Overview of NAT Instances in AWS
- Definition: NAT stands for Network Address Translation. NAT instances allow Amazon EC2 instances in private subnets to connect to the Internet or other AWS services while preventing the Internet from initiating connections with those instances.
- Outdated but Exam Relevant: While NAT instances are considered obsolete and replaced mainly by NAT gateways for better efficiency and reliability, they might still appear on AWS certification exams.
How NAT Instances Work
- Location: Must be launched in a public subnet so it can relay traffic between the private subnets and the Internet.
- IP Addressing: Requires a fixed Elastic IP attached to it for internet connectivity.
- Source/Destination Check: This setting must be turned off for the NAT instance to function correctly because NAT instances modify the source and destination IP addresses of traffic passing through them.
- Security Groups: Must be correctly configured to allow desired inbound and outbound traffic.
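How those four requirements translate into API calls, as an added Python example (boto3 call names and parameters are the real ones, but the script is not AWS's own tooling). It assumes the instance has already been launched in the public subnet and that the private subnet's route table should send 0.0.0.0/0 to the NAT instance; the notes above do not cover routing, so that step is an assumption. The ids `i-0example`, `rtb-0example` and `sg-0example` are placeholders, `10.0.2.0/24` is a constructed private-subnet CIDR, and `RecordingEc2` is a constructed dry-run stand-in so the script runs without an account; pass `boto3.client("ec2")` instead to execute the calls.

```python
"""Configure an existing EC2 instance as a NAT instance (added example, boto3 call names are real).

RecordingEc2 is a constructed dry-run client that only records the calls it would make;
pass boto3.client("ec2") in its place to apply the changes to a real account.
"""

PRIVATE_SUBNET_CIDR = "10.0.2.0/24"   # constructed value for the private subnet


class RecordingEc2:
    """Dry-run stand-in for boto3's EC2 client (constructed, not a real AWS API)."""

    def __init__(self):
        self.calls = []
        self.source_dest_check = True   # EC2's default for a freshly launched instance

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            if name == "modify_instance_attribute":
                self.source_dest_check = kwargs["SourceDestCheck"]["Value"]
            if name == "describe_instance_attribute":
                return {"SourceDestCheck": {"Value": self.source_dest_check}}
            if name == "allocate_address":
                return {"AllocationId": "eipalloc-0example", "PublicIp": "203.0.113.5"}
            return {}
        return call


def disable_source_dest_check(ec2, instance_id):
    """Turn the check off, then read it back; a NAT that still has it on silently drops forwarded traffic."""
    ec2.modify_instance_attribute(InstanceId=instance_id, SourceDestCheck={"Value": False})
    attr = ec2.describe_instance_attribute(InstanceId=instance_id, Attribute="sourceDestCheck")
    return attr["SourceDestCheck"]["Value"]


def attach_elastic_ip(ec2, instance_id):
    """Allocate a fixed Elastic IP and bind it to the instance; returns (allocation id, public ip)."""
    alloc = ec2.allocate_address(Domain="vpc")
    ec2.associate_address(InstanceId=instance_id, AllocationId=alloc["AllocationId"])
    return alloc["AllocationId"], alloc["PublicIp"]


def route_private_subnet_via_nat(ec2, private_route_table_id, instance_id):
    """Point the private subnet's default route at the NAT instance (assumed routing, see lead-in)."""
    ec2.create_route(RouteTableId=private_route_table_id,
                     DestinationCidrBlock="0.0.0.0/0", InstanceId=instance_id)


def nat_security_group_rules(private_cidr):
    """Least-privilege rule set: accept only from the private subnet, send only web traffic out."""
    def tcp(port, cidr):
        return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                "IpRanges": [{"CidrIp": cidr}]}
    ingress = [tcp(80, private_cidr), tcp(443, private_cidr)]
    egress = [tcp(80, "0.0.0.0/0"), tcp(443, "0.0.0.0/0")]
    return ingress, egress


def apply_security_group(ec2, group_id, private_cidr):
    """Remove the permissive default egress rule, then install the NAT rule set; returns the rule count."""
    ingress, egress = nat_security_group_rules(private_cidr)
    # A new security group allows all outbound traffic; revoke that so the egress list is the whole policy.
    ec2.revoke_security_group_egress(
        GroupId=group_id, IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=ingress)
    ec2.authorize_security_group_egress(GroupId=group_id, IpPermissions=egress)
    return len(ingress) + len(egress)


def configure_nat_instance(ec2, instance_id, private_route_table_id, group_id,
                           private_cidr=PRIVATE_SUBNET_CIDR):
    """Run all four steps; returns a summary a deployment script can check."""
    check = disable_source_dest_check(ec2, instance_id)
    alloc_id, public_ip = attach_elastic_ip(ec2, instance_id)
    route_private_subnet_via_nat(ec2, private_route_table_id, instance_id)
    rules = apply_security_group(ec2, group_id, private_cidr)
    return {"source_dest_check": check, "elastic_ip": public_ip,
            "allocation_id": alloc_id, "rules": rules}


if __name__ == "__main__":
    # Dry run with placeholder ids; swap RecordingEc2() for boto3.client("ec2") to apply for real.
    client = RecordingEc2()
    print(configure_nat_instance(client, "i-0example", "rtb-0example", "sg-0example"))
    for name, kwargs in client.calls:
        print(name, kwargs)
```

The read-back in `disable_source_dest_check` is the check worth keeping in any deployment script: a NAT instance with the attribute still on does not fail loudly, it just drops every forwarded packet. The egress revoke matters for the same reason the notes call out manual security-group management: a group's default outbound rule is allow-all, so adding egress rules without removing it restricts nothing.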
Connectivity Flow
- An EC2 instance in a private subnet initiates a connection to a public server.
- The connection request is routed to a NAT instance in a public subnet.
- The NAT instance, which has an Elastic IP, rewrites the packet's source IP address from the private IP of the EC2 instance to the NAT instance's public IP.
- The public server responds to the NAT instance's public IP.
- The NAT instance then forwards the response to the original EC2 instance in the private subnet.
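The five steps above, plus the source/destination check from the previous section, as an added Python model that is not part of the original notes and not AWS code. The addresses are constructed documentation-range values: 10.0.2.10 for the private EC2 instance, 10.0.1.5 and 203.0.113.5 for the NAT instance's private and Elastic IP, 198.51.100.7 for the public server. One simplification: in AWS the Internet Gateway maps the Elastic IP onto the NAT instance's private address, so the instance itself never sees the Elastic IP on its interface; the model treats both as the NAT instance's own addresses.

```python
"""Model of the packet rewriting a NAT instance performs (added illustration, not AWS code)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatInstance:
    """The NAT instance's own addresses and its translation table."""

    def __init__(self, private_ip, elastic_ip, source_dest_check=False):
        self.private_ip = private_ip          # its address inside the public subnet
        self.elastic_ip = elastic_ip          # the fixed public address replies come back to
        self.source_dest_check = source_dest_check
        self._next_port = 40000
        self.table = {}   # public port -> (private ip, private port, remote ip, remote port)

    def _own(self, ip):
        return ip in (self.private_ip, self.elastic_ip)

    def _passes_check(self, pkt):
        # With the EC2 source/destination check on, a packet the instance is neither the
        # source nor the destination of is dropped. Every forwarded packet is exactly that.
        return not self.source_dest_check or self._own(pkt.src_ip) or self._own(pkt.dst_ip)

    def outbound(self, pkt):
        """Steps 2-3: a packet from the private subnet arrives; rewrite its source to the Elastic IP."""
        if not self._passes_check(pkt):        # checked as received, before rewriting
            return None
        port = self._next_port
        self._next_port += 1
        self.table[port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return replace(pkt, src_ip=self.elastic_ip, src_port=port)

    def inbound(self, pkt):
        """Steps 4-5: a packet from the Internet; forward it only if it answers an existing mapping."""
        if pkt.dst_ip != self.elastic_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None                         # unsolicited: no private instance asked for this
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                         # a reply must come from the peer the mapping was made for
        forwarded = replace(pkt, dst_ip=priv_ip, dst_port=priv_port)
        return forwarded if self._passes_check(forwarded) else None   # checked as sent


def run_flow(source_dest_check=False):
    """Walk the five connectivity steps with constructed documentation-range addresses."""
    nat = NatInstance(private_ip="10.0.1.5", elastic_ip="203.0.113.5",
                      source_dest_check=source_dest_check)
    request = Packet("10.0.2.10", 51234, "198.51.100.7", 443, "GET /")   # step 1
    translated = nat.outbound(request)                                    # steps 2-3
    if translated is None:
        return {"outbound": None, "reply": None, "unsolicited": None}
    # Step 4: the public server answers the NAT instance's Elastic IP, never the private address.
    reply = Packet(translated.dst_ip, translated.dst_port,
                   translated.src_ip, translated.src_port, "200 OK")
    delivered = nat.inbound(reply)                                        # step 5
    # A connection the Internet initiates has no mapping, so the NAT instance drops it.
    unsolicited = Packet("192.0.2.99", 4444, nat.elastic_ip, 443, "SYN")
    return {"outbound": translated, "reply": delivered, "unsolicited": nat.inbound(unsolicited)}


if __name__ == "__main__":
    for name, pkt in run_flow().items():
        print(f"{name:12s} {pkt}")
    print("with source/dest check on:", run_flow(source_dest_check=True))
```

Running it with the check on shows the failure mode the notes warn about: the outbound request is dropped on arrival and nothing ever reaches the Internet, and even a mapping created earlier stops working because the forwarded reply is dropped on the way out.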

Considerations for NAT Instances
- Amazon Linux AMI: There's a pre-configured Amazon Linux AMI for setting up NAT instances, but it reached the end of standard support on December 31, 2020.
- High Availability and Resilience: NAT instances are not inherently highly available or resilient. Setting up high availability involves creating multiple NAT instances across different availability zones and using auto-scaling groups and user-data scripts.
- Instance Size and Bandwidth: The bandwidth is contingent on the size of the NAT instance. Larger instance types provide more bandwidth.
- Security Groups: Must be managed manually, including configuring rules for inbound and outbound traffic.