How do I migrate from a NAT instance to a NAT gateway?

Last updated: 2017-09-06

I need to migrate from a NAT instance to a NAT gateway, and I want to be sure that the migration is done with minimal downtime.

Short description

When creating a migration plan, consider the following:
  • Do you plan to use the same Elastic IP address for the NAT gateway that the NAT instance currently uses? If external parties allow-list your NAT instance's public IP address, traffic from a new Elastic IP address will be rejected until they update their allow lists.
  • Is your NAT instance performing other functions, such as port forwarding, custom scripts, providing VPN services, or acting as a bastion host? A NAT gateway only lets instances in a private subnet initiate connections to the Internet or to other AWS services, and it blocks connections initiated from the Internet. It cannot take on any of those other roles, so plan a separate instance or service for them.
  • Have you planned how to replace the security groups on the NAT instance? You can use security groups on the NAT instance and network ACLs on its subnet to control traffic through the NAT instance, but a NAT gateway does not support security groups: the only filtering available is the network ACL on the subnet in which the NAT gateway is located, together with the security groups on the private instances themselves.
  • Do your current NAT instances provide high availability across Availability Zones? If so, create a NAT gateway in each Availability Zone and point the route tables of the private subnets in each Availability Zone at the NAT gateway in that same Availability Zone. A NAT gateway is a zonal resource, so this keeps outbound traffic inside the Availability Zone, avoids charges for inter-AZ traffic, and means that a failure in one Availability Zone does not take down Internet access from the others.
  • Do you have connections running through the NAT instance? When the routing is changed from the NAT instance, existing connections are dropped and the clients must reestablish them, so schedule the change for a time when long-running connections are not in flight.
  • Does your architecture allow you to migrate the NAT instances one at a time? If so, migrate one NAT instance to a NAT gateway and check connectivity before migrating the others.
  • Does the network ACL on the subnet where the NAT gateway will be located allow inbound traffic on ports 1024 - 65535 from 0.0.0.0/0? A NAT gateway uses that whole range as source ports for the connections it translates, so return traffic from the Internet arrives on those destination ports. If the network ACL allows only the ephemeral port range that the NAT instance's operating system used, some connections through the NAT gateway will fail. For details, see VPC with public and private subnets (NAT).

Resolution

  1. If you are reusing the Elastic IP address, disassociate it from the existing NAT instance. Connectivity through the NAT instance stops at this point, so complete the next steps immediately. If you are using a new Elastic IP address, allocate it instead; the NAT instance keeps working until you change the routes in step 3, which keeps the downtime to the route change itself.
  2. Create a NAT gateway in the public subnet of the NAT instance you want to replace, using the released or new Elastic IP address, and wait until the NAT gateway's status is Available before you change any routes.
  3. Review every route table that has a route targeting the NAT instance or the elastic network interface of the NAT instance, and edit each of those routes to target the newly created NAT gateway instead. A route you miss leaves its subnet without Internet access once the NAT instance is terminated.
    Note: Repeat this process for every NAT instance and subnet that you want to migrate.
  4. Connect to one of the Amazon EC2 instances in the private subnet and verify connectivity to the Internet, for example by fetching a public URL. If external parties allow-list your address, also confirm that they see the expected Elastic IP address.

After you have successfully migrated to the NAT gateway and have verified connectivity, you can terminate the NAT instances. If you did not reuse a NAT instance's Elastic IP address and no longer need it, release it, because an Elastic IP address that is not associated with a running instance is still billed.
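As an added example, not code from the original article or from AWS, the following Python script performs the two checks a practitioner wants before step 3: it lists every route that still targets the NAT instance or its elastic network interface and renders the corresponding replace-route commands, and it evaluates the network ACL of the subnet the NAT gateway will sit in to confirm that inbound return traffic on ports 1024 - 65535 (the last bullet of the short description) would be allowed. It works on the dict shapes returned by `aws ec2 describe-route-tables` and `aws ec2 describe-network-acls` (the same shapes boto3 returns), so it runs offline on saved JSON. All resource IDs, route tables and ACL entries below are constructed samples, not real resources.

```python
"""Pre-migration checks for replacing a NAT instance with a NAT gateway.

Added example; it is not part of the original article or of any AWS tool.
Input dicts have the shape of `aws ec2 describe-route-tables` and
`aws ec2 describe-network-acls` output. All IDs are made-up samples.
"""
import json

NAT_INSTANCE_ID = "i-0123456789abcdef0"      # constructed sample ID
NAT_ENI_ID = "eni-0123456789abcdef0"         # constructed sample ID
NEW_NAT_GATEWAY_ID = "nat-0123456789abcdef0"  # constructed sample ID

# Constructed sample: two private tables still default-route through the NAT
# instance (one by instance ID, one by ENI only); the public table targets an
# Internet gateway and must be left alone.
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0aaaaaaaaaaaaaaaa", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": NAT_INSTANCE_ID,
         "NetworkInterfaceId": NAT_ENI_ID, "State": "active"}]},
    {"RouteTableId": "rtb-0bbbbbbbbbbbbbbbb", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": NAT_ENI_ID, "State": "active"}]},
    {"RouteTableId": "rtb-0ccccccccccccccccc", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0", "State": "active"}]},
]}

# Constructed sample ACL for the public subnet: it lets the NAT instance's old
# ephemeral range back in, but not the full 1024-65535 range a NAT gateway uses.
SAMPLE_NACL = {"NetworkAclId": "acl-0123456789abcdef0", "Entries": [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 32768, "To": 65535}},
    {"RuleNumber": 110, "Egress": False, "Protocol": "-1", "RuleAction": "allow",
     "CidrBlock": "10.0.0.0/16"},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]}


def routes_via_nat_instance(route_tables, instance_id, eni_id):
    """Return (route_table_id, destination) for every route whose target is the
    NAT instance or its ENI. Every one of these must be repointed in step 3."""
    found = []
    for rtb in route_tables["RouteTables"]:
        for route in rtb["Routes"]:
            if route.get("InstanceId") == instance_id or route.get("NetworkInterfaceId") == eni_id:
                dest = route.get("DestinationCidrBlock") or route.get("DestinationPrefixListId")
                found.append((rtb["RouteTableId"], dest))
    return found


def replace_route_commands(findings, nat_gateway_id):
    """Render the AWS CLI call for each affected route so it can be reviewed
    before it is run (only IPv4 CIDR destinations can target a NAT gateway)."""
    return [
        f"aws ec2 replace-route --route-table-id {rtb} "
        f"--destination-cidr-block {dest} --nat-gateway-id {nat_gateway_id}"
        for rtb, dest in findings
    ]


def nacl_denied_ports(nacl, low=1024, high=65535, egress=False, protocol="6"):
    """Evaluate the ACL the way the VPC does for traffic from an arbitrary
    Internet source: rules are tried in ascending RuleNumber, the first match
    decides, and the * rule (32767) is the final deny. Rules for CIDRs narrower
    than 0.0.0.0/0 are skipped because an Internet host can fall outside all of
    them. Returns the sub-ranges of low..high on which traffic would be denied."""
    entries = sorted((e for e in nacl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    denied = []
    for port in range(low, high + 1):
        verdict = "deny"  # nothing matched: implicit deny
        for entry in entries:
            if entry["Protocol"] not in ("-1", protocol) or entry.get("CidrBlock") != "0.0.0.0/0":
                continue
            port_range = entry.get("PortRange")  # absent means all ports
            if port_range and not (port_range["From"] <= port <= port_range["To"]):
                continue
            verdict = entry["RuleAction"]
            break
        if verdict == "deny":
            if denied and denied[-1][1] == port - 1:
                denied[-1][1] = port          # extend the current denied run
            else:
                denied.append([port, port])   # start a new denied run
    return [tuple(r) for r in denied]


def audit(route_tables, nacl, instance_id, eni_id, nat_gateway_id):
    """Combine both checks into one report to read before changing any route."""
    findings = routes_via_nat_instance(route_tables, instance_id, eni_id)
    return {
        "replace_route": replace_route_commands(findings, nat_gateway_id),
        "nacl_denied_ephemeral_ports": nacl_denied_ports(nacl),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ROUTE_TABLES, SAMPLE_NACL, NAT_INSTANCE_ID,
                           NAT_ENI_ID, NEW_NAT_GATEWAY_ID), indent=2))
```

To use it on a real VPC, replace the sample dicts with `json.load` of the saved CLI output and the sample IDs with your NAT instance, its network interface and the new NAT gateway. With the sample data the report shows two replace-route commands and a denied range of 1024-32767, which is exactly the gap left by a network ACL written for a NAT instance's narrower ephemeral range; adding an inbound allow rule for TCP 1024-65535 from 0.0.0.0/0 with a lower rule number than the deny empties the denied list. Pass `protocol="17"` to repeat the check for UDP if UDP workloads run through the NAT gateway.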