How NAT Gateways work
Network Address Translation (NAT) is a cornerstone of modern networking: it lets hosts that only have private addresses reach the public internet. NAT gateways, particularly in cloud environments, have become a critical managed service for handling outbound traffic from private resources. In this article, we’ll take a detailed look at how NAT gateways operate, explore their components, and provide examples to illustrate their functionality.
The Basics of NAT Gateways
At its core, a NAT gateway acts as a middleman between private subnets in a Virtual Private Cloud (VPC) and external networks such as the internet. For each outbound connection it rewrites the private source IP address to one of its own public IP addresses, and rewrites the destination of the matching reply back to the private address. Private resources can therefore send requests and receive the responses without their private IP addresses ever appearing on the public internet, and, because only traffic they initiated is mapped back, the gateway does not accept unsolicited inbound connections.
Check out our article here on how to Reduce NAT Gateway costs and the alternatives.
Understanding RFC 1918 and Private IP Addressing
To understand NAT gateways fully, it’s important to know about RFC 1918 and the concept of private IP addresses.
What Is RFC 1918?
RFC 1918 is a document published by the Internet Engineering Task Force (IETF) as Best Current Practice 5 (BCP 5). It specifies ranges of IP addresses reserved for use inside private networks. These addresses are not routed on the public internet, so devices using them cannot communicate with public hosts without translation (e.g., via a NAT gateway).
The RFC 1918 private IP ranges are:
- 10.0.0.0/8: Includes addresses from 10.0.0.0 to 10.255.255.255 (ideal for large networks).
- 172.16.0.0/12: Includes addresses from 172.16.0.0 to 172.31.255.255 (commonly used in medium-sized networks).
- 192.168.0.0/16: Includes addresses from 192.168.0.0 to 192.168.255.255 (popular for home and small business networks).
These private address spaces allow organizations to create internal networks without conflicting with public IP addresses. However, because they are not routable on the internet, a mechanism like NAT is required to enable communication with external networks.
Reserved Nature of RFC 1918 Addresses
RFC 1918 addresses are reserved explicitly for internal use and are never assigned or advertised on the public internet. Many organizations therefore use the same ranges at the same time without interfering with each other, because the addresses are only meaningful inside each network. Overlap becomes a problem only when two such networks are joined directly, for example through VPC peering or a site-to-site VPN, which is why address planning matters even for private ranges.
Public IPv4 Address Exhaustion
The pool of public IPv4 addresses is finite, consisting of approximately 4.3 billion unique IPs. Over the years, this space has been depleted due to the rapid growth of internet-connected devices. IPv4 exhaustion led to the introduction of IPv6, but IPv4 is still widely in use. This scarcity has made public IPv4 addresses valuable, with costs increasing for acquiring them. NAT gateways play a crucial role in addressing this limitation by allowing organizations to use a single public IP to represent many private resources, conserving public IP addresses and enabling efficient use of the limited space.
Routable vs. Non-Routable IP Addresses
- Private (Non-Routable) IP Addresses: These are used within private networks and cannot be reached directly from the public internet. Examples include 10.0.0.5 and 192.168.1.1.
- Public (Routable) IP Addresses: These are globally unique and assigned by Internet Service Providers (ISPs) or cloud providers to devices that need to be reachable on the internet. The examples used in this article, such as 203.0.113.1 and 198.51.100.5, come from the documentation ranges reserved by RFC 5737 and stand in for real public addresses.
NAT bridges the gap between these two types of addresses, enabling private resources to communicate with the internet while preserving their private IP structure internally.
How NAT Gateways Perform Translation
NAT gateways rely on Source Network Address Translation (SNAT), more precisely its port-based variant (NAPT, also called PAT), because many private addresses share one public address. Here’s how it works step-by-step:
- Source IP Address Translation:
  - A resource in a private subnet (e.g., a virtual machine with IP 10.0.1.5) initiates an outbound request, such as downloading updates or calling an API.
  - The request reaches the NAT gateway, which replaces the source private IP (10.0.1.5) with a public IP address (e.g., 203.0.113.1). This public IP is assigned to the NAT gateway.
- Port Mapping:
  - To keep connections from different resources apart, the NAT gateway also rewrites the source port and records the mapping in a translation table. For example, the request from 10.0.1.5:5000 might be translated to 203.0.113.1:45000. The table entry is keyed on the whole connection (protocol, private IP and port, destination IP and port), so the chosen public port needs to be unique only among connections to the same destination.
- Outbound Traffic:
  - The NAT gateway forwards the request to the destination server (e.g., example.com). From the server’s perspective, the request appears to originate from the public IP of the NAT gateway (203.0.113.1).
- Inbound Response Handling:
  - When the destination server responds, it sends the data back to the NAT gateway’s public IP and the assigned port (e.g., 203.0.113.1:45000).
  - The NAT gateway looks up the entry in its mapping table, restores the original private IP (10.0.1.5) and port (5000), and forwards the response to the appropriate resource. A packet that arrives at the public IP without a matching entry, for instance an internet host probing the gateway’s ports, is simply dropped.
Entries are created only by outbound traffic and are removed when a connection closes or goes idle (AWS, for example, times out connections after 350 seconds without traffic). This process keeps the internal addressing hidden and ensures that only replies to connections opened from inside reach the private network.
Routing and VPC/VNet Route Tables
NAT gateways rely on proper routing configurations within the VPC or VNet. Route tables direct traffic from private subnets to the NAT gateway. A private subnet’s route table includes a default route (0.0.0.0/0) whose target is the NAT gateway; in AWS the target is the NAT gateway’s ID, while in Azure a NAT gateway is associated directly with the subnet and takes precedence over the platform’s default internet route. Any traffic destined for addresses outside the VPC is then forwarded to the NAT gateway for translation. Two details matter in practice:
- Routing is longest-prefix match, so the more specific local route for the VPC’s own CIDR always wins over 0.0.0.0/0: traffic between subnets of the same VPC never passes through the NAT gateway.
- The NAT gateway itself lives in a public subnet, and that subnet’s route table must send 0.0.0.0/0 to an internet gateway. If it pointed back at the NAT gateway, the translated packets would have no path to the internet.
Example Configuration:
- Private Subnet Route Table: 10.0.0.0/16 -> local, 0.0.0.0/0 -> NAT gateway.
- Public Subnet Route Table (where the NAT gateway sits): 10.0.0.0/16 -> local, 0.0.0.0/0 -> internet gateway.
- Private Subnet: Instances in this subnet use the private route table, so all their internet-bound traffic leaves through the NAT gateway.
This routing setup lets private resources communicate with external networks while keeping them unreachable from the internet.
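The route lookups just described, as an added example that is not any cloud provider’s routing code: a longest-prefix-match over constructed route tables for a 10.0.0.0/16 VPC, plus a trace of the two routing decisions an internet-bound packet goes through (the private subnet’s table, then the table of the subnet that hosts the NAT gateway). The tables and the target IDs nat-0a1b2c3d, igw-0a1b2c3d and vgw-0a1b2c3d are invented for illustration.

```python
"""Longest-prefix-match route lookup over VPC-style route tables.
Added example, not any cloud provider's routing code. Tables and target
IDs are constructed for illustration."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]   # (destination CIDR, target)

# Constructed route tables for a 10.0.0.0/16 VPC (assumed IDs).
PRIVATE_RT: List[Route] = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0a1b2c3d")]
PUBLIC_RT: List[Route] = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0a1b2c3d")]
# Misconfigured public table: the NAT gateway's own subnet sends internet traffic back to it.
BROKEN_PUBLIC_RT: List[Route] = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0a1b2c3d")]
# Private table with no default route: no egress at all.
ISOLATED_RT: List[Route] = [("10.0.0.0/16", "local")]


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Target of the most specific route covering dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best_len, best_target = -1, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:      # longer prefix wins
            best_len, best_target = net.prefixlen, target
    return best_target


def egress_path(private_rt: List[Route], public_rt: List[Route], dst: str) -> list:
    """Trace the routing decisions for a packet leaving a private-subnet host toward dst.

    A packet handed to the NAT gateway is translated and then routed again by the
    route table of the NAT gateway's (public) subnet, which must reach an internet gateway.
    """
    first = lookup(private_rt, dst)
    if first is None or not first.startswith("nat-"):
        return [first]                    # local, a VPN/peering target, or unroutable (None)
    second = lookup(public_rt, dst)
    path = [first, second]
    if second == first:
        path.append("LOOP")               # modelled outcome: the NAT gateway is its own next hop
    elif second is None or not second.startswith("igw-"):
        path.append("BLACKHOLE")          # translated packets have no way out
    return path


if __name__ == "__main__":
    for dst in ("10.0.2.5", "203.0.113.50"):
        print(dst, "->", egress_path(PRIVATE_RT, PUBLIC_RT, dst))
    print("misconfigured:", egress_path(PRIVATE_RT, BROKEN_PUBLIC_RT, "203.0.113.50"))
    print("on-prem via VPN:", lookup(PRIVATE_RT + [("192.168.0.0/16", "vgw-0a1b2c3d")], "192.168.1.1"))
```

The intra-VPC destination resolves to local and never touches the NAT gateway, the internet destination goes NAT gateway then internet gateway, and the broken public table is flagged as a loop. Adding a 192.168.0.0/16 route to a VPN gateway shows why longest-prefix match matters: that on-premises traffic is steered away from the default route even though 0.0.0.0/0 also covers it.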
An Example of NAT Gateway Operation with DNS Resolution
Let’s break down a detailed example of how a virtual machine connects to api.example.com:
- DHCP and DNS Setup: The VM in the private subnet receives its IP address, default gateway, and DNS server information via DHCP. In AWS, the DNS server is the Amazon-provided resolver (AmazonProvidedDNS), reachable at the VPC’s base address plus two (for example 10.0.0.2 in a 10.0.0.0/16 VPC) or at 169.254.169.253. In Azure, it is the platform resolver at 168.63.129.16.
- DNS Resolution: The VM sends a DNS query to resolve api.example.com. The query goes to the provider’s resolver inside the VPC, so it does not pass through the NAT gateway. The resolver responds with the public IP address of the API server (e.g., 203.0.113.50).
- Outbound Request: The VM sends an HTTPS request from 10.0.0.10:3000 to 203.0.113.50:443.
- Routing: 203.0.113.50 is outside the VPC’s CIDR, so the route table’s default route forwards the packet to the NAT gateway.
- NAT Translation: The NAT gateway translates the source IP (10.0.0.10) to its public IP (198.51.100.1), assigns an available port (e.g., 45001), and records the mapping.
- Response Handling: The API server responds to 198.51.100.1:45001. The NAT gateway maps this back to 10.0.0.10:3000 and forwards the response to the VM.
This combination of DHCP, DNS resolution, routing, and NAT lets the private VM talk to the external API server while the VM’s own address is never exposed. Note that the API server only ever sees 198.51.100.1; if it allow-lists client IPs, every VM behind this NAT gateway is covered by that one entry.
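The translation steps from "How NAT Gateways Perform Translation" and the api.example.com walkthrough above, traced in code. This is an added example, not the implementation of AWS, Azure or any other provider’s NAT gateway: a small NAPT table using the walkthrough’s addresses (10.0.0.10:3000 to 203.0.113.50:443 behind 198.51.100.1), a per-destination port pool, and an idle timeout. The port range, the timeout value (350 s, the figure AWS documents for idle connections), and the Packet and NatGateway names are assumptions of this model.

```python
"""Port-based source NAT (NAPT) table that traces the translation steps and
the api.example.com walkthrough. Added example, not the code of any cloud
provider's NAT gateway. Addresses are the walkthrough's; the port pool and
the 350 s idle timeout (the figure AWS documents) are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# A connection is identified by its full 5-tuple, not just by the private address.
Flow = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)
Remote = Tuple[str, int, str, int]      # (proto, public_port, remote_ip, remote_port)


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatGateway:
    public_ip: str
    port_lo: int = 1024          # assumed ephemeral range
    port_hi: int = 65535
    idle_timeout: float = 350.0  # seconds without traffic before a mapping is dropped
    outbound: Dict[Flow, Tuple[int, float]] = field(default_factory=dict)  # flow -> (public port, last seen)
    inbound: Dict[Remote, Flow] = field(default_factory=dict)              # reverse lookup for replies
    port_allocation_errors: int = 0   # analogue of the AWS ErrorPortAllocation metric
    dropped_unsolicited: int = 0

    def _allocate_port(self, proto: str, dst_ip: str, dst_port: int) -> Optional[int]:
        # A public port must be unique only among flows to the same destination,
        # so the same port number can serve connections to different destinations.
        for port in range(self.port_lo, self.port_hi + 1):
            if (proto, port, dst_ip, dst_port) not in self.inbound:
                return port
        return None                  # pool exhausted for this destination

    def translate_outbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Rewrite the source to the gateway's public IP and a mapped port (steps 1-3)."""
        self.expire(now)
        flow: Flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow in self.outbound:
            port = self.outbound[flow][0]            # existing connection keeps its port
        else:
            port = self._allocate_port(pkt.proto, pkt.dst_ip, pkt.dst_port)
            if port is None:
                self.port_allocation_errors += 1
                return None                          # connection cannot be opened
            self.inbound[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = flow
        self.outbound[flow] = (port, now)
        return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Map a reply back to the private host, or drop it if no flow created the mapping (step 4)."""
        self.expire(now)
        key: Remote = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        flow = self.inbound.get(key) if pkt.dst_ip == self.public_ip else None
        if flow is None:
            # Nothing inside initiated this, so it matches no entry and is discarded.
            # This is why a NAT gateway cannot accept inbound connections.
            self.dropped_unsolicited += 1
            return None
        proto, priv_ip, priv_port, _, _ = flow
        self.outbound[flow] = (self.outbound[flow][0], now)
        return Packet(proto, pkt.src_ip, pkt.src_port, priv_ip, priv_port)

    def expire(self, now: float) -> int:
        """Remove idle mappings so their public ports can be reused."""
        stale = [f for f, (_, last) in self.outbound.items() if now - last > self.idle_timeout]
        for f in stale:
            port, _ = self.outbound.pop(f)
            self.inbound.pop((f[0], port, f[3], f[4]), None)
        return len(stale)


if __name__ == "__main__":
    nat = NatGateway("198.51.100.1", port_lo=45001, port_hi=45002)   # tiny pool to show exhaustion
    print("outbound:", nat.translate_outbound(Packet("tcp", "10.0.0.10", 3000, "203.0.113.50", 443), now=0.0))
    print("reply   :", nat.translate_inbound(Packet("tcp", "203.0.113.50", 443, "198.51.100.1", 45001), now=1.0))
    print("probe   :", nat.translate_inbound(Packet("tcp", "198.51.100.99", 1234, "198.51.100.1", 45001), now=2.0))
```

Three behaviours worth noticing: the reply from 203.0.113.50 is mapped back to the VM, a probe from a different internet host aimed at the same public port is dropped because the lookup is keyed on the remote address as well as the port, and once the two-port pool for a destination is exhausted the gateway refuses a new connection rather than reusing a live port, freeing it again only after the idle timeout. The same VM can still reach a different destination on a port number already in use, which is the per-destination limit discussed under port mapping below.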
Key Components of NAT Gateways
- Public IP Addresses: The addresses assigned to the NAT gateway. Every outbound connection is rewritten to one of them, so this is the address the rest of the internet sees for the whole private subnet.
- Port Mapping Table: A dynamic table of active connections, mapping each private IP and port pair (together with the destination) to a public IP and port pair. Entries are created by outbound traffic and expire when connections close or go idle.
- High Availability: Managed NAT gateways are fault-tolerant within their zone, but in AWS a NAT gateway is a zonal resource. For resilience against an Availability Zone failure, deploy one NAT gateway per zone and point each zone’s private subnets at their local gateway; this also avoids cross-zone data charges.
Understanding Port Mapping and Limits
NAT gateways use a combination of public IP addresses and ports to handle multiple connections. Each public IP offers roughly 64,000 usable source ports, but the limit is applied per destination: a port must be unique only among connections to the same destination IP, port and protocol, so the same port number can be reused for connections to different destinations. In AWS, for example, a NAT gateway supports up to 55,000 simultaneous connections to each unique destination per public IP; when that pool is exhausted, new connections to that destination fail and the ErrorPortAllocation CloudWatch metric increments. Idle connections hold their ports until the idle timeout, so long-lived but quiet connections count against the limit too. For environments that keep many connections to a single destination (a busy API or database endpoint), additional public IPs can be associated with the NAT gateway to increase capacity.
Example:
If your application holds 100,000 concurrent connections to one destination, a single public IP won’t suffice. In this case, you’d need at least two public IPs to handle the load (100,000 / 64,000 = ~1.56, rounded up to 2). The same 100,000 connections spread across many destinations may fit on one IP, because each destination gets its own port pool.
Advantages of NAT Gateways
- Security: Because only replies to connections opened from inside are mapped back, a NAT gateway cannot be used to reach private resources from the internet, which removes unsolicited inbound traffic from the attack surface. It is not a firewall, though: outbound traffic is unrestricted unless security groups, network ACLs or an egress proxy limit it, and a compromised instance can still exfiltrate data through the gateway. It also gives every instance behind it the same public IP, so destination-side allow lists and abuse reports apply to the whole subnet.
- Scalability: Managed NAT gateways scale bandwidth and connection capacity automatically, up to the provider’s published limits, without user intervention.
- Simplicity: NAT gateways simplify network management by eliminating the need to build, patch and monitor NAT instances. With a route table entry and a public IP, you can direct outbound traffic through the NAT gateway without deeper networking expertise.
Common Use Cases
- Accessing External APIs: Private resources can securely interact with third-party APIs, such as payment gateways or external storage services, without needing public IPs.
- Software Updates: Virtual machines can download patches and updates from the internet securely and seamlessly.
- Data Processing: Applications can send data to external processing services or systems for analytics, storage, or further computation.
Cost Considerations
Using NAT gateways involves two key cost components:
- Hourly Usage: A fixed charge for every hour the NAT gateway is provisioned, whether or not it carries traffic. For example, $0.045 per hour.
- Data Processing: A charge based on the volume of traffic the gateway processes, in both directions. For example, $0.045 per GB. Standard data transfer charges for traffic leaving the cloud provider’s network are billed on top of this.
For instance:
- 5,000 GB of processed traffic at $0.045 per GB costs $225.
- Adding the hourly cost: $0.045/hour x 720 hours (a month) = $32.40.
- Total Monthly Cost: $257.40.
Another significant consideration is that NAT gateways cannot be turned off and back on at will: you need to remove the routes that reference the NAT gateway, delete it, and reprovision it when needed (a public IP that stays allocated in the meantime may continue to incur a charge). This is not ideal for development environments. Check out https://turnitoff.ai to easily schedule cloud resources to be turned off and on when needed.
Understanding these costs and optimizing traffic flow can help minimize expenses.
Final Thoughts
NAT gateways are an essential component of modern cloud networking, enabling private resources to securely communicate with the public internet. By leveraging features like SNAT, port mapping, and route tables, NAT gateways ensure seamless outbound traffic while maintaining internal network security. Whether you’re managing a small application or a high-traffic enterprise network, understanding the mechanics of NAT gateways will help you design efficient and cost-effective cloud architectures.