An AWS CDK library providing NAT instances that are each placed in their own auto scaling group to improve fault tolerance and availability.
Project description
CDK NAT ASG Provider
Use this AWS Cloud Development Kit (CDK) library to configure and deploy network address translation (NAT) instances individually within their own auto scaling group (ASG) to improve reliability and availability.
Works with AWS CDK v2.
Problem
Although the NAT gateways offered by AWS have high availability, high bandwidth scalability, and minimal administration needs, they can be too expensive for small scale applications. A cheaper alternative, one that AWS mentions in its documentation but does not recommend, is to configure and manage your own NAT instances. One way of doing this is with the CDK using NatInstanceProvider
.
import { aws_ec2 as ec2 } from 'aws-cdk-lib';
// Factory method constructs and configures a `NatInstanceProvider` object
const provider = ec2.NatProvider.instance({
instanceType: new ec2.InstanceType('t2.micro'),
});
const vpc = new ec2.Vpc(this, 'Vpc', {
natGatewayProvider: provider,
});
A major downside of this approach is that the created NAT instances will not be automatically replaced if they are stopped for whatever reason.
Solution
To provide better fault tolerance and availability, I implemented a NAT provider called NatAsgProvider
that places each created NAT instance in its own ASG.
import { aws_ec2 as ec2 } from 'aws-cdk-lib';
import { NatAsgProvider } from 'cdk-nat-asg-provider';
const provider = new NatAsgProvider({});
const vpc = new ec2.Vpc(this, 'Vpc', {
natGatewayProvider: provider,
});
Like NatInstanceProvider
, NatAsgProvider
extends NatProvider
.
How it works
The number of NAT instances to create and the placement of those NAT instances is dictated by the configuration of the relevant VPC
object using the following configuration properties provided to the VPC
constructor:
-
- Selects the subnets that will have NAT instances
- By default, all public subnets are selected
-
- The number of NAT instances to create
- By default, one NAT instance per AZ
At a high-level, this is how NatAsgProvider
achieves its purpose:
-
Enables NAT in the EC2 instances, which are running Amazon Linux 2
-
Places each NAT instance in its own ASG, configured by a launch template
-
Uses
cfn-signal
in conjunction with aCreationPolicy
andUpdatePolicy
to suspend work on the stack until the NAT instance signals successful creation or update, respectively, of its ASG -
Attaches an additional elastic network interface (ENI) to each NAT instance
- Each of these ENI is assigned an elastic IP (EIP) address
- Sets the default gateway to be the newly attached ENI
Installation
TypeScript (npm)
npm install cdk-nat-asg-provider
or
yarn install cdk-nat-asg-provider
Python (PyPI)
pip install cdk-nat-asg-provider
Usage
For general usage, check out the API documentation.
Example: Manual testing of NAT configuration
I implemented a test environment similar to the one described in the AWS VPC docs. It allows you to manually check whether instances in private subnets can access the internet through the NAT instances by using the NAT instances as bastion servers.
The implementation is in src/manual.integ.ts. It's worth taking a look if you're confused about how to configure Vpc
and NatAsgProvider
.
To deploy the manual integration test, execute the sh
script scripts/manual-integ-test
and use the deploy
command:
./scripts/manual-integ-test deploy <ACCOUNT> <AWS_REGION> <KEY_PAIR_NAME> [MAX_AZS]
MAX_AZS
is optional.
To destroy the manual integration test, execute the same script with same arguments using the destroy
command:
./scripts/manual-integ-test destroy <ACCOUNT> <AWS_REGION> <KEY_PAIR_NAME> [MAX_AZS]
Project configuration via projen
projen
synthesizes and maintains project configuration. Most of the configuration files, such as package.json
, .gitignore
, and those defining Github Actions workflows, are managed by projen
and are read-only. To add, remove, or modify configuration files, edit .projenrc.js
and then run npx projen
. Check out projen
's documentation website for more details.
Contributing
Feel free to open issues to report bugs or suggest features. Contributions via pull requests are much appreciated.
License
Released under the Apache 2.0 license.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file cdk-nat-asg-provider-0.0.5.tar.gz
.
File metadata
- Download URL: cdk-nat-asg-provider-0.0.5.tar.gz
- Upload date:
- Size: 50.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.11.3
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 4727c5071729784e7620a742cbaf3a785226764bbedb83f152878e7d75a216ab |
|
MD5 | 2ed8548bfad2327ac5ef0cebd4c100ea |
|
BLAKE2b-256 | 7d7961152e587ff2fd935a9e19d47da22b6efa3c575a8c1887716ac2fe1653cf |
File details
Details for the file cdk_nat_asg_provider-0.0.5-py3-none-any.whl
.
File metadata
- Download URL: cdk_nat_asg_provider-0.0.5-py3-none-any.whl
- Upload date:
- Size: 48.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.11.3
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 031d56bc63177219151867cf7185813afaf5786df36561feb18a752202a02d10 |
|
MD5 | b3ead280f6f50a8430db2a45aefa8f3b |
|
BLAKE2b-256 | b395be1f2f2f637d67db229c1706cffc921d120311c4d8aa52c6fec82d9ef48a |