Create a NAT instance in a VPC and route all traffic to it
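#!/usr/bin/env bash
# Create a NAT instance in an existing VPC and point the VPC's main route
# table at it. Requires the aws CLI and jq, with credentials that can create
# subnets, route tables, security groups and instances in $REGION.
#
# The IDs below belong to one specific account/VPC: change them, or override
# them from the environment (VPC=vpc-... ./script), before running this.

# Every resource ID below is pulled out of an 'aws ... | jq ...' pipeline and
# the pipeline's status is what the '|| fail' checks see. Without pipefail a
# failed aws call is masked by jq exiting 0 on empty input.
set -o pipefail

# configuration (environment overrides win; defaults are the original values)
VPC=${VPC:-vpc-24e97b4d}        # VPC to build the NAT subnet in
IGW=${IGW:-igw-9f59e9f6}        # internet gateway already attached to $VPC
MAINRT=${MAINRT:-rtb-ae92f4c7}  # main route table of $VPC; its 0.0.0.0/0 route is replaced
REGION=${REGION:-us-east-2}
SSHKEY=${SSHKEY:-jvehent-cloudservicesawsdev-us-east-2-20170513}  # EC2 key pair name for the NAT instance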
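# fail: best-effort teardown of whatever this run has created so far, then
# exit 1.
# Globals read: REGION, IID, SGID, RTID, SUBID. Each ID may be unset or empty
# when the step that would have produced it never ran.
#
# Teardown order matters: AWS refuses to delete a subnet or security group
# that still has a network interface attached, so the instance must reach
# the "terminated" state first (after terminate-instances it sits in
# "shutting-down" for a while, during which its ENI still pins both). Deleting
# the subnet also drops its route-table association, which is what lets the
# route table be deleted afterwards.
fail() {
  local state
  echo "configuration failed, tearing down setup" >&2
  if [ -n "${IID:-}" ]; then
    aws ec2 terminate-instances --region "$REGION" --instance-ids "$IID"
    # The original loop stopped as soon as the state was not "running", i.e.
    # immediately, and the subsequent deletes then failed on the still-attached
    # ENI. Wait for "terminated" instead; an empty/null answer is treated as
    # "already gone" so a vanished instance cannot wedge the loop.
    while true; do
      state=$(aws ec2 describe-instances \
        --region "$REGION" \
        --instance-ids "$IID" \
        | jq -r '.Reservations[0].Instances[0].State.Name')
      case "$state" in
        terminated|null|"") break ;;
      esac
      echo -n .
      sleep 5   # do not hammer the API while waiting
    done
    echo
  fi
  # NOTE: the original tested '-z' here, so a delete was attempted only when
  # the ID was EMPTY and every real failure leaked its resources. '-n' is
  # what was meant.
  [ -n "${SUBID:-}" ] && aws ec2 delete-subnet --region "$REGION" --subnet-id "$SUBID"
  [ -n "${RTID:-}" ] && aws ec2 delete-route-table --region "$REGION" --route-table-id "$RTID"
  [ -n "${SGID:-}" ] && aws ec2 delete-security-group --region "$REGION" --group-id "$SGID"
  exit 1
}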
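# ---------------------------------------------------------------------------
# Build-out. Every aws call is checked; on any failure fail() tears down what
# was created so far and exits non-zero.
# ---------------------------------------------------------------------------

# Tunables for this section. Environment overrides win; the defaults are the
# values the script originally hard-coded.
SSH_CIDR=${SSH_CIDR:-0.0.0.0/0}     # source range allowed to SSH to the NAT instance
NAT_CIDR=${NAT_CIDR:-10.0.1.0/24}   # CIDR of the public subnet the NAT lives in
VPC_CIDR=${VPC_CIDR:-10.0.0.0/16}   # internal range allowed to egress through the NAT
NAT_AMI=${NAT_AMI:-ami-6793b702}    # amzn-ami-vpc-nat image; AMI IDs are region-specific
POLL_SECS=${POLL_SECS:-5}           # pause between describe-instances polls

# require_id ID: abort (with teardown) unless ID is a non-empty, non-"null"
# value. The original put '|| fail' *inside* the $(...) substitution, so on a
# failed aws call fail() ran in the subshell: its 'exit 1' only left that
# subshell and the script carried on with fail's message captured as the
# resource ID.
require_id() {
  [ -n "$1" ] && [ "$1" != "null" ] || fail
}

echo "Creating a NAT subnet in the VPC"
SUBID=$(aws ec2 create-subnet \
  --region "$REGION" \
  --vpc-id "$VPC" \
  --cidr-block "$NAT_CIDR" \
  | jq -r '.Subnet.SubnetId') || fail
require_id "$SUBID"
echo "$SUBID"

echo "Creating outbound NAT route table"
RTID=$(aws ec2 create-route-table \
  --region "$REGION" \
  --vpc-id "$VPC" \
  | jq -r '.RouteTable.RouteTableId') || fail
require_id "$RTID"
echo "$RTID"

# The NAT subnet itself reaches the Internet directly through the IGW; the
# rest of the VPC is routed through the instance in the last step.
echo "Creating outbound NAT route through internet gateway"
aws ec2 create-route \
  --region "$REGION" \
  --route-table-id "$RTID" \
  --destination-cidr-block 0.0.0.0/0 \
  --gateway-id "$IGW" || fail

echo "Associating outbound NAT route table with NAT subnet"
aws ec2 associate-route-table \
  --region "$REGION" \
  --subnet-id "$SUBID" \
  --route-table-id "$RTID" || fail

echo "Creating the NATSG Security Group"
SGID=$(aws ec2 create-security-group \
  --region "$REGION" \
  --group-name outboundnat \
  --description "Filtering of egress traffic through NAT instance" \
  --vpc-id "$VPC" \
  | jq -r '.GroupId') || fail
require_id "$SGID"
echo "$SGID"

# SECURITY: with the default SSH_CIDR of 0.0.0.0/0, port 22 of the NAT
# instance (which gets a public IP below) is reachable from the entire
# Internet. Set SSH_CIDR to the bastion or office range that actually needs it.
if [ "$SSH_CIDR" = "0.0.0.0/0" ]; then
  echo "WARNING: SSH to the NAT instance is open to 0.0.0.0/0; set SSH_CIDR to restrict it" >&2
fi
aws ec2 authorize-security-group-ingress \
  --region "$REGION" \
  --group-id "$SGID" \
  --cidr "$SSH_CIDR" \
  --protocol tcp --port 22 || fail

# Internal hosts may only use the NAT for HTTP and HTTPS: anything else they
# send towards 0.0.0.0/0 is dropped at this group's ingress. The group's
# egress side is left at AWS's default for a new group (allow all), so the
# filtering here is ingress-only; tighten egress separately if the NAT itself
# must not reach arbitrary destinations.
for port in 80 443; do
  aws ec2 authorize-security-group-ingress \
    --region "$REGION" \
    --group-id "$SGID" \
    --cidr "$VPC_CIDR" \
    --protocol tcp --port "$port" || fail
done

# Informational only: list Amazon's NAT AMIs in this region so NAT_AMI can be
# kept current. Both filters go in one --filters option; the original passed
# two separate --filter options, and a repeated option is likely to keep only
# the last one, silently dropping the owner-alias filter.
echo "Available amzn-ami-vpc-nat images in $REGION:"
aws ec2 describe-images \
  --region "$REGION" \
  --filters Name=owner-alias,Values=amazon Name=name,Values='amzn-ami-vpc-nat*' \
  | jq -r '.Images[] | .Name + " " + .ImageId' \
  | sort

echo "Starting a NAT instance in the NATSG security group"
IID=$(aws ec2 run-instances \
  --region "$REGION" \
  --instance-type t2.micro \
  --key-name "$SSHKEY" \
  --security-group-ids "$SGID" \
  --subnet-id "$SUBID" \
  --instance-initiated-shutdown-behavior terminate \
  --associate-public-ip-address \
  --count 1 \
  --image-id "$NAT_AMI" \
  | jq -r '.Instances[0].InstanceId') || fail
require_id "$IID"
echo "$IID"

aws ec2 create-tags \
  --region "$REGION" \
  --resources "$IID" \
  --tags Key=Owner,Value=jvehent Key=Name,Value=testidsnat1 || fail

# A NAT forwards packets whose source or destination is not its own address;
# EC2 drops such packets unless the per-instance source/dest check is off.
echo "Disabling Source/Destination Checks on NAT instance"
aws ec2 modify-instance-attribute \
  --region "$REGION" \
  --instance-id "$IID" \
  --no-source-dest-check || fail

echo "Waiting for NAT instance to be in running state"
while true; do
  STATE=$(aws ec2 describe-instances \
    --region "$REGION" \
    --instance-ids "$IID" \
    | jq -r '.Reservations[0].Instances[0].State.Name')
  [ "$STATE" = "running" ] && break
  # An instance that dies during launch never becomes "running"; give up and
  # tear down instead of polling forever.
  case "$STATE" in
    shutting-down|terminated|stopping|stopped)
      echo
      echo "instance entered state '$STATE' while waiting for it to run" >&2
      fail
      ;;
  esac
  echo -n .
  sleep "$POLL_SECS"   # the original polled back-to-back, which trips API rate limits
done
echo

# Point the VPC's default route at the instance. replace-route needs an
# existing 0.0.0.0/0 entry in the main table; fall back to create-route when
# there is none, and only then give up.
echo "Updating the Main Route Table"
aws ec2 replace-route \
  --region "$REGION" \
  --route-table-id "$MAINRT" \
  --destination-cidr-block 0.0.0.0/0 \
  --instance-id "$IID" \
|| aws ec2 create-route \
  --region "$REGION" \
  --route-table-id "$MAINRT" \
  --destination-cidr-block 0.0.0.0/0 \
  --instance-id "$IID" \
|| fail
echo "NAT instance $IID is now the default route for $MAINRT"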