A NAT gateway is a gateway device that performs NAT for outbound traffic. Every private subnet needs a NAT gateway to access the internet. In most cases, it is a good idea to have 2 or more NAT gateways in a VPC, spread across AZs. That gives the maximum redundancy. But in some cases, cost may be a higher priority. If you already have multiple VPCs connected through Transit Gateway, you can leverage that and share one NAT gateway with the other VPCs.
Let’s dive right in. The following diagram illustrates how we can share a NAT gateway with multiple VPCs connected by Transit Gateway.
In this example, a dedicated Egress VPC is created for handling outbound traffic. Resources in the project VPCs use the NAT gateway in the Egress VPC to access the Internet.
Once the VPCs are connected with Transit Gateway and a NAT gateway is deployed in EgressVPC, the route tables need to be updated. On EgressVPC, create static routes for the private subnets that route the CIDRs of the Project VPCs to the transit gateway.
On the transit gateway route table, add a default route that sends packets to the EgressVPC attachment.
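The routing steps above can be checked offline before touching a real account. The following is an added example, not part of the original post: it models the route tables with longest-prefix matching and traces the outbound and return paths. The CIDRs, table names, target labels, the project VPC default route to the transit gateway, and the split of EgressVPC into an attachment-side table and a NAT-subnet table are all assumptions made for the illustration.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match, the rule VPC and Transit Gateway route tables apply."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(cidr), target)
            for cidr, target in table.items()
            if ip in ipaddress.ip_network(cidr)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else "blackhole"

def build_tables(egress_return_routes=True):
    """Constructed sample: Project A 10.1.0.0/16, Project B 10.2.0.0/16, EgressVPC 10.0.0.0/16."""
    tables = {
        # Assumed: project subnets send their default route to the transit gateway.
        "project-a": {"10.1.0.0/16": "local", "0.0.0.0/0": "tgw"},
        # Transit gateway route table: default route to the EgressVPC attachment.
        "tgw": {"10.1.0.0/16": "attach-project-a",
                "10.2.0.0/16": "attach-project-b",
                "0.0.0.0/0": "attach-egress"},
        # Assumed EgressVPC layout: traffic arriving from the transit gateway
        # defaults to the NAT gateway; the NAT gateway's subnet defaults to the IGW.
        "egress-from-tgw": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-gateway"},
        "egress-nat-subnet": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw"},
    }
    if egress_return_routes:
        # Static routes for the Project VPC CIDRs, pointing back at the transit gateway.
        for name in ("egress-from-tgw", "egress-nat-subnet"):
            for cidr in ("10.1.0.0/16", "10.2.0.0/16"):
                tables[name][cidr] = "tgw"
    return tables

def trace_outbound(tables, dst):
    """Next hop chosen at each table for a packet leaving Project A."""
    order = ("project-a", "tgw", "egress-from-tgw", "egress-nat-subnet")
    return [lookup(tables[name], dst) for name in order]

def trace_return(tables, instance_ip):
    """Next hops for the reply after the NAT gateway restores the private address."""
    first = lookup(tables["egress-nat-subnet"], instance_ip)
    if first != "tgw":
        return [first]  # reply never reaches the transit gateway
    return [first, lookup(tables["tgw"], instance_ip)]

if __name__ == "__main__":
    print(trace_outbound(build_tables(), "198.51.100.10"))
    print(trace_return(build_tables(), "10.1.4.20"))
    print(trace_return(build_tables(egress_return_routes=False), "10.1.4.20"))
```

With the EgressVPC static routes removed, the reply matches only the default route and is handed to the Internet Gateway instead of the transit gateway, which is the failure the static routes prevent.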
For inbound traffic, an Internet Gateway is still needed for each VPC. IGWs are provided at no additional cost; only the traffic is metered.