Complete a 3 Question Survey and Earn a re:Post Badge

Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!

How can I use CloudWatch metrics to identify NAT gateway bandwidth issues?

4 minute read

My NAT gateway isn't receiving the bandwidth that I expect. I want to use Amazon CloudWatch metrics to identify bandwidth issues.

Resolution

Benchmark the networking throughput

Complete the following steps:

Set up a test environment to benchmark your network throughput between Amazon Elastic Compute Cloud (Amazon EC2) Linux instances in the same Amazon Virtual Private Cloud (Amazon VPC).
Benchmark the traffic that an instance can manage.
Repeat the preceding steps for the different instance types that are running behind the NAT gateway. To identify the instance types, see the Check the instances behind the NAT gateway section of this article.

Check the CloudWatch metrics for issues with throughput or NAT gateway bandwidth

Complete the following steps:

Open the CloudWatch console.
In the navigation pane, choose Metrics.
Select the NAT gateway and then check whether there's a value that's greater than zero for the PacketsDropCount metric.
Select the NAT gateway, and then check whether there's a value that's greater than zero for the ErrorPortAllocation metric.
Select BytesOutToDestination, BytesOutToSource, BytesInFromDestination, and BytesInFromSource.
Choose PeakPacketsPerSecond.
Note: Check the maximum statistic to determine the average packet rate every 10 seconds for 60 seconds.

A healthy NAT gateway always has a value of zero. If the value is greater than zero, then there's an ongoing transient issue with the NAT gateway. Check the AWS Health Dashboard for notifications that are related to the NAT Gateway. If there are no notifications, then open a case with AWS Support.

To calculate the average bandwidth over a 1-minute interval, use one of the following formulas. The following formulas give the average bandwidth over a period of time but not the real per-second view of bandwidth. Depending on your usage patterns, the per-second bandwidth might have spikes and troughs. Your NAT gateway scales according to fluctuations in your traffic.

[( BytesOutToDestination + BytesOutToSource) * 8 / Time period in seconds].

[( BytesInFromDestination + BytesInFromSource) * 8 / Time period in seconds]

Note: For bandwidth bursts that exceed 100 Gbps, distribute the resources across multiple subnets and create multiple NAT gateways. For optimal performance, create your instances across private subnets in the same Availability Zone as your NAT gateway.

Check the instances behind the NAT gateway

Complete the following steps:

Open the Amazon VPC console.
In the navigation pane, under Route tables, select the route tables that point to the NAT gateway.
Select the Subnet association view, and note all the subnet IDs.
Open the Amazon EC2 console.
In the navigation pane, under Instances, choose the Settings icon to view the Show and Hide columns.
Select Subnet ID and Instance type.
Identify the IDs of all the instances that are running in the associated subnets.

Check the CloudWatch metrics for all Amazon EC2 instances behind the NAT gateway

Complete the following steps:

Open the Amazon CloudWatch console.
In the navigation pane, under Metrics, choose EC2.
Select the IDs of all the instances behind the NAT gateway.
Under the Metric name column, select the NetworkIn, NetworkOut, and CPUUtilization metrics for all instances that were affected during the time you experienced bandwidth issues.
Note: For instructions on how to check traffic usage, see Get statistics for a specific resource.
Confirm that there are no CPU spikes or unusual increases in traffic at the same time as the bandwidth issue.
Activate VPC Flow Logs at the subnet level to review traffic that passes through the NAT gateway.

Compare the results

Check if the sum of networking throughput metrics across all instances behind the NAT gateway exceeds 100 Gbps in bursts. When the burst exceeds 100 Gbps, your NAT gateway has a bandwidth that's greater than the 100 Gbps quota. In this case, it's a best practice to distribute your traffic across multiple NAT gateways.

Related information

How do I set up a NAT gateway for a private subnet in Amazon VPC?

NAT gateways

Why can't my Amazon EC2 instance in a private subnet connect to the internet using a NAT gateway?

Compare NAT gateways and NAT instances

Topics

Management & Governance Networking & Content Delivery

Relevant content

How to enable internet for EC2 using NAT Gateway?
Accepted Answer
AWS-User-3348559
asked a year ago
Slow internet connection when using NAT Gateway
Luca
asked 4 months ago
Instances within the private subnet are unable to access the internet using NAT gateway.
Accepted Answer
Bhanuprakash
asked 6 months ago
Inbound traffic to NAT Gateway from AWS
Bianca
asked 2 years ago
VPC NetworkOUT metric on Cloudwatch
Mauro-rePost-User-1736282
asked 2 years ago
How do I troubleshoot connectivity issues when I use a NAT gateway on my private Amazon VPC?
AWS OFFICIALUpdated 3 months ago
How do I use Amazon CloudWatch Metrics Insights to identify the most used APIs?
AWS OFFICIALUpdated a year ago
How do I resolve the "ErrorPortAllocation" error on my NAT gateway in Amazon VPC?
AWS OFFICIALUpdated 2 years ago
How do I find the top contributors to NAT gateway traffic in my Amazon VPC?
AWS OFFICIALUpdated 8 months ago
How do I find IP addresses of SMTP Clients behind a NAT gateway?
EXPERT
Jonathan_D
published 2 years ago