This is low-key exciting - you no longer need to attach an internet gateway to your NAT gateway. I'll explain a bit more of why you may want to do this. 🧵…
This came up in a customer conversation multiple years ago when a customer said "we're going to give each developer two VPCs, one with routable space (/28) and one with junk space that can't reach on-prem"
I looked at this kind of sideways, and thought man, that's a lot of extra VPCs plus you can't access AD/auth/databases/shared services or those kinds of things from the playground space, plus the overhead of 2x your VPCs
So over some more thought, and I think beer was involved, I figured out you can add a secondary CIDR range of 100.64/12 to any VPC (we actually had to update the documentation for this), and then you can use that space as a playground.
Then the challenge was you could filter that playground space, but still didn't fix the reachability back on-premises. You may want to watch this little blurb on 'NAT school' from re:Invent 2019:
Essentially the NAT gateway just NATs to your private address. It doesn't turn into a public address until the NAT gateway looks at the route table and forwards it to the internet gateway, which turns it into a public IP like any other boring EC2 packet.
In this case, it meant we could put the NAT gateway in the 'routable' subnet, point the default route in the playground subnet to the NAT gateway, and we'd magically be able to reach on-premises resources using that routable space. It's one-way, but generally works great.
It was actually pretty widely used after that, and made it's way into some blog posts and other presentations, like this one:…
However, this particular customer *really* didn't like opening up internet access. And when we designed NAT gateway we thought all customer would use it as we designed, so we created a check that there is an internet gateway attached to the VPC.
So, customers have been widely doing this kind of NAT trick to change their source addresses for a wide variety of things, including IP conservation, changing the address they use to send to their partners, solving some overlapping CIDR ranges and more. But they need an IGW.
And so today, we fixed that. You can create the NAT gateway without the IGW and use it privately. I actually have a sort of crazy deck on the 15 ways you can abuse this feature for good and evil, some (many) of which made their way into customer architectures. An example:
So with this knowledge you can primarily do 3 things:
1) Build NAT architectures without exposing things to the scary internets
2) Pray at the altar of NAT, and get rewarded with the power to build unholy architectures
3) Nerd snipe people who misunderstand NAT gateway
And while I have my deck of crazy TGW architectures, here's the one that shows you how to peer TGWs in the same region. (It's still not an awesome option, but it works, so just make sure you read the bad news box in red.)

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Nick Matthews

Nick Matthews Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @nickpowpow

17 Jan 20
I started my career in tech support (Cisco TAC). This had profound effects for me and I feel like getting on a soapbox on the internet (thread) to share my opinion on the relationship between support, really caring about customers, and people's first jobs.

First, if you want to get into tech or are looking for a first job out of college, I highly recommend tech support. You get a glimpse of the hardest and most important issues to practitioners multiple times a day. It's dog years of experience

Second, support cases and the experience of being in a shitty place, being totally reliant on a person on the phone, completely shapes and defines how organizations make decisions. Support sucks? Overly-promised marketecture deck? That's a recipe for misery.

Read 10 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!