Triage AWS NAT Gateway Usage NATGATEWAY_UNUSED
NAT Gateway Unused
Understand
This alert indicates that the NAT Gateway reported zero outbound data transfer over the observation window (the CloudWatch metric BytesOutToDestination in the AWS/NATGateway namespace). This usually means nothing behind the gateway is sending traffic through it, so it may be a candidate for decommissioning. Note that zero traffic does not by itself prove that no route table still targets the gateway, or that no periodic workload relies on it outside the window.
Validate
- Verify the Alert: Check the usage metrics of the NAT Gateway from the AWS CloudWatch console or using the AWS CLI. Query the AWS/NATGateway namespace (CloudWatch does not reject an unknown namespace; it simply returns an empty Datapoints list, which can be mistaken for "unused") and use the Sum statistic so any non-zero period stands out:

```bash
aws cloudwatch get-metric-statistics \
  --namespace AWS/NATGateway \
  --metric-name BytesOutToDestination \
  --dimensions Name=NatGatewayId,Value=YOUR_NAT_GATEWAY_ID \
  --start-time START_TIME --end-time END_TIME \
  --period 3600 --statistics Sum
```
- Data Source: The data is fetched using the GetMetricStatistics API call.
- Evaluation: This policy runs on a scheduled basis (every 6 hours). Ensure this cadence, and the observation window it evaluates, meet your requirements.
Triage
- Impact: If truly unused, removing the NAT Gateway saves its hourly charge. However, if it serves an intermittent workload (for example a monthly batch job or a standby subnet), deleting it will break that workload's outbound connectivity the next time it runs; a short observation window can miss such cycles entirely.
- Worsening Factors: An unused NAT Gateway keeps incurring its hourly charge for as long as it exists.
- Remediation Risks: Deleting the NAT Gateway affects any residual dependency traffic. Routes that still target it become blackhole routes, so instances in those subnets silently lose internet egress. The associated Elastic IP is disassociated but not released, so release it separately once the gateway is gone.
Act
- Action: If confirmed unused and no route table still targets it, delete the NAT Gateway using the AWS CLI or the console. Deletion is asynchronous: the gateway passes through the deleting state before it is removed, after which its Elastic IP can be released.
- AWS CLI:

```bash
aws ec2 delete-nat-gateway --nat-gateway-id YOUR_NAT_GATEWAY_ID
```
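The Validate check and the pre-deletion route check from the Act step, combined into one added Python helper. This is example code written for this guide, not part of the policy engine or the AWS CLI. It works on the raw `Datapoints` list that `GetMetricStatistics` returns for the Sum statistic and the `RouteTables` list from `DescribeRouteTables`; the sample inputs at the bottom are constructed, and only `fetch_live` talks to AWS (it assumes boto3 and valid credentials). The helper distinguishes an empty response (wrong namespace, dimension or window) from genuine zeros, and refuses to recommend deletion while a route table still points at the gateway.

```python
"""Triage helper for NATGATEWAY_UNUSED (added example, not the guide's own tooling).

Separates three things the raw alert does not:
  * no datapoints at all (wrong namespace/dimension/window) vs. genuine zeros,
  * zero bytes but a route table still targets the gateway (deletion would
    leave blackhole routes),
  * a window with too few datapoints to trust.
"""
from datetime import datetime, timedelta, timezone

METRIC = "BytesOutToDestination"
NAMESPACE = "AWS/NATGateway"  # not AWS/VPC; CloudWatch silently returns [] for a bad namespace


def classify_usage(datapoints, window_start, window_end, period=3600):
    """Return (status, total_bytes, coverage) for a GetMetricStatistics response
    requested with Statistics=["Sum"]. coverage is the share of the window that
    has datapoints, so a sparse or mis-addressed query cannot pass as 'unused'."""
    if not datapoints:
        return "no_data", 0.0, 0.0
    expected = max(1, int((window_end - window_start).total_seconds() // period))
    coverage = min(1.0, len(datapoints) / expected)
    total = sum(float(dp.get("Sum", 0.0)) for dp in datapoints)
    return ("in_use" if total > 0 else "unused"), total, coverage


def routes_targeting(route_tables, nat_gateway_id):
    """IDs of route tables with at least one route whose target is this NAT gateway."""
    return [
        rt["RouteTableId"]
        for rt in route_tables
        if any(r.get("NatGatewayId") == nat_gateway_id for r in rt.get("Routes", []))
    ]


def triage(datapoints, route_tables, nat_gateway_id, window_start, window_end,
           period=3600, min_coverage=0.9):
    """Map the two inputs to a verdict string; the first token is the verdict."""
    status, total, coverage = classify_usage(datapoints, window_start, window_end, period)
    if status == "no_data":
        return "NO_DATA check namespace, NatGatewayId and window before trusting the alert"
    if status == "in_use":
        return f"IN_USE {total:.0f} bytes out in window"
    refs = routes_targeting(route_tables, nat_gateway_id)
    if refs:
        return "UNUSED_BUT_ROUTED repoint or remove routes first: " + ",".join(refs)
    if coverage < min_coverage:
        return f"UNUSED_LOW_COVERAGE only {coverage:.0%} of window has datapoints"
    return "DELETE_CANDIDATE"


def fetch_live(nat_gateway_id, region, window_start, window_end, period=3600):
    """Pull the same two inputs from AWS. Assumes boto3 and credentials are
    available; imported here so the offline functions above work without it."""
    import boto3
    cw = boto3.client("cloudwatch", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    stats = cw.get_metric_statistics(
        Namespace=NAMESPACE, MetricName=METRIC,
        Dimensions=[{"Name": "NatGatewayId", "Value": nat_gateway_id}],
        StartTime=window_start, EndTime=window_end, Period=period, Statistics=["Sum"],
    )
    rts = ec2.describe_route_tables(
        Filters=[{"Name": "route.nat-gateway-id", "Values": [nat_gateway_id]}]
    )
    return stats["Datapoints"], rts["RouteTables"]


# Constructed sample inputs: a 7-day window of hourly zero sums, and two route
# tables, one of which still has a default route through the gateway.
NAT_ID = "nat-0123456789abcdef0"
WINDOW_END = datetime(2024, 6, 8, tzinfo=timezone.utc)
WINDOW_START = WINDOW_END - timedelta(days=7)
SAMPLE_DATAPOINTS = [
    {"Timestamp": WINDOW_START + timedelta(hours=h), "Sum": 0.0, "Unit": "Bytes"}
    for h in range(168)
]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0aaa", "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": NAT_ID}]},
    {"RouteTableId": "rtb-0bbb", "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

if __name__ == "__main__":
    print(triage(SAMPLE_DATAPOINTS, SAMPLE_ROUTE_TABLES, NAT_ID, WINDOW_START, WINDOW_END))
    print(triage(SAMPLE_DATAPOINTS, SAMPLE_ROUTE_TABLES[1:], NAT_ID, WINDOW_START, WINDOW_END))
    print(triage([], SAMPLE_ROUTE_TABLES, NAT_ID, WINDOW_START, WINDOW_END))
```

For a live run, replace the sample inputs with `fetch_live(NAT_ID, "us-east-1", WINDOW_START, WINDOW_END)`; the `route.nat-gateway-id` filter limits the DescribeRouteTables call to tables that actually reference the gateway, which is exactly the set you must repoint before `delete-nat-gateway`.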
Reflect
- Feedback: If the policy alert is not actionable, adjust the monitoring parameters or the observation frequency.
- Disable Policy: If deemed unnecessary, consider disabling the policy.