AWS Managed NAT Gateway is a widely-used service that provides seamless internet access for resources within a private VPC subnet. However, its cost structure has been a pain point for many AWS users, with high fees for both hourly usage and data processing. Moreover, the lack of viable alternatives often forces users to choose between cost and functionality. In this blog post, we will discuss a promising open-source alternative called alterNAT and walk you through its technical implementation.

What is alterNAT?

AlterNAT is an open-source solution that aims to reduce AWS NAT Gateway costs by using NAT instances instead of NAT Gateways, eliminating the data processing charges. It is suitable for users who have large amounts of data per month with NAT Gateway and are looking for cost savings without compromising functionality.

Technical Implementation:

Architecture Overview:

AlterNAT uses NAT instance Auto Scaling Groups, one per availability zone, along with a corresponding standby NAT Gateway. Both components are deployed using the Terraform module located in modules/terraform-aws-alternat.

Integrating alterNAT with Existing VPCs:

If you are using the terraform-aws-vpc Terraform module and wish to switch from its NAT Gateway to alterNAT's NAT Gateway, follow these steps.

1. Here's a snippet of an existing VPC Terraform code:

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 3.0"

  name                  = local.name
  cidr                  = "10.0.0.0/16"
  secondary_cidr_blocks = ["100.64.0.0/16"]
  azs                   = ["ap-southeast-3a", "ap-southeast-3b"]
  private_subnets       = ["10.0.1.0/24", "10.0.2.0/24", "100.64.0.0/17", "100.64.128.0/17"]
  public_subnets        = ["10.0.4.0/24", "10.0.5.0/24"]
  enable_nat_gateway    = true
  single_nat_gateway    = true
  enable_dns_hostnames  = true


  public_subnet_tags = {
    "kubernetes.io/cluster/${var.eksdata["cluster_name"]}" = "shared"
    "kubernetes.io/role/elb"                               = "1"
  }

  private_subnet_tags = {
    "kubernetes.io/cluster/${var.eksdata["cluster_name"]}" = "shared"
    "kubernetes.io/role/internal-elb"                      = "1"
  }

  tags = {
    GithubRepo = "terraform-aws-eks"
    GithubOrg  = "terraform-aws-modules"
  }
}

1. Modifying the NAT involves changing the route table, and downtime is unavoidable, so plan accordingly.

2. Remove the current NAT Gateway, apply the Terraform code

    enable_nat_gateway    = false
   

3. Add alterNAT after applying the above code.

   Don't forget to include cidr_blocks; otherwise, private subnets will be unable to connect to alterNAT.

    locals {
      vpc_az_maps = [
        for index, rt in module.vpc.private_route_table_ids
        : {
          az                 = data.aws_subnet.subnet[index].availability_zone
          route_table_ids    = [rt]
          public_subnet_id   = module.vpc.public_subnets[index]
          private_subnet_ids = [module.vpc.private_subnets[index]]
        }
      ]
    }
   
    data "aws_subnet" "subnet" {
      count = length(module.vpc.private_subnets)
      id    = module.vpc.private_subnets[count.index]
    }
   
    module "alternat_instances" {
      source = "git::https://github.com/1debit/alternat.git//modules/terraform-aws-alternat?ref=v0.4.2"
      nat_instance_type = "m6g.medium"  
   
      lambda_package_type = "Zip"
   
      vpc_id      = module.vpc.vpc_id
      vpc_az_maps = local.vpc_az_maps
    }
    resource "aws_security_group_rule" "allow_all" {
      type              = "ingress"
      protocol          = "-1"
      from_port         = 0
      to_port           = 0
      cidr_blocks       = ["10.0.0.0/16","100.64.0.0/16"]
      security_group_id = module.alternat_instances.nat_instance_security_group_id
    }
   

4. Chose the right instance type.

   By comparing data processing costs against the instance type for alterNAT, you can identify the optimal instance type while considering its network bandwidth.

Conclusion:

AlterNAT is an excellent alternative for AWS users looking to reduce their NAT Gateway costs without sacrificing functionality. By using NAT instances instead of NAT Gateways, users can save on data processing charges while still maintaining internet access for their resources within a private VPC subnet. However, it's essential to consider the drawbacks and limitations, such as the loss of NAT table state, before implementing alterNAT in your infrastructure.

For more information and a detailed guide on using alterNAT, please refer to the official GitHub repository alterNAT.