# Resource gateways in VPC Lattice
<a name="resource-gateway"></a>

A *resource gateway* is the point that receives traffic into the VPC where a resource resides. It spans multiple Availability Zones.

A VPC must have a resource gateway if you plan on making resources inside the VPC accessible from other VPCs or accounts. Every resource you share is associated with a resource gateway. When clients in other VPCs or accounts access a resource in your VPC, the resource sees traffic coming locally from the resource gateway in that VPC. The source IP address of the traffic is the IP address of the resource gateway in an Availability Zone. Multiple resource configurations, each having multiple resources, can be attached to a resource gateway.

The following diagram shows how a client accesses a resource through the resource gateway:

![Client accessing a resource through the resource gateway.](http://docs.aws.amazon.com/vpc-lattice/latest/ug/images/resource-gateway-to-resource.png)

**Topics**
+ [Considerations](#resource-gateway-considerations)
+ [Security groups](#resource-gateway-security-groups)
+ [IP address types](#resource-gateway-ip-address-type)
+ [IPv4 addresses per ENI](#ipv4-address-type-per-eni)
+ [Create a resource gateway](create-resource-gateway.md)
+ [Delete a resource gateway](delete-resource-gateway.md)

## Considerations
<a name="resource-gateway-considerations"></a>

The following considerations apply to resource gateways:
+ For your resource to be accessible from all [Availability Zones](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/), you should create your resource gateways to span as many Availability Zones as possible.
+ The VPC endpoint and the resource gateway must share at least one Availability Zone.
+ A VPC can have a maximum of 100 resource gateways. For more information, see [Quotas for VPC Lattice](https://docs.aws.amazon.com/vpc-lattice/latest/ug/quotas.html).
+ VPC Lattice might add new ENIs to your resource gateway.
+ Resource gateways with shared VPC subnets:
  + A resource gateway can only be deployed into a shared VPC subnet by the account that owns the VPC.
  + A resource configuration for a resource gateway can only be created by the account that owns the resource gateway.

## Security groups
<a name="resource-gateway-security-groups"></a>

You can attach security groups to a resource gateway. Security group rules for resource gateways control outbound traffic from the resource gateway to resources.

**Recommended outbound rules for traffic flowing from a resource gateway to a database resource**

For traffic to flow from a resource gateway to a resource, you must create outbound rules for the resource's accepted listener protocols and port ranges.

| Destination | Protocol | Port range | Comment | 
| --- | --- | --- | --- | 
| CIDR range for resource | TCP | 3306 | Allows traffic from resource gateway to databases. | 
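Because the security groups on a resource gateway only govern outbound traffic, the check a practitioner wants is "do the attached groups allow TCP to the resource's address and port, and nothing much wider than that". The following is an added example, not AWS code: it evaluates egress rules in the shape returned by `aws ec2 describe-security-groups` (`IpPermissionsEgress`) against a resource address, and flags rules that open every destination or every protocol. The group IDs, CIDRs and ports are constructed sample values.

```python
"""Evaluate resource gateway security group egress rules against a resource.

Added example, not AWS code. Rule dictionaries mimic the IpPermissionsEgress
shape from `aws ec2 describe-security-groups`; all IDs and addresses are
constructed sample values.
"""
import ipaddress

# Constructed sample: two security groups that might be attached to a resource
# gateway. The first carries the recommended rule from the table above
# (TCP 3306 to the resource's CIDR); the second allows everything.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0000000000000aaaa",  # placeholder ID
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.0.10.0/24"}]},
        ],
    },
    {
        "GroupId": "sg-0000000000000bbbb",  # placeholder ID
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
]


def _rule_cidrs(rule):
    """Collect the IPv4 and IPv6 destination CIDRs of one egress rule."""
    ranges = rule.get("IpRanges", []) + rule.get("Ipv6Ranges", [])
    return [r.get("CidrIp") or r.get("CidrIpv6") for r in ranges]


def rule_covers(rule, resource_ip, protocol, port):
    """True if a single egress rule permits `protocol`/`port` to `resource_ip`."""
    proto = rule.get("IpProtocol")
    if proto != "-1":  # "-1" means all protocols and all ports
        if proto != protocol:
            return False
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    addr = ipaddress.ip_address(resource_ip)
    for cidr in _rule_cidrs(rule):
        if cidr and addr in ipaddress.ip_network(cidr, strict=False):
            return True
    return False


def egress_allowed(security_groups, resource_ip, protocol, port):
    """Security groups combine permissively: the flow is allowed if any attached
    group has a matching egress rule. Returns the IDs of the groups that allow it."""
    return [sg["GroupId"] for sg in security_groups
            if any(rule_covers(r, resource_ip, protocol, port)
                   for r in sg.get("IpPermissionsEgress", []))]


def overly_broad_rules(security_groups):
    """Flag egress rules that allow every destination or every protocol, which is
    far wider than the single resource CIDR and port the table above recommends."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissionsEgress", []):
            cidrs = _rule_cidrs(rule)
            any_dest = any(c in ("0.0.0.0/0", "::/0") for c in cidrs)
            if rule.get("IpProtocol") == "-1" or any_dest:
                findings.append((sg["GroupId"], rule.get("IpProtocol"), cidrs))
    return findings


if __name__ == "__main__":
    print("allowed by:", egress_allowed(SAMPLE_SECURITY_GROUPS, "10.0.10.25", "tcp", 3306))
    print("too broad:", overly_broad_rules(SAMPLE_SECURITY_GROUPS))
```

Run it against the real output of `describe-security-groups` for the groups attached to your gateway; a resource that is reachable only because of a `0.0.0.0/0` rule shows up in the second list, which is the cue to replace that rule with the resource's CIDR and listener port.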

## IP address types
<a name="resource-gateway-ip-address-type"></a>

A resource gateway can have IPv4, IPv6 or dual-stack addresses. The IP address type of a resource gateway must be compatible with the subnets of the resource gateway and the IP address type of the resource, as described here:
+ **IPv4** – Assign IPv4 addresses to your resource gateway network interfaces. This option is supported only if all selected subnets have IPv4 address ranges, and the resource also has an IPv4 address. When you use this option, you can configure the number of IPv4 addresses per resource gateway ENI.
+ **IPv6** – Assign IPv6 addresses to your resource gateway network interfaces. This option is supported only if all selected subnets are IPv6-only subnets, and the resource also has an IPv6 address. When you use this option, IPv6 addresses are assigned automatically and don't need to be managed.
+ **Dualstack** – Assign both IPv4 and IPv6 addresses to your resource gateway network interfaces. This option is supported only if all selected subnets have both IPv4 and IPv6 address ranges, and the resource has either an IPv4 or an IPv6 address. When you use this option, you can configure the number of IPv4 addresses per resource gateway ENI.

The IP address type of the resource gateway is independent of the IP address type of the client or the VPC endpoint through which the resource is accessed. 

## IPv4 addresses per ENI
<a name="ipv4-address-type-per-eni"></a>

If your resource gateway has an IPv4 or a dual-stack IP address type, you can configure the number of IPv4 addresses assigned to each ENI of your resource gateway. When you create a resource gateway, you choose from 1 to 62 IPv4 addresses. Once you set the number of IPv4 addresses, the value can't be changed.

The IPv4 addresses are used for network address translation and determine the maximum number of concurrent IPv4 connections to a resource. Each IPv4 address can support up to 55,000 simultaneous connections per destination IP. By default, all resource gateways are assigned 16 IPv4 addresses per ENI.

If your resource gateway uses the IPv6 address type, the resource gateway automatically receives a /80 CIDR per ENI. This value can't be changed. The maximum transmission unit (MTU) per connection is 8500 bytes.

# Create a resource gateway in VPC Lattice
<a name="create-resource-gateway"></a>

Use the console to create a resource gateway.

**To create a resource gateway using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **PrivateLink and Lattice**, choose **Resource gateways**.

1. Choose **Create resource gateway**.

1. For **Resource gateway name**, enter a name that is unique within your AWS account.

1. For **IP address type**, choose the IP address type for the resource gateway.

   1. If you selected **IPv4** or **Dualstack** for the **IP address type**, you can enter the number of IPv4 addresses per ENI for your resource gateway.

     The default is 16 IPv4 addresses per ENI. This is a suitable number of IPs to form connections with your backend resources. 

1. For **VPC**, choose the VPC and subnets to create your resource gateway in. 

1. For **Security groups**, choose up to five security groups to control inbound traffic from the VPC to the service network.

1. (Optional) To add a tag, choose **Add new tag** and enter the tag key and the tag value.

1. Choose **Create resource gateway**.

**To create a resource gateway using the AWS CLI**  
Use the [create-resource-gateway](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/create-resource-gateway.html) command.
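The IP address type rules, the IPv4-addresses-per-ENI sizing and the create step above fit together as one planning check, and it is worth doing before creation because the number of IPv4 addresses cannot be changed afterwards. The following is an added example, not AWS code: it derives the compatible IP address types from the subnets and the resource, sizes the IPv4 addresses per ENI from an expected peak connection count using the 55,000-connections-per-address figure from the page (assuming load spreads evenly over the resource's destination IPs), and assembles the request. The request keys (`name`, `vpcIdentifier`, `subnetIds`, `securityGroupIds`, `ipAddressType`, `ipv4AddressesPerEni`) are the CreateResourceGateway parameter names as this example assumes them; the VPC, subnet and security group IDs are constructed placeholders.

```python
"""Plan a resource gateway before creating it.

Added example, not AWS code. Request keys are assumed CreateResourceGateway
parameter names; IDs in the usage section are constructed placeholders.
"""
import math

MAX_IPV4_PER_ENI = 62        # the page allows 1 to 62 IPv4 addresses per ENI
DEFAULT_IPV4_PER_ENI = 16    # default stated on the page
CONNECTIONS_PER_IP = 55_000  # per IPv4 address, per destination IP (from the page)
MAX_SECURITY_GROUPS = 5      # the console accepts up to five security groups


def allowed_ip_address_types(subnet_families, resource_families):
    """Return the IP address types the page's compatibility rules allow.

    subnet_families: one set per selected subnet, e.g. {"ipv4"}, {"ipv6"} or
    {"ipv4", "ipv6"}. resource_families: the address families the resource has.
    """
    allowed = []
    if all("ipv4" in s for s in subnet_families) and "ipv4" in resource_families:
        allowed.append("IPV4")
    if all(s == {"ipv6"} for s in subnet_families) and "ipv6" in resource_families:
        allowed.append("IPV6")
    if (all({"ipv4", "ipv6"} <= s for s in subnet_families)
            and set(resource_families) & {"ipv4", "ipv6"}):
        allowed.append("DUALSTACK")
    return allowed


def ipv4_addresses_per_eni(peak_connections, destination_ips=1):
    """Smallest value in 1..62 whose NAT capacity covers the expected peak of
    concurrent connections. Assumption: connections spread evenly over the
    resource's destination IPs, so capacity = addresses * 55,000 * destination_ips.
    Raises if even 62 addresses cannot carry the load, because the value is
    fixed once the gateway exists."""
    per_address_capacity = CONNECTIONS_PER_IP * destination_ips
    needed = max(1, math.ceil(peak_connections / per_address_capacity))
    if needed > MAX_IPV4_PER_ENI:
        raise ValueError(
            f"{peak_connections} connections exceed {MAX_IPV4_PER_ENI} addresses per ENI")
    return needed


def build_create_request(name, vpc_id, subnet_ids, security_group_ids,
                         subnet_families, resource_families,
                         peak_connections, destination_ips=1, preferred="DUALSTACK"):
    """Assemble the create request, failing early on the page's constraints."""
    types = allowed_ip_address_types(subnet_families, resource_families)
    if not types:
        raise ValueError("no IP address type is compatible with these subnets and resource")
    if len(security_group_ids) > MAX_SECURITY_GROUPS:
        raise ValueError(f"at most {MAX_SECURITY_GROUPS} security groups are allowed")
    ip_type = preferred if preferred in types else types[0]
    request = {
        "name": name,
        "vpcIdentifier": vpc_id,
        "subnetIds": list(subnet_ids),
        "securityGroupIds": list(security_group_ids),
        "ipAddressType": ip_type,
    }
    if ip_type in ("IPV4", "DUALSTACK"):  # IPv6 gets a /80 per ENI automatically
        request["ipv4AddressesPerEni"] = ipv4_addresses_per_eni(
            peak_connections, destination_ips)
    return request


if __name__ == "__main__":
    # Constructed placeholders, not real AWS identifiers.
    req = build_create_request(
        name="db-gateway-example",
        vpc_id="vpc-PLACEHOLDER",
        subnet_ids=["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"],
        security_group_ids=["sg-PLACEHOLDER"],
        subnet_families=[{"ipv4", "ipv6"}, {"ipv4", "ipv6"}],
        resource_families={"ipv4"},
        peak_connections=100_000,
    )
    print(req)
```

The returned dictionary maps directly onto the `create-resource-gateway` command's options (hyphenated on the CLI, camel-cased in the API); the point of computing it offline is that a sizing mistake in `ipv4AddressesPerEni` means recreating the gateway and every resource configuration attached to it.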

# Delete a resource gateway in VPC Lattice
<a name="delete-resource-gateway"></a>

Use the console to delete a resource gateway.

**To delete a resource gateway using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **PrivateLink and Lattice**, choose **Resource gateways**.

1. Select the check box for the resource gateway that you want to delete and choose **Actions**, **Delete**. When prompted for confirmation, enter **confirm** and then choose **Delete**.

**To delete a resource gateway using the AWS CLI**  
Use the [delete-resource-gateway](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/delete-resource-gateway.html) command.