feat(ec2): regional NAT Gateway

[badmintoncryer]

Issue # (if applicable)

Closes #36198

Reason for this change

AWS NAT Gateway now supports regional availability in 2025 November.

https://aws.amazon.com/about-aws/whats-new/2025/11/aws-nat-gateway-regional-availability/

https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateways-regional.html

Description of changes

• Add NatProvider.regionalGateway() static method to create Regional NAT Gateway providers
  • Implement RegionalNatGatewayProvider class that creates a single NAT gateway covering all AZs with availabilityMode: 'regional'
  • Support configuration options:
    • maxDrainDuration: Maximum wait time before forcibly releasing IP addresses
    • allocationId / eip: Use an existing Elastic IP allocation
    • availabilityZoneAddresses: Manual control over per-AZ EIP allocation
  • Update determineNatGatewayCount() to always return 1 for Regional NAT Gateway regardless of AZ count

Describe any new or updated permissions being added

None

Description of how you validated changes

Add both unit and integ tests.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results	48 ran	48 passed

Test	Result
No test annotations available

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results with resolved templates	48 ran	48 passed

Test	Result
No test annotations available

• View Security Guardian Results with resolved templates

[badmintoncryer]

Because RegionalNatGateway.configureNat() doesn't use natSubnets, I made natSubnets optional.

[lpizzinidev]

Cleaner if it doesn't break type declarations and/or requires deprecation.

export interface ConfigureRegionalNatOptions {
  readonly vpc: Vpc;
  readonly privateSubnets: PrivateSubnet[];
}

export interface ConfigureNatOptions extends ConfigureRegionalNatOptions {
  readonly natSubnets: PublicSubnet[];
}

[badmintoncryer]

Default value is described in the docs.

https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-natgateway.html#cfn-ec2-natgateway-maxdraindurationseconds

[badmintoncryer]

The allocationId of the L1 construct can accept not only string but also IEIPRef. I wanted to make L2 similarly accept both of these types.

As implementation approaches, there are two options: (i) define the L2 argument as a union, or (ii) provide separate arguments for string and IEIPRef types. Since I was unsure whether union definitions are allowed in L2 arguments due to any type problem in go language, I adopted approach (ii). I will modify it to implementation (i) if necessary.

(i) union type

redaonly eip?: string | IETPRef;

(ii) separate argument

readonly allocationId?: string;
redaonly eip?: IETPRef;

[lpizzinidev]

1. Union type is against the guidelines.
2. readonly eip?: CfnEIP seems the right type declaration (CfnEIP)

[badmintoncryer]

Due to a recent L1 fix, CfnXxx now extends IXxxRef, and all L2 constructs also extend IXxxRef. While there is currently no L2 construct for EIP, if we use IEipRef as the argument type, it will work seamlessly even when an L2 construct is implemented in the future, without requiring any code changes. For this reason, I believe it would be preferable to use IEipRef as the argument type. What do you think?

[lpizzinidev]

Agree. Thanks for clarifying!

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[lpizzinidev]

@badmintoncryer
Sorry for the late reply.

I'm considering using type casting as a workaround

Doesn't look right. A middle ground solution could be:

• Keep the original interface with readonly natSubnets: PublicSubnet[]; required parameter
• Pass an empty list in createNatGateways for RegionalNatGatewayProvider
• Add another warning in RegionalNatGatewayProvider.configureNat if for some reason natSubnets is non-empty and ignore the value. Note: I would do this even if we decide to make the parameter optional.

That would save some ?? and maintain the current interface. Thoughts?

[lpizzinidev]

Watch out for the build error:

aws-cdk-lib: /codebuild/output/src2783507564/src/actions-runner/_work/aws-cdk/aws-cdk/packages/aws-cdk-lib/aws-ec2/lib/nat.ts
aws-cdk-lib:   18:1  error  Imports "Duration" are only used as type                                  @typescript-eslint/consistent-type-imports
aws-cdk-lib:   19:1  error  All imports in the declaration are only used as types. Use `import type`  @typescript-eslint/consistent-type-imports
aws-cdk-lib: /codebuild/output/src2783507564/src/actions-runner/_work/aws-cdk/aws-cdk/packages/aws-cdk-lib/aws-ec2/lib/vpc.ts
aws-cdk-lib:   33:1  error  Imports "ConfigureNatOptions" are only used as type  @typescript-eslint/consistent-type-imports
aws-cdk-lib: ✖ 3 problems (3 errors, 0 warnings)
aws-cdk-lib:   3 errors and 0 warnings potentially fixable with the `--fix` option.

Seems like a lint issue so should be easy to fix.

[badmintoncryer]

@lpizzinidev Thanks. I've resolved CI failure.

[lpizzinidev]

Ty!

[badmintoncryer]

@lpizzinidev Thanks!!