
I have one VPC where I configured a NAT Gateway. The other VPC(s) do not have any "public subnet" nor an IGW. I would like to share a single NAT Gateway among many VPCs. I tried to configure the routing table, but it does not allow specifying a NAT Gateway from a different VPC. As a possible solution, I installed an HTTP/S proxy in the VPC with the IGW and configured proxy settings on every instance in the other VPCs. It worked, but I would like to use the NAT Gateway due to easier management. Is it possible to make this kind of configuration on AWS? There are a few VPCs and I do not want to add a NAT Gateway to each VPC.

Zdenko


2 Answers


You can't share a NAT Gateway among multiple VPCs.

To access a resource in another VPC without crossing over the Internet and back requires VPC peering or another type of VPC-to-VPC VPN, and these arrangements do not allow transit traffic, for very good reasons. Hence:

You cannot route traffic to a NAT gateway through a VPC peering connection, a VPN connection, or AWS Direct Connect. A NAT gateway cannot be used by resources on the other side of these connections.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html#nat-gateway-other-services

The instances in the originating VPC are, by definition, "on the other side of" one of the listed interconnection arrangements.


AWS Transit Gateway now provides an option to do what you wish, although you will want to consider the costs involved -- there are hourly and data charges. There is a reference architecture published in which multiple VPCs share a NAT gateway without allowing traffic between the VPCs:

https://aws.amazon.com/blogs/networking-and-content-delivery/creating-a-single-internet-exit-point-from-multiple-vpcs-using-aws-transit-gateway/
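The routing design behind that reference architecture is easy to get subtly wrong (a spoke-to-spoke route left in the Transit Gateway table, or a missing return route in the NAT gateway's subnet), so here is a small route-table simulator as an added example. It is not code from either answer or from the AWS blog post; the VPC names, CIDRs and route-table contents are constructed assumptions. Each forwarding point (a subnet route table, a Transit Gateway route table, the NAT gateway) is a node with longest-prefix-match routes, and `trace()` walks a destination address through them. It shows the three properties the design must have: a spoke reaches the Internet only through the egress VPC's NAT gateway, spoke-to-spoke traffic is blackholed at the Transit Gateway, and the NAT gateway's subnet can return replies to each spoke.

```python
import ipaddress

# Constructed topology: these CIDRs and node names are assumptions for illustration,
# not values from the question, the answers or the AWS blog post.
SPOKE_A = "10.1.0.0/16"   # spoke VPC with no IGW and no NAT gateway
SPOKE_B = "10.2.0.0/16"   # second spoke VPC, same situation
EGRESS = "10.0.0.0/16"    # the one VPC that owns the IGW and the NAT gateway

# Every forwarding point is a node holding (prefix, next_node) routes.
# Terminal next_nodes: "local" (delivered inside the VPC), "internet", "blackhole" (dropped).
NODES = {
    # Spoke private subnets: everything non-local goes to the Transit Gateway attachment.
    "spoke-a-subnet": [(SPOKE_A, "local"), ("0.0.0.0/0", "tgw-spoke-rt")],
    "spoke-b-subnet": [(SPOKE_B, "local"), ("0.0.0.0/0", "tgw-spoke-rt")],
    # TGW route table associated with the spoke attachments: only the egress VPC is
    # reachable; the spoke prefixes are blackholed so spokes cannot talk to each other.
    "tgw-spoke-rt": [(SPOKE_A, "blackhole"), (SPOKE_B, "blackhole"),
                     ("0.0.0.0/0", "egress-private-subnet")],
    # Egress VPC subnet where the TGW attachment lands: default route to the NAT gateway.
    "egress-private-subnet": [(EGRESS, "local"), ("0.0.0.0/0", "nat-gw")],
    # The NAT gateway forwards through the route table of the public subnet it sits in.
    "nat-gw": [("0.0.0.0/0", "egress-public-subnet")],
    # Public subnet: default to the IGW, plus return routes for each spoke CIDR via the TGW.
    "egress-public-subnet": [(EGRESS, "local"), (SPOKE_A, "tgw-egress-rt"),
                             (SPOKE_B, "tgw-egress-rt"), ("0.0.0.0/0", "igw")],
    # TGW route table associated with the egress VPC attachment: knows every spoke.
    "tgw-egress-rt": [(SPOKE_A, "spoke-a-subnet"), (SPOKE_B, "spoke-b-subnet")],
    "igw": [("0.0.0.0/0", "internet")],
}

TERMINAL = {"local", "internet", "blackhole"}


def lookup(node, dest):
    """Longest-prefix match of dest against the node's routes; no match means drop."""
    addr = ipaddress.ip_address(dest)
    best_net, best_target = None, "blackhole"
    for prefix, target in NODES[node]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def trace(start, dest, max_hops=16):
    """Return the list of nodes a packet for dest traverses, starting at node `start`."""
    path = [start]
    node = start
    for _ in range(max_hops):
        nxt = lookup(node, dest)
        path.append(nxt)
        if nxt in TERMINAL:
            return path
        node = nxt
    raise RuntimeError("routing loop between %s" % " -> ".join(path))


def spokes_isolated():
    """True when neither spoke can reach the other's CIDR through the Transit Gateway."""
    return (trace("spoke-a-subnet", "10.2.0.5")[-1] == "blackhole"
            and trace("spoke-b-subnet", "10.1.0.5")[-1] == "blackhole")


if __name__ == "__main__":
    # 198.51.100.10 is a documentation (TEST-NET-2) address standing in for "the Internet".
    print("spoke A -> internet:", " -> ".join(trace("spoke-a-subnet", "198.51.100.10")))
    print("spoke A -> spoke B :", " -> ".join(trace("spoke-a-subnet", "10.2.0.5")))
    print("NAT reply -> spoke A:", " -> ".join(trace("nat-gw", "10.1.0.5")))
    print("spokes isolated:", spokes_isolated())
```

If you remove the blackhole entries from `tgw-spoke-rt`, the spoke-to-spoke trace no longer ends in `blackhole` but in `local` inside the other spoke, which is exactly the transit path the reference architecture is meant to prevent; if you drop the spoke routes from `egress-public-subnet`, the reply trace from the NAT gateway ends at the IGW instead of the spoke, and return traffic is lost. Those two checks are worth automating against the real route tables (for example, by comparing `describe-route-tables` and `describe-transit-gateway-route-tables` output against the intended model) whenever a new spoke VPC is attached.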