This CloudFormation template deploys a Lambda function and the EventBridge rules that trigger it. The Lambda automatically provisions a NAT Gateway when Elastio worker EC2 instances start, and de-provisions it once no worker instances are running anymore.
The Lambda provisions one NAT Gateway and one Elastic IP per VPC, and configures the route table of the subnet where the Elastio worker instances run so that internet-bound (0.0.0.0/0) traffic goes through the NAT Gateway. Note that the default quota is 5 Elastic IP addresses per AWS region; at least one address must be free in the region when the Lambda deploys the NAT Gateway, or the allocation fails.
The Lambda only provisions a NAT Gateway if all of the following hold: the Elastio workers run in a private subnet, there is at least one public subnet in the same availability zone of the same VPC (the NAT Gateway is placed there), and the route table of the private subnet has no 0.0.0.0/0 route configured. If the private subnet already has a default route, the Lambda leaves it untouched.
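The conditions above are easy to verify before deploying the stack. The following pre-flight check is an added example, not the project's own code: it takes subnet and route-table descriptions in the shape returned by the EC2 `describe_subnets` / `describe_route_tables` APIs (the sample data below is constructed inline, not fetched) and reports whether the Lambda would be able to act on a given worker subnet, including the Elastic IP quota caveat. Subnet, VPC and gateway identifiers in the sample are made up.

```python
"""Pre-flight check for the NAT provision Lambda's documented conditions.

Added example (not the project's code). Input dicts mirror the shape of
boto3's ec2.describe_subnets()["Subnets"] and
ec2.describe_route_tables()["RouteTables"]; to run against a real account,
replace SAMPLE_* with those calls and eips_in_use with
len(ec2.describe_addresses()["Addresses"]).
"""

DEFAULT_EIP_QUOTA = 5  # AWS default Elastic IP quota per region


def route_table_for_subnet(route_tables, subnet):
    """Explicitly associated route table, else the VPC's main route table."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != subnet["VpcId"]:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route(rt):
    """The 0.0.0.0/0 route of a route table, or None if there is none."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def is_public(rt):
    """A subnet is public when its default route targets an internet gateway."""
    route = default_route(rt)
    return bool(route and route.get("GatewayId", "").startswith("igw-"))


def check_worker_subnet(subnets, route_tables, worker_subnet_id, eips_in_use,
                        eip_quota=DEFAULT_EIP_QUOTA):
    """Return (ok, reasons). ok is True only if every documented condition holds."""
    reasons = []
    by_id = {s["SubnetId"]: s for s in subnets}
    worker = by_id.get(worker_subnet_id)
    if worker is None:
        return False, [f"subnet {worker_subnet_id} not found"]
    rt = route_table_for_subnet(route_tables, worker)
    if rt is None:
        return False, [f"no route table resolved for {worker_subnet_id}"]

    # Condition 1: workers must be in a private subnet with no 0.0.0.0/0 route.
    if is_public(rt):
        reasons.append("worker subnet is public (default route via IGW); no NAT needed")
    elif default_route(rt) is not None:
        reasons.append("worker subnet already has a 0.0.0.0/0 route; it will not be replaced")

    # Condition 2: a public subnet in the same VPC and AZ to host the NAT Gateway.
    has_public_peer = any(
        s["VpcId"] == worker["VpcId"]
        and s["AvailabilityZone"] == worker["AvailabilityZone"]
        and s["SubnetId"] != worker_subnet_id
        and is_public(route_table_for_subnet(route_tables, s) or {})
        for s in subnets
    )
    if not has_public_peer:
        reasons.append("no public subnet in the same VPC and availability zone")

    # Condition 3: an Elastic IP must still be allocatable in the region.
    if eips_in_use >= eip_quota:
        reasons.append(f"all {eip_quota} Elastic IPs in the region are in use")
    return not reasons, reasons


# Constructed sample: one VPC with a public subnet and a private subnet in
# us-east-2a, plus a private subnet in us-east-2b that already has a default
# route through a virtual private gateway and no public subnet in its AZ.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-public-a", "VpcId": "vpc-1", "AvailabilityZone": "us-east-2a"},
    {"SubnetId": "subnet-private-a", "VpcId": "vpc-1", "AvailabilityZone": "us-east-2a"},
    {"SubnetId": "subnet-private-b", "VpcId": "vpc-1", "AvailabilityZone": "us-east-2b"},
]
SAMPLE_ROUTE_TABLES = [
    {"VpcId": "vpc-1", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"VpcId": "vpc-1", "Associations": [{"SubnetId": "subnet-public-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"VpcId": "vpc-1", "Associations": [{"SubnetId": "subnet-private-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vgw-0def"}]},
]

if __name__ == "__main__":
    for sid in ("subnet-private-a", "subnet-private-b", "subnet-public-a"):
        ok, why = check_worker_subnet(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES, sid, eips_in_use=2)
        print(sid, "OK" if ok else "SKIP", why)
```

In the sample, only `subnet-private-a` qualifies: it falls back to the VPC main route table (no default route) and shares its AZ with a subnet whose default route points at an internet gateway. `subnet-private-b` is rejected twice, for its existing 0.0.0.0/0 route and for the missing public subnet in its AZ, which is exactly the situation where the Lambda stays silent and workers end up without egress.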
- Use one of the following quick-create links. Choose the region where your Elastio Cloud Connector is deployed.
- Check the box in front of "I acknowledge that AWS CloudFormation might create IAM resources" and click "Create stack".
If you'd like to automate the deployment of the NAT Gateway Provision Lambda CloudFormation stack, you can attach the example IAM role and policies to the IAM identity used by your deployer process, instead of deploying with broader credentials. The example is available at deployer/main.tf.
To update an existing CFN stack, use the CloudFormation console or the AWS CLI and pass the following template URL to replace the existing template:
https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v5/cloudformation-lambda.yaml
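The same update from the AWS CLI, as an added example rather than a script shipped with the project. It assumes the stack was created from the quick-create link above and therefore still needs the `CAPABILITY_IAM` acknowledgement; the stack name and region are placeholders you supply. `AWS_CMD` is an assumed override hook (set it to `echo` to dry-run the invocation).

```sh
# Added example: roll an existing NAT Gateway Provision Lambda stack to the v5 template.
# Assumes the stack needs CAPABILITY_IAM (it creates IAM resources) and lives in the
# region where the Elastio Cloud Connector is deployed.
set -eu

TEMPLATE_URL="https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v5/cloudformation-lambda.yaml"

# update_nat_lambda_stack <stack-name> <region>
update_nat_lambda_stack() {
    stack_name="$1"
    region="$2"
    "${AWS_CMD:-aws}" cloudformation update-stack \
        --region "$region" \
        --stack-name "$stack_name" \
        --template-url "$TEMPLATE_URL" \
        --capabilities CAPABILITY_IAM
}

# wait_for_update <stack-name> <region>: block until the update finishes (or fails).
wait_for_update() {
    "${AWS_CMD:-aws}" cloudformation wait stack-update-complete \
        --region "$2" --stack-name "$1"
}
```

If the stack was created with non-default parameter values, append `--parameters ParameterKey=<Name>,UsePreviousValue=true` for each parameter to `update-stack`, otherwise CloudFormation rejects the update for missing parameters. Run `update_nat_lambda_stack` followed by `wait_for_update` with the same arguments; a non-zero exit from the wait means the update rolled back, and the stack events in the console show which resource failed.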
For anyone contributing to the code of the NAT Gateway Provision Lambda: test your changes against the deployer IAM role, so that any new resource or permission the stack needs is also reflected in the role and it stays the minimum a deployer requires. Create the deployer IAM role and run the script deployer/test/test.sh to verify that the role is capable of deploying the stack:
```sh
cd deployer
terraform init
terraform apply -auto-approve
cd test
terraform init
./test.sh
```