AWS NAT Gateway

Create a NAT gateway so private subnets can reach the internet (or other private networks) outbound-only. A public NAT gateway lives in a public subnet, is fronted by an Elastic IP, and is the route target a private subnet sends its default route to.

What Gets Created

  • An EC2 NAT gateway in the specified subnet.
  • For a public gateway: the gateway is associated with the referenced Elastic IP allocation(s).
  • For a private gateway: no Elastic IP is attached; AWS assigns private IPs from the subnet.

Prerequisites

  • An existing AwsSubnet (or a literal subnet-id) to place the gateway in. For a public gateway this must be a public subnet (routing to an internet gateway).
  • For a public gateway, an AwsElasticIp (or a literal eipalloc- id) for the stable outbound address.

Quick Start

apiVersion: aws.planton.dev/v1
kind: AwsNatGateway
metadata:
  name: main-nat
spec:
  region: us-west-2
  connectivityType: public
  subnetId:
    valueFrom:
      kind: AwsSubnet
      name: public-usw2a
      fieldPath: status.outputs.subnet_id
  allocationId:
    valueFrom:
      kind: AwsElasticIp
      name: nat-eip
      fieldPath: status.outputs.allocation_id

Giving a Private Subnet Egress

A NAT gateway only provides egress once a subnet routes to it. Pair this gateway with an AwsSubnet whose default route targets it:

apiVersion: aws.planton.dev/v1
kind: AwsSubnet
metadata:
  name: private-usw2a
spec:
  region: us-west-2
  vpcId:
    value: vpc-0abc123
  availabilityZone: us-west-2a
  cidrBlock: 10.0.10.0/24
  routes:
    - destinationCidrBlock: 0.0.0.0/0
      targetType: nat_gateway
      targetId:
        value: nat-0abc123

Configuration Reference

Required

Field | Description
----- | -----------
region | AWS region (must match the subnet's region).
connectivityType | public (Elastic IP, internet egress) or private (no Elastic IP).
subnetId | The subnet to place the gateway in. Literal id or a reference to an AwsSubnet.

Public-gateway

Field | Description
----- | -----------
allocationId | Elastic IP allocation (required for public). Literal eipalloc- id or a reference to an AwsElasticIp.
secondaryAllocationIds | Additional Elastic IPs for very high-throughput egress.

Private-gateway

Field | Description
----- | -----------
privateIp | The private IPv4 address to assign (optional; AWS chooses if omitted).
secondaryPrivateIpAddresses / secondaryPrivateIpAddressCount | Additional private IPs, given either as an explicit list or as a count; the two fields are mutually exclusive.

Stack Outputs

Output | Description
------ | -----------
nat_gateway_id | The gateway's id — use this as a subnet route's targetId.
public_ip | The public IPv4 address of a public gateway (empty for private).
private_ip | The gateway's private IPv4 address within its subnet.
network_interface_id | The gateway's elastic network interface id.
subnet_id | The subnet the gateway lives in.
region | The region the gateway was created in.
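The rules above (allocationId only for public gateways, region matching the subnet, a public gateway placed in a subnet that routes to an internet gateway, the mutually exclusive secondary-IP fields) can be checked before a manifest is applied. The validator below is an added example, not Planton's own code; it works on the manifests as Python dicts mirroring the Quick Start YAML, and assumes a targetType value of "internet_gateway" for the public subnet's default route, which the page does not show.

```python
def _target(field):
    """Resolve a value/valueFrom field to ('literal', id) or ('ref', kind, name)."""
    if field is None:
        return None
    if "value" in field:
        return ("literal", field["value"])
    return ("ref", field["valueFrom"]["kind"], field["valueFrom"]["name"])

def has_default_route(subnet, target_type):
    """True if the subnet's 0.0.0.0/0 route targets the given targetType."""
    return any(r.get("destinationCidrBlock") == "0.0.0.0/0" and r.get("targetType") == target_type
               for r in subnet["spec"].get("routes", []))

def validate_nat_gateway(gw, subnets):
    """Return the list of invariant violations for one AwsNatGateway manifest."""
    spec, problems = gw["spec"], []
    ctype = spec.get("connectivityType")
    if ctype not in ("public", "private"):
        problems.append(f"connectivityType must be public or private, got {ctype!r}")
    if ctype == "public" and "allocationId" not in spec:
        problems.append("public gateway requires allocationId")
    if ctype == "private" and "allocationId" in spec:
        problems.append("private gateway takes no Elastic IP; drop allocationId")
    if "secondaryPrivateIpAddresses" in spec and "secondaryPrivateIpAddressCount" in spec:
        problems.append("secondaryPrivateIpAddresses and secondaryPrivateIpAddressCount are mutually exclusive")
    target = _target(spec.get("subnetId"))
    if target is None:
        problems.append("subnetId is required")
    elif target[0] == "ref":  # a literal subnet-id cannot be checked offline
        subnet = subnets.get(target[2])
        if subnet is None:
            problems.append(f"subnetId references unknown AwsSubnet {target[2]!r}")
        else:
            if subnet["spec"].get("region") != spec.get("region"):
                problems.append("region must match the subnet's region")
            if ctype == "public" and not has_default_route(subnet, "internet_gateway"):
                problems.append("public gateway must sit in a public subnet (default route to an internet gateway)")
    return problems

# Constructed manifests mirroring the Quick Start, as dicts instead of YAML. The
# targetType value "internet_gateway" is assumed; the page only shows "nat_gateway".
PUBLIC_SUBNET = {"kind": "AwsSubnet", "metadata": {"name": "public-usw2a"},
                 "spec": {"region": "us-west-2", "routes": [
                     {"destinationCidrBlock": "0.0.0.0/0", "targetType": "internet_gateway"}]}}
MAIN_NAT = {"kind": "AwsNatGateway", "metadata": {"name": "main-nat"},
            "spec": {"region": "us-west-2", "connectivityType": "public",
                     "subnetId": {"valueFrom": {"kind": "AwsSubnet", "name": "public-usw2a"}},
                     "allocationId": {"valueFrom": {"kind": "AwsElasticIp", "name": "nat-eip"}}}}
SUBNETS = {PUBLIC_SUBNET["metadata"]["name"]: PUBLIC_SUBNET}
```

`validate_nat_gateway(MAIN_NAT, SUBNETS)` returns an empty list for the Quick Start pair; a private gateway that still carries an allocationId, or one whose region differs from its subnet's, comes back with one message per violated rule.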

Related Components

  • AwsSubnet — both the placement of the gateway and the private subnets that route to it.
  • AwsElasticIp — the stable outbound address for a public gateway.
  • AwsInternetGateway — the internet path the public subnet (and thus the NAT gateway) routes through.
