Support AWS Regional NAT Gateways for automatic multi-AZ expansion

[moko-poi]

/kind feature

Describe the solution you'd like

Add support for AWS Regional NAT Gateways, a new availability mode announced in November 2025 that provides automatic multi-AZ expansion with simplified network architecture.

Currently, cluster-api-provider-aws only supports zonal NAT Gateways (one per AZ in public subnets). Regional NAT Gateways offer several advantages:

• Simplified setup: Single NAT Gateway ID across all AZs
• No public subnets required: Enhanced security posture
• Automatic high availability: Auto-expands/contracts with workload presence
• Higher limits: Up to 32 IPs per AZ (vs 8 for zonal)
• Cost optimization: Reduced cross-AZ data transfer in some scenarios

Proposed implementation:

1. Add new field to VPCSpec:

// NATGatewayAvailabilityMode specifies the availability mode for NAT Gateways.
// Valid values: "zonal" (default), "regional"
// +optional
// +kubebuilder:default=zonal
// +kubebuilder:validation:Enum=zonal;regional
NATGatewayAvailabilityMode *string `json:"natGatewayAvailabilityMode,omitempty"`

2. Update NAT Gateway creation logic in pkg/cloud/services/network/natgateways.go to use AvailabilityMode parameter when creating regional NAT Gateways

3. Modify route table reconciliation to support single NAT Gateway ID across all AZs

Anything else you would like to add:

Reference implementations:

• Terraform AWS Provider PR #45380 - Shows availability_mode = "regional" usage
• AWS SDK already supports this via AvailabilityMode parameter in CreateNatGatewayInput
• E2E test helper (test/e2e/shared/aws.go:1575) already uses connectivity type parameters

AWS Documentation:

• Announcement
• Regional NAT Gateway Docs

Example from Terraform Provider:

resource "aws_nat_gateway" "regional" {
  vpc_id            = aws_vpc.example.id
  availability_mode = "regional"
  depends_on        = [aws_internet_gateway.example]
}

Environment:

• Cluster-api-provider-aws version: v2.x (all versions)
• AWS SDK: github.com/aws/aws-sdk-go-v2/service/ec2 v1.233.0+
• Feature availability: All commercial AWS Regions (except GovCloud and China)

[k8s-ci-robot]

This issue is currently awaiting triage.

If CAPA/CAPI contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.