Checks whether the elastic IP addresses (EIPs) of each source network address translation (SNAT) entry of a NAT gateway are associated with an EIP bandwidth plan or have the same maximum bandwidth. If so, the evaluation result is Compliant.
Scenarios
When multiple EIPs are configured in an SNAT entry, service connections are allocated to the EIPs based on a hash algorithm. Traffic may not be evenly distributed across the EIPs because different connections carry different traffic. To ensure service continuity, we recommend that you associate EIPs that are configured in the same SNAT entry with the same EIP bandwidth plan.
Risk level
Default risk level: high.
When you apply this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
- If the EIPs of each SNAT entry of a NAT gateway are associated with an EIP bandwidth plan or have the same maximum bandwidth, the evaluation result is Compliant.
- If the EIPs of an SNAT entry of a NAT gateway are not associated with an EIP bandwidth plan or the EIPs have different maximum bandwidths, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
- This rule does not apply to Virtual Private Cloud (VPC) NAT gateways.
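
The evaluation logic above can be mirrored in a local pre-check. The following is an added example, not code from Cloud Config: all field names, IDs and the `NotApplicable` label are hypothetical, the sample inventory is constructed, and "associated with an EIP bandwidth plan" is assumed to mean that every EIP of the entry belongs to a plan.

```python
from dataclasses import dataclass
from typing import Optional

# Field names are hypothetical; they are not Alibaba Cloud API fields.
@dataclass
class Eip:
    address: str
    max_bandwidth_mbps: int
    bandwidth_plan_id: Optional[str] = None  # None: not in any EIP bandwidth plan

def snat_entry_ok(eips):
    """True if every EIP is in a bandwidth plan or all EIPs share one maximum bandwidth."""
    all_in_plan = all(e.bandwidth_plan_id is not None for e in eips)
    same_max = len({e.max_bandwidth_mbps for e in eips}) <= 1
    return all_in_plan or same_max

def evaluate_gateway(gateway):
    """Return (result, IDs of failing SNAT entries) for one NAT gateway."""
    if gateway["type"] == "vpc":  # the rule does not apply to VPC NAT gateways
        return "NotApplicable", []
    failing = [entry_id for entry_id, eips in gateway["snat_entries"].items()
               if not snat_entry_ok(eips)]
    return ("Incompliant" if failing else "Compliant"), failing

# Constructed sample inventory (documentation-range addresses, made-up IDs).
SAMPLE_GATEWAYS = {
    "ngw-plan": {"type": "internet", "snat_entries": {
        "snat-1": [Eip("203.0.113.10", 100, "plan-a"),
                   Eip("203.0.113.11", 200, "plan-a")]}},
    "ngw-equal": {"type": "internet", "snat_entries": {
        "snat-2": [Eip("203.0.113.20", 50), Eip("203.0.113.21", 50)]}},
    "ngw-skewed": {"type": "internet", "snat_entries": {
        "snat-3": [Eip("203.0.113.30", 100)],
        "snat-4": [Eip("203.0.113.31", 5), Eip("203.0.113.32", 200)]}},
    "ngw-vpc": {"type": "vpc", "snat_entries": {
        "snat-5": [Eip("203.0.113.40", 5), Eip("203.0.113.41", 200)]}},
}

def evaluate_all(gateways):
    """Evaluate every gateway in the inventory."""
    return {gid: evaluate_gateway(gw) for gid, gw in gateways.items()}

if __name__ == "__main__":
    for gid, (result, failing) in evaluate_all(SAMPLE_GATEWAYS).items():
        print(gid, result, failing)
```

In the `ngw-skewed` gateway, entry `snat-4` pairs a 5 Mbit/s EIP with a 200 Mbit/s EIP outside any plan, which is the uneven-capacity case the Scenarios section describes.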
Rule details
Item | Description |
---|---|
Rule name | natgateway-snat-eip-bandwidth-check |
Rule identifier | natgateway-snat-eip-bandwidth-check |
Tag | NAT and NatGateway |
Automatic remediation | Not supported |
Trigger type | Periodic execution |
Evaluation frequency | Interval of 24 hours |
Supported resource type | NAT gateways |
Input parameter | None |
Incompliance remediation
Associate the EIPs of each SNAT entry of the NAT gateway with an EIP bandwidth plan, or specify the same maximum bandwidth for the EIPs of each SNAT entry. For more information, see Use the SNAT feature of an Internet NAT gateway to access the Internet.