Score:0

How to discover what service is hitting NAT Gateway having only a bunch of IPs as clue?


The usage of NAT Gateway skyrocketed since last week. I was tasked to find the root cause of this since the AWS bill is considerably high now.

My first action was to ask people. No one is aware of any deployment that could cause this issue.

Then, I enabled the flow logs and used CloudWatch Insights to create a ranking of the IPs that are hitting the NAT gateway, ordered by the amount of data. There are about 6 IPs, and all of them resolve to CloudFront. I tried to nslookup and traceroute each one of the distributions we have, and also from other accounts we manage, but I could not match any of those IPs. I tried to do the same with the APIs in API Gateway. No luck there either.

What else can I do to find out what is hitting the NAT Gateway? The issue only happens in production, so I can't simply block the IPs. All I have is a bunch of IPs that are not associated with any ENI. I checked the reserved IPs from Amazon and all of them are in the CloudFront CIDR.
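As an added example (not part of the question above), here is the step that ranking destination IPs leaves out: aggregating the same flow log records by the private source address and ENI of flows going to those CloudFront destinations, which points at the instance or ENI making the requests rather than the CDN edge receiving them. It assumes the default VPC flow log record format; the sample records and addresses are constructed.

```python
"""Rank internal sources by bytes sent to a set of suspect destination IPs.

Added example; assumes the default VPC flow log record format
(version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status). Sample data is constructed."""
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_log(text):
    """Yield one dict per well-formed record; NODATA/SKIPDATA lines are dropped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no counters on NODATA/SKIPDATA records
        rec["bytes"] = int(rec["bytes"])
        yield rec


def top_internal_talkers(text, suspect_dsts):
    """Sum accepted bytes per (srcaddr, interface_id) toward suspect_dsts,
    highest first. The leading entries are the internal hosts to inspect."""
    totals = defaultdict(int)
    for rec in parse_flow_log(text):
        if rec["dstaddr"] in suspect_dsts and rec["action"] == "ACCEPT":
            totals[(rec["srcaddr"], rec["interface_id"])] += rec["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample: two instances talk to the "CloudFront" IPs 203.0.113.10/11,
# one unrelated flow, and one NODATA record that must be ignored.
SAMPLE = """\
2 123456789012 eni-0aaa 10.0.1.15 203.0.113.10 44321 443 6 120 90000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb 10.0.2.7 203.0.113.10 51000 443 6 10 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa 10.0.1.15 203.0.113.11 44322 443 6 80 60000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0ccc 10.0.3.9 198.51.100.5 33000 443 6 5 700 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0ddd - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    for (src, eni), total in top_internal_talkers(SAMPLE, {"203.0.113.10", "203.0.113.11"}):
        print(f"{src:15} {eni:10} {total:>10} bytes")
```

Run against the flow logs of the NAT gateway's own ENI (exported from CloudWatch Logs), where `srcaddr` on the private side is the instance address; the ENI and private IP in the top row identify the workload to look at.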
