Why does a AWS NAT Gateway require an ElasticIP?

Question

While creating NAT Gateway an Elastic IP Address is created in AWS. The AWS documentation ( 1 ) also mentions the same. Why is an Elastic IP Address required for NAT Gateway?

Answer 1

Simply stated, the EIP is required because that is the way the NAT Gateway feature was engineered.

It wouldn't make sense to have a dynamic address on a NAT device -- if the address changed, that would be guaranteed to break any sessions in progress... and the only way to allocate a static address is by allocating an Elastic IP address (EIP).

It's also common to have external vendors whitelist your servers (for access to their servers) by providing them with the EIP of your NAT Gateway, in which case a dynamic address from the public pool would be unacceptable.

There may also be internal, proprietary reasons related to the way EIPs function that made this requirement a necessity... but that is not documented, so such an assertion would be mere speculation. An example of this: the public pool addresses (like those auto-assigned to EC2 instances configured with a public IP address from the pool, not an EIP) might be engineered to the specific availability zone, or even a subset of a single availability zone (they do, after all, change, when an instance is stopped/started, implying that they might be dedicated to specific server bays within an AZ), while EIPs can migrate anywhere from one zone to another within a region. This strongly implies different internal topologies.

This requirement (constraint?), to me, seems insignificant: you shouldn't be charged for this EIP, and if you need to increase the maximum allowed number of EIPs in a region, you can submit a support request at no charge, describing your use case, to request a limit increase.

Answer 2

The EIP requirement is rather arbitrary. Having a static IP makes coding the NAT easier (it doesn't have to check the WAN Interface for upstream address changes) but NATs that support a dynamic upstream address are very common - almost every home served by a major ISP has one. Sure, there's a risk the external address might change and break the current connections, but the ISPs know this and try hard NOT to change the address. Generally it changes only when you reboot the router, and at that point all your connections are broken anyway.

On AWS there there are many similar scenarios where you don't care if your NAT gateways external address changes, especially if your VPC does not contain any public servers. I have a lot of these, and I'm trying to run them on free accounts - it annoys me that they force me to burn through my short supply of static IPs.

As others observed this is a small expense, and AWS is still way cheaper than any other way I know to get this kind of cloud power; but that EIP is not strictly required.

Answer 3

一点都不重要，您只能拥有 5 个 EIP，因此在两个可用区中拥有 2 或 3 个应用程序将达到该阈值。

Answer 4

I think what the answers here are missing is that the NAT Gateway (NATG) traffic is still being routed through an Internet Gateway (IGW), which performs static (one private IP to one public IP) NAT. As the image in the question indicates, the Elastic IP (EIP) is an association . It is the IGW that is translating the NATG's private IP to its associated public EIP.

This EIP requirement is therefore consistent from an AWS implementation perspective for any resource (eg EC2 instance) in a public subnet accessing the internet through an IGW.

Answer 5

As of June 2021, the AWS NAT Gateway does not require an ElasticIP (if you choose "Private" mode):

A private NAT Gateway, or NAT Gateway with connectivity type set to private, does not require EIP and you do not need to attach an internet gateway with your VPC.

https://aws.amazon.com/about-aws/whats-new/2021/06/aws-removes-nat-gateways-dependence-on-internet-gateway-for-private-communications/

Answer 6

Let's say you have private network instances, how will they connect to internet? That's when NAT comes in. NAT ip is public. And private subnets can be associated with NAT. So in that way, the instance in private subnet can connect to internet using NAT. This is very useful when you have server to whitelist your ip. Just give them the NAT EIP and problem solved.