Why does an AWS NAT Gateway require an ElasticIP?

While creating a NAT Gateway, an Elastic IP Address is created in AWS. The AWS documentation (1) also mentions the same. Why is an Elastic IP Address required for a NAT Gateway?

[image: Create NAT Gateway]

Simply stated, the EIP is required because that is the way the NAT Gateway feature was engineered.

It wouldn't make sense to have a dynamic address on a NAT device -- if the address changed, that would be guaranteed to break any sessions in progress... and the only way to allocate a static address is by allocating an Elastic IP address (EIP).

It's also common to have external vendors whitelist your servers (for access to their servers) by providing them with the EIP of your NAT Gateway, in which case a dynamic address from the public pool would be unacceptable.

There may also be internal, proprietary reasons related to the way EIPs function that made this requirement a necessity... but that is not documented, so such an assertion would be mere speculation. An example of this: the public pool addresses (like those auto-assigned to EC2 instances configured with a public IP address from the pool, not an EIP) might be engineered to the specific availability zone, or even a subset of a single availability zone (they do, after all, change when an instance is stopped/started, implying that they might be dedicated to specific server bays within an AZ), while EIPs can migrate anywhere from one zone to another within a region. This strongly implies different internal topologies.

This requirement (constraint?), to me, seems insignificant: you shouldn't be charged for this EIP, and if you need to increase the maximum allowed number of EIPs in a region, you can submit a support request at no charge, describing your use case, to request a limit increase.

The EIP requirement is rather arbitrary. Having a static IP makes coding the NAT easier (it doesn't have to check the WAN interface for upstream address changes), but NATs that support a dynamic upstream address are very common - almost every home served by a major ISP has one. Sure, there's a risk the external address might change and break the current connections, but the ISPs know this and try hard NOT to change the address. Generally it changes only when you reboot the router, and at that point all your connections are broken anyway.

On AWS there are many similar scenarios where you don't care if your NAT gateway's external address changes, especially if your VPC does not contain any public servers. I have a lot of these, and I'm trying to run them on free accounts - it annoys me that they force me to burn through my short supply of static IPs.

As others observed this is a small expense, and AWS is still way cheaper than any other way I know to get this kind of cloud power; but that EIP is not strictly required.

Not insignificant at all: you can only have 5 EIPs, so having 2 or 3 applications across two availability zones will reach that threshold.

I think what the answers here are missing is that the NAT Gateway (NATG) traffic is still being routed through an Internet Gateway (IGW), which performs static (one private IP to one public IP) NAT. As the image in the question indicates, the Elastic IP (EIP) is an association. It is the IGW that is translating the NATG's private IP to its associated public EIP.

This EIP requirement is therefore consistent from an AWS implementation perspective for any resource (e.g. an EC2 instance) in a public subnet accessing the internet through an IGW.

As of June 2021, the AWS NAT Gateway does not require an ElasticIP (if you choose "Private" mode):

A private NAT Gateway, or NAT Gateway with connectivity type set to private, does not require an EIP and you do not need to attach an internet gateway to your VPC.

https://aws.amazon.com/about-aws/whats-new/2021/06/aws-removes-nat-gateways-dependence-on-internet-gateway-for-private-communications/

Let's say you have instances in a private network; how will they connect to the internet? That's when NAT comes in. The NAT IP is public, and private subnets can be associated with the NAT. So in that way, the instance in the private subnet can connect to the internet using NAT. This is very useful when you have a server that whitelists your IP. Just give them the NAT EIP and the problem is solved.
