4. NAT vs NAT Gateways
Comparison

Availability
  NAT Gateway:  Highly available. NAT Gateways in each Availability Zone are implemented with redundancy.
  NAT Instance: Use a script to manage failover between instances.

Bandwidth
  NAT Gateway:  Supports bursts of up to 10 Gbps.
  NAT Instance: Instance type and size dependent.

Maintenance
  NAT Gateway:  Managed by AWS.
  NAT Instance: Managed by you: installing software updates, system patches etc.

Performance
  NAT Gateway:  Software is optimized for handling NAT traffic.
  NAT Instance: A generic Amazon Linux AMI that's configured to perform NAT.

Cost
  NAT Gateway:  Charged depending on the number of NAT Gateways you use, duration of use and amount of data sent.
  NAT Instance: Charged depending on the number of NAT instances used, duration of use and size.
5. NAT vs NAT Gateways
Comparison

Public IP addresses
  NAT Gateway:  Choose the Elastic IP address to associate with the Gateway during creation.
  NAT Instance: Use an Elastic IP or public IP address with a NAT instance. You can change the IP by associating a new Elastic IP address.

Security Groups
  NAT Gateway:  Cannot be associated with a NAT Gateway; associate them with your resources behind the Gateway.
  NAT Instance: Can be associated with the NAT instance and the instances behind the NAT.

Flow Logs
  NAT Gateway:  Use Flow Logs to capture the traffic.
  NAT Instance: Use Flow Logs to capture the traffic.

Bastion Servers
  NAT Gateway:  Not supported.
  NAT Instance: A generic Amazon Linux AMI that's configured to perform NAT.

Traffic metrics
  NAT Gateway:  Not supported.
  NAT Instance: View CloudWatch Metrics.
6. What about pricing?
NAT Gateway pricing

Region Name                 Price per Hour ($)   Price per GB data processed ($)
US East (N. Virginia)       0.045                0.045
US West (Oregon)            0.045                0.045
US West (N. California)     0.048                0.048
EU (Ireland)                0.048                0.048
EU (Frankfurt)              0.052                0.059
Asia Pacific (Singapore)    0.059                0.059
Asia Pacific (Tokyo)        0.062                0.062
Asia Pacific (Sydney)       0.059                0.059
* Prices as of 3/21/2016
7. What about pricing?
NAT Gateway vs NAT Instance (t2.small)

Region Name                 NAT Gateway Price per Hour ($)   t2.small Price per Hour ($)
US East (N. Virginia)       0.045                            0.026
US West (Oregon)            0.045                            0.026
US West (N. California)     0.048                            0.034
EU (Ireland)                0.048                            0.028
EU (Frankfurt)              0.052                            0.03
Asia Pacific (Singapore)    0.059                            0.04
Asia Pacific (Tokyo)        0.062                            0.04
Asia Pacific (Sydney)       0.059                            0.04
* Prices as of 3/21/2016
8. Old NAT HA Architecture
Previously, in an old HA NAT architecture, one way of doing it would be to have a NAT instance in each AZ and then a script on each that would check the heartbeat of the other, i.e. its status, and take over if it stopped responding.
9. Creating the NAT Gateway
For more info
http://docs.aws.amazon.com/cli/latest/reference/ec2/create-nat-gateway.html
If you would like to create your NAT Gateway via the CLI then use the following syntax (the flag is --subnet-id, and an Elastic IP allocation ID is required; the placeholder below stands for one you have already allocated):
$ aws ec2 create-nat-gateway --subnet-id subnet-1a2bc34d --allocation-id <eip-allocation-id> --region eu-west-1
10. Creating the NAT Gateway
If you would like to create your NAT Gateway via the CLI, first allocate an Elastic IP, then pass the returned AllocationId when creating the gateway:
$ aws ec2 allocate-address --domain vpc --region us-west-2 --profile myprofile
{
    "PublicIp": "52.54.70.124",
    "Domain": "vpc",
    "AllocationId": "eipalloc-d1e648b5"
}
$ aws ec2 create-nat-gateway --subnet-id subnet-1a2bc34d --allocation-id eipalloc-d1e648b5 --region us-west-2 --profile myprofile
11. Creating the NAT Gateway
The create-nat-gateway call returns the new gateway in the "pending" state; note the NatGatewayId, which you will need for the private route table:
$ aws ec2 create-nat-gateway --subnet-id subnet-1a2bc34d --allocation-id eipalloc-d1e648b5 --region us-west-2 --profile myprofile
{
    "NatGateway": {
        "NatGatewayAddresses": [
            {
                "AllocationId": "eipalloc-37fc1a52"
            }
        ],
        "VpcId": "vpc-1122aabb",
        "State": "pending",
        "NatGatewayId": "nat-08d48af2a8e83edfd",
        "SubnetId": "subnet-1a2b3c4d",
        "CreateTime": "2015-12-17T12:45:26.732Z"
    }
}
12. Creating with CloudFormation
Below is an example of how to create a NAT Gateway with an EIP (Elastic IP) and route the private subnet's default route through it:
"NAT" : {
    "DependsOn" : "VPCGatewayAttach",
    "Type" : "AWS::EC2::NatGateway",
    "Properties" : {
        "AllocationId" : { "Fn::GetAtt" : ["EIP", "AllocationId"] },
        "SubnetId" : { "Ref" : "Subnet" }
    }
},
"EIP" : {
    "Type" : "AWS::EC2::EIP",
    "Properties" : { "Domain" : "vpc" }
},
"Route" : {
    "Type" : "AWS::EC2::Route",
    "Properties" : {
        "RouteTableId" : { "Ref" : "RouteTable" },
        "DestinationCidrBlock" : "0.0.0.0/0",
        "NatGatewayId" : { "Ref" : "NAT" }
    }
}
13. Migrating to a NAT Gateway
Demo Time
Photo courtesy of Stephen Radford via http://snap.io
14. Have you ever dealt with: "My private instance can't reach the internet"?
Image by http://www.gratisography.com/
15. First Steps
Check to make sure your route tables are intact for your private routes.
16. Tips if you are using a NAT Instance
By default the Amazon Linux instance does not have telnet installed.
It does, however, have netcat, which can provide instant troubleshooting abilities:
$ nc -z -w 3 10.0.0.22 22 > /dev/null 2>&1; echo $?
Will output 0 if port 22 is open, and 1 if it's closed (-z connects without sending data and -w 3 gives up after 3 seconds, so the check does not hang waiting for input).
17. Other ways of using netcat
Tips if you are using a NAT Instance
Try using netcat to open a connection and listen on a port, then connect from your other instance using telnet:
$ nc -l 80
(listening on a port below 1024 requires root)
18. See if you can reach the outside world
Tips if you are using a NAT Instance
Try using nslookup to see if you can get out and get a response for a known DNS name:
$ nslookup google.com
Server:    10.0.0.2
Address:   10.0.0.2#53

Non-authoritative answer:
Name:    google.com
Address: 216.58.193.78
19. Tips if you are using a NAT Instance
Make sure that the source/destination check is set to FALSE on the NAT instance (otherwise the instance drops packets whose source or destination is not its own address, which is exactly the traffic a NAT forwards).
20. VPC Flow Logs include:
1) Information about allowed and denied traffic (based on security group and ACL rules)
2) Source and destination addresses
3) Ports, protocol number
4) Packet and byte counts
21. VPC Flow Logs don't include:
For more info
http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ami-create-standard.html
1) Traffic to Amazon DNS servers
2) Windows license activation traffic for licenses provided by Amazon
3) Requests for instance metadata
4) DHCP requests or responses
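The fields listed on the two slides above (addresses, ports, protocol number, packet and byte counts, and the ACCEPT/REJECT decision) are exactly what the default flow log record carries. The following is an added example, not part of the original deck: it parses a few constructed version-2 records and pulls out the REJECT entries that originate in the private subnet, which is the first thing to look at when an instance behind the NAT cannot reach the internet. The account ID, ENI and addresses in the sample are made up.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample records (account id, ENI and addresses are made up),
# in the default version-2 flow log format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 93.184.216.34 45012 443 6 8 1024 1458000000 1458000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 93.184.216.34 45013 80 6 3 180 1458000000 1458000059 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 93.184.216.34 45014 80 6 3 180 1458000000 1458000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 55000 22 6 1 60 1458000000 1458000059 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1458000000 1458000059 - NODATA
"""

class FlowRecord(NamedTuple):
    srcaddr: str
    dstaddr: str
    dstport: int
    protocol: int  # IANA protocol number: 6 = TCP, 17 = UDP
    packets: int
    action: str    # ACCEPT or REJECT, the security group / NACL decision

def parse_flow_log(text: str) -> List[FlowRecord]:
    """Parse default-format records. NODATA/SKIPDATA lines have '-' in every
    field, so anything whose log-status is not OK is dropped before int()."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":
            continue
        records.append(FlowRecord(f[3], f[4], int(f[6]), int(f[7]), int(f[8]), f[12]))
    return records

def rejected_flows(records: List[FlowRecord]) -> Dict[Tuple[str, str, int, int], int]:
    """Packets per rejected (srcaddr, dstaddr, dstport, protocol) tuple."""
    counts: Counter = Counter()
    for r in records:
        if r.action == "REJECT":
            counts[(r.srcaddr, r.dstaddr, r.dstport, r.protocol)] += r.packets
    return dict(counts)

def outbound_rejects(records: List[FlowRecord], private_cidr: str) -> Dict[Tuple[str, str, int, int], int]:
    """Rejected flows whose source lies inside the private subnet: the ones to
    check first when an instance behind the NAT cannot reach the internet."""
    net = ipaddress.ip_network(private_cidr)
    return {k: v for k, v in rejected_flows(records).items()
            if ipaddress.ip_address(k[0]) in net}
```

On the sample, outbound_rejects(parse_flow_log(SAMPLE_LOG), "10.0.1.0/24") reports 6 rejected packets from 10.0.1.25 to 93.184.216.34:80/TCP, while the inbound SSH rejects from 198.51.100.7 are left out of that view.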
22. Turning on VPC Flow Logs
For more info
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
First Step:
Create a Role that can publish to CloudWatch Logs
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
23. Turning on VPC Flow Logs
From the AWS Console
Go to CloudWatch
Choose Logs
Go to Actions
Create Log Group
24. Turning on VPC Flow Logs
For more info
http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ami-create-standard.html
From the AWS Console
Go to VPC
Choose your VPC
Go to Actions
Create Flow Log
26. VPC Flow Log Limitations
• You cannot enable flow logs for network interfaces that are in the EC2-Classic platform.
• You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account.
• You cannot tag a flow log.
• After you've created a flow log, you cannot change its configuration; for example, you can't associate a different IAM role with the flow log.
• If your network interface has multiple IP addresses and traffic is sent to a secondary private IP address, the flow log displays the primary IP address in the destination IP address field.
AWS already has managed policies for SSM to attach either to your users or roles. These can be easily found by going to the policy section of IAM and then searching for SSM.
We need to allocate an EIP first and then use that allocation ID when requesting our NAT Gateway
Finally on Feb 26th AWS announced support for the NAT Gateway in CloudFormation
Official CF documentation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-natgateway.html
Let’s take a look at some of the commands that we can perform
When creating an Image from a pre-existing image to join a domain, an important step is to shut down the system with Sysprep. This can be done either graphically from the EC2config screen or by using the CLI
We are going to need a Log Group in our next steps to push our Logs to later
When setting up the VPC flow logs you will have to choose a few things including the Destination Log Group:
The name of the CloudWatch Logs log group to which the flow log will be published. A log stream will be created in this log group for each network interface being monitored.
We could also filter on one of three items: All, Accept, and Reject