Switch to NAT Gateway

Author: farski

spire/templates/apps/dovetail-counts.yml

@@ -128,7 +128,7 @@ Resources:
         prx:dev:application: Counts
       Timeout: 30
       VpcConfig:
-        Ipv6AllowedForDualStack: true
+        # Ipv6AllowedForDualStack: true
         SecurityGroupIds:
           - !GetAtt CountsFunctionSecurityGroup.GroupId
           - !Ref KinesisStreamsEndpointAccessSecurityGroupId

spire/templates/shared-vpc.yml

@@ -166,6 +166,7 @@ Resources:
         VpcIpv6CidrBlocks: !Join [",", !GetAtt Vpc.Ipv6CidrBlocks]
         AvailabilityZoneSelectorServiceToken: !Ref AvailabilityZoneSelectorServiceToken
         NetworkAclName: !GetAtt PrivateNetworkAclStack.Outputs.NetworkAclName
+        Subnet1NatGatewayId: !GetAtt PublicSubnetsStack.Outputs.Subnet1NatGatewayId
       Tags:
         - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
         - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }

spire/templates/shared-vpc/private-subnets.yml

@@ -15,6 +15,7 @@ Parameters:
   VpcIpv6CidrBlocks: { Type: CommaDelimitedList }
   AvailabilityZoneSelectorServiceToken: { Type: String }
   NetworkAclName: { Type: String }
+  Subnet1NatGatewayId: { Type: String }
 
 Conditions:
   EnableNestedChangeSetScrubbingResources: !Equals [!Ref NestedChangeSetScrubbingResourcesState, Enabled]
@@ -28,19 +29,19 @@ Resources:
       ServiceToken: !Ref AvailabilityZoneSelectorServiceToken
 
   # Egress-only internet gateway
-  EgressOnlyInternetGateway:
-    Type: AWS::EC2::EgressOnlyInternetGateway
-    Properties:
-      Tags:
-        - { Key: Name, Value: !Sub "${RootStackName}_shared_private" }
-        - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
-        - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
-        - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
-        - { Key: prx:cloudformation:root-stack-name, Value: !Ref RootStackName }
-        - { Key: prx:cloudformation:root-stack-id, Value: !Ref RootStackId }
-        - { Key: prx:ops:environment, Value: !Ref EnvironmentType }
-        - { Key: prx:dev:application, Value: Common }
-      VpcId: !Ref VpcId
+  # EgressOnlyInternetGateway:
+  #   Type: AWS::EC2::EgressOnlyInternetGateway
+  #   Properties:
+  #     Tags:
+  #       - { Key: Name, Value: !Sub "${RootStackName}_shared_private" }
+  #       - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
+  #       - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
+  #       - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
+  #       - { Key: prx:cloudformation:root-stack-name, Value: !Ref RootStackName }
+  #       - { Key: prx:cloudformation:root-stack-id, Value: !Ref RootStackId }
+  #       - { Key: prx:ops:environment, Value: !Ref EnvironmentType }
+  #       - { Key: prx:dev:application, Value: Common }
+  #     VpcId: !Ref VpcId
 
   # Routing for private subnets. A subnet being associated with this route
   # table is what makes it a private subnet, since there is no internet gateway
@@ -59,14 +60,12 @@ Resources:
         - { Key: prx:ops:environment, Value: !Ref EnvironmentType }
         - { Key: prx:dev:application, Value: Common }
 
-  # Add a Egress-only Internet Gateway route, to allow resources in private subnets
-  # to access the internet without being exposed to the internet directly
-  PrivateRouteTableEgressOnlyRoute:
+  PrivateRouteTableNatRoute:
     Type: AWS::EC2::Route
     Properties:
       RouteTableId: !Ref PrivateRouteTable
       DestinationIpv6CidrBlock: ::/0
-      EgressOnlyInternetGatewayId: !Ref EgressOnlyInternetGateway
+      NatGatewayId: !Ref Subnet1NatGatewayId
 
   # Private subnets
   PrivateSubnet1:

spire/templates/shared-vpc/public-subnets.yml

@@ -46,6 +46,39 @@ Resources:
       InternetGatewayId: !Ref InternetGateway
       VpcId: !Ref VpcId
 
+  # NAT Gateway in the public subnet so it can access the internet, which will
+  # be used by resources in the private subnet so they can reach the internet
+  Subnet1NatGatewayElasticIp:
+    Type: AWS::EC2::EIP
+    Properties:
+      Domain: vpc
+      Tags:
+        - { Key: Name, Value: !Sub "${RootStackName}_nat-gateway" }
+        - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
+        - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
+        - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
+        - { Key: prx:cloudformation:root-stack-name, Value: !Ref RootStackName }
+        - { Key: prx:cloudformation:root-stack-id, Value: !Ref RootStackId }
+        - { Key: prx:ops:environment, Value: !Ref EnvironmentType }
+        - { Key: prx:dev:application, Value: Common }
+  Subnet1NatGateway:
+    Type: AWS::EC2::NatGateway
+    Properties:
+      AllocationId: !GetAtt Subnet1NatGatewayElasticIp.AllocationId
+      ConnectivityType: public
+      MaxDrainDurationSeconds: 350
+      SubnetId: !Ref PublicSubnet1
+      Tags:
+        - { Key: Name, Value: !Sub "${RootStackName}_nat-gateway" }
+        - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
+        - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
+        - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId }
+        - { Key: prx:cloudformation:root-stack-name, Value: !Ref RootStackName }
+        - { Key: prx:cloudformation:root-stack-id, Value: !Ref RootStackId }
+        - { Key: prx:ops:environment, Value: !Ref EnvironmentType }
+        - { Key: prx:dev:application, Value: Common }
+      VpcId: !Ref VpcId
+
   # Routing for public subnets. A subnet being associated with this route table
   # is what makes it a public subnet, since there's an internet gateway
   # associated with the route table.
@@ -186,6 +219,9 @@ Outputs:
     Description: The name of the internet gateway
     Value: !Ref InternetGateway
 
+  Subnet1NatGatewayId:
+    Value: !Ref Subnet1NatGateway
+
   Subnet1Id:
     Description: ID of public subnet 1
     Value: !Ref PublicSubnet1