{"id":20697435,"url":"https://github.com/epomatti/aws-nat-instance","last_synced_at":"2026-04-13T05:43:45.158Z","repository":{"id":180699661,"uuid":"665516454","full_name":"epomatti/aws-nat-instance","owner":"epomatti","description":"NAT instance architecture","archived":false,"fork":false,"pushed_at":"2025-12-23T22:48:39.000Z","size":215,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-12-25T17:10:09.197Z","etag":null,"topics":["aws","aws-bpa","aws-security","block-public-access","debian","ec2","iptables","lambda","linux","nat","nat-gateway","nat-instance","terraform","ubuntu","vpc","vpc-endpoints"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/epomatti.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-07-12T11:29:44.000Z","updated_at":"2025-12-23T22:48:42.000Z","dependencies_parsed_at":"2024-11-17T00:20:44.876Z","dependency_job_id":"d656464a-627f-4316-af58-de99f0a5f98f","html_url":"https://github.com/epomatti/aws-nat-instance","commit_stats":null,"previous_names":["epomatti/aws-nat-instance"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/epomatti/aws-nat-instance","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faws-nat-instance","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faws-nat-instanc
e/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faws-nat-instance/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faws-nat-instance/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/epomatti","download_url":"https://codeload.github.com/epomatti/aws-nat-instance/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faws-nat-instance/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31741541,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-13T05:13:27.074Z","status":"ssl_error","status_checked_at":"2026-04-13T05:13:25.150Z","response_time":93,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-bpa","aws-security","block-public-access","debian","ec2","iptables","lambda","linux","nat","nat-gateway","nat-instance","terraform","ubuntu","vpc","vpc-endpoints"],"created_at":"2024-11-17T00:18:04.635Z","updated_at":"2026-04-13T05:43:45.135Z","avatar_url":"https://github.com/epomatti.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS NAT Instance\n\nDebian NAT instance running on AWS.\n\n\u003cimg src=\".assets/aws-nat2.png\" /\u003e\n\nCopy the variables 
template:\n\n```sh\ncp config/template.tfvars .auto.tfvars\n```\n\n(Optional) Key for the VNS3 NATe:\n\n```sh\nmkdir keys \u0026\u0026 ssh-keygen -f keys/vns3\n```\n\nApply your infrastructure:\n\n```sh\nterraform init\nterraform apply\n```\n\nAfter creating the resources, confirm that the NAT instance has been set up correctly:\n\n```sh\ncloud-init status\n\nip link show\nsysctl -ar ip_forward\ncat /proc/sys/net/ipv4/ip_forward\n```\n\nOnce the NAT instance is functional, set `create_private_server = true` and apply again.\n\nTo test it, connect to the private server using Session Manager.\n\nIf you wish to enable VPC endpoints, set the variable:\n\n```terraform\ncreate_vpc_endpoints = true\n```\n\nTo use another distribution like Ubuntu, change the variables:\n\n```terraform\n# NAT instance\ninstance_type = \"t4g.micro\"\nuserdata      = \"ubuntu.sh\"\nami           = \"ami-05983a09f7dc1c18f\"\n```\n\nUseful articles [here][1] and [here][2].\n\n## VPC Block Public Access\n\nFor extra security controls, configure the VPC section of parameters:\n\n\u003e [!IMPORTANT]\n\u003e This feature only fully integrates with NAT Gateway, such as for `allow-egress`. 
When using NAT instances, `allow-bidirectional` is required.\n\n```terraform\napply_vpc_bpa                                      = false\ncreate_nat_subnet_exclusion                        = true\ncreate_private_subnet_exclusion                    = true\nvpc_internet_gateway_block_mode                    = \"block-bidirectional\" # \"block-bidirectional\", \"block-ingress\", \"off\"\nvpc_nat_subnet_internet_gateway_exclusion_mode     = \"allow-bidirectional\" # \"allow-bidirectional\", \"allow-egress\"\nvpc_private_subnet_internet_gateway_exclusion_mode = \"allow-bidirectional\" # \"allow-bidirectional\", \"allow-egress\"\n```\n\n## SSM\n\n```sh\n# Read a single parameter (get-parameter returns a single \"Parameter\" object)\naws ssm get-parameter --name usg_bucket --query Parameter.Value --output text\n\n# Read several parameters at once (get-parameters returns a \"Parameters\" list)\naws ssm get-parameters --names usg_bucket region --query \"Parameters[*].Value\" --output text\n```\n\n## Ubuntu Pro USG\n\nWhen applying Ubuntu Pro hardening with USG, additional configuration is required. The CIS benchmark rules will constrain the NAT instance capabilities.\n\nTo set up the environment, first configure the required variables.\n\nFind the [latest](https://documentation.ubuntu.com/aws/en/latest/aws-how-to/instances/find-ubuntu-images/) Ubuntu Pro AMI:\n\n\u003e [!TIP]\n\u003e Currently there might be [issues](https://discourse.ubuntu.com/t/cis-compliance-with-usg-for-ubuntu-24-04-lts) with 24.04 LTS.\n\n```sh\n# Ubuntu Pro Server 24.04 (Noble) LTS Arm64\naws ssm get-parameters --region us-east-2 \\\n   --names '/aws/service/canonical/ubuntu/pro-server/noble/stable/current/arm64/hvm/ebs-gp3/ami-id'\n\n# Or use the Minimal release\n# Was available only for Jammy and EBS GP2\naws ssm get-parameters --region us-east-2 \\\n   --names '/aws/service/canonical/ubuntu/pro-minimal/jammy/stable/current/arm64/hvm/ebs-gp2/ami-id'\n\n# To search by path\naws ssm get-parameters-by-path --region us-east-2 --path '/aws/service/canonical/ubuntu/pro-minimal/' --recursive --output text\n```\n\nSet the variable 
