2 Answers
Yes, I think that’s correct.
NAT Gateways only provide redundancy within the AZ, and not across AZs. Usually, the number of public subnets equals the number of AZs in use, with routes from each private subnet to the NAT Gateway within the same AZ.
This protects you from private subnets in AZ A losing internet access when AZ B goes down.
AWS best practices state to set up a NAT gateway per AZ. Of course, that means AZs where you have subnets. That does not mean you need to have the same number of public and private subnets in a VPC or in an AZ. You can have 1 public subnet in an AZ, put one NAT gateway in that public subnet. You can then attach that single NAT gateway to one or more private subnets in the same AZ as the public subnet where you set up the NAT gateway. These are best practices. If for some reason you have 1 public subnet and more than one private subnet in a VPC, you can set up one NAT gateway and attach all private subnets to that one NAT gateway.
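The failure mode both answers describe (a private subnet whose default route leaves through a NAT gateway in another AZ) is easy to audit mechanically. The following is an added example, not code from either answer; it runs over constructed data shaped like the EC2 describe_subnets, describe_nat_gateways and describe_route_tables responses, so the subnet and NAT gateway IDs are made up.

```python
"""Flag private subnets whose 0.0.0.0/0 route uses a NAT gateway in another AZ."""

# Constructed sample data, shaped like the EC2 API responses (not real output).
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-priv-a1", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-a2", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-b1", "AvailabilityZone": "us-east-1b"},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-a", "SubnetId": "subnet-pub-a", "State": "available"},
    {"NatGatewayId": "nat-b", "SubnetId": "subnet-pub-b", "State": "available"},
]
ROUTE_TABLES = [
    # One NAT gateway serving two private subnets in the same AZ: fine.
    {"Associations": [{"SubnetId": "subnet-priv-a1"}, {"SubnetId": "subnet-priv-a2"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    # Misconfigured: a us-east-1b private subnet egressing through the AZ-a NAT.
    {"Associations": [{"SubnetId": "subnet-priv-b1"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
]


def cross_az_nat_routes(subnets, nat_gateways, route_tables):
    """Return (subnet_id, nat_id, subnet_az, nat_az) for every default route
    whose NAT gateway sits in a different AZ than the subnet using it."""
    subnet_az = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    # A NAT gateway's AZ is the AZ of the (public) subnet it was created in.
    nat_az = {n["NatGatewayId"]: subnet_az[n["SubnetId"]] for n in nat_gateways}
    findings = []
    for rt in route_tables:
        # The 0.0.0.0/0 route via a NAT gateway is what makes a subnet "private".
        nat_ids = [r["NatGatewayId"] for r in rt["Routes"]
                   if r.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in r]
        for assoc in rt["Associations"]:
            sid = assoc.get("SubnetId")
            if sid is None:  # the main route table association carries no SubnetId
                continue
            for nat_id in nat_ids:
                if subnet_az[sid] != nat_az[nat_id]:
                    findings.append((sid, nat_id, subnet_az[sid], nat_az[nat_id]))
    return findings


if __name__ == "__main__":
    for sid, nat_id, s_az, n_az in cross_az_nat_routes(SUBNETS, NAT_GATEWAYS, ROUTE_TABLES):
        print(f"{sid} ({s_az}) egresses via {nat_id} in {n_az}: an outage of {n_az} breaks it")
```

With real data, feed the `Subnets`, `NatGateways` and `RouteTables` lists from the corresponding describe calls into `cross_az_nat_routes`; an empty result means every private subnet egresses through a NAT gateway in its own AZ.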