RaJiska / terraform-aws-fck-nat

Terraform module for fck-nat
https://registry.terraform.io/modules/RaJiska/fck-nat/aws/latest
MIT License

Question: why two private IPv4 addresses? #21

Closed madtechsupport closed 5 months ago

madtechsupport commented 6 months ago

Hi,

I've set up and am using fck-nat via the Terraform module. My module config looks like this:

module "fck-nat" {
  source = "git::https://github.com/RaJiska/terraform-aws-fck-nat.git?ref=ab69ccf34629e49033f52c4e6351e188be7a1f8f"

  name      = "${local.label}-fck-nat"
  vpc_id    = aws_vpc.vpc.id
  subnet_id = aws_subnet.public_subnet01.id
  ha_mode   = false # Enables high-availability mode
  #  eip_allocation_ids = ["eipalloc-0137b6eb9d101f063"] # Allocation ID of an existing EIP / see https://github.com/RaJiska/terraform-aws-fck-nat/issues/5
  instance_type = var.instance_type

  update_route_tables = true
  route_tables_ids = {
    "private_rt" = aws_route_table.private_rt.id
  }

  tags = {
    Name = "${local.label}-fck-nat"
  }

  # To ensure proper ordering, add an explicit dependency on the Internet Gateway for the VPC.
  depends_on = [aws_internet_gateway.igw]
}

and I end up with two private IPv4 addresses against the instance:

[screenshot: the EC2 console showing two private IPv4 addresses on the fck-nat instance]

and I'm not sure why. I don't think it's part of the AMI (tested by starting an instance with the AMI and I got only one private IPv4 address) and I've glanced (not studied) the module's Terraform config where it wasn't immediately obvious to me why two private IPv4 addresses are assigned.

Is there a reason why there are two IPv4 addresses assigned to the fck-nat instance when using the Terraform module?

Regards,

Warren.

RaJiska commented 6 months ago

Hi,

This is because the EC2 instance is assigned two ENIs.

The first ENI is the dynamic one, which is renewed every time an instance is created; it is the one to which an ephemeral public IP is assigned, which is used to execute subsequent AWS API requests (e.g. self-assigning a static EIP if configured), and it serves as the outbound interface.

The second ENI is the static one; it is created once by the Terraform module and is self-assigned by the instance upon boot. To be able to NAT traffic, the route table needs to be configured to direct traffic to your NAT instance, which in this case is the static ENI. Instead of updating the route table every time an instance is created, which would be cumbersome, a static ENI is created on which the route table has the 0.0.0.0 route. This way, when your NAT instance is recreated, only the ENI has to be switched from one machine to another to redirect the traffic to be NATted from the terminated instance to the new one.
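
The two-ENI layout described in the answer above, as an added illustration that is not the fck-nat module's own code: a static ENI that the private route table's default route points at, and an instance whose role is allowed to attach only that ENI and which attaches it at boot. The variable names, the `example-nat` names, the AMI variable and the use of the AWS CLI in user data are assumptions; the fck-nat AMI is assumed to bring up the second interface and do the actual masquerading itself.

```hcl
# Added example, not the module's code. Inputs are assumed to exist elsewhere.
variable "vpc_id"                 { type = string }
variable "public_subnet_id"       { type = string }
variable "private_route_table_id" { type = string }
variable "nat_ami_id"             { type = string } # assumed: a NAT-capable AMI
variable "instance_type"          { type = string  default = "t4g.nano" }

# Static ENI: created once, outlives any single instance, and is the only
# thing the private route table ever references. Source/dest check must be
# off on any interface that forwards traffic it does not own.
resource "aws_network_interface" "nat_static" {
  subnet_id         = var.public_subnet_id
  source_dest_check = false
  tags              = { Name = "example-nat-static" }
}

# Default route of the private subnets points at the static ENI, never at
# an instance ID, so instance replacement does not touch the route table.
resource "aws_route" "private_default" {
  route_table_id         = var.private_route_table_id
  destination_cidr_block = "0.0.0.0/0"
  network_interface_id   = aws_network_interface.nat_static.id
}

# Least-privilege role: the instance may attach this one ENI and nothing else.
data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "attach_static_eni" {
  statement {
    actions   = ["ec2:AttachNetworkInterface"]
    resources = [
      aws_network_interface.nat_static.arn,
      "arn:aws:ec2:*:*:instance/*",
    ]
  }
}

resource "aws_iam_role" "nat" {
  name               = "example-nat"
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

resource "aws_iam_role_policy" "nat" {
  role   = aws_iam_role.nat.id
  policy = data.aws_iam_policy_document.attach_static_eni.json
}

resource "aws_iam_instance_profile" "nat" {
  name = "example-nat"
  role = aws_iam_role.nat.name
}

# The instance: its primary (dynamic) ENI gets the ephemeral public IP and is
# used for the API call below; the static ENI is attached as device index 1.
resource "aws_instance" "nat" {
  ami                  = var.nat_ami_id
  instance_type        = var.instance_type
  subnet_id            = var.public_subnet_id
  source_dest_check    = false
  iam_instance_profile = aws_iam_instance_profile.nat.name

  metadata_options {
    http_tokens = "required" # IMDSv2 only
  }

  # Self-attach the static ENI on boot (assumes the AWS CLI is on the AMI).
  user_data = <<-EOT
    #!/bin/bash
    set -euo pipefail
    TOKEN=$(curl -sS -X PUT http://169.254.169.254/latest/api/token \
      -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
    IID=$(curl -sS -H "X-aws-ec2-metadata-token: $TOKEN" \
      http://169.254.169.254/latest/meta-data/instance-id)
    REGION=$(curl -sS -H "X-aws-ec2-metadata-token: $TOKEN" \
      http://169.254.169.254/latest/meta-data/placement/region)
    aws ec2 attach-network-interface --region "$REGION" \
      --instance-id "$IID" \
      --network-interface-id ${aws_network_interface.nat_static.id} \
      --device-index 1
  EOT
}
```

After `terraform apply` the instance shows two private IPv4 addresses, one per ENI, exactly as in the screenshot in the question. When the instance is replaced, the static ENI detaches from the terminated machine and the new one re-runs the attach in its user data, so `aws_route.private_default` never changes. Scoping `ec2:AttachNetworkInterface` to the single ENI ARN is the check worth keeping: a NAT instance with broad ENI permissions could be pointed at other interfaces in the account if it were ever compromised.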

madtechsupport commented 5 months ago

Thanks, very helpful and cleared that up for me.

RaJiska commented 5 months ago

You're welcome :)