Amazon EC2

NAT Multiple AZ Not Configured

This plugin ensures managed NAT instances exist in at least 2 Availability Zones (AZ) for availability purposes

Risk Level: Low

Description

This plugin ensures managed NAT instances exist in at least 2 Availability Zones (AZ) for availability purposes. Creating NAT instances in a single AZ will have a single point of failure for all systems in the VPC. NAT instances should be created in multiple AZs to ensure proper failover.

About the Service

Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With the EC2 instance, you can launch as many virtual servers as you need, configure security and networking, and manage storage without worrying about the hardware needs of the process. Security Groups act as a firewall for an EC2 instance to control the incoming and outgoing traffic. You can read more about security groups here.

Impact

With NAT capacity in just a single Availability Zone, applications in the VPC can face downtime if that Availability Zone experiences an outage. To keep the infrastructure functioning, NAT Gateways must be set up in subnets across multiple Availability Zones, so that traffic can fail over to a gateway in another zone when one zone is down.

Steps to Reproduce

Using the AWS Console:

  1. Log In to your AWS Console.
  2. Open the VPC Management Console. You can use this link (https://console.aws.amazon.com/vpc) to navigate directly if already logged in. 
  3. Move to the NAT Gateways in the Virtual Private Cloud section from the left navigation pane.
  4. A list of the NAT Gateways in the region will appear. Click on the NAT Gateway you wish to examine.
  5. Click on the radio button next to the VPC ID you wish to examine.
  6. In the Subnet section, click on the Subnet ID.
  7. Click again on the Subnet ID and note its Availability Zone.
  8. Repeat these steps for the other NAT Gateways. If all of a single VPC's NAT Gateway subnets are in one Availability Zone, the vulnerability exists.
  9. Repeat the steps for all the VPCs you want to investigate.
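The same check can be run programmatically against the EC2 API. The following is an added example, not the plugin's own code: it groups NAT Gateways by VPC, resolves each gateway's subnet to its Availability Zone, and flags VPCs whose available gateways cover fewer than two zones. The sample API responses are constructed inline; the optional `fetch_from_aws` helper assumes boto3 and AWS credentials.

```python
from collections import defaultdict

# Constructed sample records in the shape of ec2.describe_nat_gateways()
# and ec2.describe_subnets() responses (not real account data).
SAMPLE_NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0aaa", "VpcId": "vpc-0a", "SubnetId": "subnet-0a1", "State": "available"},
    {"NatGatewayId": "nat-0bbb", "VpcId": "vpc-0a", "SubnetId": "subnet-0a2", "State": "available"},
    {"NatGatewayId": "nat-0ccc", "VpcId": "vpc-0b", "SubnetId": "subnet-0b1", "State": "available"},
    # A deleted gateway in a second AZ does not count towards availability.
    {"NatGatewayId": "nat-0ddd", "VpcId": "vpc-0b", "SubnetId": "subnet-0b2", "State": "deleted"},
]
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0a1", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-0a2", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-0b1", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-0b2", "AvailabilityZone": "us-east-1b"},
]


def nat_azs_per_vpc(nat_gateways, subnets):
    """Map each VPC ID to the set of AZs that hold an 'available' NAT Gateway."""
    az_of_subnet = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    azs = defaultdict(set)
    for nat in nat_gateways:
        if nat.get("State") != "available":
            continue  # pending/failed/deleting/deleted gateways carry no traffic
        az = az_of_subnet.get(nat["SubnetId"])
        if az is not None:
            azs[nat["VpcId"]].add(az)
    return dict(azs)


def find_single_az_vpcs(nat_gateways, subnets, min_azs=2):
    """Return sorted VPC IDs whose NAT Gateways span fewer than min_azs AZs."""
    coverage = nat_azs_per_vpc(nat_gateways, subnets)
    return sorted(vpc for vpc, azs in coverage.items() if len(azs) < min_azs)


def fetch_from_aws(region):
    """Pull live data with boto3 (assumed installed and credentialed)."""
    import boto3  # imported lazily so the pure logic above runs offline
    ec2 = boto3.client("ec2", region_name=region)
    nats = [n for page in ec2.get_paginator("describe_nat_gateways").paginate()
            for n in page["NatGateways"]]
    subs = [s for page in ec2.get_paginator("describe_subnets").paginate()
            for s in page["Subnets"]]
    return nats, subs


if __name__ == "__main__":
    print("Single-AZ NAT VPCs:", find_single_az_vpcs(SAMPLE_NAT_GATEWAYS, SAMPLE_SUBNETS))
```

Replace the sample data with `fetch_from_aws("us-east-1")` to run the check per region; each VPC it returns matches the finding described in step 8 above.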

Steps for Remediation

Launch managed NAT instances in multiple AZs:

  1. Log In to your AWS Console.
  2. Open the VPC Management Console. You can use this link (https://console.aws.amazon.com/vpc) to navigate directly if already logged in. 
  3. Move to the NAT Gateways in the Virtual Private Cloud section from the left navigation pane.
  4. Click on Create NAT Gateway from the top-right corner.
  5. Enter the specifications for the gateway according to the VPC you wish to attach it to. Select a subnet belonging to that VPC that is in a different Availability Zone from the existing NAT Gateway, then click on Create NAT Gateway.
  6. Repeat these steps for all the vulnerable VPCs.