EIP) or create a new one by using the Allocate Elastic IP button.
  4. (Optional) For Tags, use the Add new tag button to create and apply tags to the new gateway. You can use the tags to organize, track, or control access for your cloud resource.
  5. Choose Create NAT gateway to create your new Managed NAT Gateway.

06 Select the newly created gateway, choose the Details tab, and click on the VPC attribute value (link) to access the associated VPC.

07 Select the VPC network, choose the Details tab, and click on the Main route table attribute value (link) to access the main route table configured for the VPC.

08 Select the route table, choose the Routes tab, and click on the Edit routes button.

09 On the Edit routes configuration page, choose Add route to set up a new route for your Managed NAT Gateway. Type 0.0.0.0/0 in the Destination box and select the ID of the new gateway from the Target dropdown list. (Optional) To replace your existing NAT instance with the new NAT Gateway, remove the NAT instance entry from the route table by clicking the Remove button. Choose Save changes to apply the configuration changes.

10 Repeat steps no. 3 – 9 for each Virtual Private Cloud (VPC) created within the current AWS region.

11 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run allocate-address command (OSX/Linux/UNIX) to create a new Elastic IP address (EIP) in the selected AWS region:

aws ec2 allocate-address \
  --region us-east-1 \
  --domain vpc

02 The command output should return the metadata available for the new EIP:

{
	"PublicIp": "10.10.0.5",
	"Domain": "vpc",
	"AllocationId": "eipalloc-abcd1234"
}

03 Run describe-vpcs command (OSX/Linux/UNIX) with custom query filters to list the IDs of the VPC networks available in the selected AWS region:

aws ec2 describe-vpcs \
  --region us-east-1 \
  --query 'Vpcs[*].VpcId'

04 The command output should return the ID of each Virtual Private Cloud (VPC) available:

[
	"vpc-abcd1234",
	"vpc-1234abcd"
]

05 Run describe-subnets command (OSX/Linux/UNIX) to list the subnets (public and private) created for the VPC that you want to associate with a Managed NAT Gateway:

aws ec2 describe-subnets \
  --region us-east-1 \
  --filters "Name=vpc-id,Values=vpc-abcd1234"

06 The command output should return the metadata for each VPC subnet in use:

{
	"Subnets": [
		{
			"VpcId": "vpc-abcd1234",
			"Tags": [
				{
					"Value": "Public subnet",
					"Key": "Name"
				}
			],
			"CidrBlock": "10.0.0.0/24",
			"MapPublicIpOnLaunch": false,
			"DefaultForAz": false,
			"State": "available",
			"AvailabilityZone": "us-east-1a",
			"SubnetId": "subnet-12341234",
			"AvailableIpAddressCount": 251
		},
		{
			"VpcId": "vpc-abcd1234",
			"Tags": [
				{
					"Value": "Private subnet",
					"Key": "Name"
				}
			],
			"CidrBlock": "10.0.1.0/24",
			"MapPublicIpOnLaunch": false,
			"DefaultForAz": false,
			"State": "available",
			"AvailabilityZone": "us-east-1b",
			"SubnetId": "subnet-abcdabcd",
			"AvailableIpAddressCount": 251
		}
	]
}

07 Run create-nat-gateway command (OSX/Linux/UNIX) to create the new Managed NAT Gateway in the specified public VPC subnet, using the Elastic IP address created earlier:

aws ec2 create-nat-gateway \
  --region us-east-1 \
  --subnet-id subnet-12341234 \
  --allocation-id eipalloc-abcd1234

08 The command output should return the metadata available for the new gateway:

{
	"NatGateway": {
		"NatGatewayAddresses": [
			{
				"AllocationId": "eipalloc-abcd1234"
			}
		],
		"VpcId": "vpc-abcd1234",
		"State": "pending",
		"NatGatewayId": "nat-01234abcd1234abcd",
		"SubnetId": "subnet-12341234",
		"CreateTime": "2016-04-26T16:19:31.050Z"
	}
}

09 Run create-route command (OSX/Linux/UNIX) using the ID of the VPC main route table as the identifier parameter to create a new route that matches all IPv4 traffic (i.e. 0.0.0.0/0) and routes it to the newly created NAT Gateway:

aws ec2 create-route \
  --region us-east-1 \
  --route-table-id rtb-0aaaabbbbccccdddd \
  --destination-cidr-block 0.0.0.0/0 \
  --nat-gateway-id nat-01234abcd1234abcd

10 The command output should return true if the request succeeds; otherwise it returns an error:

{
	"Return": true
}

11 (Optional) To replace your existing NAT instance with the new Managed NAT Gateway, run replace-route command (OSX/Linux/UNIX) using 0.0.0.0/0 for destination (the command does not produce an output):

aws ec2 replace-route \
  --region us-east-1 \
  --route-table-id rtb-0aaaabbbbccccdddd \
  --destination-cidr-block 0.0.0.0/0 \
  --nat-gateway-id nat-01234abcd1234abcd

12 Repeat steps no. 1 – 11 for each Virtual Private Cloud (VPC) available in the selected AWS region.

13 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.

Publication date Apr 27, 2016