AWS Security ChangesHomeSearch

AWS vpc documentation change

Service: vpc · 2025-10-13 · Documentation low

File: vpc/latest/userguide/nat-gateway-basics.md

Summary

Updated NAT gateway documentation with changes to IPv4 address assignment details, network interface management clarifications, and updated link references

Security assessment

The changes clarify that NAT gateway network interfaces are immutable except for tagging, which reinforces security through unmodifiable configurations. While this improves documentation of security controls (network ACL usage and interface immutability), there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/vpc/latest/userguide/nat-gateway-basics.md b/vpc/latest/userguide/nat-gateway-basics.md
index 68165bb69..7289718eb 100644
--- a//vpc/latest/userguide/nat-gateway-basics.md
+++ b//vpc/latest/userguide/nat-gateway-basics.md
@@ -7 +7 @@
-Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone. There is a quota on the number of NAT gateways that you can create in each Availability Zone. For more information, see [Amazon VPC quotas](./amazon-vpc-limits.html).
+Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone. There is a quota on the number of NAT gateways that you can create in each Availability Zone. For more information, see [Gateways](./amazon-vpc-limits.html#vpc-limits-gateways).
@@ -23 +23 @@ The following characteristics and rules apply to NAT gateways:
-  * You can pick the private IPv4 address to assign to the NAT gateway or have it automatically assigned from the IPv4 address range of the subnet. The assigned private IPv4 address persists until you delete the private NAT gateway. You can't detach the private IPv4 address and you can't attach additional private IPv4 addresses.
+  * When you create a NAT gateway, you can select the primary private IPv4 address to assign to the NAT gateway. Otherwise, we select one on your behalf from the the IPv4 address range of the subnet. You can't change or remove the primary private IPv4 address. You can add secondary private IPv4 addresses as needed.
@@ -27 +27 @@ The following characteristics and rules apply to NAT gateways:
-  * You can use a network ACL to control the traffic to and from the subnet for your NAT gateway. NAT gateways use ports 1024–65535. For more information, see [Control subnet traffic with network access control lists](./vpc-network-acls.html).
+  * We create a requester-managed network interface for your NAT gateway. You can view this network interface using the Amazon EC2 console. Search for the ID of the NAT gateway in the description. You can add tags to the network interface, but you can't modify other properties of this network interface.
@@ -29 +29 @@ The following characteristics and rules apply to NAT gateways:
-  * A NAT gateway receives a network interface. You can pick the private IPv4 address to assign to the interface or have it automatically assigned from the IPv4 address range of the subnet. You can view the network interface for the NAT gateway using the Amazon EC2 console. For more information, see [Viewing details about a network interface](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#view_eni_details). You can't modify the attributes of this network interface.
+  * You can use a network ACL to control the traffic to and from the subnet for your NAT gateway. NAT gateways use ports 1024–65535. For more information, see [Network ACLs](./vpc-network-acls.html).
@@ -41 +41 @@ The following characteristics and rules apply to NAT gateways:
-    * To prevent potential packet loss when communicating with resources over the internet using a public NAT gateway, the MTU setting for your EC2 instances should not exceed 1500 bytes. For more information about checking and setting the MTU on an instance, see [Check and set the MTU on your Linux instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html#set_mtu) in the _Amazon EC2 User Guide_. 
+    * To prevent potential packet loss when communicating with resources over the internet using a public NAT gateway, the MTU setting for your EC2 instances should not exceed 1500 bytes. For more information about checking and setting the MTU on an instance, see [Network MTU for your EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html#set_mtu) in the _Amazon EC2 User Guide_.