紙一重の積み重ね

A blog in which a 35-year-old engineer, aiming to become the best version of himself, steadily shares what he has learned.

[AWS] When routing through a NAT instance fails, check the source/destination check setting #CloudFormation


The problem

  • Created a NAT instance with CloudFormation
    • apt-add-repository does not work from the PrivateSubnet
      • It looks as though traffic cannot get out to the internet via the NAT instance

Cause

The instance still had the source/destination check enabled. With that check on, EC2 drops every packet the instance sends or receives whose source or destination address is not the instance's own, which is exactly what forwarded traffic from the private subnet looks like, so the NAT instance never relays it.


What to check

When creating the instance from the Management Console, disabling the source/destination check is mandatory for a NAT instance. In CloudFormation, set it with the SourceDestCheck property of the AWS::EC2::Instance resource. Two related things are easy to forget and produce the same symptom: the private subnet's route table still needs a 0.0.0.0/0 route whose target is this instance, and if the AMI is not Amazon's NAT AMI the OS itself must have IP forwarding enabled and an iptables MASQUERADE rule, otherwise the check passes but the instance still does not forward packets.

Example CloudFormation template

NATinstance:
  Type: 'AWS::EC2::Instance'
  Properties:
    DisableApiTermination: 'false'
    InstanceInitiatedShutdownBehavior: stop
    ImageId: ami-17944271
    InstanceType: t2.micro
    KeyName: !Ref KeyPairName
    Monitoring: 'false'
    Tags:
      - Key: Name
        Value: NAT instance
    NetworkInterfaces:
      - DeleteOnTermination: 'true'
        Description: Primary network interface
        DeviceIndex: 0
        SubnetId:
          Fn::ImportValue:
            !Sub "${ENV}-PublicSubnet1a"
        GroupSet:
          - !Ref SecurityGroupFromVPC
          - Fn::ImportValue:
              !Sub "${ENV}-SecurityGroupFromSystemIntegrator"
    # Required for a NAT instance: unless this is false, traffic from the PrivateSubnet cannot be routed through it.
    SourceDestCheck: false
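As an added example (not code from the original post), here is an offline pre-deploy check in Python that catches the mistake this post describes in a template before the stack is created: every AWS::EC2::Route that sends traffic through an instance or a network interface is paired with its target resource, and the target is flagged if it does not set SourceDestCheck to false. It reads the JSON form of a template so it needs only the standard library; the post's YAML template would first have to be converted (for example with cfn-flip) or loaded with a YAML parser that understands the short-form intrinsic tags. The embedded template, its resource names and its AMI/subnet/VPC IDs are constructed for this example.

```python
import json

# Constructed sample template (JSON form of a CloudFormation template) for this
# example; the resource names and IDs are placeholders, not the post's real stack.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        # NAT instance configured as the post recommends.
        "NATinstance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {"ImageId": "ami-00000000", "InstanceType": "t2.micro",
                           "SourceDestCheck": False},
        },
        # NAT instance with the setting forgotten: the default (true) applies.
        "BrokenNAT": {
            "Type": "AWS::EC2::Instance",
            "Properties": {"ImageId": "ami-00000000", "InstanceType": "t2.micro"},
        },
        # A NAT built around a separate ENI; the check lives on the ENI resource.
        "NATEni": {
            "Type": "AWS::EC2::NetworkInterface",
            "Properties": {"SubnetId": "subnet-00000000", "SourceDestCheck": "false"},
        },
        "PrivateRouteTable": {"Type": "AWS::EC2::RouteTable",
                              "Properties": {"VpcId": "vpc-00000000"}},
        "RouteViaGoodNAT": {
            "Type": "AWS::EC2::Route",
            "Properties": {"RouteTableId": {"Ref": "PrivateRouteTable"},
                           "DestinationCidrBlock": "0.0.0.0/0",
                           "InstanceId": {"Ref": "NATinstance"}},
        },
        "RouteViaBrokenNAT": {
            "Type": "AWS::EC2::Route",
            "Properties": {"RouteTableId": {"Ref": "PrivateRouteTable"},
                           "DestinationCidrBlock": "10.10.0.0/16",
                           "InstanceId": {"Ref": "BrokenNAT"}},
        },
        "RouteViaEni": {
            "Type": "AWS::EC2::Route",
            "Properties": {"RouteTableId": {"Ref": "PrivateRouteTable"},
                           "DestinationCidrBlock": "10.20.0.0/16",
                           "NetworkInterfaceId": {"Ref": "NATEni"}},
        },
    }
})

# Route property -> type of resource it must point at for the check to apply.
ROUTE_TARGET_TYPES = {
    "InstanceId": "AWS::EC2::Instance",
    "NetworkInterfaceId": "AWS::EC2::NetworkInterface",
}


def ref_target(value):
    """Return the logical ID a {"Ref": ...} points at, else None.

    Literal IDs (i-..., eni-...) refer to resources outside the template and
    cannot be inspected offline, so they are skipped rather than guessed at.
    """
    if isinstance(value, dict) and set(value) == {"Ref"} and isinstance(value["Ref"], str):
        return value["Ref"]
    return None


def source_dest_check_disabled(props):
    """True only when SourceDestCheck is explicitly false (bool or quoted string).

    Absent means the EC2 default (enabled); an intrinsic function such as a Ref
    to a parameter cannot be evaluated offline and is treated as not disabled.
    """
    value = props.get("SourceDestCheck")
    if isinstance(value, bool):
        return value is False
    if isinstance(value, str):
        return value.strip().lower() == "false"
    return False


def find_route_targets_with_sdc_enabled(template_text):
    """Return sorted (route_id, target_id) pairs for routes whose in-template
    instance/ENI target still has the source/destination check enabled."""
    resources = json.loads(template_text).get("Resources", {})
    findings = []
    for route_id, resource in resources.items():
        if resource.get("Type") != "AWS::EC2::Route":
            continue
        props = resource.get("Properties", {})
        for key, expected_type in ROUTE_TARGET_TYPES.items():
            target_id = ref_target(props.get(key))
            if target_id is None:
                continue
            target = resources.get(target_id)
            if target is None or target.get("Type") != expected_type:
                continue  # Ref to a parameter or an unexpected type: nothing to check
            if not source_dest_check_disabled(target.get("Properties", {})):
                findings.append((route_id, target_id))
    return sorted(findings)


if __name__ == "__main__":
    for route_id, target_id in find_route_targets_with_sdc_enabled(SAMPLE_TEMPLATE):
        print(f"{route_id}: forwards via {target_id}, which does not set SourceDestCheck: false")
```

A quoted 'false' is accepted as disabled because CloudFormation treats quoted booleans the same way as bare ones, as the post's template already relies on for other properties. A value produced by an intrinsic function is deliberately reported rather than ignored: for a pre-deploy check, "I could not prove it is off" is the safer answer.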

Connectivity check

  • Ran ping from an EC2 instance in the PrivateSubnet
  • Confirmed that it now reaches the outside
$ ping www.google.co.jp
PING www.google.co.jp (172.217.31.163) 56(84) bytes of data.
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=1 ttl=43 time=4.47 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=2 ttl=43 time=4.45 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=3 ttl=43 time=4.46 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=4 ttl=43 time=4.26 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=5 ttl=43 time=4.29 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=6 ttl=43 time=4.24 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=7 ttl=43 time=4.40 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=8 ttl=43 time=4.34 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=9 ttl=43 time=4.26 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=10 ttl=43 time=4.29 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=11 ttl=43 time=4.47 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=12 ttl=43 time=4.43 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=13 ttl=43 time=4.46 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=14 ttl=43 time=4.34 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=15 ttl=43 time=4.46 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=16 ttl=43 time=4.29 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=17 ttl=43 time=4.33 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=18 ttl=43 time=4.26 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=19 ttl=43 time=4.30 ms
64 bytes from nrt12s22-in-f3.1e100.net (172.217.31.163): icmp_seq=20 ttl=43 time=4.32 ms
^C
--- www.google.co.jp ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19031ms
rtt min/avg/max/mdev = 4.242/4.360/4.473/0.087 ms