
Create NAT Gateways in at Least Two Availability Zones

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your NAT gateways are deployed in at least two Availability Zones (AZs). A NAT gateway lets EC2 instances in private subnets initiate connections to the Internet or to other AWS services while preventing the Internet from initiating connections to those instances. AWS Availability Zones are distinct locations engineered to be isolated from failures that occur in other zones. Each NAT gateway is created in a specific Availability Zone and is redundant only within that zone, so a single gateway is a single point of failure for every subnet that routes through it.

Security

If you have EC2 instances in multiple Availability Zones and they share one NAT gateway, a failure of that gateway's AZ makes the gateway unavailable and the resources in the other Availability Zones lose Internet access as well. To build a fault-tolerant architecture, deploy your AWS NAT gateways in at least two Availability Zones (AZs). Note that a second gateway only adds resilience if each private subnet's route table sends its default route (0.0.0.0/0) to the NAT gateway in that subnet's own AZ; a private subnet in one AZ that routes to a gateway in another AZ still depends on that other zone.


Audit

To determine if your Amazon NAT gateways were deployed in at least two Availability Zones, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

03 Select the Virtual Private Cloud (VPC) that you want to examine from the Select a VPC dropdown menu.

04 In the navigation panel, under Virtual Private Cloud, click NAT Gateways. If there is just one NAT gateway deployed, all the EC2 instances within private subnets share the same gateway, therefore the architecture is not compliant.

05 Select the NAT gateway that you want to examine.

06 Select the Details tab from the dashboard bottom panel.

07 On the Details panel, click on the subnet ID (link) assigned to the Subnet configuration attribute to access the subnet resource where the selected NAT gateway was created.

08 On the Summary panel, verify the value set for the Availability Zone attribute to identify the AZ where the selected subnet resides.

09 Repeat steps no. 5 – 8 for each of the other NAT gateways available within the selected VPC (if any) to identify the Availability Zone each one uses. If all the verified NAT gateways were deployed within subnets that share the same Availability Zone, the architecture used is not compliant.

10 Change the AWS region from the navigation bar and repeat steps no. 4 – 9 for other regions.

Using AWS CLI

01 Run describe-nat-gateways command (OSX/Linux/UNIX) using custom filters and query to describe all the NAT gateways deployed inside your VPC and list the subnets used at deployment. The state filter limits the output to gateways that are actually in service, since the command also returns pending, failed and recently deleted gateways, which should not count toward the total:

aws ec2 describe-nat-gateways \
	--region us-east-1 \
	--filter Name=vpc-id,Values=vpc-12345678 Name=state,Values=available \
	--query "NatGateways[*].{NatGatewayId:NatGatewayId, SubnetId:SubnetId}"

02 If the command output returns the metadata for just one NAT gateway, the EC2 instances available within private subnets share the same gateway, therefore the architecture is not compliant. Otherwise, the command output should return the ID and the subnet ID of each NAT gateway deployed within the selected VPC, as shown in the example below:

[
    {
        "SubnetId": "subnet-1234abcd",
        "NatGatewayId": "nat-01234567890abcabc"
    },
    {
        "SubnetId": "subnet-abcd1234",
        "NatGatewayId": "nat-01234567890bcabca"
    }
]

03 Run describe-subnets command (OSX/Linux/UNIX) using the subnet IDs returned at the previous step as identifiers and a custom query to describe the Availability Zones where the specified subnets were created:

aws ec2 describe-subnets \
	--region us-east-1 \
	--subnet-ids subnet-1234abcd subnet-abcd1234 \
	--query "Subnets[*].{SubnetId:SubnetId, AvailabilityZone:AvailabilityZone}"

04 The command output should return the Availability Zones (AZs) where the NAT gateway subnets were deployed:

[
    {
        "SubnetId": "subnet-1234abcd",
        "AvailabilityZone": "us-east-1d"
    },
    {
        "SubnetId": "subnet-abcd1234",
        "AvailabilityZone": "us-east-1d"
    }
]

If describe-subnets command output returns the same value for the "AvailabilityZone" attribute, as shown in the example above, the verified NAT gateways were deployed within subnets that share the same Availability Zone, therefore the architecture used is not compliant.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 for other regions.
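The audit steps above, as an added example that is not part of the original page or of Conformity's own tooling: the check is evaluated offline over plain dicts shaped like the JSON that describe-nat-gateways, describe-subnets and describe-route-tables return. It goes one step further than the page by also flagging private subnets whose default route points at a NAT gateway in a different AZ, since that is the failure mode the rule exists to prevent. All gateway, subnet and route-table IDs in the sample data are placeholders constructed for the example.

```python
"""Added example (not Conformity's code): the CLI audit on this page, evaluated
offline. Inputs are plain dicts shaped like the JSON that describe-nat-gateways,
describe-subnets and describe-route-tables return; the sample data at the bottom
is constructed for this example and every ID in it is a placeholder."""

DEFAULT_ROUTE = "0.0.0.0/0"


def nat_gateway_azs(nat_gateways, subnets):
    """Return {NatGatewayId: AvailabilityZone} for every gateway in state 'available'.

    describe-nat-gateways also lists pending, failed and recently deleted gateways;
    they forward no traffic, so they must not count toward the AZ total.
    """
    az_of_subnet = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    return {
        ngw["NatGatewayId"]: az_of_subnet[ngw["SubnetId"]]
        for ngw in nat_gateways
        if ngw.get("State") == "available"
    }


def spans_two_azs(ngw_azs):
    """The rule as stated on this page: at least two distinct AZs among the gateways."""
    return len(set(ngw_azs.values())) >= 2


def cross_az_default_routes(route_tables, subnets, ngw_azs):
    """Private subnets whose 0.0.0.0/0 route leaves their own AZ.

    Two gateways are necessary but not sufficient: a subnet in us-east-1a whose
    default route targets a gateway in us-east-1d still loses egress when 1d fails.
    Returns [(subnet_id, subnet_az, nat_gateway_id, gateway_az), ...].
    """
    az_of_subnet = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    findings = []
    for rtb in route_tables:
        targets = [r["NatGatewayId"] for r in rtb.get("Routes", [])
                   if r.get("DestinationCidrBlock") == DEFAULT_ROUTE and r.get("NatGatewayId")]
        if not targets or targets[0] not in ngw_azs:
            continue  # no NAT default route, or it targets a gateway that is not available
        gw_id, gw_az = targets[0], ngw_azs[targets[0]]
        for assoc in rtb.get("Associations", []):
            subnet_id = assoc.get("SubnetId")  # absent on the main-table association
            if subnet_id and az_of_subnet.get(subnet_id) not in (None, gw_az):
                findings.append((subnet_id, az_of_subnet[subnet_id], gw_id, gw_az))
    return findings


def audit_vpc(nat_gateways, subnets, route_tables=()):
    azs = nat_gateway_azs(nat_gateways, subnets)
    return {
        "gateway_azs": azs,
        "compliant": spans_two_azs(azs),
        "cross_az_routes": cross_az_default_routes(route_tables, subnets, azs),
    }


# Constructed sample mirroring the non-compliant output shown on this page:
# both gateways live in us-east-1d subnets.
SUBNETS = [
    {"SubnetId": "subnet-1234abcd", "AvailabilityZone": "us-east-1d"},  # public, 1d
    {"SubnetId": "subnet-abcd1234", "AvailabilityZone": "us-east-1d"},  # public, 1d
    {"SubnetId": "subnet-0a1a1a1a", "AvailabilityZone": "us-east-1a"},  # public, 1a
    {"SubnetId": "subnet-0b1a1a1a", "AvailabilityZone": "us-east-1a"},  # private, 1a
    {"SubnetId": "subnet-0b1d1d1d", "AvailabilityZone": "us-east-1d"},  # private, 1d
]
NON_COMPLIANT = [
    {"NatGatewayId": "nat-01234567890abcabc", "SubnetId": "subnet-1234abcd", "State": "available"},
    {"NatGatewayId": "nat-01234567890bcabca", "SubnetId": "subnet-abcd1234", "State": "available"},
]
# Remediated: a third gateway in a us-east-1a subnet (the failed one must not count).
REMEDIATED = NON_COMPLIANT + [
    {"NatGatewayId": "nat-0aaaaaaaaaaaaaaaa", "SubnetId": "subnet-0a1a1a1a", "State": "available"},
    {"NatGatewayId": "nat-0fffffffffffffff0", "SubnetId": "subnet-0a1a1a1a", "State": "failed"},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0000aaaa", "Associations": [{"SubnetId": "subnet-0b1a1a1a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-01234567890abcabc"}]},
    {"RouteTableId": "rtb-0000dddd", "Associations": [{"SubnetId": "subnet-0b1d1d1d"}],
     "Routes": [{"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-01234567890abcabc"}]},
]

if __name__ == "__main__":
    for label, gateways in (("as audited", NON_COMPLIANT), ("after remediation", REMEDIATED)):
        print(label, audit_vpc(gateways, SUBNETS, ROUTE_TABLES))
```

In the remediated sample the VPC passes the two-AZ rule, yet the private subnet in us-east-1a is still routed to a gateway in us-east-1d; that is the finding the route-table pass reports, and the one to fix alongside adding the gateway.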

Remediation / Resolution

To deploy your NAT gateways in at least two Availability Zones (AZs), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

03 Select the Virtual Private Cloud (VPC) that you want to examine from the Select a VPC dropdown menu.

04 In the navigation panel, under Virtual Private Cloud, click NAT Gateways.

05 Click Create NAT Gateway button from the dashboard top menu to initiate the setup process.

06 On Create NAT Gateway page, perform the following:

  1. Click inside the Subnet box and select the public subnet in which the new NAT gateway will reside.
  2. Click inside the Elastic IP Allocation ID box and select the Elastic IP address to associate with the NAT gateway at deployment. If there are no Elastic IPs (EIPs) available, click Create New EIP to allocate a new one and associate it automatically with the gateway.
  3. Click Create a NAT Gateway to deploy your new NAT gateway. If successful, the following message should be returned: "Your NAT gateway has been created. NAT Gateway ID: <GATEWAY_ID>." The new gateway will enable EC2 instances inside your private subnets to communicate with the Internet. Click Close to return to the VPC dashboard.

07 Repeat step no. 5 and 6 to create more Amazon NAT gateways (at least one more in a different AZ), inside the selected VPC, within the current AWS region.

08 If necessary, change the AWS region from the navigation bar and repeat steps no. 5 – 7 for other regions.

Using AWS CLI

01 Run create-nat-gateway command (OSX/Linux/UNIX) to create a new NAT gateway inside the specified subnet (preferred AZ) and associate it with an Elastic IP address. The following command example creates a NAT gateway within a VPC subnet identified by the ID "subnet-abcd1234", using an Elastic IP address identified by the ID "eipalloc-1234abcd", in the US East (N. Virginia) region:

aws ec2 create-nat-gateway \
	--region us-east-1 \
	--subnet-id subnet-abcd1234 \
	--allocation-id eipalloc-1234abcd

02 The command output should return the new NAT gateway metadata:

{
    "NatGateway": {
        "NatGatewayAddresses": [
            {
                "AllocationId": "eipalloc-1234abcd"
            }
        ],
        "VpcId": "vpc-12345678",
        "State": "pending",
        "NatGatewayId": "nat-01234567890dddeee",
        "SubnetId": "subnet-abcd1234",
        "CreateTime": "2018-04-12T16:52:42.000Z"
    }
}

03 Change the --subnet-id parameter value to a public subnet in a different Availability Zone and repeat step no. 1 to create more AWS NAT gateways (at least one more in a different Availability Zone) within the selected AWS region. Each gateway needs its own Elastic IP address, so allocate a new one (for example with the allocate-address command) and pass its allocation ID via --allocation-id. Once the new gateway reaches the "available" state, update the route table of each private subnet in that Availability Zone so that its 0.0.0.0/0 route targets the new, AZ-local gateway; otherwise those subnets keep depending on the original gateway's zone.

04 If necessary, change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 for other regions.
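The remediation steps above as one routine, added here as an example that is not part of the original page or of Conformity's own tooling. It uses the boto3 calls corresponding to the CLI commands on this page (allocate-address, create-nat-gateway, describe-route-tables, replace-route/create-route) and adds what a second gateway needs before it actually removes the single point of failure: its own Elastic IP, a wait until the gateway is "available", and the private subnet in the same AZ re-routed to it. The EC2 client is passed in as a parameter, so the routine can be run offline against the small in-memory stand-in defined below it; every subnet, route-table and gateway ID is a placeholder.

```python
"""Added example (not Conformity's code): the CLI remediation on this page as one
boto3 routine, including what a second gateway needs before it adds resilience:
its own Elastic IP, a wait until it is 'available', and a private subnet in the
same AZ whose default route is moved to it. The EC2 client is a parameter, so the
routine can run offline against the in-memory stand-in below; all subnet,
route-table and gateway IDs here are placeholders."""

DEFAULT_ROUTE = "0.0.0.0/0"


def subnet_az(ec2, subnet_id):
    return ec2.describe_subnets(SubnetIds=[subnet_id])["Subnets"][0]["AvailabilityZone"]


def add_az_local_nat_gateway(ec2, public_subnet_id, private_subnet_id):
    """Create a NAT gateway in public_subnet_id and point private_subnet_id at it.

    Returns the new NatGatewayId. Refuses subnets in different AZs: a gateway in
    another AZ is exactly the single point of failure this check is about.
    """
    pub_az, priv_az = subnet_az(ec2, public_subnet_id), subnet_az(ec2, private_subnet_id)
    if pub_az != priv_az:
        raise ValueError(f"{public_subnet_id} is in {pub_az}, {private_subnet_id} in {priv_az}")

    # Resolve the private subnet's own route table first, so a failure here does not
    # leave an orphaned gateway behind. Never edit the main table: every subnet
    # without an explicit association would silently follow.
    tables = ec2.describe_route_tables(
        Filters=[{"Name": "association.subnet-id", "Values": [private_subnet_id]}])["RouteTables"]
    if not tables:
        raise ValueError(f"{private_subnet_id} has no explicit route table association")
    rtb = tables[0]

    # One Elastic IP backs exactly one NAT gateway, so allocate a fresh one.
    allocation_id = ec2.allocate_address(Domain="vpc")["AllocationId"]
    ngw_id = ec2.create_nat_gateway(SubnetId=public_subnet_id,
                                    AllocationId=allocation_id)["NatGateway"]["NatGatewayId"]
    # create-nat-gateway returns State "pending"; a route to a pending gateway drops traffic.
    ec2.get_waiter("nat_gateway_available").wait(NatGatewayIds=[ngw_id])

    route = dict(RouteTableId=rtb["RouteTableId"], DestinationCidrBlock=DEFAULT_ROUTE, NatGatewayId=ngw_id)
    if any(r.get("DestinationCidrBlock") == DEFAULT_ROUTE for r in rtb["Routes"]):
        ec2.replace_route(**route)   # retarget the existing default route
    else:
        ec2.create_route(**route)
    return ngw_id


class FakeEC2:
    """In-memory stand-in for boto3's EC2 client, covering only the calls used above.
    Constructed sample VPC: public/private subnet pairs in us-east-1a and us-east-1d,
    one existing gateway in 1d, and the 1a private subnet wrongly routed to it."""

    def __init__(self):
        self.subnet_azs = {"subnet-0a1a1a1a": "us-east-1a", "subnet-0b1a1a1a": "us-east-1a",
                           "subnet-0a1d1d1d": "us-east-1d", "subnet-0b1d1d1d": "us-east-1d"}
        self.nat_gateways = {"nat-0dddddddddddddddd": "subnet-0a1d1d1d"}
        self.route_tables = {"rtb-0000aaaa": {"subnet": "subnet-0b1a1a1a", "routes": [
            {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0dddddddddddddddd"}]}}
        self.allocations = 0

    def describe_subnets(self, SubnetIds):
        return {"Subnets": [{"SubnetId": s, "AvailabilityZone": self.subnet_azs[s]} for s in SubnetIds]}

    def allocate_address(self, Domain):
        self.allocations += 1
        return {"AllocationId": f"eipalloc-{self.allocations:08x}"}

    def create_nat_gateway(self, SubnetId, AllocationId):
        ngw_id = f"nat-{len(self.nat_gateways):017x}"
        self.nat_gateways[ngw_id] = SubnetId
        return {"NatGateway": {"NatGatewayId": ngw_id, "SubnetId": SubnetId, "State": "pending"}}

    def get_waiter(self, name):
        return self

    def wait(self, **kwargs):
        pass   # the real waiter polls until State == "available"

    def describe_route_tables(self, Filters):
        wanted = Filters[0]["Values"][0]
        return {"RouteTables": [{"RouteTableId": rid, "Routes": t["routes"]}
                                for rid, t in self.route_tables.items() if t["subnet"] == wanted]}

    def replace_route(self, RouteTableId, DestinationCidrBlock, NatGatewayId):
        for r in self.route_tables[RouteTableId]["routes"]:
            if r["DestinationCidrBlock"] == DestinationCidrBlock:
                r["NatGatewayId"] = NatGatewayId

    def create_route(self, RouteTableId, DestinationCidrBlock, NatGatewayId):
        self.route_tables[RouteTableId]["routes"].append(
            {"DestinationCidrBlock": DestinationCidrBlock, "NatGatewayId": NatGatewayId})


if __name__ == "__main__":
    # Against a real account: ec2 = boto3.client("ec2", region_name="us-east-1")
    ec2 = FakeEC2()
    print(add_az_local_nat_gateway(ec2, "subnet-0a1a1a1a", "subnet-0b1a1a1a"), ec2.route_tables)
```

Running it with a real client requires ec2:DescribeSubnets, ec2:DescribeRouteTables, ec2:AllocateAddress, ec2:CreateNatGateway and ec2:ReplaceRoute/ec2:CreateRoute; run it once per Availability Zone that hosts private subnets, then re-run the audit above to confirm no private subnet still routes across zones.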


Publication date Apr 18, 2018