kubernetes-sigs · moko-poi · Dec 8, 2025
diff --git a/api/v1beta1/zz_generated.conversion.go b/api/v1beta1/zz_generated.conversion.go
diff --git a/api/v1beta2/network_types.go b/api/v1beta2/network_types.go
@@ -48,8 +48,16 @@ const (
 	ZoneTypeLocalZone ZoneType = "local-zone"
 	// ZoneTypeWavelengthZone defines the AWS zone type in Wavelength infrastructure.
 	ZoneTypeWavelengthZone ZoneType = "wavelength-zone"
+
+	// NATGatewayAvailabilityModeZonal creates one NAT Gateway per Availability Zone.
+	NATGatewayAvailabilityModeZonal NATGatewayAvailabilityMode = "Zonal"
+	// NATGatewayAvailabilityModeRegional creates a single regional NAT Gateway.
+	NATGatewayAvailabilityModeRegional NATGatewayAvailabilityMode = "Regional"
 )
 
+// NATGatewayAvailabilityMode defines the availability mode for NAT Gateways.
+type NATGatewayAvailabilityMode string
+
 // NetworkStatus encapsulates AWS networking resources.
 type NetworkStatus struct {
 	// SecurityGroups is a map from the role/kind of the security group to its unique name, if any.
@@ -501,6 +509,28 @@ type VPCSpec struct {
 	// +kubebuilder:default=PreferPrivate
 	// +kubebuilder:validation:Enum=PreferPrivate;PreferPublic
 	SubnetSchema *SubnetSchemaType `json:"subnetSchema,omitempty"`
+
+	// NATGatewayAvailabilityMode specifies the availability mode for NAT Gateways in this VPC.
+	// Valid values are "zonal" and "regional".
+	//
+	// Zonal (default): Creates one NAT Gateway per Availability Zone in public subnets.
+	// Each private subnet routes traffic through the NAT Gateway in its own AZ.
+	//
+	// Regional: Creates a single NAT Gateway that automatically expands and contracts across
+	// all Availability Zones based on workload presence. Does not require public subnets.
+	// Provides automatic high availability with simplified setup and enhanced security.
+	//
+	// Regional NAT Gateways support up to 32 IP addresses per AZ (vs 8 for zonal)
+	// and are recommended for new deployments unless private connectivity is required.
+	//
+	// Note: Regional NAT Gateways are available in all commercial AWS Regions except
+	// AWS GovCloud (US) and China Regions.
+	//
+	// Defaults to Zonal for backward compatibility.
+	// +optional
+	// +kubebuilder:default=Zonal
+	// +kubebuilder:validation:Enum=Zonal;Regional
+	NATGatewayAvailabilityMode *NATGatewayAvailabilityMode `json:"natGatewayAvailabilityMode,omitempty"`
 }
 
 // String returns a string representation of the VPC.
@@ -539,6 +569,19 @@ func (v *VPCSpec) GetPublicIpv4Pool() *string {
 	return nil
 }
 
+// IsRegionalNATGateway returns true if the NAT Gateway availability mode is Regional.
+func (v *VPCSpec) IsRegionalNATGateway() bool {
+	return v.NATGatewayAvailabilityMode != nil && *v.NATGatewayAvailabilityMode == NATGatewayAvailabilityModeRegional
+}
+
+// GetNATGatewayAvailabilityMode returns the NAT Gateway availability mode, defaulting to Zonal.
+func (v *VPCSpec) GetNATGatewayAvailabilityMode() NATGatewayAvailabilityMode {
+	if v.NATGatewayAvailabilityMode == nil {
+		return NATGatewayAvailabilityModeZonal
+	}
+	return *v.NATGatewayAvailabilityMode
+}
+
 // SubnetSpec configures an AWS Subnet.
 type SubnetSpec struct {
 	// ID defines a unique identifier to reference this resource.

diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
@@ -827,6 +827,30 @@ spec:
                               Mutually exclusive with IPAMPool.
                             type: string
                         type: object
+                      natGatewayAvailabilityMode:
+                        default: Zonal
+                        description: |-
+                          NATGatewayAvailabilityMode specifies the availability mode for NAT Gateways in this VPC.
+                          Valid values are "zonal" and "regional".
+
+                          Zonal (default): Creates one NAT Gateway per Availability Zone in public subnets.
+                          Each private subnet routes traffic through the NAT Gateway in its own AZ.
+
+                          Regional: Creates a single NAT Gateway that automatically expands and contracts across
+                          all Availability Zones based on workload presence. Does not require public subnets.
+                          Provides automatic high availability with simplified setup and enhanced security.
+
+                          Regional NAT Gateways support up to 32 IP addresses per AZ (vs 8 for zonal)
+                          and are recommended for new deployments unless private connectivity is required.
+
+                          Note: Regional NAT Gateways are available in all commercial AWS Regions except
+                          AWS GovCloud (US) and China Regions.
+
+                          Defaults to Zonal for backward compatibility.
+                        enum:
+                        - Zonal
+                        - Regional
+                        type: string
                       privateDnsHostnameTypeOnLaunch:
                         description: |-
                           PrivateDNSHostnameTypeOnLaunch is the type of hostname to assign to instances in the subnet at launch.
@@ -3062,6 +3086,30 @@ spec:
                               Mutually exclusive with IPAMPool.
                             type: string
                         type: object
+                      natGatewayAvailabilityMode:
+                        default: Zonal
+                        description: |-
+                          NATGatewayAvailabilityMode specifies the availability mode for NAT Gateways in this VPC.
+                          Valid values are "zonal" and "regional".
+
+                          Zonal (default): Creates one NAT Gateway per Availability Zone in public subnets.
+                          Each private subnet routes traffic through the NAT Gateway in its own AZ.
+
+                          Regional: Creates a single NAT Gateway that automatically expands and contracts across
+                          all Availability Zones based on workload presence. Does not require public subnets.
+                          Provides automatic high availability with simplified setup and enhanced security.
+
+                          Regional NAT Gateways support up to 32 IP addresses per AZ (vs 8 for zonal)
+                          and are recommended for new deployments unless private connectivity is required.
+
+                          Note: Regional NAT Gateways are available in all commercial AWS Regions except
+                          AWS GovCloud (US) and China Regions.
+
+                          Defaults to Zonal for backward compatibility.
+                        enum:
+                        - Zonal
+                        - Regional
+                        type: string
                       privateDnsHostnameTypeOnLaunch:
                         description: |-
                           PrivateDNSHostnameTypeOnLaunch is the type of hostname to assign to instances in the subnet at launch.

diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanetemplates.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanetemplates.yaml
@@ -850,6 +850,30 @@ spec:
                                       Mutually exclusive with IPAMPool.
                                     type: string
                                 type: object
+                              natGatewayAvailabilityMode:
+                                default: Zonal
+                                description: |-
+                                  NATGatewayAvailabilityMode specifies the availability mode for NAT Gateways in this VPC.
+                                  Valid values are "zonal" and "regional".
+
+                                  Zonal (default): Creates one NAT Gateway per Availability Zone in public subnets.
+                                  Each private subnet routes traffic through the NAT Gateway in its own AZ.
+
+                                  Regional: Creates a single NAT Gateway that automatically expands and contracts across
+                                  all Availability Zones based on workload presence. Does not require public subnets.
+                                  Provides automatic high availability with simplified setup and enhanced security.
+
+                                  Regional NAT Gateways support up to 32 IP addresses per AZ (vs 8 for zonal)
+                                  and are recommended for new deployments unless private connectivity is required.
+
+                                  Note: Regional NAT Gateways are available in all commercial AWS Regions except
+                                  AWS GovCloud (US) and China Regions.
+
+                                  Defaults to Zonal for backward compatibility.
+                                enum:
+                                - Zonal
+                                - Regional
+                                type: string
                               privateDnsHostnameTypeOnLaunch:
                                 description: |-
                                   PrivateDNSHostnameTypeOnLaunch is the type of hostname to assign to instances in the subnet at launch.

