If you host AWS EC2 instances in a private subnet, you will often need to configure a NAT Instance or NAT Gateway so your EC2 instances can reach other Amazon Web Services (e.g. RDS, SQS, SNS, SES) over their public endpoints and/or so your EC2 instances can download OS and software updates.
NAT Gateway vs NAT Instance
The NAT Gateway is the best option for most production workloads since it is managed by AWS and has built-in fault tolerance (in a single AZ), but can become expensive for high traffic applications. Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone. You must deploy (and pay for) multiple NAT Gateways in a region for Multi-AZ redundancy.
The NAT Instance is often a good option for low-traffic dev/test environments, since a small EC2 instance configured as a NAT Instance can cost 10x less than the managed NAT Gateway service.
If you prefer managing your own NAT Instance(s) and need moderate network performance, you could use T3 instances (up to 5 Gbps) or M5 instances (up to 10 Gbps). With the introduction of ARM-based instances, you can also leverage low-cost A1 instances (up to 10 Gbps).
ARM-Based NAT Instance
AWS has not yet published an ARM-based community AMI designed for use as a NAT Instance, but you can launch an existing ARM-based AMI and configure it for use as a NAT Instance. At a minimum you need to disable the instance's source/destination check (otherwise EC2 drops packets whose source or destination is not the instance itself), enable IP forwarding in the OS, and add a masquerade rule; you should also restrict the instance's security group to inbound traffic from your private subnet CIDRs and look up a guide to harden the OS if you are using the NAT Instance in production.
Follow existing AWS instructions (or this step-by-step guide) to configure your subnets and your NAT Instance. When you follow the guide(s), use the latest Debian arm64 image (currently “debian-stretch-hvm-arm64-gp2-2019-02-19-26259”) AMI for ARM processors instead of using the AWS NAT Instance AMI (or the Ubuntu AMI). Then log in to your new Debian-based ARM Instance and run the following commands to install a network hook that enables IP forwarding and sets up the NAT rule each time the interface comes up (replace 10.0.0.0/16 with your VPC's CIDR so only your own VPC's traffic is masqueraded).
echo '#!/bin/sh
# if-pre-up.d hook: runs as root each time an interface is brought up
echo 1 > /proc/sys/net/ipv4/ip_forward
# replace 10.0.0.0/16 with your VPC CIDR
iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -j MASQUERADE
' | sudo tee /etc/network/if-pre-up.d/nat-setup
sudo chmod +x /etc/network/if-pre-up.d/nat-setup
The instances on my private subnet were not able to immediately communicate with the internet. I rebooted my new Debian-based NAT Instance and restarted the test instances on my private subnet, then traffic began passing through the NAT Instance just fine.
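The hook above only executes when an interface is brought up, which is why the NAT path did not work until the instance rebooted, and because if-pre-up.d runs once per interface, a plain `-A` appends a duplicate MASQUERADE rule on every run. The script below is an added example, not code from the original post or from AWS: it validates the VPC CIDR before interpolating it into iptables commands, renders an idempotent hook that persists forwarding via /etc/sysctl.d, scopes masquerading and forwarding to the VPC CIDR with a default-deny FORWARD policy, and (when run as root with `install`) applies the hook immediately so no reboot is needed. The interface name `eth0` and the `install_nat_script` / `render_nat_script` / `validate_cidr` function names are assumptions of this example; check `ip link` for the real interface name on your AMI.

```shell
#!/bin/sh
# Added example (not from the original post). Generates and installs an
# idempotent NAT hook for a Debian arm64 NAT Instance.
# Assumptions: VPC CIDR and interface name are passed by the caller; the
# defaults 10.0.0.0/16 (from the post) and eth0 are illustrative only.

# validate_cidr A.B.C.D/N: 0 = well-formed IPv4 CIDR, 1 = reject.
# Guards against garbage (or shell metacharacters) reaching iptables.
validate_cidr() {
  _cidr=$1
  case "$_cidr" in */*) ;; *) return 1 ;; esac
  _ip=${_cidr%/*}
  _prefix=${_cidr#*/}
  case "$_prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$_prefix" -le 32 ] || return 1
  _old_ifs=$IFS
  IFS=.
  set -- $_ip
  IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    case "$_octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# render_nat_script CIDR IFACE: prints the hook body to stdout.
# Each rule is guarded with 'iptables -C' so re-running the hook (once per
# interface at boot, or by hand) never appends duplicates.
render_nat_script() {
  _cidr=$1
  _iface=$2
  validate_cidr "$_cidr" || { echo "invalid CIDR: $_cidr" >&2; return 1; }
  cat <<EOF
#!/bin/sh
# Generated NAT setup: masquerade $_cidr out of $_iface
set -e
sysctl -w net.ipv4.ip_forward=1 >/dev/null
# Only traffic sourced from the VPC is masqueraded.
iptables -t nat -C POSTROUTING -s $_cidr -o $_iface -j MASQUERADE 2>/dev/null ||
  iptables -t nat -A POSTROUTING -s $_cidr -o $_iface -j MASQUERADE
# Default-deny forwarding; allow VPC -> internet plus the return packets.
iptables -P FORWARD DROP
iptables -C FORWARD -s $_cidr -o $_iface -j ACCEPT 2>/dev/null ||
  iptables -A FORWARD -s $_cidr -o $_iface -j ACCEPT
iptables -C FORWARD -i $_iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null ||
  iptables -A FORWARD -i $_iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# install_nat_script CIDR IFACE: writes the hook, persists forwarding,
# and runs the hook once so the NAT works without a reboot. Needs root.
install_nat_script() {
  _target=/etc/network/if-pre-up.d/nat-setup
  [ "$(id -u)" -eq 0 ] || { echo "install_nat_script: run as root" >&2; return 1; }
  render_nat_script "$1" "$2" > "$_target" || return 1
  chmod 0755 "$_target"
  printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-nat-forward.conf
  "$_target"
}

# Usage: sudo sh nat-instance.sh install 10.0.0.0/16 eth0
if [ "${1:-}" = install ]; then
  install_nat_script "${2:-10.0.0.0/16}" "${3:-eth0}"
fi
```

After installing, confirm from a private-subnet host that outbound traffic succeeds and, on the NAT instance, that `iptables -t nat -L POSTROUTING -n` shows exactly one MASQUERADE rule even after several interface restarts.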