
AWS Introduces Regional Availability for NAT Gateway


AWS has recently introduced regional availability for the managed NAT Gateway service. The new capability allows developers to create a single NAT Gateway that automatically spans multiple availability zones (AZs) in a VPC, providing high availability and eliminating the need to define separate gateways and public subnets in each zone.

A NAT Gateway lets instances in a private subnet access the internet or other services outside a VPC using the NAT Gateway's IP address. With the new regional option, developers can create a NAT Gateway that spans all availability zones in a VPC, and the regional service automatically adjusts to the workload's AZs without requiring route table updates.

The regional NAT gateways operate in two modes: in automatic mode, AWS manages IP addresses and handles AZ changes automatically; in manual mode, customers manage IP addresses and are responsible for managing and adjusting the gateway in each AZ.

[Figure: Regional Availability for NAT Gateway. Source: AWS documentation]

Highlighting the regional availability of NAT Gateway as an example of a "minor" announcement from the cloud provider that is more beneficial than the ones at re:Invent, Matt Johnson, CEO of Rayo, comments:

If you are already operating AWS at scale, these early announcements are often more impactful than the keynote launches, adding major improvements to existing services. Case in point - regional NAT gateways. Whilst not addressing cost, they offer some significant quality of life benefits - in particular, no need to manage zonal routes in private subnets (they work as a regional resource similar to the Internet Gateway), they don’t need public subnets (AWS manages that for you), and they scale across AZs as needed.

According to the documentation, while it may take up to 60 minutes to expand to a new AZ after a resource is instantiated there, until this expansion is complete, traffic from this resource is processed across zones by the regional NAT Gateway in one of the existing AZs.

Furthermore, scaling across AZs is based on the existence of workload ENIs in those AZs, not active traffic using the gateway. With many users trying to figure out the benefits and costs of the new regional approach, in a popular Reddit thread, user spicypixel asks:

Can someone smarter than me work out if this will bankrupt me compared to running 3 zonal NATs or even a single cross-AZ NAT?

User KayeYess adds:

Not sure about price cut but would definitely reduce the overhead of deploying across AZs and managing routes.

AWS suggests switching to the new regional NAT Gateways for all use cases except those requiring private connectivity, a feature not available with the regional endpoint.

In a separate announcement, the cloud provider introduced unused NAT Gateway recommendations in AWS Compute Optimizer, acknowledging that "NAT Gateways represent a substantial portion of cloud spending, yet optimizing these costs presents unique challenges." The new capability relies on CloudWatch logs from the past 32 days to determine whether a NAT has no active connections (ActiveConnectionCount = 0), no incoming packets from clients in a VPC (PacketsInFromSource = 0), and no incoming packets from the destination (PacketsInFromDestination = 0).
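The three conditions above are the detection rule the article attributes to Compute Optimizer. The following is an added example, not code from AWS or from the article, that applies the same rule offline to per-gateway CloudWatch-style datapoints: a gateway is flagged as unused only when ActiveConnectionCount, PacketsInFromSource and PacketsInFromDestination are all zero for the entire 32-day window. The NAT gateway IDs, the datapoints and the choice to report a gateway with too little history as "insufficient_data" (rather than idle) are our own assumptions; the function signatures are not an AWS API.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple

Series = List[Tuple[datetime, float]]

LOOKBACK_DAYS = 32  # lookback window Compute Optimizer uses, per the announcement
# CloudWatch NAT Gateway metrics that must all be zero for a gateway to count as unused.
UNUSED_SIGNALS = ("ActiveConnectionCount", "PacketsInFromSource", "PacketsInFromDestination")


def classify_nat_gateway(metrics: Dict[str, Series], now: datetime,
                         lookback_days: int = LOOKBACK_DAYS) -> str:
    """Return 'unused', 'in_use' or 'insufficient_data' for one NAT gateway.

    metrics maps a metric name to (timestamp, value) datapoints. A gateway is
    'unused' only when every signal metric is zero across the whole window.
    A window not fully covered by datapoints (e.g. a gateway created last week)
    is reported as 'insufficient_data' instead of being treated as idle; that
    conservative choice is ours, not something the announcement specifies.
    """
    window_start = now - timedelta(days=lookback_days)
    for name in UNUSED_SIGNALS:
        in_window = [(ts, v) for ts, v in metrics.get(name, []) if ts >= window_start]
        if not in_window:
            return "insufficient_data"
        # The series must reach back to (roughly) the start of the window.
        earliest = min(ts for ts, _ in in_window)
        if earliest > window_start + timedelta(days=1):
            return "insufficient_data"
        if max(v for _, v in in_window) > 0:
            return "in_use"
    return "unused"


def recommend_unused(gateways: Dict[str, Dict[str, Series]], now: datetime) -> Dict[str, str]:
    """Classify every gateway in the inventory; the caller reviews the 'unused' ones."""
    return {nat_id: classify_nat_gateway(m, now) for nat_id, m in gateways.items()}


def daily_series(now: datetime, days: int, value_at_day: Callable[[int], float]) -> Series:
    # Constructed helper: one datapoint per day, going back `days` days.
    return [(now - timedelta(days=d), float(value_at_day(d))) for d in range(days)]


NOW = datetime(2025, 11, 30, tzinfo=timezone.utc)

# Constructed sample inventory; the NAT gateway IDs are placeholders, not real resources.
SAMPLE_GATEWAYS = {
    # Idle for the whole window: every signal metric is zero for 40 days.
    "nat-0example-idle": {
        name: daily_series(NOW, 40, lambda d: 0) for name in UNUSED_SIGNALS
    },
    # No active connections now, but clients did send packets 10 days ago.
    "nat-0example-busy": {
        "ActiveConnectionCount": daily_series(NOW, 40, lambda d: 0),
        "PacketsInFromSource": daily_series(NOW, 40, lambda d: 1500 if d == 10 else 0),
        "PacketsInFromDestination": daily_series(NOW, 40, lambda d: 0),
    },
    # Created only 5 days ago: too little history to call it unused.
    "nat-0example-new": {
        name: daily_series(NOW, 5, lambda d: 0) for name in UNUSED_SIGNALS
    },
}


if __name__ == "__main__":
    for nat_id, verdict in recommend_unused(SAMPLE_GATEWAYS, NOW).items():
        print(f"{nat_id}: {verdict}")
```

Note that the rule deliberately looks at packets from the destination as well as from the source: a gateway with zero client traffic but non-zero return traffic would indicate a stale or misattributed data series, and should be investigated rather than deleted.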

The new regional feature is already generally available in all regions, except GovCloud and China.
