I need to migrate from a NAT instance to a NAT gateway, and I want the migration done with minimal downtime.
Short description
Before you migrate from a NAT instance to a NAT gateway, review the following configuration details:
Elastic IP addresses
Don't assign the NAT gateway an Elastic IP address that's still associated with the NAT instance. If external clients allow-list your current Elastic IP address, a new Elastic IP address might not be recognized by them.
NAT gateway limitations
A NAT gateway can't perform functions such as port forwarding, running custom scripts, offering VPN services, or acting as a bastion host. Inbound connections from the internet to the NAT gateway aren't allowed.
Security groups
Review your NAT instance security groups and your network access control lists (network ACLs) before migration. On the NAT instance, you use security groups on the instance and network ACLs on its subnet to control traffic to and from the NAT subnet. A NAT gateway doesn't have security groups, so a network ACL is the only way to control traffic to and from the subnet where the NAT gateway is located.
Multiple Availability Zones
If your current NAT instances provide high availability across Availability Zones (AZs), then create a Multi-Availability Zone (Multi-AZ) architecture. To do so, create a NAT gateway in each Availability Zone. Then, configure the route tables of the private subnets in each Availability Zone to use the NAT gateway in that same Availability Zone. Multi-AZ is useful if you want to avoid charges for inter-Availability Zone traffic.
Tasks that run through the NAT instance
If you have tasks that run through the NAT instance, then their existing connections are dropped during migration. After you change the route that points to the NAT instance, the connections must be reestablished.
Test individual NAT migrations
If your architecture lets you test instance migrations individually, then migrate one NAT instance to a NAT gateway first. Check connectivity before you migrate the other instances.
Port requirements
You must allow return traffic to ports 1024-65535 because the NAT gateway uses these as source ports. For more information, see Example: VPC with servers in private subnets and NAT.
Resolution
- Disassociate an Elastic IP address from the existing NAT instance.
- Create a NAT gateway in the public subnet of the NAT instance that you want to replace. You can use the disassociated Elastic IP address or a new Elastic IP address.
- Review the route tables that refer to the NAT instance or to the elastic network interface of the NAT instance. Then, edit the route to point to the newly created NAT gateway instead.
Note: Repeat this process for every NAT instance and subnet that you want to migrate.
- Access one of the Amazon Elastic Compute Cloud (Amazon EC2) instances in the private subnet, and then verify connectivity to the internet.
After you migrate to the NAT gateway and verify connectivity, you can terminate the NAT instances.
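The four steps above as AWS CLI shell functions, added here as an example that is not part of the original article. It assumes the CLI is configured for the target account and region; the instance, subnet and Elastic IP ids in the final comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): migrate one NAT instance to a NAT
# gateway with the AWS CLI, following the steps above. Assumes the CLI is
# configured for the right account and region; the ids are placeholders.
set -eu
AWS="${AWS:-aws}"   # command to run; point it at a stub to dry-run

# Step 1: disassociate the Elastic IP from the NAT instance and print its
# allocation id so the same address can be reused on the gateway.
disassociate_nat_instance_eip() {   # <nat-instance-id>
  addr=$("$AWS" ec2 describe-addresses --filters "Name=instance-id,Values=$1" \
         --query 'Addresses[0].[AllocationId,AssociationId]' --output text)
  set -- $addr    # $1 is now the allocation id, $2 the association id
  "$AWS" ec2 disassociate-address --association-id "$2" >/dev/null
  echo "$1"
}

# Step 2: create the gateway in the NAT instance's public subnet and wait
# until it is available before touching any route.
create_nat_gateway() {   # <public-subnet-id> <allocation-id>
  ngw=$("$AWS" ec2 create-nat-gateway --subnet-id "$1" --allocation-id "$2" \
        --query 'NatGateway.NatGatewayId' --output text)
  "$AWS" ec2 wait nat-gateway-available --nat-gateway-ids "$ngw"
  echo "$ngw"
}

# Step 3: repoint the default route of every route table that still targets
# the NAT instance. Connections in flight through the instance drop here.
repoint_routes() {   # <nat-instance-id> <nat-gateway-id>
  for rtb in $("$AWS" ec2 describe-route-tables \
               --filters "Name=route.instance-id,Values=$1" \
               --query 'RouteTables[].RouteTableId' --output text); do
    "$AWS" ec2 replace-route --route-table-id "$rtb" \
      --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$2"
    echo "$rtb"
  done
}

# Step 4: run from an EC2 instance in a private subnet. The address printed
# must be the gateway's Elastic IP, which proves egress takes the new path.
verify_egress() { curl -sS --max-time 10 https://checkip.amazonaws.com; }

migrate_nat_instance() {   # <nat-instance-id> <public-subnet-id>
  alloc=$(disassociate_nat_instance_eip "$1")
  ngw=$(create_nat_gateway "$2" "$alloc")
  repoint_routes "$1" "$ngw"
  echo "Verify egress from a private instance, then terminate $1"
}
# migrate_nat_instance i-0123456789abcdef0 subnet-0123456789abcdef0
```

Only the 0.0.0.0/0 route is replaced; if a table routes other prefixes through the instance, edit those the same way before terminating it.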
Related information
Compare NAT gateways and NAT instances
Migrate from a NAT instance to a NAT gateway
NAT gateways
How do I set up a NAT gateway for a private subnet in Amazon VPC?
Troubleshoot NAT gateways