Amazon's Virtual Private Cloud has long made it possible to partition a hunk of AWS with a private network of its own, complete with a VPN connection for secure access.
But setting up a VPN to access the Internet is drudgery, since connections to and from VPC have to be mapped with network address translation (NAT) using a manually created cluster of EC2 instances that serve as a gateway.
Earlier this week, Amazon did away with some of that headache by providing a new Managed NAT Gateway for AWS to automatically create NAT gateways for AWS VPNs without having to do anything more than click through a wizard.
The gateways created can handle up to 10Gbps of "bursty" (not sustained) TCP, UDP, and ICMP traffic, and automatically scale and provide high availability. Newly created Virtual Private Cloud instances will also give the user an opportunity to create a NAT Gateway and automatically configure the gateway to match the VPC's routing tables. Traffic flowing through the VPN can be logged and observed by Amazon's CloudWatch service to generate activity graphs.
As with any new Amazon AWS technology, its cross-integration with the rest of Amazon is limited. It's only possible to associate one elastic IP address with a given NAT gateway; it can't be reassigned. While you can use network ACLs to control traffic to and from the subnet where the NAT gateway is, you can't associate a security group with the gateway itself.
Finally, since NAT Gateways are technically machines unto themselves, they aren't free. They cost 4.5 cents per gateway, per hour plus any data processing and transfer charges incurred.