AWS Cloudformation - creating a NAT instance

Introduction

Having got the basic networking in place with public and private subnets, there is one more networking ingredient that is required.  If you want to be able to use many of the AWS services in your private subnets, instances in these subnets need internet access.

In this post, I'll create a NAT instances to give internet access to private subnets. 

To build the NAT instance I'll use Cloudformation, and then I'll create a Powershell script to create or replace the NAT instance.

NAT instance

You can create an EC2 NAT instance by using one of the community NAT AMIs - I'm sure that's OK, but the one I happened to pick didn't work, and using this approach is a lot more flexible, and just as easy.

Amazon provide a very good article on how to set up high availability NAT.  What I'm doing here is quite a bit simpler - it will not give the high availability of the Amazon solution, but will allow a fairly rapid replacement of a malfunctioning NAT instance (probably 10 minutes rather than 10 seconds). I also needed to NAT an incoming port, forwarding it to another instance, meaning I could only have one working instance.

Cloudformation

Cloudformation is a fantastic service.  There is no cost associated with Cloudformation - you pay for what you create.  In this case I'm creating an EC2 instance and will pay the hourly rate as soon as it starts.  With Cloudformation you use a template to create a Cloudformation "stack".

The stack I'll create here contains an EC2 instance doing NAT and a security group.

The template I use is quite simple, and is easy to deconstruct and see how templates work.  If you want to, feel free to download the template from here, modify it, and use Cloudformation to build it.  If you are familiar with linux and bash, you will see how "UserData" in the instance properties can be used to do virtually any configuration of a linux instance.  A note here - the template is in JSON format, which can be very easy to get wrong.  I use Notepad ++ in a Windows environment, and add the JSON viewer plug-in.  This allows you to select your whole template and quickly verify if the JSON is OK.

The instance you create with this template may be included in the free tier, costing nothing.  However, it's a pretty useless instance on it's own - without modification you won't be able to access it except from other instances in your VPC.  To allow external access, make a second copy of the line:

{ "IpProtocol" : "tcp", "FromPort" : {"Ref" : "ForwardPort" }, "ToPort" : {"Ref" : "ForwardPort" }, "CidrIp" : "0.0.0.0/0" } ,

replacing  "ForwardPort" with "SSHPort", and preferably locking down the CidrIp to your own IP address.

Once the stack has been created, I need to make it work.  In my previous post I mentioned the two routing tables.  Once I have the NAT instance in place, I create a routing table with the NAT instance as default route, and I associate this routing table with the Private subnets.

PowerShell

I use a Powershell script to create or replace the NAT instance.  This script can be called by a monitoring server, or manually.

PowerShell may seem an odd choice - while the PowerShell module for AWS is very good, I'm pretty sure it's development is behind the normal AWS CLI (Command Line Interface), that can be used from any platform.  The script would have been very easy to create in bash, python or whatever.  There are two reasons I'm using PowerShell - the first is that I quite like PowerShell, but the real reason is that I'm currently building a Windows environment.  In a future post I hope to share my script for creating a full mirrored SQL server environment.  For this you really do need PowerShell, so I'd rather give my clients a consistent tool set.

The script can be used to create an initial NAT instance, as well as to replace it, either after updating the template, to change the parameters, or if the instance stops working as expected.

To use the script, ensure you have initialised your AWS settings in Powershell as explained in a previous post.  Change to the directory where the script is saved. Upload the template to an S3 bucket (if you have a local copy, you can just use the following PowerShell commands):

New-S3Bucket <uniquebucketname>
Write-S3Object -File NATInstance.template -BucketName <uniquebucketname> -Key NatInstance.template

After this, you can use the template you have uploaded with the script.  You can get the url of the file from the AWS console, or use https://s3-eu-west-1.amazonaws.com/uniquebucketname/NATInstance.template (or similar, depending on your region).

To create an initial NAT instance that serves purely to allow outgoing internet access, make sure at least one subnet has "auto-assign Public IP" enabled, and you have created a second routing table (you don't need to have anything in the routing table). Then simply run:
./Replace-NAT.ps1 -NatTemplateURL https://.....
This should create a NAT instance.  For private subnets to start using it, associate your private subnets with this routing table.

If you need to use incoming NAT on a specific port, you can create and assign an EIP to this instance (that allows you to retain the same IP address for future use).

You can replace the instance at any time, whether because of issues, or because you want to make changes (e.g. to implement incoming NAT you can simply add the -ForwardHost and -ForwardPort parameters).  The script will, by default, replace the route and delete the previous stack (after confirming with you, or without confirmation if you specify -Force).

For more information on the script (help is very limited, but at least it will list available parameters if you don't feel like editing the script), run
Get-Help ./Replace-Nat.ps1

That's all for this post - next post I'm planning on showing an alternative way to customise a linux instance.

One step back - getting ready to use AWS

Although I've already set up a free AWS account, I'm just about to start using it to test what I'm posting about.  I also had to go and find a Windows laptop - I normally use only linux at home, but can't test my PowerShell scripts on that!  So I'll take the chance to document some basics - how do you start using AWS?

