Configuring appropriate NAT gateway types for a network (for example, a single shared NAT gateway compared with NAT gateways for each Availability Zone)

Task Statement 4.4: Design cost-optimized network architectures.

📘AWS Certified Solutions Architect – (SAA-C03)


In AWS, designing cost-optimized network architectures often includes choosing the right type and placement of NAT Gateways. This is an important exam topic because AWS expects you to understand cost vs availability trade-offs when designing internet access for private subnets.


1. What is a NAT Gateway?

A NAT Gateway (Network Address Translation Gateway) is a managed AWS service that:

  • Lets instances in a private subnet reach the internet (outbound connections only)
  • Blocks unsolicited inbound internet traffic from reaching those instances

Key point:

  • Private instances can “go out” (e.g., download updates, call APIs)
  • But the internet cannot “come in” directly

2. Why NAT Gateway is used in AWS

In a typical VPC design:

  • Public subnet
    • Has internet access via Internet Gateway (IGW)
    • Hosts load balancers, bastion hosts, etc.
  • Private subnet
    • No direct internet access
    • Used for application servers, databases, backend services

But private instances still need:

  • OS updates (yum/apt)
  • Access to external APIs
  • Package downloads from repositories

👉 NAT Gateway solves this requirement securely.


3. NAT Gateway Types in Multi-AZ Architecture

When designing NAT in AWS, you must decide:

Option A: Single Shared NAT Gateway (Cost Optimized)

Architecture:

  • One NAT Gateway deployed in one Availability Zone (AZ)
  • All private subnets (in all AZs) route traffic through it

How it works:

  • Private subnet in AZ-A → NAT Gateway in AZ-A
  • Private subnet in AZ-B → traffic crosses AZ to NAT Gateway in AZ-A

Advantages:

  • Lowest cost option
  • Only one NAT Gateway hourly charge + data processing fees
  • Simple to manage

Disadvantages:

  • Cross-AZ data transfer costs
  • Single point of failure (if NAT AZ fails, outbound internet breaks)
  • Slightly higher latency due to cross-AZ routing

When to use:

  • Development or test environments
  • Cost-sensitive workloads
  • Non-critical systems where high availability is not required

Option B: NAT Gateway per Availability Zone (Highly Available Design)

Architecture:

  • Each AZ has its own NAT Gateway
  • Each private subnet routes traffic to NAT in the same AZ

Example:

  • Private Subnet in AZ-A → NAT Gateway in AZ-A
  • Private Subnet in AZ-B → NAT Gateway in AZ-B

Advantages:

  • High availability (HA)
  • No dependency on another AZ
  • No cross-AZ data transfer costs
  • Better performance (lower latency)

Disadvantages:

  • Higher cost (multiple NAT Gateways)
  • Each NAT Gateway is billed separately

When to use:

  • Production systems
  • Mission-critical applications
  • Highly available architectures (3-tier apps, microservices)

4. Key Exam Comparison (Very Important)

Feature          | Single NAT Gateway            | NAT Gateway per AZ
-----------------|-------------------------------|----------------------
Cost             | Lowest                        | Higher
Availability     | Low (single point of failure) | High (fault tolerant)
Cross-AZ traffic | Yes                           | No
Performance      | Lower                         | Better
Best for         | Dev/Test                      | Production

5. Important Exam Concepts

5.1 NAT Gateway is AZ-specific

  • A NAT Gateway is created in one Availability Zone only
  • It cannot span multiple AZs

👉 This is why multi-AZ design requires multiple NAT Gateways for HA.


5.2 Route Table Behavior

Private subnet route table:

  0.0.0.0/0 → NAT Gateway

  • This default route sends internet-bound traffic to the NAT Gateway
  • Which NAT Gateway the route targets depends on your AZ design (Option A or B)

5.3 Failure Scenarios

Single NAT Gateway:

  • If the AZ that hosts the NAT Gateway fails → all private subnets (in every AZ) lose internet access

Multi NAT Gateway:

  • If one AZ fails → only that AZ is affected
  • Other AZs continue working normally
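The checks behind Options A and B, sections 5.2 and 5.3 can be run against a real VPC's route tables. This added example (not part of the original notes) takes the shape of the `describe-subnets`, `describe-nat-gateways` and `describe-route-tables` responses, reports every private subnet whose default route leaves its AZ, and lists which subnets lose internet access if a given AZ fails. The sample data is constructed; subnet and NAT IDs are placeholders.

```python
from collections import defaultdict

# Constructed sample mirroring the AWS API response shapes (IDs are placeholders):
# two private subnets in different AZs, one NAT Gateway in AZ-A, and both
# private route tables sending 0.0.0.0/0 to that single NAT (Option A design).
SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
]}
NAT_GATEWAYS = {"NatGateways": [
    {"NatGatewayId": "nat-a", "SubnetId": "subnet-pub-a", "State": "available"},
]}
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-a",
     "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    {"RouteTableId": "rtb-b",
     "Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
]}


def analyse_nat_design(subnets, nat_gateways, route_tables):
    """Return (cross_az, blast_radius).

    cross_az:     {subnet_id: (subnet AZ, NAT AZ)} for subnets whose default
                  route goes to a NAT Gateway in another AZ (section 5.4 cost).
    blast_radius: {NAT AZ: [subnet_ids]} - the subnets that lose outbound
                  internet access if that AZ fails (section 5.3). A single key
                  means the whole VPC depends on one AZ (Option A)."""
    subnet_az = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets["Subnets"]}
    # A NAT Gateway lives in exactly one subnet, hence exactly one AZ (section 5.1)
    nat_az = {n["NatGatewayId"]: subnet_az[n["SubnetId"]]
              for n in nat_gateways["NatGateways"]}
    cross_az, blast_radius = {}, defaultdict(list)
    for rtb in route_tables["RouteTables"]:
        # Only the 0.0.0.0/0 route decides where internet-bound traffic goes
        nat_ids = [r["NatGatewayId"] for r in rtb["Routes"]
                   if r.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in r]
        if not nat_ids:
            continue  # public subnet (IGW) or no internet route at all
        az_of_nat = nat_az[nat_ids[0]]
        for assoc in rtb["Associations"]:
            sid = assoc.get("SubnetId")
            if sid is None:
                continue  # main route table association carries no SubnetId
            blast_radius[az_of_nat].append(sid)
            if subnet_az[sid] != az_of_nat:
                cross_az[sid] = (subnet_az[sid], az_of_nat)
    return cross_az, dict(blast_radius)
```

With the constructed data the function flags subnet-priv-b as crossing from us-east-1b to us-east-1a, and shows both private subnets hanging off a single AZ; swapping in a per-AZ NAT (Option B) empties the cross-AZ list and splits the blast radius per AZ.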

5.4 Cross-AZ Data Transfer Cost (Exam Favorite)

If using a single NAT Gateway in one AZ:

  • Traffic from other AZs must cross AZ boundaries
  • AWS charges data transfer between AZs

👉 In large systems this inter-AZ charge can erode, or even cancel out, the savings of the “single NAT design”.


6. Cost Optimization Strategy (Exam Focus)

AWS expects you to choose based on:

Use Single NAT Gateway when:

  • Budget is the top priority
  • Workload is not highly available
  • Traffic volume is low or moderate
  • Temporary environments (dev/test)

Use NAT per AZ when:

  • High availability is required
  • Production workloads
  • Multi-AZ architectures (recommended best practice)
  • High-traffic workloads, where the cross-AZ data transfer cost of a single NAT would otherwise grow with volume
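Sections 5.4 and 6 say the single-NAT saving shrinks as cross-AZ volume grows; this added example (not from the original notes) puts numbers on that trade-off and computes the monthly cross-AZ volume at which one NAT per AZ becomes the cheaper design. All rates are parameters and the values used are constructed placeholders, not AWS list prices; take the real figures from the pricing page for your Region.

```python
def nat_monthly_cost(gb_per_az, nat_hourly, per_gb_processing, cross_az_per_gb,
                     hours=730):
    """Return (single_nat_cost, per_az_cost) for one month.

    gb_per_az:        {az: GB of internet-bound traffic from that AZ per month}
    nat_hourly:       hourly charge for one NAT Gateway
    per_gb_processing: NAT data processing charge per GB (paid in both designs)
    cross_az_per_gb:  effective inter-AZ transfer charge per GB that crosses AZs
    The single NAT is assumed to sit in the first AZ listed, so traffic from
    every other AZ pays the cross-AZ rate (Option A). Option B runs one NAT per
    AZ and pays no cross-AZ transfer."""
    azs = list(gb_per_az)
    total_gb = sum(gb_per_az.values())
    remote_gb = sum(gb for az, gb in gb_per_az.items() if az != azs[0])
    single = nat_hourly * hours + per_gb_processing * total_gb + cross_az_per_gb * remote_gb
    per_az = len(azs) * nat_hourly * hours + per_gb_processing * total_gb
    return single, per_az


def break_even_remote_gb(n_azs, nat_hourly, cross_az_per_gb, hours=730):
    """Monthly cross-AZ GB above which Option B is cheaper than Option A.

    The (n_azs - 1) extra NAT hourly charges of Option B must be matched by
    the inter-AZ transfer charge Option A pays on remote traffic:
        (n_azs - 1) * nat_hourly * hours = cross_az_per_gb * remote_gb"""
    return (n_azs - 1) * nat_hourly * hours / cross_az_per_gb


if __name__ == "__main__":
    # Constructed placeholder rates and traffic, 3 AZs, 700 billing hours
    traffic = {"az-a": 1000, "az-b": 1000, "az-c": 1000}
    single, per_az = nat_monthly_cost(traffic, 0.05, 0.05, 0.02, hours=700)
    print(f"single NAT: {single:.2f}  per-AZ NAT: {per_az:.2f}")
    print(f"break-even cross-AZ GB/month: {break_even_remote_gb(3, 0.05, 0.02, 700):.0f}")
```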

7. Common Exam Scenarios

Scenario 1:

“A company wants the cheapest internet access for private subnets in a VPC.”

✔ Answer: Single NAT Gateway


Scenario 2:

“A production application runs across multiple AZs and requires high availability.”

✔ Answer: NAT Gateway per AZ


Scenario 3:

“Minimize cross-AZ traffic and ensure fault tolerance.”

✔ Answer: Multiple NAT Gateways (one per AZ)


8. Key Takeaways for Exam

  • NAT Gateway enables outbound internet access for private subnets
  • It is always deployed in a single AZ
  • Two design options:
    • Single NAT Gateway → cheapest, not highly available
    • Multi-AZ NAT Gateways → more expensive, highly available
  • Route tables determine which NAT Gateway is used
  • Cross-AZ traffic increases cost and latency in single NAT design

9. Final Exam Tip

👉 If the question mentions:

  • “lowest cost” → choose single NAT Gateway
  • “high availability / production / fault tolerant” → choose one NAT per AZ