NatInstanceProviderV2

class aws_cdk.aws_ec2.NatInstanceProviderV2(*, instance_type, credit_specification=None, default_allowed_traffic=None, key_name=None, key_pair=None, machine_image=None, security_group=None, user_data=None)

Bases: NatProvider

Modern NAT provider which uses NAT Instances.

The instance uses Amazon Linux 2023 as the operating system.

ExampleMetadata:

infused

Example:

nat_gateway_provider = ec2.NatProvider.instance_v2(
    instance_type=ec2.InstanceType("t3.small"),
    default_allowed_traffic=ec2.NatTrafficDirection.NONE
)
vpc = ec2.Vpc(self, "Vpc", nat_gateway_provider=nat_gateway_provider)

security_group = ec2.SecurityGroup(self, "SecurityGroup",
    vpc=vpc,
    allow_all_outbound=False
)
security_group.add_egress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(443))
for gateway_instance in nat_gateway_provider.gateway_instances:
    gateway_instance.add_security_group(security_group)
Parameters:
  • instance_type (InstanceType) – Instance type of the NAT instance.

  • credit_specification (Optional[CpuCredits]) – Specifying the CPU credit type for burstable EC2 instance types (T2, T3, T3a, etc). The unlimited CPU credit option is not supported for T3 instances with dedicated host (host) tenancy. Default: - T2 instances are standard, while T3, T4g, and T3a instances are unlimited.

  • default_allowed_traffic (Optional[NatTrafficDirection]) – Direction to allow all traffic through the NAT instance by default. By default, inbound and outbound traffic is allowed. If you set this to another value than INBOUND_AND_OUTBOUND, you must configure the NAT instance’s security groups in another way, either by passing in a fully configured Security Group using the securityGroup property, or by configuring it using the .securityGroup or .connections members after passing the NAT Instance Provider to a Vpc. Default: NatTrafficDirection.INBOUND_AND_OUTBOUND

  • key_name (Optional[str]) – (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.

  • key_pair (Optional[IKeyPair]) – The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.

  • machine_image (Optional[IMachineImage]) – The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a GenericLinuxImage. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType(‘t3.micro’), machineImage: new ec2.GenericLinuxImage({ ‘us-east-2’: ‘ami-0f9c61b5a562a16af’ }) }) Default: - Latest NAT instance image

  • security_group (Optional[ISecurityGroup]) – (deprecated) Security Group for NAT instances. Default: - A new security group will be created

  • user_data (Optional[UserData]) – Custom user data to run on the NAT instances. Default: UserData.forLinux().addCommands(…NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances

Methods

configure_nat(*, nat_subnets, private_subnets, vpc)

Called by the VPC to configure NAT.

Don’t call this directly, the VPC will call it automatically.

Parameters:
  • nat_subnets (Sequence[PublicSubnet]) – The public subnets where the NAT providers need to be placed.

  • private_subnets (Sequence[PrivateSubnet]) – The private subnets that need to route through the NAT providers. There may be more private subnets than public subnets with NAT providers.

  • vpc (Vpc) – The VPC we’re configuring NAT for.

Return type:

None

configure_subnet(subnet)

Configures subnet with the gateway.

Don’t call this directly, the VPC will call it automatically.

Parameters:

subnet (PrivateSubnet) –

Return type:

None

Attributes

DEFAULT_USER_DATA_COMMANDS = ['yum install iptables-services -y', 'systemctl enable iptables', 'systemctl start iptables', 'echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/custom-ip-forwarding.conf', 'sudo sysctl -p /etc/sysctl.d/custom-ip-forwarding.conf', "sudo /sbin/iptables -t nat -A POSTROUTING -o $(route | awk '/^default/{print $NF}') -j MASQUERADE", 'sudo /sbin/iptables -F FORWARD', 'sudo service iptables save']
configured_gateways

Return list of gateways spawned by the provider.

connections

Manage the Security Groups associated with the NAT instances.

gateway_instances

Array of gateway instances spawned by the provider after internal configuration.

security_group

The Security Group associated with the NAT instances.

Static Methods

classmethod gateway(*, eip_allocation_ids=None)

Use NAT Gateways to provide NAT services for your VPC.

NAT gateways are managed by AWS.

