A NAT Gateway in Failed state means the gateway creation did not complete successfully. Unlike most AWS resources, a failed NAT Gateway cannot be recovered — it must be deleted and recreated. Before you do that, identify the root cause or you'll hit the same failure again.
Step 1: Check the Failure Reason
aws ec2 describe-nat-gateways \
--nat-gateway-ids nat-0abc123 \
--query 'NatGateways[*].[NatGatewayId,State,FailureCode,FailureMessage]'
The FailureCode and FailureMessage fields tell you exactly what went wrong. There are three common causes.
Cause 1: No Elastic IP Available (EIP Limit)
Each public NAT Gateway requires one Elastic IP. The default EIP limit per region is 5. If all 5 are allocated to other resources, NAT Gateway creation fails.
# Check how many EIPs you have and their status
aws ec2 describe-addresses \
--query 'Addresses[*].[PublicIp,AssociationId,AllocationId]' \
--output table
# Check your current EIP limit
aws ec2 describe-account-attributes \
--attribute-names max-elastic-ips
Fix: Release any unassociated EIPs, or request a limit increase via the Service Quotas console (search "Elastic IP addresses").
Cause 2: Wrong Subnet Type (Private Instead of Public)
A NAT Gateway must be created in a public subnet — a subnet with a route to an Internet Gateway. If you create it in a private subnet, it enters Failed state because it has no path to the internet.
# Check which subnets are public (have a route to IGW)
aws ec2 describe-route-tables \
--query 'RouteTables[*].{RT:RouteTableId,Routes:Routes[?GatewayId!=null && starts_with(GatewayId,`igw`)]}' \
--output json | jq '.[] | select(.Routes | length > 0)'
Fix: Create the NAT Gateway in a subnet that has a 0.0.0.0/0 → igw-xxxxx route. Then put the NAT Gateway's own route (0.0.0.0/0 → nat-xxxxx) in the private subnet's route table — not the public one.
Cause 3: No Internet Gateway on the VPC
Even a correctly placed NAT Gateway in a public subnet will fail if the VPC has no Internet Gateway at all.
# List IGWs attached to your VPC
aws ec2 describe-internet-gateways \
--filters Name=attachment.vpc-id,Values=vpc-0abc123 \
--query 'InternetGateways[*].[InternetGatewayId,Attachments[0].State]'
Fix: If no IGW is attached, create and attach one, then make sure the public subnet's route table has the 0.0.0.0/0 → IGW route described under Cause 2:
# Create and attach an IGW
IGW=$(aws ec2 create-internet-gateway --query 'InternetGateway.InternetGatewayId' --output text)
aws ec2 attach-internet-gateway --internet-gateway-id "$IGW" --vpc-id vpc-0abc123
Deleting the Failed Gateway and Recreating
# Delete the failed NAT Gateway
aws ec2 delete-nat-gateway --nat-gateway-id nat-0abc123
# Allocate a fresh EIP (if needed)
EIP=$(aws ec2 allocate-address --domain vpc --query 'AllocationId' --output text)
# Create new NAT Gateway in the correct PUBLIC subnet
aws ec2 create-nat-gateway \
--subnet-id subnet-public123 \
--allocation-id "$EIP"
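As an added example (not from the original article), the three checks above folded into one preflight script: it takes the RouteTables, InternetGateways and Addresses lists that the page's describe-* commands (or boto3) return and reports which of the three causes would put a new NAT Gateway into Failed state before you recreate it. The sample responses embedded below are constructed; the subnet, VPC and gateway IDs are the page's placeholders, and the 5-EIP default quota is the figure the article gives.

```python
def has_igw_default_route(rt):
    """An active 0.0.0.0/0 -> igw-* route is what makes a subnet public (Cause 2)."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               and r.get("State", "active") == "active" for r in rt.get("Routes", []))
def subnet_is_public(route_tables, subnet_id):
    """route_tables: the VPC's tables. A subnet with no explicit association uses the main table."""
    main_table = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return has_igw_default_route(rt)
            if assoc.get("Main"):
                main_table = rt
    return has_igw_default_route(main_table) if main_table else False
def vpc_has_igw(igws, vpc_id):
    """Cause 3: the IGW attachment state reads 'available' once attached to the VPC."""
    return any(a.get("VpcId") == vpc_id and a.get("State") in ("available", "attached")
               for igw in igws for a in igw.get("Attachments", []))
def free_eips(addresses):
    """Cause 1: allocated EIPs with no AssociationId can be reused for the new gateway."""
    return [a["AllocationId"] for a in addresses if not a.get("AssociationId")]
def nat_gateway_preflight(subnet_id, vpc_id, route_tables, igws, addresses, eip_limit=5):
    """Problems that would land a new NAT Gateway in Failed state; an empty list means go."""
    problems = []
    if not vpc_has_igw(igws, vpc_id):
        problems.append("no Internet Gateway attached to " + vpc_id)
    if not subnet_is_public(route_tables, subnet_id):
        problems.append(subnet_id + " is not public (no 0.0.0.0/0 -> igw route)")
    if not free_eips(addresses) and len(addresses) >= eip_limit:
        problems.append("EIP quota reached (%d/%d) and none unassociated" % (len(addresses), eip_limit))
    return problems

# Constructed sample responses in the shape the describe-* commands return; not real data.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public123"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc123", "State": "active"}]}]
SAMPLE_IGWS = [{"InternetGatewayId": "igw-0abc123",
                "Attachments": [{"VpcId": "vpc-0abc123", "State": "available"}]}]
# All five default-quota EIPs already associated elsewhere, i.e. Cause 1 would trigger.
SAMPLE_ADDRESSES = [{"AllocationId": "eipalloc-%d" % i, "AssociationId": "eipassoc-%d" % i}
                    for i in range(5)]

if __name__ == "__main__":
    for subnet in ("subnet-public123", "subnet-private456"):
        print(subnet, nat_gateway_preflight(subnet, "vpc-0abc123", SAMPLE_ROUTE_TABLES,
                                            SAMPLE_IGWS, SAMPLE_ADDRESSES) or "OK to create")
```

Against a real account, pass in the lists from `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc>`, `describe-internet-gateways` and `describe-addresses` (via json.load or boto3) instead of the samples.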
Frequently Asked Questions
Why is my AWS NAT Gateway in a failed state?
The three most common causes: (1) no Elastic IP available — account hit the default 5 EIP limit per region; (2) NAT Gateway was created in a private subnet instead of a public one; (3) the VPC has no Internet Gateway attached.
Can a failed NAT Gateway be recovered?
No. A NAT Gateway in Failed state cannot transition to Available. You must delete it and create a new one after resolving the underlying cause.
Do I get charged for a NAT Gateway in Failed state?
No hourly charge applies to a failed NAT Gateway. However, the Elastic IP that was allocated for it will still incur charges until released. Delete the gateway and release the EIP if you're not immediately retrying.