Category Archives: AWS

AWS CloudFormer VPC NAT Instance gotcha

I’ve been working pretty heavily w/ CloudFormation and AWS lately, automating the spin-up of large environments using CloudFormation and Puppet. More on that later, but wanted to note a little gotcha w/ CloudFormer.

CloudFormer is a BETA AWS appliance that presents a GUI and allows the user to select items in their account to be turned into a CFN template. It has a bit of intelligence where if you select an EC2 instance to be included in the JSON template output, it will auto-select the related Security Groups, and so on.

HOWEVER!!! As of this writing CloudFormer does not pick up on the SourceDestCheck true/false value that has to be turned off for NAT instances to do NAT. Per the AWS documentation at http://docs.aws.amazon.com/sdkfornet1/latest/apidocs/html/P_Amazon_EC2_Model_ModifyNetworkInterfaceAttributeRequest_SourceDestCheck.htm and http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck the SourceDestCheck must be set to false for NAT to work. If you’re not familiar w/ this already you can spend days trying to figure out what’s wrong with NACLs, routes, SGs, etc. You can set this check yourself in the CloudFormer JSON template as shown here:

    "NATInstance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "DisableApiTermination": "FALSE",
        "ImageId": { "Fn::FindInMap" : [ "natmap", { "Ref" : "AWS::Region" }, "64"]},
        "InstanceType": {"Ref": "NATinstanceSize"},
        "KeyName": { "Ref" : "KeyName" },
        "SourceDestCheck" : "false",

Hope this helps!