
While creating a NAT Gateway, an Elastic IP Address is created in AWS. The AWS documentation (1) also mentions the same. Why is an Elastic IP Address required for a NAT Gateway?

[Image: Creating NAT Gateway]

Praveen Sripati

6 Answers


Simply stated, the EIP is required because that is the way the NAT Gateway feature was engineered.

It wouldn't make sense to have a dynamic address on a NAT device -- if the address changed, that would be guaranteed to break any sessions in progress... and the only way to allocate a static address is by allocating an Elastic IP address (EIP).

It's also common to have external vendors whitelist your servers (for access to their servers) by providing them with the EIP of your NAT Gateway, in which case a dynamic address from the public pool would be unacceptable.

There may also be internal, proprietary reasons related to the way EIPs function that made this requirement a necessity... but that is not documented, so such an assertion would be mere speculation. An example of this: the public pool addresses (like those auto-assigned to EC2 instances configured with a public IP address from the pool, not an EIP) might be engineered to the specific availability zone, or even a subset of a single availability zone (they do, after all, change, when an instance is stopped/started, implying that they might be dedicated to specific server bays within an AZ), while EIPs can migrate anywhere from one zone to another within a region. This strongly implies different internal topologies.

This requirement (constraint?), to me, seems insignificant: you shouldn't be charged for this EIP, and if you need to increase the maximum allowed number of EIPs in a region, you can submit a support request at no charge, describing your use case, to request a limit increase.

Michael - sqlbot
  • Thanks for the response. Yes, it's insignificant. But I was curious why an EIP was required for the NAT GW. – Praveen Sripati Mar 30 '17 at 03:11
  • Hi Michael, would external vendors need to know the IP addresses of the NAT gateway to whitelist on their end? Do the router and internet gateway act as pass-through and don't have IP addresses associated? However, it seems to be pretty similar to any public EC2 instance in a public subnet - I guess they also may need Elastic IP addresses if external vendors have to whitelist. – Punter Vicky Apr 28 '19 at 21:46
  • @PunterVicky yes, the EIP of the NAT Gateway is what would be visible on the other end of outbound connections. The router and Internet Gateway do not have their own IPs. – Michael - sqlbot Apr 28 '19 at 22:48
  • Honestly - not really. You could have a dynamic IP assigned by AWS automatically, as it would only change when the NAT Gateway restarted - which would mean you lose open sessions anyway. The point about whitelisting our NAT GW is a valid point, but if we don't have such a purpose, then I don't really see it as justified to require an Elastic IP for the NAT GW. – tymik Nov 27 '22 at 21:39
  • @tymik NAT Gateways don't restart. NAT Gateways are virtual devices provided by the network infrastructure. There's no operational reason why a NAT Gateway's IP address would ever need to change. – Michael - sqlbot Nov 30 '22 at 17:00

The EIP requirement is rather arbitrary. Having a static IP makes coding the NAT easier (it doesn't have to check the WAN Interface for upstream address changes) but NATs that support a dynamic upstream address are very common - almost every home served by a major ISP has one. Sure, there's a risk the external address might change and break the current connections, but the ISPs know this and try hard NOT to change the address. Generally it changes only when you reboot the router, and at that point all your connections are broken anyway.

On AWS there are many similar scenarios where you don't care if your NAT gateway's external address changes, especially if your VPC does not contain any public servers. I have a lot of these, and I'm trying to run them on free accounts - it annoys me that they force me to burn through my short supply of static IPs.

As others observed this is a small expense, and AWS is still way cheaper than any other way I know to get this kind of cloud power; but that EIP is not strictly required.

jbartas

Not insignificant at all: you are only allowed to have 5 EIPs, so having 2 or 3 apps in two availability zones will hit that threshold.

user2818032

As of June 2021, the AWS NAT Gateway does not require an Elastic IP (if you choose "Private" mode):

A private NAT Gateway, or NAT Gateway with connectivity type set to private, does not require EIP and you do not need to attach an internet gateway with your VPC.

https://aws.amazon.com/about-aws/whats-new/2021/06/aws-removes-nat-gateways-dependence-on-internet-gateway-for-private-communications/

N R

I think what the answers here are missing is that the NAT Gateway (NATG) traffic is still being routed through an Internet Gateway (IGW), which performs static (one private IP to one public IP) NAT. As the image in the question indicates, the Elastic IP (EIP) is an association. It is the IGW that is translating the NATG's private IP to its associated public EIP.

This EIP requirement is therefore consistent from an AWS implementation perspective for any resource (e.g. EC2 instance) in a public subnet accessing the internet through an IGW.

Pero P.

Let's say you have private network instances; how will they connect to the internet? That's when NAT comes in. The NAT IP is public, and private subnets can be associated with the NAT. So in that way, the instance in the private subnet can connect to the internet using NAT. This is very useful when you have a server that needs to whitelist your IP. Just give them the NAT EIP and the problem is solved.

zawhtut
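A check that ties together two points made across the answers above: the NAT Gateway's EIP is the source address a vendor must allow-list, and a private-connectivity NAT Gateway has no EIP at all. This is an added example, not code from the thread or from AWS; the inputs mirror the record shape of `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways`, but every ID, CIDR and address is constructed sample data.

```python
"""Resolve the public source IP that traffic from a private subnet will carry
after NAT. Inputs mirror the record shape of `aws ec2 describe-route-tables`
and `aws ec2 describe-nat-gateways`; all IDs/addresses below are constructed."""
from ipaddress import ip_network

# Constructed sample: a public NAT gateway holding an EIP, and a private one with none.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-app", "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-pub"}]},
    {"RouteTableId": "rtb-db", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "172.16.0.0/12", "NatGatewayId": "nat-priv"}]},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-pub", "ConnectivityType": "public",
     "NatGatewayAddresses": [{"AllocationId": "eipalloc-0123", "PrivateIp": "10.0.1.5",
                              "PublicIp": "203.0.113.10"}]},
    {"NatGatewayId": "nat-priv", "ConnectivityType": "private",
     "NatGatewayAddresses": [{"PrivateIp": "10.0.2.5"}]},
]


def route_for(subnet_id, destination, route_tables):
    """Longest-prefix match for `destination` in the route table associated with
    `subnet_id`; None when no associated table or no matching route exists."""
    dest = ip_network(destination)
    for table in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in table["Associations"]):
            matches = [r for r in table["Routes"]
                       if dest.subnet_of(ip_network(r["DestinationCidrBlock"]))]
            return max(matches, default=None,
                       key=lambda r: ip_network(r["DestinationCidrBlock"]).prefixlen)
    return None


def egress_source_ips(subnet_id, destination, route_tables, nat_gateways):
    """Public IPs the remote end will see (the addresses to hand out for allow-listing).
    Empty unless the route is a public NAT gateway: a private one holds no EIP."""
    route = route_for(subnet_id, destination, route_tables)
    if route is None or "NatGatewayId" not in route:
        return []
    ngw = next(n for n in nat_gateways if n["NatGatewayId"] == route["NatGatewayId"])
    if ngw["ConnectivityType"] != "public":
        return []
    return sorted(a["PublicIp"] for a in ngw["NatGatewayAddresses"] if "PublicIp" in a)


if __name__ == "__main__":
    print(egress_source_ips("subnet-app", "198.51.100.7", ROUTE_TABLES, NAT_GATEWAYS))
    print(egress_source_ips("subnet-db", "172.16.5.5", ROUTE_TABLES, NAT_GATEWAYS))
```

Run against real `describe-*` output (with the sample dictionaries swapped for the parsed JSON), an empty result for a subnet that is expected to reach the Internet means its default route does not end at a public NAT Gateway.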