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
@@ -1774,6 +1774,30 @@ spec:
                               Mutually exclusive with IPAMPool.
                             type: string
                         type: object
+                      natGatewayAvailabilityMode:
+                        default: Zonal
+                        description: |-
+                          NATGatewayAvailabilityMode specifies the availability mode for NAT Gateways in this VPC.
+                          Valid values are "zonal" and "regional".
+
+                          Zonal (default): Creates one NAT Gateway per Availability Zone in public subnets.
+                          Each private subnet routes traffic through the NAT Gateway in its own AZ.
+
+                          Regional: Creates a single NAT Gateway that automatically expands and contracts across
+                          all Availability Zones based on workload presence. Does not require public subnets.
+                          Provides automatic high availability with simplified setup and enhanced security.
+
+                          Regional NAT Gateways support up to 32 IP addresses per AZ (vs 8 for zonal)
+                          and are recommended for new deployments unless private connectivity is required.
+
+                          Note: Regional NAT Gateways are available in all commercial AWS Regions except
+                          AWS GovCloud (US) and China Regions.
+
+                          Defaults to Zonal for backward compatibility.
+                        enum:
+                        - Zonal
+                        - Regional
+                        type: string
                       privateDnsHostnameTypeOnLaunch:
                         description: |-
                           PrivateDNSHostnameTypeOnLaunch is the type of hostname to assign to instances in the subnet at launch.

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclustertemplates.yaml
@@ -1363,6 +1363,30 @@ spec:
                                       Mutually exclusive with IPAMPool.
                                     type: string
                                 type: object
+                              natGatewayAvailabilityMode:
+                                default: Zonal
+                                description: |-
+                                  NATGatewayAvailabilityMode specifies the availability mode for NAT Gateways in this VPC.
+                                  Valid values are "zonal" and "regional".
+
+                                  Zonal (default): Creates one NAT Gateway per Availability Zone in public subnets.
+                                  Each private subnet routes traffic through the NAT Gateway in its own AZ.
+
+                                  Regional: Creates a single NAT Gateway that automatically expands and contracts across
+                                  all Availability Zones based on workload presence. Does not require public subnets.
+                                  Provides automatic high availability with simplified setup and enhanced security.
+
+                                  Regional NAT Gateways support up to 32 IP addresses per AZ (vs 8 for zonal)
+                                  and are recommended for new deployments unless private connectivity is required.
+
+                                  Note: Regional NAT Gateways are available in all commercial AWS Regions except
+                                  AWS GovCloud (US) and China Regions.
+
+                                  Defaults to Zonal for backward compatibility.
+                                enum:
+                                - Zonal
+                                - Regional
+                                type: string
                               privateDnsHostnameTypeOnLaunch:
                                 description: |-
                                   PrivateDNSHostnameTypeOnLaunch is the type of hostname to assign to instances in the subnet at launch.

diff --git a/go.mod b/go.mod
@@ -10,14 +10,14 @@ require (
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/aws/amazon-vpc-cni-k8s v1.15.5
 	github.com/aws/aws-lambda-go v1.41.0
-	github.com/aws/aws-sdk-go-v2 v1.39.2
+	github.com/aws/aws-sdk-go-v2 v1.40.1
 	github.com/aws/aws-sdk-go-v2/config v1.31.12
 	github.com/aws/aws-sdk-go-v2/credentials v1.18.16
 	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.19.12
 	github.com/aws/aws-sdk-go-v2/service/autoscaling v1.52.4
 	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.52.0
 	github.com/aws/aws-sdk-go-v2/service/configservice v1.56.0
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.233.0
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.275.1
 	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.36.0
 	github.com/aws/aws-sdk-go-v2/service/efs v1.39.0
 	github.com/aws/aws-sdk-go-v2/service/eks v1.64.0
@@ -29,7 +29,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.28.6
 	github.com/aws/aws-sdk-go-v2/service/ssm v1.59.1
 	github.com/aws/aws-sdk-go-v2/service/sts v1.38.6
-	github.com/aws/smithy-go v1.23.0
+	github.com/aws/smithy-go v1.24.0
 	github.com/awslabs/goformation/v4 v4.19.5
 	github.com/blang/semver v3.5.1+incompatible
 	github.com/coreos/ignition v0.35.0
@@ -115,15 +115,15 @@ require (
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.9 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.15 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.15 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.9 // indirect
 	github.com/aws/aws-sdk-go-v2/service/cloudformation v1.50.0
 	github.com/aws/aws-sdk-go-v2/service/eventbridge v1.39.3
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.15 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.9 // indirect
 	github.com/aws/aws-sdk-go-v2/service/organizations v1.27.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/servicequotas v1.21.4