The usage of NAT Gateway has skyrocketed since last week. I was tasked with finding the root cause of this, since the AWS bill is considerably high now.
My first action was to ask people. No one is aware of any deployment that could cause this issue.
Then, I enabled the flow logs and used CloudWatch Insights to create a ranking of the IPs that are hitting the NAT gateway, ordered by the amount of data. There are about 6 IPs, and all of them resolve to CloudFront. I tried to nslookup and traceroute each one of the distributions we have, and also from other accounts we manage, but I could not match any of those IPs. I tried to do the same with the APIs in API Gateway. No luck there either.
What else can I do to find out what is hitting the NAT Gateway? The issue only happens in production, so I can't simply block the IPs. All I have is a bunch of IPs that are not associated with any ENI. I checked the reserved IPs from Amazon and all of them are in the CloudFront CIDR.
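The ranking step described in the post, carried one step further: besides ranking the external IPs by bytes, the same flow log records also carry the private source address and ENI, which is what points at the workload doing the talking. This is an added example, not code from the post; the flow log lines are constructed, the VPC range 10.0.0.0/16 is assumed, and records are in the default v2 format.

```python
import ipaddress
from collections import defaultdict
# Constructed sample VPC Flow Log records (default v2 format, space separated):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.10 51234 443 6 120 900000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.11 51235 443 6 80 600000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0f9e8d7c 10.0.2.40 203.0.113.10 44321 443 6 10 50000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.15 443 51234 6 200 3000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0f9e8d7c 10.0.2.40 10.0.1.15 8080 33000 6 5 2000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0b2c3d4e 10.0.3.7 198.51.100.5 40000 53 17 2 300 1700000000 1700000060 ACCEPT OK
"""

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed VPC range (hypothetical)

def parse_flow_logs(text):
    """Yield one dict per v2 flow log record; skip NODATA/SKIPDATA lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[13] != "OK":
            continue
        yield {"eni": f[2], "src": f[3], "dst": f[4], "bytes": int(f[9])}

def rank_external_destinations(text, vpc_cidr=VPC_CIDR):
    """Bytes per external IP (both directions), each with a per-(ENI, private IP)
    breakdown so the internal talker can be identified. Intra-VPC flows are
    ignored because they never traverse the NAT gateway."""
    by_dst = defaultdict(int)
    by_dst_src = defaultdict(lambda: defaultdict(int))
    for r in parse_flow_logs(text):
        src, dst = ipaddress.ip_address(r["src"]), ipaddress.ip_address(r["dst"])
        if src in vpc_cidr and dst not in vpc_cidr:      # outbound via NAT
            ext, talker = r["dst"], (r["eni"], r["src"])
        elif dst in vpc_cidr and src not in vpc_cidr:    # return traffic
            ext, talker = r["src"], (r["eni"], r["dst"])
        else:
            continue
        by_dst[ext] += r["bytes"]
        by_dst_src[ext][talker] += r["bytes"]
    ranked = sorted(by_dst.items(), key=lambda kv: kv[1], reverse=True)
    return [(ip, total, sorted(by_dst_src[ip].items(), key=lambda kv: kv[1], reverse=True))
            for ip, total in ranked]

if __name__ == "__main__":
    for ip, total, talkers in rank_external_destinations(SAMPLE_FLOW_LOGS):
        print(f"{ip:15} {total:>10} bytes")
        for (eni, src), b in talkers:
            print(f"    {eni:14} {src:15} {b:>10} bytes")
```

Run against the flow logs exported from CloudWatch, the ENI with the largest share under the top CloudFront IP is the instance or service whose outbound traffic to inspect next.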