
Triage AWS NAT Gateway Usage NATGATEWAY_UNUSED


NAT Gateway Unused

Understand

This alert indicates that the NAT Gateway has reported zero outbound data transfer (the BytesOutToDestination metric). This usually means the gateway is not in use and may be a candidate for decommissioning.

Validate

  1. Verify the Alert: Check the usage metrics of the NAT Gateway in the AWS CloudWatch console or with the AWS CLI:

     ```bash
     aws cloudwatch get-metric-statistics \
       --namespace AWS/VPC \
       --metric-name BytesOutToDestination \
       --dimensions Name=NatGatewayId,Value=YOUR_NAT_GATEWAY_ID \
       --start-time START_TIME --end-time END_TIME \
       --period 3600 --statistics Average
     ```

  2. Data Source: The data is fetched using the GetMetricStatistics API call.
  3. Evaluation: This policy runs on a schedule (every 6 hours). Ensure this cadence meets your requirements.
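As an added example (not code from the original guide), the following Python evaluates a GetMetricStatistics response the way a reviewer should before acting on this alert: it distinguishes a reported zero from periods with no datapoint at all, and flags any period that moved bytes. The response, time window and NAT gateway ID are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample window: the START_TIME/END_TIME placeholders from the guide
# filled with concrete UTC values (24 hours of hourly periods, as with --period 3600).
WINDOW_HOURS = 24
END = datetime(2024, 1, 2, 0, 0, tzinfo=timezone.utc)
START = END - timedelta(hours=WINDOW_HOURS)

def hourly_datapoints(values):
    """Build a GetMetricStatistics-shaped response (constructed) from hourly averages."""
    return {
        "Label": "BytesOutToDestination",
        "Datapoints": [
            {"Timestamp": START + timedelta(hours=i), "Average": v, "Unit": "Bytes"}
            for i, v in enumerate(values)
        ],
    }

def classify_nat_gateway(response, window_hours=WINDOW_HOURS, period_seconds=3600):
    """Classify a gateway from its BytesOutToDestination datapoints.

    "in_use"  - at least one period moved bytes; do not delete.
    "unused"  - every period in the window was reported and all were zero.
    "no_data" - some periods are missing. CloudWatch returns no datapoint for a
                period in which nothing was published (e.g. the gateway did not
                exist for the whole window), so silence is not a reported zero.
    The window should be longer than the policy's 6-hour schedule and cover the
    longest cycle of any intermittent job that routes through the gateway.
    """
    expected = window_hours * 3600 // period_seconds
    points = response.get("Datapoints", [])
    if any(p.get("Average", 0) > 0 for p in points):
        return "in_use"
    if len(points) < expected:
        return "no_data"
    return "unused"

def cli_validate_command(nat_gateway_id, start=START, end=END):
    """The guide's CLI check with the time placeholders filled in (ISO 8601 UTC)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return (
        "aws cloudwatch get-metric-statistics --namespace AWS/VPC "
        "--metric-name BytesOutToDestination "
        f"--dimensions Name=NatGatewayId,Value={nat_gateway_id} "
        f"--start-time {start.strftime(fmt)} --end-time {end.strftime(fmt)} "
        "--period 3600 --statistics Average"
    )
```

Feed the JSON returned by the CLI command into classify_nat_gateway and only treat "unused" as confirmation; "no_data" means the window needs widening or the gateway is too new to judge.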

Triage

  • Impact: If truly unused, removing the NAT Gateway saves cost. However, if it is part of an intermittent workflow, deleting it might disrupt operations.
  • Worsening Factors: Keeping an unused NAT Gateway could lead to recurring costs.
  • Remediation Risks: Deleting the NAT Gateway might affect any residual dependency traffic.

Act

  1. Action: If confirmed unused, you can delete the NAT Gateway using the AWS CLI or the console.
  2. AWS CLI:

     ```bash
     aws ec2 delete-nat-gateway --nat-gateway-id YOUR_NAT_GATEWAY_ID
     ```

Reflect

  • Feedback: If the policy alert is not actionable, adjust the monitoring parameters or the observation frequency.
  • Disable Policy: If deemed unnecessary, consider disabling the policy.