AWS NAT Instances using ARM A1 Instance Type

If you host AWS EC2 instances in a private subnet, you will often need to configure a NAT Instance or NAT Gateway so your EC2 instances can communicate with other Amazon Web Services (e.g. RDS, SQS, SNS, SES) and/or so your EC2 instances download OS and software updates.

Pricing Comparison

NAT Gateway $0.045/hour + $0.045/GB
Built in Redundancy (single AZ), Network Performance Up to 45 Gbps

NAT Instance (m5.large) $0.096/hour
No Redundancy, Network Performance Up to 10 Gbps

NAT Instance (a1.medium) $0.0255/hour
No Redundancy, Network Performance Up to 10 Gbps

NAT Instance (t3.nano) $0.0052/hour
No Redundancy, Network Performance Up to 5 Gbps

NAT Instance (t2.nano) $0.0058/hour
No Redundancy, Network Performance “Low”

NAT Gateway vs NAT Instance

The NAT Gateway is the best option for most production workloads since it is managed by AWS and has built-in fault tolerance (in a single AZ), but can become expensive for high traffic applications. Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone. You must deploy (and pay for) multiple NAT Gateways in a region for Multi-AZ redundancy.

The NAT Instance is often a good option for low traffic dev/test environments since small EC2 instances running NAT Instance can cost 10x less than the NAT Gateway managed service.

If you prefer managing your own NAT Instance(s) and need moderate network performance, you could use T3 instances (up to 5 Gbps) or M5 instances (up to 10 Gbps). With the introduction of ARM-based instances, you can also leverage low-cost A1 instances (up to 10 Gbps).

ARM-Based NAT Instance

AWS has not yet published an ARM-based community AMI designed for use as a NAT Instance, but you can launch an existing ARM-based AMI and configure it for use as a NAT Instance. You need to enable packet forwarding at a minimum, and should lookup a guide to harden the OS if you are using the NAT Instance in production.

Follow existing AWS instructions (or this step-by-step guide) to configure your subnets and your NAT Instance. When you follow the guide(s), use the latest Debian arm64 image (currently “debian-stretch-hvm-arm64-gp2-2019-02-19-26259”) AMI for ARM processors instead of using the AWS NAT Instance AMI (or the Ubuntu AMI). Then login to your new Debian-based ARM Instance and run the following commands to enable IP forwarding and setup NAT rules.

echo '#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -j MASQUERADE
' | sudo tee /etc/network/if-pre-up.d/nat-setup
sudo chmod +x /etc/network/if-pre-up.d/nat-setup
sudo /etc/network/if-pre-up.d/nat-setup

The instances on my private subnet were not able to immediately communicate with the internet. I rebooted my new Debian-based NAT Instance and restarted the test instances on my private subnet, then traffic began passing through the NAT Instance just fine.