NAT Gateway Best Practices
The recommendations below are grouped by what you're trying to protect: capacity & cost, the SNAT path, and the DNAT path. A troubleshooting checklist follows.
Capacity & Cost
CU billing is driven by the higher of peak concurrent connections and peak CPS in each hour (see Billing). The same two metrics also bound real performance, since each EIP has a finite ephemeral-port range. Optimize for both at once.
Size the EIP pool to your peak concurrency. Each EIP supports a bounded number of concurrent connections. Estimate peak concurrency, divide by the per-EIP limit, and bind that many EIPs (with a buffer). Spreading traffic across EIPs expands the available port range proportionally.
Watch CPS, not just concurrency. Short-lived connection workloads — batch jobs, scrapers, polling, per-request HTTP clients — usually hit the CPS ceiling first. If CPS is consistently the higher-CU dimension, add EIPs, distribute across multiple gateways, or consolidate via a connection pool.
Track which dimension drives the bill. Open the gateway's Performance tab and compare the Concurrent Connections and CPS charts. The dominant one is what you'll pay for and what will tip you into a performance limit.
SNAT
Route only the subnets that need egress. Database tiers, internal queues, and compliance-scoped subnets shouldn't have a default route to the gateway at all. Use the gateway's subnet selection (instead of all subnets) and keep SNAT entries scoped to matching CIDRs.
Verify routes after every change. After creating a gateway or changing its subnet association, open VPC → Route Tables, filter by type NAT Gateway, and confirm each covered subnet has a default route to the gateway before shifting live traffic.
Avoid overlapping SNAT entries. Source scopes that overlap are rejected. Prefer one well-scoped entry per source range over multiple narrower entries that interleave.
DNAT
Use non-standard public ports for management access. For example, map 2222 → 22 for SSH and 33890 → 3389 for RDP. Automated scanners focus on default ports; moving the public-facing port cuts unsolicited connection attempts with no instance-side change.
Pair every DNAT entry with a source-IP filter. DNAT picks which port reaches which private IP but doesn't restrict who can connect. For sensitive endpoints, add a security group rule on the target instance that allows only known source CIDRs.
Match the protocol explicitly. Use tcp or udp for port-mapped entries. Reserve any for entries that intentionally forward all protocols to a private IP without a port — don't use it as a "just in case" default for management ports.
Delete DNAT entries for decommissioned services. Unused entries keep accepting inbound connection attempts. Audit the DNAT list periodically and remove anything that's no longer in use or has moved behind a load balancer.
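The SNAT overlap rule and the DNAT audit above can be turned into a pre-change lint over the entries you intend to apply. The following is an added example, not code from the original page or from any provider SDK; the entry dictionaries are a constructed sample in the shape the page describes, not a real API format, and the "default management ports" set is an assumption drawn from the SSH/RDP examples above.

```python
import ipaddress

# Constructed sample entries (not a provider API format).
SNAT_ENTRIES = [
    {"name": "app-tier", "source": "10.0.1.0/24", "eips": ["203.0.113.10"]},
    {"name": "workers", "source": "10.0.0.0/16", "eips": []},  # overlaps app-tier, no EIP
]
DNAT_ENTRIES = [
    {"name": "ssh-bastion", "protocol": "tcp", "public_port": 22, "private_ip": "10.0.1.5", "private_port": 22},
    {"name": "rdp-jump", "protocol": "any", "public_port": 33890, "private_ip": "10.0.1.6", "private_port": 3389},
    {"name": "web", "protocol": "tcp", "public_port": 443, "private_ip": "10.0.1.7", "private_port": 443},
]

# Assumption: the default management ports the page calls out; extend to suit your estate.
DEFAULT_MGMT_PORTS = {22: "SSH", 3389: "RDP"}


def lint_snat(entries):
    """Flag overlapping source scopes (rejected by the gateway) and entries with no EIP."""
    findings = []
    nets = [(e["name"], ipaddress.ip_network(e["source"], strict=False)) for e in entries]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                findings.append(f"SNAT {name_a} overlaps {name_b}: creation will be rejected")
    for e in entries:
        if not e["eips"]:
            findings.append(f"SNAT {e['name']} references no EIP: egress will fail")
    return findings


def lint_dnat(entries):
    """Flag management services exposed on default public ports and 'any' used with a port."""
    findings = []
    for e in entries:
        svc = DEFAULT_MGMT_PORTS.get(e["public_port"])
        if svc:
            findings.append(f"DNAT {e['name']} exposes {svc} on default public port {e['public_port']}")
        if e["protocol"] == "any" and e.get("private_port") is not None:
            findings.append(f"DNAT {e['name']} uses protocol any with a port: use tcp or udp")
    return findings


if __name__ == "__main__":
    for line in lint_snat(SNAT_ENTRIES) + lint_dnat(DNAT_ENTRIES):
        print(line)
```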
Troubleshooting
Instances can't reach the internet after creating a SNAT entry
Confirm that: (1) the instance's subnet is associated with the NAT Gateway; (2) the VPC route table shows a NAT Gateway default route for that subnet; (3) a SNAT entry matches the subnet or CIDR and references at least one usable EIP.
SNAT entry creation fails with an overlap error
Another SNAT entry already covers the same source scope. Narrow the new entry or update the existing one — don't create a second overlapping entry.
External clients connect, but the backend never receives the traffic
Confirm that: (1) the DNAT entry's internal IP and port are correct and the service is listening; (2) the target instance's security group allows inbound on the internal port from the expected sources; (3) the protocol in the DNAT entry matches what the client uses.
Connections succeed but latency is high or throughput is low
Open the Performance tab and compare Concurrent Connections and CPS. If CPS is the higher-CU dimension, add EIPs or split the workload across multiple gateways to relieve per-EIP port pressure.
Gateway stuck in Error state
Check the event log. Most common causes: an EIP referenced by an active entry was released, or a resource conflict at creation time. If recreation doesn't recover it, contact support.