Parameters:

eip_allocation_ids (Optional[Sequence[str]]) – EIP allocation IDs for the NAT gateways. Default: - No fixed EIPs allocated for the NAT gateways

See:

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html

Return type:

NatProvider

classmethod instance(*, instance_type, credit_specification=None, default_allowed_traffic=None, key_name=None, key_pair=None, machine_image=None, security_group=None, user_data=None)

(deprecated) Use NAT instances to provide NAT services for your VPC.

NAT instances are managed by you, but in return allow more configuration.

Be aware that instances created using this provider will not be automatically replaced if they are stopped for any reason. You should implement your own NatProvider based on AutoScaling groups if you need that.

Parameters:
  • instance_type (InstanceType) – Instance type of the NAT instance.

  • credit_specification (Optional[CpuCredits]) – Specifying the CPU credit type for burstable EC2 instance types (T2, T3, T3a, etc). The unlimited CPU credit option is not supported for T3 instances with dedicated host (host) tenancy. Default: - T2 instances are standard, while T3, T4g, and T3a instances are unlimited.

  • default_allowed_traffic (Optional[NatTrafficDirection]) – Direction to allow all traffic through the NAT instance by default. By default, inbound and outbound traffic is allowed. If you set this to another value than INBOUND_AND_OUTBOUND, you must configure the NAT instance’s security groups in another way, either by passing in a fully configured Security Group using the securityGroup property, or by configuring it using the .securityGroup or .connections members after passing the NAT Instance Provider to a Vpc. Default: NatTrafficDirection.INBOUND_AND_OUTBOUND

  • key_name (Optional[str]) – (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.

  • key_pair (Optional[IKeyPair]) – The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.

  • machine_image (Optional[IMachineImage]) – The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a GenericLinuxImage. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType(‘t3.micro’), machineImage: new ec2.GenericLinuxImage({ ‘us-east-2’: ‘ami-0f9c61b5a562a16af’ }) }) Default: - Latest NAT instance image

  • security_group (Optional[ISecurityGroup]) – (deprecated) Security Group for NAT instances. Default: - A new security group will be created

  • user_data (Optional[UserData]) – Custom user data to run on the NAT instances. Default: UserData.forLinux().addCommands(…NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances

Deprecated:

Return type:

NatInstanceProvider

use instanceV2. ‘instance’ is deprecated since NatInstanceProvider uses a instance image that has reached EOL on Dec 31 2023

See:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html

Stability:

deprecated

classmethod instance_v2(*, instance_type, credit_specification=None, default_allowed_traffic=None, key_name=None, key_pair=None, machine_image=None, security_group=None, user_data=None)

Use NAT instances to provide NAT services for your VPC.

NAT instances are managed by you, but in return allow more configuration.

Be aware that instances created using this provider will not be automatically replaced if they are stopped for any reason. You should implement your own NatProvider based on AutoScaling groups if you need that.

Parameters:
  • instance_type (InstanceType) – Instance type of the NAT instance.

  • credit_specification (Optional[CpuCredits]) – Specifying the CPU credit type for burstable EC2 instance types (T2, T3, T3a, etc). The unlimited CPU credit option is not supported for T3 instances with dedicated host (host) tenancy. Default: - T2 instances are standard, while T3, T4g, and T3a instances are unlimited.

  • default_allowed_traffic (Optional[NatTrafficDirection]) – Direction to allow all traffic through the NAT instance by default. By default, inbound and outbound traffic is allowed. If you set this to another value than INBOUND_AND_OUTBOUND, you must configure the NAT instance’s security groups in another way, either by passing in a fully configured Security Group using the securityGroup property, or by configuring it using the .securityGroup or .connections members after passing the NAT Instance Provider to a Vpc. Default: NatTrafficDirection.INBOUND_AND_OUTBOUND

  • key_name (Optional[str]) – (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.

  • key_pair (Optional[IKeyPair]) – The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.

  • machine_image (Optional[IMachineImage]) – The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a GenericLinuxImage. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType(‘t3.micro’), machineImage: new ec2.GenericLinuxImage({ ‘us-east-2’: ‘ami-0f9c61b5a562a16af’ }) }) Default: - Latest NAT instance image

  • security_group (Optional[ISecurityGroup]) – (deprecated) Security Group for NAT instances. Default: - A new security group will be created

  • user_data (Optional[UserData]) – Custom user data to run on the NAT instances. Default: UserData.forLinux().addCommands(…NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances

See:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html

Return type:

NatInstanceProviderV2