NAT gateway is a gateway device and performs NAT for outbound traffic. Every private subnet needs a NAT gateway to access the internet. In most cases, it is a good idea to have 2 or more NAT gateways in a VPC, diverse across AZs. That gives the maximum redundancy. In some cases, keeping cost to the minimal may be a priority. If you already have multiple VPCs connected through Transit Gateway, we can leverage that and share one NAT gateway with other VPCs.
Let’s dive right in. The follow diagram illustrates how we can share a NAT gateway with multiple VPCs connected by Transit Gateway.
In this example, a dedicated Egress VPC is created for handling outbound traffic. Resources in project VPCs will utilize the NAT gateway in Egress VPC to access the Internet.
Once the VPCs are connected with Transit Gateway and a NAT gateway is deployed in EgressVPC, route tables need to be updated. On EgressVPC, create static routes for the private subnets, route the CIDR for Project VPCs to transit gateway.
On the transit gateway route table, add a default route and send packets to the EgressVPC attachment.
For inbound traffic, an Internet Gateway is still needed for each VPC. IGW are provided at no additional cost, just the traffic is on the meter.
For more information on AWS NAT gateway, please visit AWS documentation. Also, AWS has recently introduced Private NAT Gateway and removes the need to have an Internet Gateway in the VPC.
