The VPC wizard has an option to create a public subnet and a private subnet. It creates a NAT instance to handle internet traffic for the private network. The tool does not have the option to make this instance a micro instance. Until recently you could not have a micro instance on a VPC at all [1] (http://aws.amazon.com/about-aws/whats-new/2012/10/18/Amazon-VPC-now-Supports-Micro-Instances/). I think it's possible to use a micro instance as a NAT; you just have to do some manual steps to implement it.
This guide assumes you already have a VPC set up with a public and private subnet and a running NAT.
Instantiate the micro NAT
From the EC2 console, select AMIs.
From the pull-down menu select “Amazon Images”.
Enter “nat” in the text field and press Enter.
The available Amazon-provided NAT AMIs are listed.
Select the 1.1 beta 64-bit image, right click and select Launch Instance.
Select T1.micro as the instance type.
Select VPC and then select the public subnet (in my case 10.0.0.0/24).
Click Continue.
I prefer to give it a static internal IP address. I assigned 10.0.0.25 to it and clicked Continue.
Click Continue
Give it the name micro-NAT and click Continue.
Select the keypair to use and click Continue.
Select the security groups you want this NAT to be a part of. I selected ones that gave it port 22 and access to other machines that share the same group. Click Continue.
Click Launch
From the VPC console select Elastic IPs and click on Allocate New Addresses
Select VPC and click Yes, Allocate
Click on Associate Address.
Select the Micro-NAT and click Yes, Associate
SSH in to test that it is up:
> ssh -i .ec2/pats-keypair.pem ec2-user@107.23.145.253
That worked.
Change Source/Dest Check
From the EC2 console select the micro-NAT instance and right click and select “Change Source / Dest Check”
Click Yes, Disable
From the VPC console click on Subnets, then select the private subnet. Note the route table it is using, in this case rtb-7565761e.
Click on Route Tables and select the route table associated with the private subnet.
Remove the route to the current NAT, click Remove
Click Yes, Delete
Enter 0.0.0.0/0 for the Destination and select the micro-NAT instance as the target and click Add.
Click Yes, Create
Test the New Micro NAT
SSH into another instance on the public subnet. In my case I have a machine running with an Elastic IP at 107.23.142.4; this instance has a keypair in my home directory.
> ssh -i .ec2/pats-keypair.pem ubuntu@107.23.142.4
SSH into an instance in the private network. I have an instance running in my private network at 10.0.1.30.
> ssh -i pats-keypair.pem ubuntu@10.0.1.30
Ping google.com from the private network:
> ping google.com
And it works. For good measure, stop the old NAT instance.
From the EC2 console select the old NAT, right click and select Stop.
Confirm that the old small instance NAT is down, then try to ping again from inside the private network and/or use apt-get or wget as a test.
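Before stopping the old NAT it is worth confirming that the micro NAT is wired the way the steps above describe, because a forgotten source/dest check or a default route still pointing at the old instance fails silently once the old NAT is gone. The following is an added example, not code from the original post: it checks data in the shape returned by `aws ec2 describe-instances` and `aws ec2 describe-route-tables` (here a constructed sample whose subnet and instance ids are placeholders; rtb-7565761e and 10.0.0.25 come from the post), and `apply_cutover` models the two console changes, disabling the source/dest check and replacing the 0.0.0.0/0 route.

```python
# Added example (not from the post): sanity-check a NAT cutover on data shaped
# like `aws ec2 describe-instances` / `describe-route-tables` output.
# Subnet and instance ids are placeholders; rtb-7565761e and 10.0.0.25 are from the post.
PRIVATE_SUBNET, PUBLIC_SUBNET = "subnet-private-placeholder", "subnet-public-placeholder"
OLD_NAT, MICRO_NAT = "i-oldnat-placeholder", "i-micronat-placeholder"

INSTANCES = [  # constructed sample; public IPs are RFC 5737 documentation addresses
    {"InstanceId": OLD_NAT, "SubnetId": PUBLIC_SUBNET, "SourceDestCheck": False,
     "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": MICRO_NAT, "SubnetId": PUBLIC_SUBNET, "SourceDestCheck": True,
     "PrivateIpAddress": "10.0.0.25", "PublicIpAddress": "203.0.113.11"},
]
ROUTE_TABLES = [{"RouteTableId": "rtb-7565761e",
                 "Associations": [{"SubnetId": PRIVATE_SUBNET}],
                 "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": OLD_NAT}]}]


def route_table_for(route_tables, subnet_id):
    """Route table explicitly associated with subnet_id, or None."""
    for table in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in table.get("Associations", [])):
            return table
    return None


def nat_findings(instances, route_tables, nat_id, private_subnet, public_subnet):
    """Everything that would stop nat_id from forwarding traffic for private_subnet."""
    problems = []
    nat = next(i for i in instances if i["InstanceId"] == nat_id)
    if nat.get("SourceDestCheck", True):   # EC2 default is True; a NAT must have it off
        problems.append("source/dest check enabled: forwarded packets are dropped")
    if nat.get("SubnetId") != public_subnet:
        problems.append("NAT is not in the public subnet")
    if not nat.get("PublicIpAddress"):
        problems.append("NAT has no public (Elastic) IP")
    table = route_table_for(route_tables, private_subnet)
    if table is None:
        return problems + ["private subnet has no explicit route table association"]
    default = next((r for r in table["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
    if default is None:
        problems.append(f"{table['RouteTableId']} has no 0.0.0.0/0 route")
    elif default.get("InstanceId") != nat_id:
        problems.append(f"{table['RouteTableId']} default route targets {default.get('InstanceId')}, not {nat_id}")
    return problems


def apply_cutover(instances, route_tables, nat_id, private_subnet):
    """Model the two console changes: disable source/dest check, repoint 0.0.0.0/0 at nat_id."""
    next(i for i in instances if i["InstanceId"] == nat_id)["SourceDestCheck"] = False
    table = route_table_for(route_tables, private_subnet)
    table["Routes"] = [r for r in table["Routes"] if r.get("DestinationCidrBlock") != "0.0.0.0/0"]
    table["Routes"].append({"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": nat_id})
```

Run `nat_findings` against the micro NAT before and after the cutover; an empty list means the private subnet's default route and the instance attribute agree, and only then is it safe to stop the old NAT.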
References
[1] Amazon VPC now supports Micro Instances, http://aws.amazon.com/about-aws/whats-new/2012/10/18/Amazon-VPC-now-Supports-Micro-Instances/ (visited 11/2012).
Comments
Why don't you stop the original SMALL NAT instance and change it to MICRO, then start it back up?
This. Takes five seconds.
That is a good point. I created my own micro NAT to also serve as an OpenVPN server and I wanted it to run on Ubuntu (my preferred flavor of Linux). I did not cover setting those up in the blog post, but that was my reasoning for creating my own NAT.
Just a note that if you use Dedicated Instances, this is not an option. Micro instances cannot run as Dedicated Instances.
Sounds like this is not advisable: http://stackoverflow.com/questions/23366039/amazon-vpc-ami-vpc-nat-throughput-of-micro-instance
This truly depends on your needs. Instead of a T1.micro I would use a T2.micro, which should alleviate the issues brought up at Stack Overflow. But that is still just for a small system that has very low traffic for the VPN. If you have more needs it's easy enough to switch to a more consistent server.