How can I tell how my NAT gateway is being used and what's behind it?

Question

OK.. I inherited a 2 year old configuration. The original creator of a NAT gateway (in US west 1 region) is no longer with the organization. Nobody at the organization can tell me what it is about. We have no other workloads running in this region, so it is a mystery to me why the gateway was even created, and what it might be doing. I am not a hands-on DevOps expert, but understand enough tech to poke around with some guidance. Where do I start? I want to make sure I understand if there is a reason ( a real use case) for this NAT gateway to exist.  Thanks for any pointers...  Rajiv

Answer

You could also take a look at the [CloudWatch metrics](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway-cloudwatch.html) that the NAT gateway is sending to see if it is active.

Answer

See this blog which walks you through on how to use VPC flow-logs with additional Meta-Data:

https://aws.amazon.com/blogs/aws/learn-from-your-vpc-flow-logs-with-additional-meta-data/

When you create a new VPC Flow Log, in addition to existing fields, you can now choose to add the following meta-data:

`pkt-srcaddr` : the packet-level IP address of the source. **You typically use this field in conjunction with `srcaddr` to distinguish between the IP address of an intermediate layer through which traffic flows**, **such as a NAT gateway**.

`pkt-dstaddr` : the packet-level destination IP address, similar to the previous one, but for destination IP addresses.

Answer

NAT GW will be in the Public subnet of this VPC. Check the private subnet in that VPC, then check the routes and find out if the internet access (usually 0.0.0.0/0)is pointed to NAT-abc. If the route is present then the instances in the private subnet is using this NAT to communicate outside.

How can I tell how my NAT gateway is being used and what's behind it?

Relevant content