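---
# CloudFormation template for a single fck-nat NAT instance: one fixed ENI
# (FckNatInterface) that route tables can target, plus an Auto Scaling group
# of size 1 that keeps an instance attached to that ENI.
AWSTemplateFormatVersion: "2010-09-09"
Description: fck-nat NAT instance with a static ENI and a size-1 Auto Scaling group

Parameters:
  vpc:
    Type: String
    Description: ID of the VPC that hosts the NAT security group and instance.
    Default: "vpc-121212121212121212"
  subnet:
    Type: String
    Description: Subnet that hosts the NAT ENI and the NAT instance.
    Default: "subnet-121212121212121212"
  CIDR:
    Type: String
    Description: Source CIDR (normally the VPC CIDR) allowed to send traffic through the NAT.
    Default: "10.0.0.0/16"
  AmiId:
    Type: String
    # AMI IDs are region-specific. The default is the ID that was previously
    # hard-coded in the launch template, so existing deployments are unchanged.
    Description: fck-nat AMI to launch; must be arm64 to match the t4g.nano instance type.
    Default: "ami-05b6d5a2e26f13c93"

Resources:
  # Static ENI: its ID is what route tables point at, so it must outlive any
  # single instance. SourceDestCheck must be off for the instance to forward.
  FckNatInterface:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Ref subnet
      GroupSet:
        - !GetAtt NatSecurityGroup.GroupId
      SourceDestCheck: false

  FckNatAsgInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref NatRole

  FckNatLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    DependsOn:
      - NatRole
    Properties:
      LaunchTemplateName: FckNatLaunchTemplate
      LaunchTemplateData:
        ImageId: !Ref AmiId
        InstanceType: t4g.nano
        IamInstanceProfile:
          Arn: !GetAtt FckNatAsgInstanceProfile.Arn
        # SecurityGroupIds takes group IDs. The original used SecurityGroups,
        # which expects group *names* and fails for a group in a non-default VPC.
        SecurityGroupIds:
          - !GetAtt NatSecurityGroup.GroupId
        # NOTE(review): consider MetadataOptions with HttpTokens: required
        # (IMDSv2) once the fck-nat build in this AMI is confirmed to support it.
        # Boot script: tell fck-nat which ENI to attach, then restart the service.
        # ${FckNatInterface} expands to the ENI ID (same value as Ref).
        UserData:
          Fn::Base64: !Sub |-
            #!/bin/bash
            echo "eni_id=${FckNatInterface}" >> /etc/fck-nat.conf
            service fck-nat restart

  FckNatAsg:
    Type: AWS::AutoScaling::AutoScalingGroup
    # Fixed-size group of one; the ASG only provides replacement on failure.
    Properties:
      MaxSize: "1"
      MinSize: "1"
      DesiredCapacity: "1"
      # An Auto Scaling group has no top-level LaunchTemplateId property; the
      # template is referenced via LaunchTemplate, and Version is required.
      LaunchTemplate:
        LaunchTemplateId: !Ref FckNatLaunchTemplate
        Version: !GetAtt FckNatLaunchTemplate.LatestVersionNumber
      VPCZoneIdentifier:
        - !Ref subnet
    UpdatePolicy:
      AutoScalingScheduledAction:
        IgnoreUnmodifiedGroupSizeProperties: true

  NatSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for NAT
      VpcId: !Ref vpc
      # A NAT must accept every protocol from the address space it serves;
      # the CIDR parameter is the only thing limiting ingress, so keep it tight.
      SecurityGroupIngress:
        - CidrIp: !Ref CIDR
          Description: Allow all traffic from the NAT client CIDR
          IpProtocol: "-1"
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          Description: Allow all outbound traffic by default
          IpProtocol: "-1"

  NatRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        # NOTE(review): both policies grant Resource "*". The instance only
        # needs to attach FckNatInterface to itself and manage its own address;
        # a condition such as ec2:ResourceTag on the ENI and instance could
        # narrow this. Confirm the calls fck-nat makes before tightening.
        - PolicyName: attachNatEniPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ec2:AttachNetworkInterface
                  - ec2:ModifyNetworkInterfaceAttribute
                Resource: "*"
        - PolicyName: associateNatAddressPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ec2:AssociateAddress
                  - ec2:DisassociateAddress
                Resource: "*"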