First, you have to sign up for an AWS account.  The email address you sign up with is the "root" account - unless you're the only one with access to the account, try not using this, but create an IAM (Identity and Access Management) user (one or more per person).

Make sure you save the credentials somewhere safe - this is what you'll use to sign in.  While you're there, when you click on the user, go down and click on "Manage Password" - create a strong password, this allows you to log in to the console as this user.  Rather than assigning rights to the user, I would normally create a group, assign rights to the group, and add the user to the group.  Click on Groups, Add a group, call it admin and select the policy "Administrator access".  Now click on the IAM Dashboard, and save the "IAM users sign-in link.  Please note that administrator access does not give you access to everything, a few rights have to be explicitly assigned, but administrator rights do give you the rights to edit your own access if you find you need more.

At this point IAM users won't have access to the billing and account information.  If they need it, go to Billing and account Management while still signed in to the root account (click your user name at the top right to get there).  On the billing dashboard you'll see a link to Account Management.  There "edit" the IAM user access to billing information and activate IAM access.

Once you've set up your account, to the AWS tools page, and download the PowerShell installer.  I accept and install everything (although I'm unlikely to need all the SDKs).

Also download the CLI.  Start a cmd prompt, run "aws configure" and specify your keys and region (eu-west-1).

Run PowerShell as administrator (or the PowerShell ISE, which is better).

Set-AWSCredentials -AccessKey YourAccessKey -SecretKey YourSecretKey -StoreAs MyProfileName
Initialize-AWSDefaults -ProfileName MyProfileName -Region eu-west-1
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned(Accept the warning )
Get-AWSCredentials

(This should return something, not a blank)

In future PowerShell sessions you run Initialise-AWSDefaults and it will load your default profile.  You can also add this to your PowerShell profile.

Networking in AWS – VPC, subnets and routing

The key part of your AWS infrastructure is your VPC (Virtual Private Cloud). It is important to get it right, as it can't be changed later, although you can have multiple VPCs in your AWS account. Think of the VPC as the container in which you build your whole AWS environment, so that's where I'll start this series.

Talking about the account, we already used AWS for customer facing web sites. When I started this project, there was a distinction between “front end” (customer facing web site) developers and “back end” developers. This has since changed, but it seemed reasonable to keep the distinction, so I created a second AWS account. If you do, set up an email alias to use as the root account, and consolidate the billing. I'm sure finance would rather have to deal with just the one bill...

If possible, when you create your VPC, use a CIDR in a range that does not overlap with any of your internal subnets. For the company (and group) I'm currently contracting for I used 10.128.0.0/16 – this means I could potentially have VPN set up to connect to 10.0.0.0/9 with one VPN. Use http://www.subnet-calculator.com/ to help you work it out.

Besides the normal public and private subnets, I decided also to have a defined “AD” subnet and and a “routing” subnet. Call me too careful, but if I'm going to have domain controllers in an environment, I want to control access to them very carefully. The two extra “subnets” mean I can set up a security group (what a firewall is called in AWS) to restrict access to the read only domain controllers (RODC) only to the routing subnet, not anything in the “public” subnet. Same for internal firewalls as well – I can restrict access from the private subnet, but obviously need the domain controllers to connect.

For each purpose, you create a subnet in each availability zone – in Ireland that's three availability zones, so you have 12 subnets you create. To make the firewalls etc. easier, create the subnets in easy CIDR blocks – e.g. if you have the public in 10.128.1.0/24, 10.128.2.0/24 and 10.128.3.0/24, put the private in 10.128.16.0/24 etc., so you can treat 10.128.0.0/20 as all being public.

Subnet summary:

Routing subnet – use for any routing services, such as VPN and NAT

Public subnet – for any services accessible from the internet, e.g. load balancers. No access to internal network through VPN.

Private subnet – No direct internet access, through NAT only. Access to internal networks through VPN.

AD subnet – Same as the private subnet, but can be treated different internally.

As an aside – I did not use Cloudformation to create my VPC and subnets because I'm not planning on recreating them and it's a pretty small job to do it manually, but if you're creating lots you will want to.

In the routing subnet, you will need to create a NAT instance. I will use Elastic Beanstalk to put applications in the private subnet, which fails if they don't have internet access (AWS health checks fail if the instance doesn't contact it). Hopefully in my next post I'll share something on this, including my Cloudformation template.

I also used a VPN instance (OpenSWAN on linux) to connect my internal network with AWS. More on that later – in most cases you probably want to use a VPG and Amazon's VPN. Again, a Cloudformation template and a simple script will bring it all up with no manual intervention (and replace the instance if anything goes wrong).

You'll also want to create two routing tables. The Main table has a local route to 10.128.0.0/16 and a default route to the internet gateway and probably doesn't need any modification.

To keep the private and AD subnets private, you create a routing table with a default route through the NAT instance and a route to your internal infrastructure through your VPN. Then associate this with the private and AD subnets.

Hopefully more coming soon...