01 Run allocate-address command (OSX/Linux/UNIX) to create a new Elastic IP address (EIP) in the selected AWS region:
aws ec2 allocate-address \
  --region us-east-1 \
  --domain vpc
02 The command output should return the metadata available for the new EIP:
{
"PublicIp": "10.10.0.5",
"Domain": "vpc",
"AllocationId": "eipalloc-abcd1234"
}
03 Run describe-vpcs command (OSX/Linux/UNIX) with custom query filters to list the IDs of the VPC networks available in the selected AWS region:
aws ec2 describe-vpcs \
  --region us-east-1 \
  --query 'Vpcs[*].VpcId'
04 The command output should return the ID of each Virtual Private Cloud (VPC) available:
[
"vpc-abcd1234",
"vpc-1234abcd"
]
05 Run describe-subnets command (OSX/Linux/UNIX) to list the subnets (public and private) created for the VPC that you want to associate with a Managed NAT Gateway:
aws ec2 describe-subnets \
  --region us-east-1 \
  --filters "Name=vpc-id,Values=vpc-abcd1234"
06 The command output should return the metadata for each VPC subnet in use:
{
"Subnets": [
{
"VpcId": "vpc-abcd1234",
"Tags": [
{
"Value": "Public subnet",
"Key": "Name"
}
],
"CidrBlock": "10.0.0.0/24",
"MapPublicIpOnLaunch": false,
"DefaultForAz": false,
"State": "available",
"AvailabilityZone": "us-east-1a",
"SubnetId": "subnet-12341234",
"AvailableIpAddressCount": 251
},
{
"VpcId": "vpc-abcd1234",
"Tags": [
{
"Value": "Private subnet",
"Key": "Name"
}
],
"CidrBlock": "10.0.1.0/24",
"MapPublicIpOnLaunch": false,
"DefaultForAz": false,
"State": "available",
"AvailabilityZone": "us-east-1b",
"SubnetId": "subnet-abcdabcd",
"AvailableIpAddressCount": 251
}
]
}
07 Run create-nat-gateway command (OSX/Linux/UNIX) to create the new Managed NAT Gateway in the specified public VPC subnet, using the Elastic IP address created earlier:
aws ec2 create-nat-gateway \
  --region us-east-1 \
  --subnet-id subnet-12341234 \
  --allocation-id eipalloc-abcd1234
08 The command output should return the metadata available for the new gateway:
{
"NatGateway": {
"NatGatewayAddresses": [
{
"AllocationId": "eipalloc-abcd1234"
}
],
"VpcId": "vpc-abcd1234",
"State": "pending",
"NatGatewayId": "nat-01234abcd1234abcd",
"SubnetId": "subnet-12341234",
"CreateTime": "2016-04-26T16:19:31.050Z"
}
}
09 Run create-route command (OSX/Linux/UNIX) using the ID of the VPC main route table as the identifier parameter to create a new route that matches all IPv4 traffic (i.e. 0.0.0.0/0) and routes that traffic to the newly created NAT Gateway (a NAT Gateway is passed with --nat-gateway-id, not --gateway-id, which is reserved for Internet and virtual private gateways):
aws ec2 create-route \
  --region us-east-1 \
  --route-table-id rtb-0aaaabbbbccccdddd \
  --destination-cidr-block 0.0.0.0/0 \
  --nat-gateway-id nat-01234abcd1234abcd
10 The command output should return true if the request succeeds; otherwise it returns an error:
{
"Return": true
}
11 (Optional) To replace your existing NAT instance with the new Managed NAT Gateway, run the replace-route command (OSX/Linux/UNIX) using 0.0.0.0/0 as the destination (the command does not produce any output):
aws ec2 replace-route \
  --region us-east-1 \
  --route-table-id rtb-0aaaabbbbccccdddd \
  --destination-cidr-block 0.0.0.0/0 \
  --nat-gateway-id nat-01234abcd1234abcd
12 Repeat steps no. 1 – 11 for each Virtual Private Cloud (VPC) available in the selected AWS region.
13 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
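Steps 9 to 12 have to be repeated per route table, and it is easy to miss one that still points 0.0.0.0/0 at a NAT instance. The script below is an added example (not part of this guide) that reads the JSON shape returned by `aws ec2 describe-route-tables`, classifies each table's default route, lists the tables that still egress through a NAT instance, and prints the step 11 replace-route command for each. The embedded route-table document is constructed to match the IDs used above; the function names and the NAT instance/IGW IDs are assumptions.

```python
"""Find VPC route tables whose 0.0.0.0/0 route still targets a NAT instance
(InstanceId / NetworkInterfaceId) instead of a Managed NAT Gateway (NatGatewayId),
and emit the replace-route command from step 11 for each of them.
Input: the JSON returned by `aws ec2 describe-route-tables --filters "Name=vpc-id,Values=<vpc-id>"`.
The SAMPLE document below is constructed for this example."""
import json

SAMPLE = json.loads("""{"RouteTables": [
 {"RouteTableId": "rtb-0123456789abcdef0", "VpcId": "vpc-abcd1234",
  "Associations": [{"SubnetId": "subnet-12341234"}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"}]},
 {"RouteTableId": "rtb-0aaaabbbbccccdddd", "VpcId": "vpc-abcd1234",
  "Associations": [{"Main": true}, {"SubnetId": "subnet-abcdabcd"}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0123456789abcdef0",
              "NetworkInterfaceId": "eni-0123456789abcdef0"}]}]}""")

def default_route_target(table):
    """Classify the 0.0.0.0/0 route of one route table.
    Returns ('nat-gateway' | 'nat-instance' | 'igw' | 'none', target id)."""
    for r in table.get("Routes", []):
        if r.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if "NatGatewayId" in r:                                 # Managed NAT Gateway (desired)
            return "nat-gateway", r["NatGatewayId"]
        if "InstanceId" in r or "NetworkInterfaceId" in r:     # NAT instance (to be replaced)
            return "nat-instance", r.get("InstanceId") or r["NetworkInterfaceId"]
        if r.get("GatewayId", "").startswith("igw-"):           # Internet gateway: public subnet
            return "igw", r["GatewayId"]
    return "none", None

def tables_using_nat_instances(describe_output):
    """Return [(route_table_id, [associated subnet ids])] for tables still using a NAT instance."""
    found = []
    for t in describe_output["RouteTables"]:
        if default_route_target(t)[0] == "nat-instance":
            subnets = [a["SubnetId"] for a in t.get("Associations", []) if "SubnetId" in a]
            found.append((t["RouteTableId"], subnets))
    return found

def replace_route_command(route_table_id, nat_gateway_id, region="us-east-1"):
    """Build the step 11 replace-route command for one route table."""
    return (f"aws ec2 replace-route --region {region} --route-table-id {route_table_id} "
            f"--destination-cidr-block 0.0.0.0/0 --nat-gateway-id {nat_gateway_id}")

if __name__ == "__main__":
    for rtb, subnets in tables_using_nat_instances(SAMPLE):
        print(f"{rtb} (subnets: {', '.join(subnets)}) still routes 0.0.0.0/0 via a NAT instance")
        print("  " + replace_route_command(rtb, "nat-01234abcd1234abcd"))
```

Run it against the real describe-route-tables output for each VPC and region before and after the migration; an empty result after step 11 means no route table is left pointing at a NAT instance.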