
I'm not sure what caused it, maybe Elastic Beanstalk, but at some point AWS created me a "NAT Gateway" which costs more than my EC2 server instances themselves.

What does it do, why does it cost so much, and why do I need it for things like EC2?

It seems like I can do without it, just delete it, and things still work while saving a ton?

atkayla

2 Answers


AWS say

You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances. For more information about NAT, see NAT.

In short, it's an internet proxy that lets you initiate outgoing connections, but prevents anyone initiating connections to you. It's for security.

AWS don't tend to create resources without you asking for them. The VPC Wizard will sometimes create one of these when you create your VPC.

Tim
  • Thanks! I just have a simple Node.js EC2 app + S3 + RDS. The EC2 hosts a public API that a mobile app will be hitting, so it sounds like I actually want others to initiate connections to the EC2, or no? I won't be initiating outgoing connections, just within the AWS services that I have, S3 + RDS. Maybe this NAT Gateway was created with Elastic Beanstalk and I didn't notice. – atkayla Sep 30 '18 at 01:42
  • It doesn't sound like you need a NAT gateway to me. – Tim Sep 30 '18 at 02:38

In short - NAT Gateway provides public internet access to EC2 instances without public IP address.

Whether or not you can remove the NAT Gateway depends on your VPC and EC2 configuration.

  • If your EC2 instance is in a subnet with IGW (Internet Gateway) and has public or elastic IP attached then you don't need NAT gateway.

  • If your EC2 instance is in a subnet without IGW you do need NAT gateway.

If you want to remove the NAT gateway make sure your EC2 instance has a public IP attached to it and it's in a subnet with IGW.

Also note that adding a public IP to your instance puts it directly on the public internet - double check the instance Security Group (i.e. firewall) to ensure it's locked down as much as possible.

MLu
  • Hi, thank you so much for the clarification! I confirmed my EC2 has a VPC, which has a subnet, which has IGW. I see that I have an elastic IP, but it is not attached to anything, and the EC2 lists Elastic IP as blank, so by default the EC2 seems to have a public IP? While I know the definitions a little better, can you give me some good examples of when to require a NAT Gateway? I just have a simple Node.js EC2 app that connects to S3 and RDS. It is a PUBLIC API. The EC2 needs access to AWS services like S3 and RDS, but will not be making external API calls. It sounds like I don't need NAT? – atkayla Sep 30 '18 at 01:37
  • @kayla S3 access requires a NAT Gateway *unless* your instance has a public IP and is on a public subnet, or you have an S3 endpoint inside the VPC accessible from the subnet (in which case, the bucket must be in the same region). If the instance's public IP is not an EIP it will change when the instance is stopped and started. – Michael - sqlbot Sep 30 '18 at 20:10
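As an added example (not from the answer, the comments, or AWS), here is a small Python check that applies the rules above to data shaped like `aws ec2 describe-route-tables` output: is the subnet's default route an IGW, does the instance have a public IP, and is there an S3 gateway endpoint route. All ids and addresses are constructed.

```python
from dataclasses import dataclass
@dataclass
class Instance:
    instance_id: str
    subnet_id: str
    public_ip: str = ""        # "" when no public or Elastic IP is attached
    has_eip: bool = False      # True when that public IP is an Elastic IP

def route_table_for(subnet_id, route_tables):
    """Table explicitly associated with the subnet, else the VPC's main table."""
    main = {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def default_route_target(rt):
    """Target of the 0.0.0.0/0 route: igw-* means public subnet, nat-* means private."""
    for r in rt.get("Routes", []):
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return r.get("GatewayId") or r.get("NatGatewayId") or ""
    return ""

def needs_nat(inst, route_tables):
    """Return (needs_nat, reason) by applying the two rules from the answer above."""
    rt = route_table_for(inst.subnet_id, route_tables)
    target = default_route_target(rt)
    # An S3 gateway endpoint shows up as a route whose target is a vpce-* id.
    s3_endpoint = any(r.get("GatewayId", "").startswith("vpce-") for r in rt.get("Routes", []))
    if target.startswith("igw-") and inst.public_ip:
        note = "" if inst.has_eip else "; IP is not an EIP, so it changes on stop/start"
        return False, "public subnet with public IP: NAT gateway not needed" + note
    if target.startswith("igw-"):
        return True, "public subnet but no public IP: attach one (and check the SG) or keep NAT"
    if s3_endpoint:
        return True, "private subnet: S3 via VPC endpoint, but other egress still needs NAT"
    return True, "private subnet: NAT gateway required for internet and AWS API egress"

# Constructed sample data (not a real account), shaped like describe-route-tables output.
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-public"}], "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"Associations": [{"Main": True}], "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]
API_SERVER = Instance("i-api", "subnet-public", "203.0.113.10")   # public API host, auto-assigned IP
WORKER = Instance("i-worker", "subnet-private")                   # no public IP, private subnet
```

Run it against your own `describe-route-tables` and `describe-instances` JSON to see which rule applies before deleting the gateway.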