@moko-poi moko-poi commented Dec 8, 2025

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR implements support for AWS Regional NAT Gateways, a new feature announced by AWS in November 2025. Regional NAT Gateways provide automatic multi-AZ expansion with simplified network architecture and enhanced security compared to traditional zonal NAT Gateways.

Key Changes:

  • Added natGatewayAvailabilityMode field to VPCSpec with enum validation (Zonal/Regional)
  • Updated AWS SDK ec2 service from v1.233.0 to v1.275.1 to support new Regional NAT Gateway parameters
  • Implemented reconcileRegionalNatGateway() for creating and managing a single NAT Gateway across all AZs
  • Implemented createRegionalNatGateway() using VpcId and AvailabilityMode parameters
  • Updated getNatGatewayForSubnet() to support routing through regional NAT Gateways
  • Generated updated CRD manifests with new field and kubebuilder validation
  • Added comprehensive unit tests covering creation, reconciliation, and subnet routing

Benefits:

  • Simplified setup: Single NAT Gateway ID across all Availability Zones
  • Enhanced security: No public subnets required for hosting NAT Gateways
  • Automatic high availability: NAT Gateway automatically expands/contracts based on workload presence
  • Higher limits: Up to 32 IP addresses per AZ (vs 8 for zonal)
  • Cost optimization: Eliminates cross-AZ data transfer costs in some scenarios
  • Backward compatible: Defaults to Zonal mode, existing clusters unaffected

Example Usage:

```yaml
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: AWSCluster
metadata:
  name: my-cluster
spec:
  region: us-east-1
  network:
    vpc:
      natGatewayAvailabilityMode: Regional  # New field, defaults to Zonal
```

Which issue(s) this PR fixes:
Fixes #5790

Special notes for your reviewer:

  • Regional NAT Gateways are available in all commercial AWS Regions except AWS GovCloud (US) and China Regions
  • The implementation maintains full backward compatibility - existing clusters continue to use zonal NAT Gateways
  • Migration from zonal to regional mode would require recreating the NAT Gateway (not covered in this PR)
  • The AWS SDK update (v1.233.0 → v1.275.1) was necessary to access the AvailabilityMode and VpcId parameters for CreateNatGatewayInput
  • Test coverage includes both successful creation scenarios and error handling

Checklist:

  • squashed commits
  • includes documentation
  • includes emoji in title ✨
  • adds unit tests
  • adds or updates e2e tests

Release note:

Add support for AWS Regional NAT Gateways. Users can now configure `natGatewayAvailabilityMode: Regional` in VPCSpec to create a single NAT Gateway that automatically expands across all Availability Zones, providing simplified setup and enhanced security. Defaults to Zonal mode for backward compatibility.
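The description above lists the new field, its enum validation, a regional reconcile path and a changed subnet-to-NAT lookup, but not how the two modes differ in what they require from the VPC layout. The following Go program is an added, self-contained model of that behaviour; it is not code from this PR or from cluster-api-provider-aws, and it does not call the AWS SDK. The type and function names (`NatGatewayAvailabilityMode`, `ValidateMode`, `ReconcileNatGateways`, the `Subnet` and `NatGateway` structs), the generated gateway IDs and the sample subnets are all constructed for the example. It shows why zonal mode needs a public subnet in every AZ that hosts private subnets, while regional mode binds one gateway to the VPC ID and routes every private subnet through it, and it rejects any mode value outside the two-value enum the CRD validation enforces.

```go
package main

import "fmt"

// NatGatewayAvailabilityMode models the VPCSpec field added by the PR (assumed name).
type NatGatewayAvailabilityMode string

const (
	NatGatewayAvailabilityModeZonal    NatGatewayAvailabilityMode = "Zonal"
	NatGatewayAvailabilityModeRegional NatGatewayAvailabilityMode = "Regional"
)

// Subnet is a simplified subnet of the cluster VPC (constructed model, not the CAPA type).
type Subnet struct {
	ID       string
	AZ       string
	IsPublic bool
}

// NatGateway is the result of a simulated CreateNatGateway call.
// A zonal gateway is placed in a public subnet; a regional one is bound to the VPC.
type NatGateway struct {
	ID       string
	SubnetID string // zonal only
	VpcID    string // regional only
	AZ       string // zonal only
}

// Plan is the reconcile outcome: gateways that must exist, and for every private
// subnet the gateway its default route should target.
type Plan struct {
	Gateways []NatGateway
	Routes   map[string]string // private subnet ID -> NAT gateway ID
}

// ValidateMode mirrors the enum restriction the CRD enforces: empty defaults to
// Zonal, anything other than Zonal/Regional is rejected before touching AWS.
func ValidateMode(mode NatGatewayAvailabilityMode) (NatGatewayAvailabilityMode, error) {
	switch mode {
	case "":
		return NatGatewayAvailabilityModeZonal, nil
	case NatGatewayAvailabilityModeZonal, NatGatewayAvailabilityModeRegional:
		return mode, nil
	default:
		return "", fmt.Errorf("invalid natGatewayAvailabilityMode %q: must be Zonal or Regional", mode)
	}
}

// ReconcileNatGateways computes which gateways are needed and how private subnets route.
func ReconcileNatGateways(vpcID string, mode NatGatewayAvailabilityMode, subnets []Subnet) (Plan, error) {
	mode, err := ValidateMode(mode)
	if err != nil {
		return Plan{}, err
	}
	plan := Plan{Routes: map[string]string{}}

	if mode == NatGatewayAvailabilityModeRegional {
		// One gateway bound to the VPC; AWS expands it across AZs, so no public
		// subnet has to exist for hosting it.
		gw := NatGateway{ID: "nat-regional-" + vpcID, VpcID: vpcID}
		plan.Gateways = append(plan.Gateways, gw)
		for _, s := range subnets {
			if !s.IsPublic {
				plan.Routes[s.ID] = gw.ID
			}
		}
		return plan, nil
	}

	// Zonal: one gateway in the first public subnet of each AZ; each private subnet
	// routes to the gateway in its own AZ and fails if that AZ has none.
	gatewayByAZ := map[string]string{}
	for _, s := range subnets {
		if !s.IsPublic {
			continue
		}
		if _, exists := gatewayByAZ[s.AZ]; exists {
			continue
		}
		gw := NatGateway{ID: "nat-" + s.ID, SubnetID: s.ID, AZ: s.AZ}
		plan.Gateways = append(plan.Gateways, gw)
		gatewayByAZ[s.AZ] = gw.ID
	}
	for _, s := range subnets {
		if s.IsPublic {
			continue
		}
		gwID, ok := gatewayByAZ[s.AZ]
		if !ok {
			return Plan{}, fmt.Errorf("private subnet %s: no public subnet with a NAT gateway in AZ %s", s.ID, s.AZ)
		}
		plan.Routes[s.ID] = gwID
	}
	return plan, nil
}

func main() {
	// Constructed sample layout: two AZs, one public and one private subnet each.
	subnets := []Subnet{
		{ID: "subnet-pub-a", AZ: "us-east-1a", IsPublic: true},
		{ID: "subnet-priv-a", AZ: "us-east-1a"},
		{ID: "subnet-pub-b", AZ: "us-east-1b", IsPublic: true},
		{ID: "subnet-priv-b", AZ: "us-east-1b"},
	}
	for _, mode := range []NatGatewayAvailabilityMode{"", NatGatewayAvailabilityModeRegional} {
		plan, err := ReconcileNatGateways("vpc-0123", mode, subnets)
		fmt.Printf("mode=%q gateways=%d routes=%v err=%v\n", mode, len(plan.Gateways), plan.Routes, err)
	}
}
```

The private-only layout in the test is the case that separates the two modes: zonal reconciliation has nowhere to place a gateway and must fail, while regional reconciliation still yields one VPC-bound gateway and a route for the private subnet, which is the "no public subnets required" point in the PR's benefits list.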

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. labels Dec 8, 2025
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign richardcase for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested review from AndiDog and damdo December 8, 2025 13:26
@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Dec 8, 2025
@k8s-ci-robot
Contributor

Hi @moko-poi. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Dec 8, 2025
Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.

Development

Successfully merging this pull request may close these issues.

Support AWS Regional NAT Gateways for automatic multi-AZ expansion

2 participants