# 🌐 AWS NAT Gateway: Foundations for Beginners (Understand it from A to Z for the cert exam and the job)

## PART 1: What is NAT? Why do we need NAT?

### Network Address Translation (NAT): Definition

- NAT = the process of rewriting the source/destination IP in packets
- There are several kinds of NAT:
  - Static NAT: 1 private IP ↔ 1 public IP (like the Internet Gateway)
  - IP Masquerading: many private IPs → 1 public IP (like the NAT Gateway)

### The real-world problem NAT solves

🤔 Scenario: private instances need software updates

❌ Problem:
- The private subnet has no public IPs
- It cannot connect directly to the Internet
- Making the subnet public = breaking the security design

✅ NAT solution:
- Allows outbound-only access
- Keeps the private architecture intact
- Multiple instances share 1 public IP

### What does outbound-only mean?

- ✅ Private instances can initiate connections out to the Internet (software updates, API calls, ...)
- ❌ The Internet CANNOT initiate connections into the private instances
- 🔄 Response traffic is allowed (stateful)
## PART 2: NAT Gateway vs EC2 NAT Instance

### AWS offers 2 ways to do NAT:

| Aspect | NAT Gateway (Recommended) | EC2 NAT Instance |
|---|---|---|
| Management | Fully managed by AWS | Self-managed |
| Availability | AZ-resilient | Single instance |
| Bandwidth | Up to 45 Gbps | Instance type limit |
| Security Groups | Cannot be assigned | Can be assigned |
| Cost | Higher | Lower (but more admin) |
| Maintenance | Zero | OS updates, patches, ... |

Best practice: use a NAT Gateway unless you have special requirements!
## PART 3: How the NAT Gateway architecture works

### Architecture overview

🏗️ NAT Gateway architecture:

```text
Internet ←→ Internet Gateway ←→ NAT Gateway (Public Subnet)
                                      ↕
                        Private Instances (Private Subnet)
```

Private subnet route table:
- 10.16.0.0/16 → local
- 0.0.0.0/0 → NAT Gateway
### Packet flow in detail

📦 Step-by-step packet flow:

1. The private instance creates a packet:
   - Source: 10.16.32.10 (private)
   - Dest: 1.3.3.7 (software update server)
2. Route table → forward to the NAT Gateway
3. The NAT Gateway processes it:
   - Records the flow in its translation table
   - Changes source: 10.16.32.10 → NAT_Private_IP
   - Forwards to the Internet Gateway
4. The Internet Gateway processes it:
   - Changes source: NAT_Private_IP → NAT_Public_IP
   - Sends to the Internet
5. The response follows the reverse path
### Translation table

🗃️ The NAT Gateway maintains a translation table:

```text
Private_IP:Port   ↔ NAT_IP:Port      ↔ Dest_IP:Port
10.16.32.10:1234  ↔ 172.31.1.5:5678  ↔ 1.3.3.7:443
10.16.32.20:2345  ↔ 172.31.1.5:6789  ↔ 8.8.8.8:53
```
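As an added example that is not part of the original page, the following Python model implements the translation table and packet flow above: an outbound flow gets an entry, a reply is matched against that entry, and anything else arriving from the Internet is dropped, which is what "outbound-only" and "stateful" mean in practice. The Elastic IP 203.0.113.10 and the class and function names are constructed.

```python
"""Toy model of the translation table above: outbound flows create entries, replies
are matched against them, unsolicited inbound packets are dropped. Constructed example."""
from dataclasses import dataclass
import itertools

NAT_PRIVATE_IP = "172.31.1.5"   # NAT Gateway address in the public subnet (from the page)
NAT_PUBLIC_IP = "203.0.113.10"  # constructed placeholder Elastic IP (TEST-NET-3 range)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatGateway:
    """IP masquerading: many private IP:port pairs share one NAT IP, distinct ports."""
    def __init__(self, first_port=5678):
        self._ports = itertools.count(first_port)
        self.table = {}   # nat_port -> (private_ip, private_port, dest_ip, dest_port)

    def outbound(self, pkt):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        nat_port = next((p for p, f in self.table.items() if f == flow), None)
        if nat_port is None:                  # new flow: record it in the table
            nat_port = next(self._ports)
            self.table[nat_port] = flow
        return Packet(NAT_PRIVATE_IP, nat_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a reply back to the private instance, or drop it (return None)."""
        flow = self.table.get(pkt.dst_port)
        # stateful: the reply must come from the exact destination of a recorded flow
        if flow is None or (pkt.src_ip, pkt.src_port) != (flow[2], flow[3]):
            return None
        return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])

def send_to_internet(nat, pkt):
    """Private instance -> NAT Gateway (port translation) -> IGW (static 1:1) -> Internet."""
    after_nat = nat.outbound(pkt)
    return Packet(NAT_PUBLIC_IP, after_nat.src_port, after_nat.dst_ip, after_nat.dst_port)

def receive_from_internet(nat, pkt):
    """Internet -> IGW (public IP -> NAT private IP) -> NAT Gateway table lookup."""
    if pkt.dst_ip != NAT_PUBLIC_IP:
        return None
    return nat.inbound(Packet(pkt.src_ip, pkt.src_port, NAT_PRIVATE_IP, pkt.dst_port))
```

Inspect `nat.table` after a few `send_to_internet` calls to see the same rows as the table above; a second instance behind the same public IP simply gets the next free NAT port.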
## PART 4: NAT Gateway key facts (critical for the exam)

### 4.1. Deployment requirements

- ✅ Must be deployed in a public subnet (it needs a public IP)
- ✅ The public subnet must have an IGW + default route
- ✅ Must have an Elastic IP (static public IP)

### 4.2. Availability & resilience

⚠️ CRITICAL: a NAT Gateway is only AZ-resilient, NOT regionally resilient!

Single-AZ design:
- ❌ AZ failure → NAT Gateway down → private instances lose Internet access

Multi-AZ design (recommended):
- ✅ 1 NAT Gateway per AZ
- ✅ 1 route table per AZ
- ✅ Each private subnet routes to the NAT Gateway in its own AZ

### 4.3. Performance & scaling

- Bandwidth: up to 45 Gbps per NAT Gateway
- Scaling: deploy multiple NAT Gateways and split the traffic
- Managed: AWS handles all scaling automatically

### 4.4. Pricing (frequently asked on the exam!)

💰 NAT Gateway cost has 2 components:
1. Hourly charge: ~$0.045/hour (partial hours are billed as full hours)
2. Data processing: ~$0.045/GB processed

Example monthly cost:
- Running 24/7: $32.40/month
- 100 GB of data: $4.50/month
- Total: ~$37/month per NAT Gateway
## PART 5: NAT Gateway best practices

### 5.1. High-availability design

🏗️ Multi-AZ NAT design:
- us-east-1a:
  - Public subnet: NAT-GW-A
  - Private subnet: route table → NAT-GW-A
- us-east-1b:
  - Public subnet: NAT-GW-B
  - Private subnet: route table → NAT-GW-B
- us-east-1c:
  - Public subnet: NAT-GW-C
  - Private subnet: route table → NAT-GW-C

### 5.2. Cost optimization

💡 Cost-saving strategies:
1. Consolidate traffic: route multiple subnets to 1 NAT Gateway (same AZ)
2. VPC Endpoints: use them for AWS services (S3, DynamoDB) instead of NAT
3. S3 Gateway Endpoint: a free alternative for S3 access
4. Monitor data transfer: optimize applications to reduce NAT usage

### 5.3. Security considerations

🔒 NAT Gateway security:

✅ Good:
- Security Groups cannot be assigned to a NAT Gateway
- Outbound-only by design
- AWS-managed, regularly patched

⚠️ Consider:
- All private instances share the same public IP
- NACLs are needed for additional filtering
- Monitor CloudTrail for NAT Gateway changes
## PART 6: Knowledge checklist for the cert exam & interviews

### Core concepts

- [x] A NAT Gateway allows outbound-only Internet access
- [x] Must be deployed in a public subnet with an Elastic IP
- [x] AZ-resilient, not regionally resilient
- [x] Managed service, scales to 45 Gbps
- [x] 2 cost components: hourly + data processing

### Architecture design

- [x] Multi-AZ design: 1 NAT Gateway per AZ
- [x] A route table per AZ pointing to the NAT Gateway in the same AZ
- [x] Private instances → NAT Gateway → IGW → Internet
- [x] Cannot receive inbound connections from the Internet

### Frequently asked exam questions

- "Private instances need software updates; what do you use?"
- "Where is the NAT Gateway deployed: public or private subnet?"
- "Can 1 NAT Gateway cover multiple AZs?"
- "What components make up NAT Gateway pricing?"
- "Designing high availability for NAT, how many NAT Gateways are needed?"
## PART 7: NAT vs VPC Endpoints (cost optimization)

### When to use NAT vs VPC Endpoints?

🎯 Decision matrix:

Use a NAT Gateway for:
- ✅ General Internet access
- ✅ Software updates
- ✅ 3rd-party APIs
- ✅ Public services that have no VPC Endpoint

Use VPC Endpoints for:
- ✅ AWS services (S3, DynamoDB, SNS, ...)
- ✅ Cost optimization (many are free)
- ✅ Better security (traffic stays within AWS)
- ✅ Better performance (no Internet routing)
## PART 8: Troubleshooting common issues

### Common problems & solutions

🐛 "Private instance cannot reach the Internet"

Checklist:
1. ✅ Is the NAT Gateway in a public subnet?
2. ✅ Does the NAT Gateway have an Elastic IP?
3. ✅ Does the public subnet have an IGW route?
4. ✅ Does the private subnet have a NAT Gateway route?
5. ✅ Do the Security Groups allow outbound traffic?
6. ✅ Do the NACLs allow the traffic?
7. ✅ Is the NAT Gateway in the same AZ as the private subnet?
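To make items 1-4 and 7 of this checklist (and the same-AZ rule from 4.2/5.1) mechanical, here is an added Python check that is not part of the original page. The subnet, route-table and NAT Gateway data are constructed in the shape of EC2 `describe-*` responses, the resource ids are placeholders, and items 5-6 (Security Groups, NACLs) are deliberately out of scope.

```python
"""Automate items 1-4 and 7 of the checklist above, plus the same-AZ rule from 4.2/5.1,
over route-table data. The data is constructed here in the shape of EC2 describe-* output;
this is an added example, not AWS or project code. Items 5-6 (SG/NACL) are not covered."""

# Constructed sample VPC: NAT in the us-east-1a public subnet, two private subnets.
SUBNETS = {"subnet-pub-a": "us-east-1a", "subnet-priv-a": "us-east-1a",
           "subnet-priv-b": "us-east-1b"}            # subnet id -> AvailabilityZone
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "10.16.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0placeholder"}]},
    {"Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.16.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0placeholder"}]},
    {"Associations": [{"SubnetId": "subnet-priv-b"}],   # wrong: points at the NAT in 1a
     "Routes": [{"DestinationCidrBlock": "10.16.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0placeholder"}]},
]
NAT_GATEWAYS = {"nat-0placeholder": {"SubnetId": "subnet-pub-a",
                "NatGatewayAddresses": [{"AllocationId": "eipalloc-0placeholder"}]}}

def default_route(subnet_id, route_tables):
    """Return the 0.0.0.0/0 route of the table associated with subnet_id, or None."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return next((r for r in rt["Routes"]
                         if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
    return None

def check_private_subnet(subnet_id, subnets, route_tables, nat_gateways):
    """Return a list of findings; an empty list means checks 1-4 and 7 pass."""
    route = default_route(subnet_id, route_tables) or {}
    nat_id = route.get("NatGatewayId")
    if not nat_id:
        return ["4: private subnet has no 0.0.0.0/0 route to a NAT Gateway"]
    nat = nat_gateways.get(nat_id)
    if nat is None:
        return [f"4: default route points at unknown NAT Gateway {nat_id}"]
    findings = []
    if not any("AllocationId" in a for a in nat.get("NatGatewayAddresses", [])):
        findings.append("2: NAT Gateway has no Elastic IP")
    nat_route = default_route(nat["SubnetId"], route_tables) or {}
    if not str(nat_route.get("GatewayId", "")).startswith("igw-"):
        findings.append("1/3: NAT Gateway subnet is not public (no 0.0.0.0/0 -> igw- route)")
    nat_az, priv_az = subnets[nat["SubnetId"]], subnets[subnet_id]
    if nat_az != priv_az:
        findings.append(f"7: private subnet in {priv_az} uses a NAT Gateway in {nat_az}")
    return findings
```

With the constructed data, `subnet-priv-a` passes and `subnet-priv-b` is flagged for the cross-AZ route, the exact misconfiguration the single-AZ warning in 4.2 describes.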
## PART 9: Summary

- NAT Gateway = managed solution for outbound Internet access
- AZ-resilient; needs a multi-AZ design for HA
- Cost: hourly + data processing
- Deployed in a public subnet, needs an Elastic IP
- Cannot receive inbound connections
- Combine with VPC Endpoints to optimize cost

Next up: demo implementing a NAT Gateway in the Animals4Life VPC!

Remember: the NAT Gateway is an essential component of every production VPC with private subnets. Understand the multi-AZ design and the cost implications!