The Amazon Web Services (AWS) cloud platform enables you to create virtual networks called Amazon Virtual Private Cloud (VPC) resources. Once you've created a VPC resource, you can attach a zero-cost Internet Gateway to it, enabling ingress & egress network traffic, across the internet, for any systems with publicly routable IPv4 addresses. However, if you'd like certain systems to have only private, non-publicly-routable IPv4 addresses, you'll need an AWS NAT Gateway to provide egress access to the Internet.
In AWS, NAT Gateways incur costs in your AWS account. Depending on which AWS region you deploy them into, the cost for these resources ranges from ~$30-60, plus a charge for the amount of data processed. As long as NAT Gateways are provisioned in your AWS account, charges will be incurred for them. If you create NAT Gateways for temporary use, such as development & test environments, you'll want to ensure you remove them once they're no longer needed. This keeps your cloud costs under control and avoids paying for resources you're not actually consuming.
Identify Inactive NAT Gateways
You'll need to start by identifying inactive AWS NAT Gateways in your account so you can remediate them. You can use Stratusphere, StratusGrid's SaaS tool, to connect your AWS Organizations and standalone accounts and then rapidly identify all of the inactive NAT Gateways.
You can also identify inactive NAT Gateways manually using the process below. NAT Gateways emit metrics to Amazon CloudWatch, and these metrics can be used to identify any NAT Gateways that haven't passed network traffic for an extended period of time.
- Login to the AWS Management Console
- Navigate to the Amazon CloudWatch console
- Select the AWS region where your NAT Gateway resides
- Select Metrics ➡️ All Metrics
- Select the NATGateway metrics namespace
- Click on the NAT Gateway Metrics option
- Filter to the NAT Gateway ID you're examining
- Enable the ActiveConnectionCount and PeakPacketsPerSecond metrics
- NOTE: Feel free to examine other available metrics as well
- Move the Y axis for one of the metrics to the opposite side of the chart (see screenshot)
- Update the time period for the graph to the Last 7 Days
Now that you've built a graph of the metrics for this NAT Gateway in the CloudWatch console, check whether there is any activity in the period you've selected. In the example screenshot below, you can see that there has been significant network activity over a 30-minute window, so this NAT Gateway would not be a good candidate for removal. If, in your case, you see no significant network activity over an extended time period, the NAT Gateway can most likely be removed safely.
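As an added example (not StratusGrid's code or part of the original post), the Python block below applies the same test automatically and goes one step further than the console procedure: instead of charting one gateway, it reads ActiveConnectionCount and PeakPacketsPerSecond from the AWS/NATGateway namespace for every NAT Gateway in the region and flags the ones whose maxima never rise above zero over the last 7 days. The EC2 and CloudWatch clients are passed in as parameters (boto3.client("ec2") and boto3.client("cloudwatch") in practice); the FakeEC2 and FakeCloudWatch classes, their gateway IDs and datapoints are constructed stand-ins so the block runs offline. The function names (collect_metrics, is_inactive, find_inactive) are this example's own, not an AWS API.

```python
"""Flag NAT Gateways that have passed no traffic over a lookback window.

Added example (not StratusGrid's code). It reads the same AWS/NATGateway
metrics the console steps above chart, but for every gateway in the region.
The EC2 and CloudWatch clients are parameters (boto3.client("ec2") and
boto3.client("cloudwatch") in practice) so the logic can run offline against
the constructed stand-ins at the bottom.
"""
from datetime import datetime, timedelta, timezone

NAMESPACE = "AWS/NATGateway"
METRICS = ("ActiveConnectionCount", "PeakPacketsPerSecond")


def collect_metrics(cloudwatch, nat_gateway_id, days=7, period=3600):
    """Return {metric_name: [datapoint, ...]} for one gateway: one Maximum
    per `period` seconds across the last `days` days."""
    end = datetime.now(timezone.utc)
    start = end - timedelta(days=days)
    series = {}
    for name in METRICS:
        resp = cloudwatch.get_metric_statistics(
            Namespace=NAMESPACE,
            MetricName=name,
            Dimensions=[{"Name": "NatGatewayId", "Value": nat_gateway_id}],
            StartTime=start,
            EndTime=end,
            Period=period,
            Statistics=["Maximum"],
        )
        series[name] = resp.get("Datapoints", [])
    return series


def is_inactive(series):
    """True when no datapoint of any metric rose above zero. An empty series
    (no datapoints at all) also counts as inactive; treat that as a prompt to
    confirm the region and lookback window rather than as proof."""
    return all(dp.get("Maximum", 0) == 0
               for points in series.values() for dp in points)


def find_inactive(ec2, cloudwatch, days=7):
    """IDs of 'available' gateways with no traffic in the last `days` days."""
    inactive = []
    for ngw in ec2.describe_nat_gateways()["NatGateways"]:
        if ngw["State"] != "available":
            continue  # pending/failed/deleting gateways carry no useful signal
        if is_inactive(collect_metrics(cloudwatch, ngw["NatGatewayId"], days)):
            inactive.append(ngw["NatGatewayId"])
    return inactive


# --- constructed stand-ins for the two AWS clients (not real account data) ---
class FakeEC2:
    def describe_nat_gateways(self):
        return {"NatGateways": [
            {"NatGatewayId": "nat-0aaaaaaaaaaaaaaa1", "State": "available"},
            {"NatGatewayId": "nat-0bbbbbbbbbbbbbbb2", "State": "available"},
            {"NatGatewayId": "nat-0ccccccccccccccc3", "State": "deleted"},
        ]}


class FakeCloudWatch:
    """Returns three hourly datapoints with a fixed Maximum per gateway."""
    PEAK = {"nat-0aaaaaaaaaaaaaaa1": 1450.0, "nat-0bbbbbbbbbbbbbbb2": 0.0}

    def get_metric_statistics(self, **kwargs):
        nat_id = kwargs["Dimensions"][0]["Value"]
        return {"Datapoints": [{"Maximum": self.PEAK[nat_id]} for _ in range(3)]}


if __name__ == "__main__":
    # Against a real account: find_inactive(boto3.client("ec2"), boto3.client("cloudwatch"))
    print(find_inactive(FakeEC2(), FakeCloudWatch()))
```

Two things to keep in mind when pointing this at a real account: describe_nat_gateways is paginated, so use the boto3 paginator if you have more than a page of gateways, and a gateway that is idle for a week can still be needed (a cold standby, a quarterly batch job), so treat the output as a candidate list for the checks in the next section rather than a delete list.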
Risks & Other Considerations
Route Table Updates
After you delete an AWS NAT Gateway, there may still be VPC Route Tables containing routes that point to the NAT Gateway. Each route that pointed to a now-deleted NAT Gateway will be in the "blackhole" state.
Resolution: Review all of your Amazon VPC Route Tables and ensure that none of them have routes pointing to a "blackhole."
Amazon Elastic IP Left Behind
After you delete an AWS NAT Gateway resource, the Amazon Elastic IP address associated with it will continue to exist in your AWS account. These cloud resources have a small cost associated with them.
Resolution: You may want to consider removing the Elastic IP address resource, to avoid incurring additional charges in your AWS account.
External IP Address Whitelists
Sometimes external systems — primarily outside your organization — will have configured an IP address whitelist that enables inbound network traffic from your systems hosted in AWS. NAT Gateway resources have a publicly routable Amazon Elastic IP address associated with them, which provides your systems access to route network packets out to the Internet. If you remove (release) an Elastic IP address, after deleting a NAT Gateway, the IPv4 address will be permanently lost.
This may result in connections to external systems breaking, due to existing whitelists that reference this specific IPv4 address. Any systems relying on a specific, publicly-routable IPv4 address should be updated before you make the final decision to delete the Amazon Elastic IP address resource.
Resolution: Check with all of your technical teams to ensure that the IPv4 address for each Amazon Elastic IP is no longer needed by any systems before you release the Elastic IP resource. Alternatively, you can simply choose to retain the Elastic IP address in case it needs to be reattached to another NAT Gateway or EC2 instance.
Remediation
It's easy to remediate inactive AWS NAT Gateways. All you need to do is delete the NAT Gateway, once you've confirmed that it's no longer needed. Any Amazon VPC Route Tables that had previously been pointing to the NAT Gateway may need to be updated as well.
Manual Remediation
In order to remove an AWS NAT Gateway from your AWS account, run through the following steps.
- Login to the AWS Management Console
- Navigate to the AWS VPC console, from the Unified Search box
- Click on Virtual Private Cloud ➡️ NAT Gateways in the left-hand navigation area
- Find the NAT Gateway ID you want to delete
- Right-click the NAT Gateway, select Delete NAT Gateway
- Type "delete" and then confirm
⚠️ IMPORTANT: After deleting the NAT Gateway, keep in mind that any VPC Route Tables that were previously configured to route network traffic through the NAT Gateway will now be routing to a "black hole." You may need to go to these Route Tables and delete or update the individual routes to send network traffic through another device.
Automated Remediation
You can use automation tools like the AWS CLI or AWS PowerShell to find and remove inactive AWS NAT Gateways. You can use the AWS CLI or AWS PowerShell module from AWS CloudShell, or you can install the tools on your local development system.
AWS CLI
The AWS CLI tool has a command to list NAT Gateways and view their details. To list the NAT Gateways in the current AWS region you've selected, you can use this command.
aws ec2 describe-nat-gateways
You can delete a NAT Gateway with a specific ID using the following command.
aws ec2 delete-nat-gateway --nat-gateway-id nat-12345678
AWS PowerShell
If you'd like to use the AWS PowerShell module, from AWS CloudShell, to find and remove VPC NAT Gateways, you can use the following commands.
To find EC2 NAT Gateways, use the Get-EC2NatGateway command.
Get-EC2NatGateway
To remove a NAT Gateway, you can use the Remove-EC2NatGateway command. Of course, you'll need to replace the NAT Gateway ID with your unique ID.
Remove-EC2NatGateway -NatGatewayId nat-0f045c435a793e554 -Force
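The CLI and PowerShell commands above delete the gateway but leave the Route Table and Elastic IP follow-up from the "Risks & Other Considerations" section to you. As an added example (not StratusGrid's code or part of the original post), the Python block below codifies both around the same DeleteNatGateway call: plan_deletion reports which routes will turn into blackholes, which blackhole routes already exist, and which Elastic IP (with its public address, the one external whitelists reference) will be left behind; remove_nat_gateway performs the deletion, removes the affected routes, and only releases the Elastic IP after the gateway reports "deleted", since the address stays associated until then. It defaults to a dry run. The EC2 client is a parameter (boto3.client("ec2") in practice); FakeEC2 and all IDs and addresses in it are constructed so the block runs offline, and the function names are this example's own.

```python
"""Plan and carry out the removal of one NAT Gateway.

Added example, not StratusGrid's code. It codifies the Route Table and
Elastic IP checks from "Risks & Other Considerations" around the same
DeleteNatGateway call the CLI/PowerShell commands issue. The EC2 client is
a parameter (boto3.client("ec2") in practice) so the logic can be run
offline against the constructed stand-in at the bottom.
"""
import time


def plan_deletion(ec2, nat_gateway_id):
    """Report what deleting this gateway will leave behind; changes nothing."""
    ngw = ec2.describe_nat_gateways(NatGatewayIds=[nat_gateway_id])["NatGateways"][0]
    routes_to_fix, existing_blackholes = [], []
    for rt in ec2.describe_route_tables()["RouteTables"]:
        for route in rt.get("Routes", []):
            dest = route.get("DestinationCidrBlock")  # NAT Gateway routes are IPv4
            if dest is None:
                continue
            if route.get("NatGatewayId") == nat_gateway_id:
                routes_to_fix.append((rt["RouteTableId"], dest))
            elif route.get("State") == "blackhole":
                existing_blackholes.append((rt["RouteTableId"], dest))
    # The Elastic IP stays allocated (and billed) after deletion; its public
    # address is what external whitelists reference, so surface it too.
    eips = [{"AllocationId": a["AllocationId"], "PublicIp": a["PublicIp"]}
            for a in ngw.get("NatGatewayAddresses", []) if "AllocationId" in a]
    return {"state": ngw["State"], "routes_to_fix": routes_to_fix,
            "existing_blackholes": existing_blackholes, "elastic_ips": eips}


def wait_until_deleted(ec2, nat_gateway_id, timeout=600, interval=15):
    """Poll until the gateway reports 'deleted'. Its Elastic IPs remain
    associated until then and cannot be released earlier."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        ngw = ec2.describe_nat_gateways(NatGatewayIds=[nat_gateway_id])["NatGateways"][0]
        if ngw["State"] == "deleted":
            return True
        time.sleep(interval)
    return False


def remove_nat_gateway(ec2, nat_gateway_id, release_eips=False, dry_run=True):
    """Delete the gateway, drop the routes that would otherwise blackhole, and
    optionally release its Elastic IPs. Returns the action list; with
    dry_run=True the list is returned without touching the account."""
    plan = plan_deletion(ec2, nat_gateway_id)
    if plan["state"] != "available":
        raise ValueError(f"{nat_gateway_id} is in state {plan['state']!r}, not available")
    actions = [("delete_nat_gateway", nat_gateway_id)]
    actions += [("delete_route", rt, dest) for rt, dest in plan["routes_to_fix"]]
    if release_eips:
        actions += [("release_address", e["AllocationId"]) for e in plan["elastic_ips"]]
    if dry_run:
        return actions
    ec2.delete_nat_gateway(NatGatewayId=nat_gateway_id)
    for rt, dest in plan["routes_to_fix"]:
        ec2.delete_route(RouteTableId=rt, DestinationCidrBlock=dest)
    if release_eips:
        if not wait_until_deleted(ec2, nat_gateway_id):
            raise TimeoutError(f"{nat_gateway_id} did not reach 'deleted' in time")
        for e in plan["elastic_ips"]:
            ec2.release_address(AllocationId=e["AllocationId"])
    return actions


# --- constructed stand-in for boto3's EC2 client (not real account data) ---
class FakeEC2:
    """One gateway with one EIP, one route table using it, one stale blackhole."""
    NAT, RT_A, RT_B = "nat-0aaaaaaaaaaaaaaa1", "rtb-0aaaaaaaaaaaaaaa1", "rtb-0bbbbbbbbbbbbbbb2"
    EIP = {"AllocationId": "eipalloc-0ccccccccccccccc3", "PublicIp": "203.0.113.10"}

    def __init__(self):
        self.state, self.calls = "available", []

    def describe_nat_gateways(self, NatGatewayIds=None):
        return {"NatGateways": [{"NatGatewayId": self.NAT, "State": self.state,
                                 "NatGatewayAddresses": [dict(self.EIP)]}]}

    def describe_route_tables(self):
        return {"RouteTables": [
            {"RouteTableId": self.RT_A, "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": self.NAT, "State": "active"}]},
            {"RouteTableId": self.RT_B, "Routes": [
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0ddddddddddddddd4",
                 "State": "blackhole"}]}]}

    def delete_nat_gateway(self, NatGatewayId):
        self.state = "deleted"
        self.calls.append(("delete_nat_gateway", NatGatewayId))

    def delete_route(self, RouteTableId, DestinationCidrBlock):
        self.calls.append(("delete_route", RouteTableId, DestinationCidrBlock))

    def release_address(self, AllocationId):
        self.calls.append(("release_address", AllocationId))


if __name__ == "__main__":
    print(plan_deletion(FakeEC2(), FakeEC2.NAT))
    print(remove_nat_gateway(FakeEC2(), FakeEC2.NAT, release_eips=True))  # dry run
```

Run it with dry_run=True first and read the returned action list and the public IP in the plan: that list is what you take to the teams who own external whitelists before flipping dry_run off, and release_eips should stay False unless they have confirmed the address is no longer referenced. The example deletes the affected routes rather than repointing them; if those subnets still need egress through another device, replace the route instead.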
Conclusion
By identifying inactive NAT Gateways, and removing them, you can reduce your AWS cloud spend on unused resources. While NAT Gateways aren't terribly expensive on an individual basis, they can easily add up to a significant amount of monthly spend. Using Stratusphere to automatically identify all of the inactive NAT Gateways across your entire AWS environment will save you significant time and effort! To get started with Stratusphere, please contact our team!