Amazon AWS VPC Replace your NAT with micro Instance NAT

Posted on Monday, December 10, 2012

The VPC wizard has an option to create a public subnet and a private subnet. It creates a NAT instance to handle internet traffic for the private network. The tool does not have the option to make this instance a micro instance, and until recently you could not have a micro instance in a VPC at all [1]. I think it's possible to use a micro instance as a NAT; you just have to do some manual steps to implement it.

This guide assumes you already have a VPC set up with a public and private subnet and a running NAT.

Instantiate the micro NAT

From the EC2 console, select AMIs.

Then from the pull-down menu select "Amazon Images".
Then enter "nat" in the text field and press Enter.

A list of the available Amazon-provided NAT AMIs is displayed.

Select the 1.1 beta 64-bit image, right-click and select Launch Instance.

Select T1.micro as the instance type.
Select VPC and then select the public subnet (in my case

Click Continue

I prefer to give it a static internal IP address.   I assigned to it and click Continue.

Click Continue

Give it the name micro-NAT and click Continue.

Select the keypair to use and click Continue.

Select the security groups you want this NAT to be a part of. I selected ones that gave it port 22 and access to other machines that share the same group. Click Continue.

Click Launch

From the VPC console select Elastic IPs and click on Allocate New Addresses.

Select VPC and click Yes, Allocate.

Click on Associate Address.

Select the micro-NAT and click Yes, Associate.

SSH to the instance to test that it is up:

              > ssh -i .ec2/pats-keypair.pem ec2-user@

That worked.

Change Source / Dest Check

From the EC2 console select the micro-NAT instance, right-click and select "Change Source / Dest Check".

Click Yes, Disable.

From the VPC console click on Subnets, then select the private subnet. Note the route table it is using, in this case rtb-7565761e.

Click on Route Tables and select the route table associated with the private subnet.

Select the route to the current NAT and click Remove.

Click Yes, Delete.

Enter for the Destination and select the micro-NAT instance as the target and click Add.

Click Yes, Create.
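The same three changes (disable source/dest check, let the private subnet reach the NAT, repoint the private route table's default route) scripted with the AWS CLI, as an added example that is not part of the original post. The post used the console in 2012; the `aws ec2` subcommands here are the modern CLI and are assumed to be installed and configured with credentials for the account. All identifiers are placeholders supplied through environment variables. With AWS_DRY_RUN=1 the commands are printed instead of executed, which is also how the functions can be checked without touching an account.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the modern `aws` CLI.
# With AWS_DRY_RUN=1 each command is printed instead of executed.

run() {
  if [ "${AWS_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Source/destination checking drops packets not addressed to the instance
# itself; a NAT has to forward such packets, so the check must be off.
disable_src_dst_check() {
  # $1 = NAT instance id
  run aws ec2 modify-instance-attribute --instance-id "$1" --no-source-dest-check
}

# Let the private subnet reach the NAT on all protocols. The rule is scoped
# to the private subnet CIDR rather than 0.0.0.0/0 so only that subnet can
# relay through the instance.
allow_private_subnet() {
  # $1 = NAT security group id, $2 = private subnet CIDR
  run aws ec2 authorize-security-group-ingress --group-id "$1" \
    --ip-permissions "IpProtocol=-1,IpRanges=[{CidrIp=$2}]"
}

# Replace the private route table's default route with one that targets the
# new NAT instance (the console steps "Remove" then "Add" above).
swap_default_route() {
  # $1 = private route table id, $2 = new NAT instance id
  run aws ec2 delete-route --route-table-id "$1" --destination-cidr-block 0.0.0.0/0
  run aws ec2 create-route --route-table-id "$1" --destination-cidr-block 0.0.0.0/0 \
    --instance-id "$2"
}

# Usage (placeholder ids):
#   NAT_ID=i-xxxx RTB_ID=rtb-xxxx NAT_SG=sg-xxxx PRIV_CIDR=10.0.1.0/24 sh nat-swap.sh
if [ -n "${NAT_ID:-}" ] && [ -n "${RTB_ID:-}" ]; then
  disable_src_dst_check "$NAT_ID"
  if [ -n "${NAT_SG:-}" ]; then
    allow_private_subnet "$NAT_SG" "${PRIV_CIDR:?set PRIV_CIDR to the private subnet CIDR}"
  fi
  swap_default_route "$RTB_ID" "$NAT_ID"
fi
```

Run it once with AWS_DRY_RUN=1 to read the exact commands before applying them; the order matters, since adding the new route before the source/dest check is disabled leaves the private subnet without working egress until the attribute change lands.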

Test the New Micro NAT

SSH into another instance on the public subnet. In my case I have a machine running with an Elastic IP at ; this instance has a keypair in my home directory.

              >   ssh -i .ec2/pats-keypair.pem ubuntu@

SSH into an instance in the private network. I have an instance running in my private network at

              >   ssh -i pats-keypair.pem ubuntu@

Ping from the private network:

              >   ping

And it works. As a good measure, stop the old NAT instance.

From the EC2 console select the old NAT, right-click and select Stop.

Confirm that the old small-instance NAT is down, then try to ping again from inside the private network and/or use apt-get or wget as a test.
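The ping test above checks the path end to end. If it fails, the first thing to verify is the NAT host itself, which the post does not show. An added example, not from the original post or the AMI: what the Amazon NAT AMI is assumed to configure on the Linux host is IPv4 forwarding plus a POSTROUTING MASQUERADE rule; the exact rule text and the sample output below are constructed, not captured from a real instance.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that a Linux host has
# the two things a NAT instance needs: ip_forward=1 and a MASQUERADE rule.
# The rule form is an assumption about what the NAT AMI configures.

# Pure check so it can be exercised on captured output:
#   $1 = contents of /proc/sys/net/ipv4/ip_forward
#   $2 = output of `iptables -t nat -S`
# Returns 0 when both are in place, 1 otherwise.
nat_config_ok() {
  fwd=$1
  rules=$2
  if [ "$fwd" != "1" ]; then
    echo "ip_forward is '$fwd', expected 1"
    return 1
  fi
  if ! printf '%s\n' "$rules" | grep -q -- '^-A POSTROUTING .*-j MASQUERADE'; then
    echo "no POSTROUTING MASQUERADE rule in nat table"
    return 1
  fi
  echo "forwarding enabled and masquerade rule present"
  return 0
}

# Live wrapper: run as root on the NAT instance itself.
check_live_nat() {
  nat_config_ok "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -t nat -S)"
}

# Constructed sample output standing in for a correctly configured NAT host
# (the VPC CIDR is a placeholder).
SAMPLE_RULES='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/16 -o eth0 -j MASQUERADE'

# Usage: `sh nat-check.sh --live` on the NAT; without the flag it runs
# against the constructed sample.
if [ "${1:-}" = "--live" ]; then
  check_live_nat
else
  nat_config_ok 1 "$SAMPLE_RULES"
fi
```

If forwarding is on and the rule is present but the private instance still cannot reach out, the remaining suspects are the ones from the earlier steps: source/dest check still enabled, the private route table still pointing at the old NAT, or the NAT's security group not admitting traffic from the private subnet.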

[1] Amazon VPC now supports Micro Instance (visited 11/2012)


  1. why don't you stop the original SMALL NAT instance and change it to MICRO, then start it back up?

    1. That is a good point. I created my own micro NAT to also serve as an OpenVPN server and I wanted it to run on Ubuntu (my preferred flavor of Linux). I did not cover setting those up in the blog post, but that was my reasoning for creating my own NAT.

  2. Just a note that if you use Dedicated Instances, this is not an option. Micro instances cannot run as Dedicated Instances.

  3. Sounds like this is not advisable:

    1. This truly depends on your needs. Instead of a T1.micro I would use a T2.micro, which should alleviate the issues brought up at Stack Overflow. But that is still just for a small system that has very low traffic for the VPN. If you have more needs, it's easy enough to switch to a more consistent server.