int128 / terraform-aws-nat-instance

Terraform module to provision a NAT Instance using an Auto Scaling Group and Spot Instance from $1/month
https://registry.terraform.io/modules/int128/nat-instance/aws/
Apache License 2.0

feat: add variable for egress protocol #69

Open seagyn opened 10 months ago

seagyn commented 10 months ago

Adds the ability to set the protocol for egress out of the NAT instance. The main driver for this is something like Tailscale which requires the ability to open an outbound UDP connection to get direct connectivity to other nodes.

It might be worth changing this to only have options for "tcp" or "all". Can't imagine a "udp" only NAT but maybe someone will want that.

hostmaster commented 10 months ago

It would be a very useful feature because tcp seems very restrictive. I believe all would be preferred in the vast majority of use cases. I run into the same issue; we need UDP and ICMP.

There is a duplicated PR about the same problem https://github.com/int128/terraform-aws-nat-instance/pull/56 It's not merged yet.

seagyn commented 10 months ago

@hostmaster after doing this PR, we realised there is an output for the SG id which you can use to create a security group rule to open the SG up further.

hostmaster commented 10 months ago

@seagyn thank you for sharing. I would prefer an egress rule properly configured in the first place.

seagyn commented 10 months ago

@hostmaster us too but at least this can unblock it (also only a single extra resource in TF).

morganrowse commented 10 months ago

For reference, add this below the module:

# Extra egress rule on the module's security group (module.nat.sg_id).
# protocol "-1" means all protocols; with it, from_port/to_port 0 cover all ports,
# so despite the name this opens every outbound protocol, not just UDP.
resource "aws_security_group_rule" "udp_out" {
  security_group_id = module.nat.sg_id
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  type              = "egress"
  cidr_blocks       = ["0.0.0.0/0"]
  ipv6_cidr_blocks  = ["::/0"]
}
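For the Tailscale use case raised at the top of the thread, a narrower alternative to the all-protocols rule above is to add only the protocols actually needed (UDP for WireGuard and STUN, plus ICMP) on top of the module's existing TCP egress. The following is an added example, not code from the PR or from the module itself; the module input names (name, vpc_id, public_subnet, private_subnets_cidr_blocks, private_route_table_ids) and the var.* references are assumptions, while the sg_id output is the one referenced in the thread.

```hcl
# Added example; not part of this PR or the module.
# Assumed module inputs; only module.nat.sg_id is taken from the discussion above.
module "nat" {
  source = "int128/nat-instance/aws"

  name                        = "nat-example"
  vpc_id                      = var.vpc_id
  public_subnet               = var.public_subnet_id
  private_subnets_cidr_blocks = var.private_subnet_cidr_blocks
  private_route_table_ids     = var.private_route_table_ids
}

# Outbound UDP on all ports. Tailscale peers may listen on arbitrary UDP ports
# (41641 is only the default), so direct connectivity needs the full port range.
resource "aws_security_group_rule" "nat_udp_out" {
  security_group_id = module.nat.sg_id
  type              = "egress"
  protocol          = "udp"
  from_port         = 0
  to_port           = 65535
  cidr_blocks       = ["0.0.0.0/0"]
  ipv6_cidr_blocks  = ["::/0"]
}

# Outbound ICMP (path MTU discovery, ping). For protocol "icmp", from_port is the
# ICMP type and to_port the ICMP code; -1 means all types/codes.
resource "aws_security_group_rule" "nat_icmp_out" {
  security_group_id = module.nat.sg_id
  type              = "egress"
  protocol          = "icmp"
  from_port         = -1
  to_port           = -1
  cidr_blocks       = ["0.0.0.0/0"]
}
```

Security group rules are stateful, so only the egress side needs opening; reply packets for the NAT'd private hosts are allowed back automatically. Run `terraform plan` after adding these and confirm the only changes are the two new rules on the module's security group; if the plan also touches the module's own egress rule, the rule names or ports collide with what the module already manages.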