values:\n\n```terraform\nami      = \"ami-0ffa1a4298cabeb40\"\nuserdata = \"ubuntu-pro.sh\"\n```\n\nDeploy the resources:\n\n```sh\nterraform init\nterraform apply -auto-approve\n```\n\nIf you're running a minimal instance, check that the installed package count is below 500:\n\n```sh\ndpkg -l | wc -l\n```\n\nThe USG [installation](https://ubuntu.com/security/certifications/docs/disa-stig/installation) steps are already implemented via cloud-init.\n\nConnect to the instance and confirm USG is enabled:\n\n```sh\npro status --all\n```\n\nGenerate the tailoring file:\n\n\u003e [!TIP]\n\u003e An example file is available in the `examples/` directory.\n\n```sh\n# Select depending on your requirements\nsudo usg generate-tailoring cis_level1_server tailor.xml\nsudo usg generate-tailoring cis_level2_server tailor.xml\n```\n\nThe following rules must be disabled with `selected=\"false\"` to keep NAT operational:\n\n```xml\n\u003c!--3.3.1: Ensure ip forwarding is disabled (Automated)--\u003e\n\u003cselect idref=\"xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward\" selected=\"false\"/\u003e\n\u003cselect idref=\"xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding\" selected=\"false\"/\u003e\n\n\u003c!--4.2.2: Ensure iptables-persistent is not installed with ufw (Automated)--\u003e\n\u003cselect idref=\"xccdf_org.ssgproject.content_rule_package_iptables-persistent_removed\" selected=\"false\"/\u003e\n\n\u003c!--3.3.8: Ensure source routed packets are not accepted (Automated)--\u003e\n\u003cselect idref=\"xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route\" selected=\"false\"/\u003e\n```\n\nYou may wish to disable AIDE to speed up the tests:\n\n```xml\n\u003c!--6.3.1: Ensure AIDE is installed (Automated)--\u003e\n\u003cselect idref=\"xccdf_org.ssgproject.content_rule_aide_build_database\" selected=\"false\"/\u003e\n\u003cselect idref=\"xccdf_org.ssgproject.content_rule_package_aide_installed\" 
selected=\"false\"/\u003e\n\u003c!--6.3.2: Ensure filesystem integrity is regularly checked (Automated)--\u003e\n\u003cselect idref=\"xccdf_org.ssgproject.content_rule_aide_periodic_checking_systemd_timer\" selected=\"false\"/\u003e\n```\n\nApply the fix with the tailored configuration:\n\n```sh\nsudo usg fix --tailoring-file tailor.xml\n```\n\nDouble check the configuration:\n\n```sh\n# IP Forwarding should be enabled\nsysctl -ar ip_forward\ncat /proc/sys/net/ipv4/ip_forward\n\n# Source routing\nsysctl -a | grep source_route | grep ipv4\nsysctl -a | grep source_route | grep ipv6\n\n# UFW should be enabled\nsystemctl ufw status\n```\n\nAdditional reference documentation:\n\n- [What is masquerade in the context of iptables](https://askubuntu.com/questions/466445/what-is-masquerade-in-the-context-of-iptables)\n- [Disable source routing](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing)\n\n## Lambda VPC\n\n- Lambda IAM permissions\n- Security Group with appropriate port egress rules (e.g.: 80, 443, 5432)\n- Two subnets (recommended)\n- Route tables\n- NAT\n\nTo test Lambda VNET integration:\n\n```sh\nsam build\nsam local invoke HelloWorldFunction\n```\n\nUpdate the function code:\n\n```sh\nmake update-function-code\n```\n\nInvoke remotely:\n\n```sh\nsam remote invoke corp\n```\n\nFor automation, use the [update-function-configuration][awscli-update-function-configuration] operation:\n\n```sh\naws lambda update-function-configuration \\\n    --function-name corp \\\n    --role \"arn:aws:iam::0000000000:role/corp-lambda-role\" \\\n    --vpc-config '{\"SubnetIds\": [\"subnet-xxxxxxxxxxxxxxxxx\", \"subnet-yyyyyyyyyyyyyyyyy\"], \"SecurityGroupIds\": [\"sg-zzzzzzzzzzzzzzzzz\"]}'\n```\n\n## VNS3\n\nAnother option is to use Cohesive Networks VNS3 NATe:\n\n\u003e [!TIP]\n\u003e Always check for an updated AMI\n\nSet the 
variable flag:\n\n```terraform\ncreate_cohesive_nat = true\n```\n\nReference documentation for VNS3:\n\n- [VNS3 NATe](https://docs.cohesive.net/docs/nate/)\n- [AWS Marketplace VNS3 AMI](https://aws.amazon.com/marketplace/pp/prodview-beu27g23xt4ok)\n- [Getting Started](https://docs.cohesive.net/tutorials/getting-started/)\n- [Running in AWS](https://docs.cohesive.net/docs/cloud-setup/aws/)\n- [AWS Specific Features](https://docs.cohesive.net/docs/vns3/aws-features/)\n\n[1]: https://linuxhint.com/configure-nat-on-ubuntu/\n[2]: https://linuxconfig.org/how-to-make-iptables-rules-persistent-after-reboot-on-linux\n[awscli-update-function-configuration]: https://docs.aws.amazon.com/cli/latest/reference/lambda/update-function-configuration.html\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fepomatti%2Faws-nat-instance","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fepomatti%2Faws-nat-instance","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fepomatti%2Faws-nat-instance/lists"}