AWS has just released Regional NAT Gateways. Do we get three for the price of one now? Nope: you pay the same hourly rate for each AZ the gateway is active in, plus the per-GB data-processing charge.

However, RNATs do bring in features worth considering:

  • Simpler setup: one NAT Gateway for the whole VPC, not one per AZ.
  • Classic NAT Gateways have to live in a public subnet (one whose route table sends 0.0.0.0/0 to an Internet Gateway). An RNAT doesn’t, which simplifies the plumbing and improves the VPC’s security posture: you can build the VPC out of private subnets only, and every public subnet you no longer need is one fewer place where an instance can end up with a public IP and a route straight to the IGW.
  • The RNAT expands and contracts across Availability Zones as your workloads move, so you keep AZ-level HA without provisioning new NAT GWs or editing route tables.
  • Better outbound scaling and protection against SNAT port exhaustion. TL;DR: if you’re about to run out of ports, the RNAT attaches additional public IPs on its own, up to 32.
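To see what the per-AZ plumbing actually involves, here is an added example (not code from this post, from AWS, or from the Terraform module mentioned below) that audits a classic NAT layout. It works on constructed data with made-up resource IDs, shaped like boto3's `describe_subnets`, `describe_route_tables` and `describe_nat_gateways` responses, so it runs offline, and it flags exactly the things an RNAT makes you stop caring about: which subnets are public only to host a NAT Gateway, private subnets whose default route leaves their own AZ (cross-AZ data charges, and egress dies with that AZ), and AZs that have private subnets but no NAT Gateway at all.

```python
"""Audit the per-AZ wiring that a classic NAT Gateway design has to keep consistent.

Added example for this post, not AWS, boto3 or Terraform-module code. The data below is
constructed in the shape of boto3's describe_subnets / describe_route_tables /
describe_nat_gateways responses, with made-up resource IDs, so it runs offline.
"""
from collections import Counter
from typing import Dict, List, Optional

SUBNETS: List[Dict] = [  # constructed: private subnets in three AZs, NAT Gateways only in a and b
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "eu-west-1a"},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "eu-west-1b"},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "eu-west-1a"},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "eu-west-1b"},
    {"SubnetId": "subnet-priv-c", "AvailabilityZone": "eu-west-1c"},
]

NAT_GATEWAYS: List[Dict] = [  # constructed: each classic NAT GW sits in a public subnet of its AZ
    {"NatGatewayId": "nat-0a", "SubnetId": "subnet-pub-a", "State": "available"},
    {"NatGatewayId": "nat-0b", "SubnetId": "subnet-pub-b", "State": "available"},
]

ROUTE_TABLES: List[Dict] = [  # constructed
    {"RouteTableId": "rtb-main",  # main table routes to the IGW, so unassociated subnets are public
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-demo", "State": "active"}]},
    {"RouteTableId": "rtb-priv-a",
     "Associations": [{"Main": False, "SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a", "State": "active"}]},
    {"RouteTableId": "rtb-priv-bc",  # one table shared by the b and c private subnets: a common shortcut
     "Associations": [{"Main": False, "SubnetId": "subnet-priv-b"},
                      {"Main": False, "SubnetId": "subnet-priv-c"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0b", "State": "active"}]},
]


def effective_route_table(subnet_id: str, route_tables: List[Dict]) -> Optional[Dict]:
    """An explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            if assoc.get("Main"):
                main = rtb
            elif assoc.get("SubnetId") == subnet_id:
                return rtb
    return main


def default_route(rtb: Optional[Dict]) -> Optional[Dict]:
    """The active 0.0.0.0/0 route, if any (blackholed routes, e.g. to a deleted NAT GW, are skipped)."""
    for route in (rtb or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State", "active") == "active":
            return route
    return None


def audit_nat_wiring(subnets: List[Dict], route_tables: List[Dict], nat_gateways: List[Dict]) -> Dict:
    """Classify every subnet by its default route and flag per-AZ NAT mistakes:
    a private subnet whose NAT GW lives in another AZ, and an AZ with private subnets but no NAT GW."""
    subnet_az = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    nat_az = {n["NatGatewayId"]: subnet_az[n["SubnetId"]]
              for n in nat_gateways if n.get("State") == "available"}
    nat_hosts = {n["SubnetId"]: n["NatGatewayId"] for n in nat_gateways if n.get("State") == "available"}
    report: Dict = {"public": [], "public_hosting_nat": {}, "private": [], "no_egress": [],
                    "cross_az": [], "nat_per_az": Counter(nat_az.values()), "az_without_nat": []}
    private_azs = set()
    for subnet in subnets:
        sid, az = subnet["SubnetId"], subnet["AvailabilityZone"]
        route = default_route(effective_route_table(sid, route_tables))
        if route is None:
            report["no_egress"].append(sid)
        elif route.get("GatewayId", "").startswith("igw-"):
            report["public"].append(sid)
            if sid in nat_hosts:  # public subnets that exist to host a NAT GW: candidates to drop with an RNAT
                report["public_hosting_nat"][sid] = nat_hosts[sid]
        elif "NatGatewayId" in route:
            report["private"].append(sid)
            private_azs.add(az)
            nat_id = route["NatGatewayId"]
            if nat_az.get(nat_id) != az:
                report["cross_az"].append({"subnet": sid, "subnet_az": az,
                                           "nat": nat_id, "nat_az": nat_az.get(nat_id)})
    report["az_without_nat"] = sorted(private_azs - set(nat_az.values()))
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit_nat_wiring(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS), indent=2))
```

On the constructed data, `subnet-priv-c` is reported as routing through `nat-0b` in `eu-west-1b`, and `eu-west-1c` shows up as an AZ without a NAT Gateway: the shared `rtb-priv-bc` table is the kind of shortcut that quietly makes one AZ's egress depend on another. To run it against a real account, replace the three constants with the `["Subnets"]`, `["RouteTables"]` and `["NatGateways"]` lists returned by the corresponding boto3 EC2 client calls, filtered to one VPC; the rest of the logic is unchanged.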

If you manage your VPC as code (as you probably should), e.g. with the Terraform VPC community module by Anton Babenko & co., some of the advantages of RNATs are diluted, because “rewiring” the VPC topology becomes painless. In addition, the baseline shared infrastructure, like the VPC and its NAT Gateway(s), rarely changes once provisioned (at least in my experience).

In any case, I believe it’s worth being aware that RNATs exist and at least considering them when architecting your VPCs.