AWS::EC2::NatGateway - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWS::EC2::NatGateway

Specifies a network address translation (NAT) gateway in the specified subnet. You can create either a public NAT gateway or a private NAT gateway. The default is a public NAT gateway. If you create a public NAT gateway, you must specify an elastic IP address.

With a NAT gateway, instances in a private subnet can connect to the internet, other Amazon services, or an on-premises network using the IP address of the NAT gateway. For more information, see NAT gateways in the Amazon VPC User Guide.

If you add a default route (AWS::EC2::Route resource) that points to a NAT gateway, specify the NAT gateway ID for the route's NatGatewayId property.

Important

When you associate an Elastic IP address or secondary Elastic IP address with a public NAT gateway, the network border group of the Elastic IP address must match the network border group of the Availability Zone (AZ) that the public NAT gateway is in. Otherwise, the NAT gateway fails to launch. You can see the network border group for the AZ by viewing the details of the subnet. Similarly, you can view the network border group for the Elastic IP address by viewing its details. For more information, see Allocate an Elastic IP address in the Amazon VPC User Guide.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::EC2::NatGateway", "Properties" : { "AllocationId" : String, "ConnectivityType" : String, "MaxDrainDurationSeconds" : Integer, "PrivateIpAddress" : String, "SecondaryAllocationIds" : [ String, ... ], "SecondaryPrivateIpAddressCount" : Integer, "SecondaryPrivateIpAddresses" : [ String, ... ], "SubnetId" : String, "Tags" : [ Tag, ... ] } }

YAML

Type: AWS::EC2::NatGateway Properties: AllocationId: String ConnectivityType: String MaxDrainDurationSeconds: Integer PrivateIpAddress: String SecondaryAllocationIds: - String SecondaryPrivateIpAddressCount: Integer SecondaryPrivateIpAddresses: - String SubnetId: String Tags: - Tag

Properties

AllocationId

[Public NAT gateway only] The allocation ID of the Elastic IP address that's associated with the NAT gateway. This property is required for a public NAT gateway and cannot be specified with a private NAT gateway.

Required: Conditional

Type: String

Update requires: Replacement

ConnectivityType

Indicates whether the NAT gateway supports public or private connectivity. The default is public connectivity.

Required: No

Type: String

Allowed values: private | public

Update requires: Replacement

MaxDrainDurationSeconds

The maximum amount of time to wait (in seconds) before forcibly releasing the IP addresses if connections are still in progress. Default value is 350 seconds.

Required: No

Type: Integer

Minimum: 1

Maximum: 4000

Update requires: No interruption

PrivateIpAddress

The private IPv4 address to assign to the NAT gateway. If you don't provide an address, a private IPv4 address will be automatically assigned.

Required: No

Type: String

Update requires: Replacement

SecondaryAllocationIds

Secondary EIP allocation IDs. For more information, see Create a NAT gateway in the Amazon VPC User Guide.

Required: No

Type: Array of String

Update requires: No interruption

SecondaryPrivateIpAddressCount

[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see Create a NAT gateway in the Amazon Virtual Private Cloud User Guide.

SecondaryPrivateIpAddressCount and SecondaryPrivateIpAddresses cannot be set at the same time.

Required: No

Type: Integer

Minimum: 1

Update requires: No interruption

SecondaryPrivateIpAddresses

Secondary private IPv4 addresses. For more information about secondary addresses, see Create a NAT gateway in the Amazon Virtual Private Cloud User Guide.

SecondaryPrivateIpAddressCount and SecondaryPrivateIpAddresses cannot be set at the same time.

Required: No

Type: Array of String

Update requires: No interruption

SubnetId

The ID of the subnet in which the NAT gateway is located.

Required: Yes

Type: String

Update requires: Replacement

Tags

The tags for the NAT gateway.

Required: No

Type: Array of Tag

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the NAT gateway. For example, nat-0a12bc456789de0fg.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

NatGatewayId

The ID of the NAT gateway.

Examples

NAT gateway

The following example creates a public NAT gateway and a route that sends all internet-bound traffic from the private subnet with EC2 instances to the NAT gateway. A public NAT gateway uses an elastic IP address to provide it with a public IP address that doesn't change. Note that the route table for the public subnet with the NAT gateway must also have a route that sends all internet-bound traffic to an internet gateway, so that the NAT gateway can connect to the internet.

JSON

"NATGateway" : { "Type" : "AWS::EC2::NatGateway", "Properties" : { "AllocationId" : { "Fn::GetAtt" : ["NATGatewayEIP", "AllocationId"] }, "SubnetId" : { "Ref" : "PublicSubnet" }, "Tags" : [ {"Key" : "stack", "Value" : "production" } ] } }, "NATGatewayEIP" : { "Type" : "AWS::EC2::EIP", "Properties" : { "Domain" : "vpc" } }, "RouteNATGateway" : { "DependsOn": [ "NATGateway" ], "Type" : "AWS::EC2::Route", "Properties" : { "RouteTableId" : { "Ref" : "PrivateRouteTable" }, "DestinationCidrBlock" : "0.0.0.0/0", "NatGatewayId" : { "Ref" : "NATGateway" } } }

YAML

NATGateway: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt NATGatewayEIP.AllocationId SubnetId: !Ref PublicSubnet Tags: - Key: stack Value: production NATGatewayEIP: Type: AWS::EC2::EIP Properties: Domain: vpc RouteNATGateway: DependsOn: NATGateway Type: AWS::EC2::Route Properties: RouteTableId: !Ref PrivateRouteTable DestinationCidrBlock: '0.0.0.0/0' NatGatewayId: !Ref NATGateway