Monitor VPC NAT gateways with CloudWatch metrics and alarms

Many VPC designs make use of public and private subnets. You need a NAT gateway to communicate from a private subnet with the Internet.

A VPC NAT gateway is a finite resource that can be exhausted. That’s why you need to add monitoring to be alerted if the NAT gateway gets a bottleneck.

CloudWatch metrics

Each NAT gateway sends metrics to CloudWatch that we can monitor with CloudWatch alarms. We recommend creating alarms for the following metrics:

• ErrorPortAllocation: The number of times the NAT gateway could not allocate a source port.
• PacketsDropCount: The number of packets dropped by the NAT gateway.

Monitoring throughput utilization

Unfortunately, NAT gateways do not report a single metric on the throughput utilization of bandwidth and packets. The maximum bandwidth is 100 Gbit/second and 10,000,000 packets/second. Luckily, we can calculate throughput by using CloudWatch metric math.

To calculate the bandwidth utilization, we use the following metrics:

And the following expressions:

Set up instructions

Monitoring Assistant
CloudWatch metric math sounds complicated? We have you covered! Monitor NAT gateways and receive alerts in Slack or Microsoft Teams!

1. Add marbot to Slack or Microsoft Teams.
2. Invite marbot to a channel.
3. Follow the setup wizard.

It couldn't be easier!

Take your AWS monitoring to a new level! Chatbot for AWS Monitoring: Configure monitoring, escalate alerts, solve incidents.

Michael Wittig

Consultant focusing on Amazon Web Services (AWS). Entrepreneur building marbot.io. Author of Amazon Web Services in Action, Rapid Docker on AWS, and cloudonaut.io.

You can contact me via Email, Twitter, and LinkedIn.

Published on 15 Aug 2022