Amazon AWS VPC Replace your NAT with micro Instance NAT

Posted on Monday, December 10, 2012




The VPC wizard has an option to create a public subnet and a private subnet.  It creates a NAT instance to handle internet traffic for the private network.  The tool does not have the option to make this instance a micro instance.   Until recently you could not have a micro instance on a VPC  http://aws.amazon.com/about-aws/whats-new/2012/10/18/Amazon-VPC-now-Supports-Micro-Instances/ [1]  I think it’s possible to use a micro instance as a NAT, you just have to do some manual steps to implement it.


This guide assumes you already have a VPC set up with a public and private subnet and a running NAT.

Instantiate the micro NAT



From the EC2 console.  Select AMIs.

Then from the pull down menu select “Amazon Images”
Then enter “nat” in the text field and press enter.


A display of available amazon provided NAT AMIs is listed


Select the 1.1 beta 64 bit, right click and select Launch Instance.


Select T1.micro as the instance type.
Select VPC and then select the public subnet (in my case 10.0.0.0/24)

Click Continue


I prefer to give it a static internal IP address.   I assigned 10.0.0.25 to it and click Continue.




Click Continue




Give it the name micro-NAT and click Continue.



Select the keypair to use and click continue


Select the security groups you want this NAT to be a part of.  I selected ones that gave it port 22 and access to other machines that share the same group.  Click Continue




























Click Launch





















From the VPC console select Elastic IPs and click on Allocate New Addresses

















Select VPC and click Yes, Allocate

















Click on Associate Address.























Select the Micro-NAT and click Yes, Associate



SSH to test that it is up



              > ssh -i .ec2/pats-keypair.pem ec2-user@107.23.145.253








That worked.


Change Source /Dest Check














From the EC2 console select the micro-NAT instance and right click and select “Change Source / Dest Check”















Click Yes, Disable




























From the VPC console click on subnets then select the private subnet.   Note the route table it is using, in this case rtb-7565761e



















Click on Route Tables and select the route table associated with the private subnet.


















Remove the route to the current NAT, click Remove













Click Yes, Delete


















Enter 0.0.0.0/0 for the Destination and select the micro-NAT instance as the target and click Add.













Click Yes, Create






Test the New Micro NAT


SSH into another instance on the public subnet,  in my case I have a machine running with an Elastic IP at 107.23.142.4 this instance has a keypair in my home directory


              >   ssh -i .ec2/pats-keypair.pem ubuntu@107.23.142.4


SSH into an instance in the private network. I have an instance running in my private network at 10.0.1.30


              >   ssh -i pats-keypair.pem ubuntu@10.0.1.30


Ping google.com from the private network


              >   ping google.com


And it works.   As good measure stop the old NAT instance.






























From the EC2 console select the old NAT and right click and select Stop


Confirm that the old small instance NAT is down then try and ping again from inside the private network and/or use apt-get or wget as a test.


References
[1]  Amazon VPC now supports Micro Instance
       Visited 11/2012

6 comments:

  1. why don't you stop the original SMALL NAT instance and change it to MICRO, then start it back up?

    ReplyDelete
    Replies
    1. This. Takes five seconds.

      Delete
    2. That is a good point, I created my own micro NAT to also server as an openVPN server and I wanted it to run on Ubuntu (my prefered flavor of Linux). I did not cover setting those up in the blog post, but that was my reasoning for creating my own NAT.

      Delete
  2. Just a note that if you use Dedicated Instances, this is not an option. Micro instances cannot run as Dedicated Instances.

    ReplyDelete
  3. Sounds like this is not advisable: http://stackoverflow.com/questions/23366039/amazon-vpc-ami-vpc-nat-throughput-of-micro-instance

    ReplyDelete
    Replies
    1. This truly depends on your needs. Instead of a T1.micro I would use a T2.micro which should alleviate the issues brought up at stackoverflow. But that is still just for a small system that has very low traffic for the VPN. If you have more needs its easy enough to switch to a more consistent server.

      Delete