This repository was archived by the owner on Jul 20, 2024. It is now read-only.

Conversation


@seagyn seagyn commented Nov 2, 2023

Adds the ability to set the protocol for egress out of the NAT instance. The main driver for this is something like Tailscale which requires the ability to open an outbound UDP connection to get direct connectivity to other nodes.

It might be worth changing this to only have options for "tcp" or "all". Can't imagine a "udp" only NAT but maybe someone will want that.
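The PR description above talks about a protocol option for the NAT instance's egress rule. As an added illustration (not the PR's diff or the module's own code) of how such an option can be exposed safely, the Terraform fragment below assumes a module variable named `egress_protocol` and a security group resource named `aws_security_group.nat`; both names are assumptions, not taken from the module. It validates the value against the three options discussed ("tcp", "udp", "all") and maps "all" to the `-1` protocol that AWS uses for "all protocols", which also requires the port range to be 0-0 rather than 0-65535.

```hcl
# Assumed variable name: the module's real variable may differ.
variable "egress_protocol" {
  description = "Protocol allowed for NAT egress: tcp (default, most restrictive), udp, or all (TCP, UDP, ICMP, ...)."
  type        = string
  default     = "tcp"

  # Reject anything outside the agreed set so a typo cannot silently widen or break egress.
  validation {
    condition     = contains(["tcp", "udp", "all"], var.egress_protocol)
    error_message = "egress_protocol must be one of: tcp, udp, all."
  }
}

locals {
  egress_all = var.egress_protocol == "all"

  # AWS expresses "all protocols" as "-1"; the provider then requires from_port = to_port = 0.
  sg_protocol  = local.egress_all ? "-1" : var.egress_protocol
  sg_from_port = 0
  sg_to_port   = local.egress_all ? 0 : 65535
}

# Assumed resource name for the NAT instance's security group.
resource "aws_security_group_rule" "nat_egress" {
  security_group_id = aws_security_group.nat.id
  type              = "egress"
  protocol          = local.sg_protocol
  from_port         = local.sg_from_port
  to_port           = local.sg_to_port
  cidr_blocks       = ["0.0.0.0/0"]
  ipv6_cidr_blocks  = ["::/0"]
}
```

Keeping "tcp" as the default preserves the module's current behaviour for existing users; operators who need UDP or ICMP (the Tailscale case above) opt in explicitly, and the validation block makes the widening visible at plan time.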

@hostmaster

It would be a very useful feature because tcp seems very restrictive. I believe all would be preferred in the vast majority of use cases. I run into the same issue, we need UDP and ICMP.

There is a duplicate PR about the same problem, #56. It's not merged yet.


seagyn commented Nov 9, 2023

@hostmaster after doing this PR we realised there is an output for the SG id which you can use to create a security group rule to open the SG up further.

@hostmaster

@seagyn thank you for sharing. I would prefer an egress rule properly configured in the first place.


seagyn commented Nov 9, 2023

@hostmaster us too but at least this can unblock it (also only a single extra resource in TF).

@morganrowse

For reference, add this below the module:

# Egress rule attached to the NAT instance's security group via the module's sg_id output.
resource "aws_security_group_rule" "udp_out" {
  security_group_id = module.nat.sg_id
  from_port         = 0
  to_port           = 0
  protocol          = "-1"   # "-1" means all protocols (TCP, UDP, ICMP, ...), not only UDP
  type              = "egress"
  cidr_blocks       = ["0.0.0.0/0"]
  ipv6_cidr_blocks  = ["::/0"]
}
