@konokenj konokenj commented Feb 6, 2026

Summary

CDK's NatInstanceProviderV2 uses the route command in its default user data, which requires the net-tools package. However, Amazon Linux 2023 (the default AMI for NatInstanceProviderV2) doesn't have net-tools pre-installed, causing NAT instances to fail silently.

Problem

The default user data in CDK contains:

sudo /sbin/iptables -t nat -A POSTROUTING -o $(route | awk '/^default/{print $NF}') -j MASQUERADE

This fails on AL2023 because the route command is not available.

Solution

This change provides custom user data that uses ip route instead of route to determine the default network interface:

IFACE=$(ip route show default | awk '{print $5}')
/sbin/iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE

Reference

Testing

  • Deployed the stack with the fix and verified NAT instance works correctly
  • Application accessible via CloudFront (returns 307 redirect to sign-in page as expected)
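The interface lookup from the Solution section, as an added example that is not part of this pull request: it finds the token after `dev` in `ip route show default` output instead of assuming a fixed field position, and makes the iptables step fail loudly (non-zero exit, message on stderr) when no interface is found, rather than silently adding a MASQUERADE rule with an empty `-o`. The sample route lines are constructed, not captured from a real instance.

```shell
# Resolve the default-route interface from `ip route show default` output.
# $1: the command output (one or more lines). Scans for the word after "dev"
# on the first "default" line, so it works whether the route is "via gateway"
# or a direct "default dev ..." entry and ignores trailing fields.
default_iface() {
  printf '%s\n' "$1" | awk '
    $1 == "default" {
      for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Build the MASQUERADE command for the resolved interface, or fail explicitly.
# Returning the command string (instead of running it) keeps this testable
# without root; on the instance you would eval or execute the result.
masquerade_cmd() {
  iface=$(default_iface "$1")
  if [ -z "$iface" ]; then
    echo "nat-setup: no default route interface found, refusing to continue" >&2
    return 1
  fi
  echo "/sbin/iptables -t nat -A POSTROUTING -o $iface -j MASQUERADE"
}

# Constructed sample outputs of `ip route show default` (not from a real host)
SAMPLE_VIA='default via 10.0.0.1 dev ens5 proto dhcp src 10.0.0.12 metric 512'
SAMPLE_LINK='default dev ens5 scope link'

# Stand-alone usage: on a live instance replace the sample with real output,
# e.g.  masquerade_cmd "$(ip route show default)"
masquerade_cmd "$SAMPLE_VIA"
```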

tmokmss commented Feb 6, 2026

Hi, the NatInstanceProviderV2 is intended to use AL2023, so if it does not work, it's a bug.

The instance uses Amazon Linux 2023 as the operating system.

Can you open an issue in the aws-cdk repo?

CDK's NatInstanceProviderV2 uses the `route` command in its default
user data, which requires the net-tools package. However, Amazon Linux
2023 (the default AMI for NatInstanceProviderV2) doesn't have net-tools
pre-installed, causing NAT instances to fail silently.

This change provides custom user data that uses `ip route` instead of
`route` to determine the default network interface, ensuring NAT
functionality works correctly on AL2023.

Reference: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-ec2/lib/nat.ts
@konokenj konokenj force-pushed the fix/nat-instance-al2023-support branch from f7c5f34 to e299a85 on February 7, 2026 01:09
konokenj commented Feb 7, 2026

Reported aws/aws-cdk#36912

tmokmss commented Feb 8, 2026

The route command is included in the net-tools package (source), which is installed by default on both the AL2023 standard AMI and Minimal AMI (AL2023 image comparison) (except the container image.)

I found another case that the initialization of NAT instance fails (which you also mentioned), and the PR is in review: aws/aws-cdk#36717
