An AWS CloudFormation template of NAT instance and private network, low-cost alternative to NAT Gateway, suitable for your non-production environment.
- Minimum EC2 running costs with
t4g.nano
spot instances - Minimum EBS footprint (1GB).
- Tuned NAT table size to accommodate a large number of clients.
- Auto replace NAT instance in case of problems, without changing global IPv4 address.
- IPv6 support for reachability to v6-only peers.
- ...but this template is inferior to NAT Gateway :-)
- Auto-update NAT instance.
- Tuned kernel parameters to drop some malformed packets.
- Tuned least IAM privilege for NAT instance profile.
Make sure your AWS Region is in a supported region.
- Select [CloudFormation] -> [Stacks] -> [Create stack] -> [With new resources (standard)]
- Specify template source to [Upload a template file] and choose
cf-nat-instance-network.yml
as a template file to upload. Then click [Next]. - Specify your stack name and click [Next].
- Continue clicking [Next] until you reach the [Review test] screen.
- Confirm the capabilities section, check the checkbox if ok, and finally click Submit.
aws cloudformation create-stack --stack-name YOUR_STACK_NAME --template-body "file://$(realpath cf-nat-instance-network.yml)" --capabilities CAPABILITY_IAM
Now you can place your instances to a private subnet named YOUR_STACK_NAME-PrivateSubnetA
.
- EC2
t4g.nano
spot instance: 1.3 ~ 1.6 USD/month. - EBS: 0.096 USD/month.
- Ingress traffic: free.
- Egress traffic: depends your traffic, but you may have 100 GB/month free tier.
Note: prices are based on ap-northeast-1 region, as of Sep 2023.
EC2NATInstanceInstanceType
- EC2 instance type of the NAT instance.
- The default
t4g.nano
is the minimum EC2 running cost.
EC2NATInstanceKeyName
- If you want to ssh login to the NAT instance, specify the key pair name.
- No need to specify if you do not manage NAT instances.
EC2NATInstanceAdminNetwork
- If you want to ssh login to the NAT instance, specify the login source in a format like
203.0.113.114/32
. - No need to specify if you do not manage NAT instances.
- If you want to ssh login to the NAT instance, specify the login source in a format like
Note that the ssh host key changes when the NAT instance is replaced. Therefore, the ssh command may say "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!". In this case you need to edit your known_hosts
.
This template works in AWS regions below:
- ap-northeast-1
- ap-northeast-2
- ap-northeast-3
- ap-south-1
- ap-southeast-1
- ap-southeast-2
- ca-central-1
- eu-central-1
- eu-north-1
- eu-west-1
- eu-west-2
- eu-west-3
- sa-east-1
- us-east-1
- us-east-2
- us-west-1
- us-west-2