AWS-EC2-Managed-NAT-Gateway-In-Use

Severity : High

Description: This control ensures that instances in a private VPC use a NAT gateway, rather than a NAT instance, to connect to destinations outside the VPC. AWS recommends migrating to the NAT gateway service if a NAT AMI is in use. NAT gateways provide better availability and higher bandwidth, and require less administrative effort. If you are using a NAT instance, it is recommended that you replace it with a NAT gateway. A NAT gateway can be created in the same subnet as the NAT instance; the existing route in the route table that points to the NAT instance is then replaced with a route that points to the NAT gateway.

Remediation Steps:

Perform the following to configure a NAT gateway:

  1. Login to the AWS Management Console at https://console.aws.amazon.com/.

  2. In the navigation pane, go to VPC.

  3. Select NAT Gateways.

  4. Choose Create NAT Gateway. Configure the following:

    1. A name for the NAT gateway.

    2. Select the subnet in which to create the NAT gateway.

    3. For Connectivity type, select Private to create a private NAT gateway or Public to create a public NAT gateway.

    4. For Public NAT Gateway Elastic IP allocation ID, select an Elastic IP address to associate with the NAT gateway.

    5. Choose Add new tag and enter the key name and value.

    6. Choose Create a NAT Gateway.

  5. When the NAT gateway status changes to available, update the VPC outbound routes so that the NAT gateway is the Target.
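As an added audit example (not part of this control or of Blue Hexagon's tooling), the script below scans a DescribeRouteTables-shaped response for default routes that still target an instance ID, which is how a NAT instance is wired in, and builds the aws ec2 replace-route call that step 5 performs in the console. The resource IDs are constructed placeholders.

```python
from typing import Dict, List

# Constructed sample mirroring the EC2 DescribeRouteTables response shape.
# A NAT instance appears as a route target via InstanceId; a NAT gateway via NatGatewayId.
SAMPLE_ROUTE_TABLES = {
    "RouteTables": [
        {   # private subnet still egressing through a NAT instance (non-compliant)
            "RouteTableId": "rtb-0aaa111",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0nat0instance", "State": "active"},
            ],
        },
        {   # private subnet already using a NAT gateway (compliant)
            "RouteTableId": "rtb-0bbb222",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0ccc333", "State": "active"},
            ],
        },
        {   # public subnet via an internet gateway: out of scope for this control
            "RouteTableId": "rtb-0ddd444",
            "Routes": [
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0eee555", "State": "active"},
            ],
        },
    ]
}


def find_nat_instance_routes(response: Dict) -> List[Dict]:
    """Return one finding per default route (0.0.0.0/0) whose target is an EC2 instance."""
    findings = []
    for table in response.get("RouteTables", []):
        for route in table.get("Routes", []):
            # Only the default route matters here: it is what sends private-subnet
            # traffic out of the VPC. An InstanceId target is the NAT-instance pattern.
            if route.get("DestinationCidrBlock") == "0.0.0.0/0" and "InstanceId" in route:
                findings.append({"route_table_id": table["RouteTableId"],
                                 "instance_id": route["InstanceId"],
                                 "cidr": route["DestinationCidrBlock"]})
    return findings


def replace_route_command(finding: Dict, nat_gateway_id: str) -> str:
    """Build the AWS CLI call that swaps the NAT-instance route for the NAT gateway."""
    return (f"aws ec2 replace-route --route-table-id {finding['route_table_id']} "
            f"--destination-cidr-block {finding['cidr']} --nat-gateway-id {nat_gateway_id}")


if __name__ == "__main__":
    for f in find_nat_instance_routes(SAMPLE_ROUTE_TABLES):
        print(f"{f['route_table_id']} routes {f['cidr']} to NAT instance {f['instance_id']}")
        print("  remediate:", replace_route_command(f, "nat-0ccc333"))
```

Run the audit only after the new NAT gateway reports the available state, since replace-route against a pending gateway will leave the subnet without working egress until it is ready.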

Important:

  • Your NAT instance quota depends on your instance quota for the Region.

  • NAT is not supported for IPv6 traffic.

  • Traffic cannot route to a NAT gateway through a VPC peering connection, a Site-to-Site VPN connection, or AWS Direct Connect.

Reference:

Blue Hexagon Proprietary