Network Address Translation (NAT) Gateway – Manage & Monitor it

A Network Address Translation (NAT) gateway is used to connect instances in your private subnet to the internet or to other AWS services, while preventing the internet from initiating connections to those instances. The NAT gateway acts as a carrier: it forwards traffic from instances in the private subnet to the internet and then returns the response to the instance.

Working of Network Address Translation Gateway

  1. Traffic from an instance in the private subnet is forwarded to the internet or to another AWS service through the NAT gateway.
  2. The NAT gateway replaces the instance's private IPv4 source address with the NAT device's own address.
  3. The NAT gateway keeps this address mapping until the communication ends.
  4. When the response comes back, the NAT gateway switches the address back to the instance's private IPv4 address.

NOTE: NAT does not support IPv6 traffic.

Rules and limitations of NAT gateway:

  1. A NAT gateway supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps. If you require more, divide your instances across multiple subnets and create a NAT gateway in each of them.
  2. A NAT gateway supports the TCP, UDP and ICMP protocols only.
  3. You cannot assign a security group to the NAT gateway; security groups are assigned to the instances in your private subnet to control their traffic.
  4. A NAT gateway is associated with exactly one Elastic IP address, and once the NAT gateway is created you cannot disassociate that Elastic IP from it. To use a different Elastic IP address, you must create a new NAT gateway.
  5. You cannot access a NAT gateway through a ClassicLink connection that is associated with your VPC.

How do you monitor a Network Address Translation gateway?

To monitor the Network Address Translation (NAT) gateway, you can use CloudWatch. CloudWatch collects information from the NAT gateway and translates it into readable metrics that receive real-time updates. This data can be used to monitor and troubleshoot the NAT gateway.

Because CloudWatch already collects the NAT gateway metrics, you can create a CloudWatch alarm on a NAT gateway metric for a specific period. The alarm triggers based on the metric's value relative to the threshold you set.

Why do you need the support of Centilytics?

Centilytics has a dedicated insight for network gateway changes in its security section, which keeps a check on whether monitoring is working. For security purposes, it also reminds you if your CloudWatch metric is not configured. Since managing and optimizing NAT gateway traffic relies on CloudWatch metrics, Centilytics drills down into them further for a better understanding.

Insight Description:

Ok: CloudTrail has a CloudWatch Logs log group configured with a metric filter, an alarm, and an SNS topic with at least one subscriber.
Warning: For your CloudWatch alarms, either no SNS topic is created or no individual is present in the list of topic subscribers to receive the alerts.
Critical: Delivery to CloudWatch Logs is not configured.
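The three severities above amount to a chain of checks: trail delivers to a log group, the log group has a gateway-change metric filter, an alarm is bound to that metric, and the alarm notifies an SNS topic with a subscriber. The following is an added example (not Centilytics' own code) that runs those checks over an inventory already gathered from the AWS APIs; the inventory here is constructed sample data, and treating a missing filter or alarm as Critical is an assumption the page does not state.

```python
import re

# EC2 API actions that create or remove a NAT or internet gateway; a CIS-style
# metric filter for "network gateway changes" matches on these eventName values.
GATEWAY_EVENTS = {
    "CreateNatGateway", "DeleteNatGateway", "CreateInternetGateway",
    "DeleteInternetGateway", "AttachInternetGateway", "DetachInternetGateway",
}

def classify_trail(trail, metric_filters, alarms, topic_subscribers):
    """Return (severity, reason) for one trail. Inputs are dicts shaped like the
    boto3 responses of describe_trails(), describe_metric_filters() (keyed by log
    group name), describe_alarms()['MetricAlarms'], and {topic_arn: subscriber count}."""
    arn = trail.get("CloudWatchLogsLogGroupArn")
    if not arn:
        return "Critical", "Delivery to CloudWatch Logs not configured."
    log_group = arn.split(":log-group:", 1)[1].split(":", 1)[0]
    gateway_filters = [
        f for f in metric_filters.get(log_group, [])
        if GATEWAY_EVENTS & set(re.findall(r"\w+", f.get("filterPattern", "")))
    ]
    if not gateway_filters:  # assumption: a missing filter is as bad as no delivery
        return "Critical", f"No gateway-change metric filter on log group {log_group}."
    metrics = {(t["metricNamespace"], t["metricName"])
               for f in gateway_filters for t in f["metricTransformations"]}
    bound = [a for a in alarms if (a["Namespace"], a["MetricName"]) in metrics]
    if not bound:  # assumption: a filter with no alarm is also Critical
        return "Critical", "No CloudWatch alarm is bound to the gateway-change metric."
    # Warning: the alarm exists but would notify nobody.
    notified = any(topic_subscribers.get(t, 0) > 0
                   for a in bound for t in a.get("AlarmActions", []))
    if not notified:
        return "Warning", "No SNS topic on the alarm, or the topic has no subscribers."
    return "Ok", "Log group, metric filter, alarm and subscribed SNS topic are in place."

# Constructed sample inventory (not real account data).
TOPIC = "arn:aws:sns:us-east-1:111122223333:security-alerts"
SAMPLE_TRAIL = {"Name": "management-trail", "CloudWatchLogsLogGroupArn":
                "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/Logs:*"}
SAMPLE_FILTERS = {"CloudTrail/Logs": [{
    "filterName": "GatewayChanges",
    "filterPattern": "{ ($.eventName = CreateNatGateway) || ($.eventName = DeleteNatGateway) }",
    "metricTransformations": [{"metricName": "GatewayChangeCount", "metricNamespace": "CISBenchmark"}],
}]}
SAMPLE_ALARMS = [{"AlarmName": "gateway-changes", "Namespace": "CISBenchmark",
                  "MetricName": "GatewayChangeCount", "AlarmActions": [TOPIC]}]

if __name__ == "__main__":
    for subscribers in (1, 0):  # with and without a topic subscriber
        print(classify_trail(SAMPLE_TRAIL, SAMPLE_FILTERS, SAMPLE_ALARMS, {TOPIC: subscribers}))
```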

The further columns are described as follows:

Account Id: Shows the AWS account ID of the user's account.

Account Name: Shows the account name corresponding to the user’s account.

Region: Shows the region of the instance in which it is used.

Identifier: Shows the service together with its trail name.

Log Group Name: The name of the log group that has permission to use the service.

Metric Filter Name: Shows you the name that you have given to the metric filter.

Alarm Name: Shows the name of the alarm that you have assigned.

SNS Topic Name: SNS refers to the Simple Notification Service; a topic is a group of individuals who receive the alert message.

Custom Severity Description: Shows the severity of your metric filter and the custom description of its functions.

Filters Applicable:

Account Id: Applying the account Id filter will display all the public snapshots for the selected account Id.
Region: Applying the region filter will display all the public snapshots corresponding to the selected region.
Severity: Applying the severity filter will display public snapshots according to the selected severity type, i.e. selecting Critical will display all instances with Critical severity. The same applies to the Warning and Ok severity types.
Resource Tags: Applying the resource tags filter will display those public snapshots that have been assigned the selected resource tag. For example, if a user has tagged some public snapshots with a resource tag named environment, then selecting environment from the resource tags filter will display all those snapshots.
Resource Tags Value: Applying the resource tags value filter will display data that has the selected resource tag value. For example, say a user has tagged some resources with a tag named environment that has the value production (environment: production). The user can then view data for all the resources tagged as "environment: production". The tag value filter can only be used once a tag name has been provided.
Compliance: Applying the Compliance filter lets you further refine your security and health checks.

Stay tuned for our more elaborative takes on cloud security…