Routing through a NAT instance using Terraform

To set up routing through a NAT instance using Terraform:

1. Prepare your cloud.
2. Create an infrastructure.
3. Test the NAT instance.

If you no longer need the resources you created, delete them.

Getting startedGetting started

Sign up for Yandex Cloud and create a billing account:

1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resourcesRequired paid resources

The cost of NAT instance support includes:

• Fee for continuously running VMs (see Yandex Compute Cloud pricing).
• Fee for using a dynamic or static external IP address (see Yandex Virtual Private Cloud pricing).

Create an infrastructureCreate an infrastructure

Terraform allows you to quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. Configuration files store the infrastructure description in the HashiCorp Configuration Language (HCL). Terraform and its providers are distributed under the Business Source License.

For more information about the provider resources, see the documentation on the Terraform website or the mirror.

If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

To create an infrastructure using Terraform:

1. Install Terraform, get the authentication credentials, and specify the source for installing the Yandex Cloud provider (see Configure a provider, step 1).

2. Prepare a file with the infrastructure description:

   Ready-made configuration

   Manually

   1. Clone the repository with configuration files:

      git clone https://github.com/yandex-cloud-examples/yc-compute-nat-instance.git
      

   2. Go to the directory with the repository. Make sure it contains the following files:

      • nat-instance.tf: New infrastructure configuration.
      • nat-instance.auto.tfvars: User data.

   1. Create a folder for the file with the infrastructure description.

   2. In the directory, create a configuration file named nat-instance.tf:

      nat-instance.tf

      # Declaring variables for user-defined parameters
      
      variable "folder_id" {
        type = string
      }
      
      variable "vm_user" {
        type = string
      }
      
      variable "vm_user_nat" {
        type = string
      }
      
      variable "ssh_key_path" {
        type = string
      }
      
      # Adding other variables
      
      locals {
        network_name     = "my-vpc"
        subnet_name1     = "public-subnet"
        subnet_name2     = "private-subnet"
        sg_nat_name      = "nat-instance-sg"
        vm_test_name     = "test-vm"
        vm_nat_name      = "nat-instance"
        route_table_name = "nat-instance-route"
      }
      
      # Provider configuration
      
      terraform {
        required_providers {
          yandex = {
            source  = "yandex-cloud/yandex"
            version = ">= 0.47.0"
          }
        }
      }
      
      provider "yandex" {
        folder_id = var.folder_id
      }
      
      # Creating a cloud network
      
      resource "yandex_vpc_network" "my-vpc" {
        name = local.network_name
      }
      
      # Creating subnets
      
      resource "yandex_vpc_subnet" "public-subnet" {
        name           = local.subnet_name1
        zone           = "ru-central1-a"
        network_id     = yandex_vpc_network.my-vpc.id
        v4_cidr_blocks = ["192.168.1.0/24"]
      }
      
      resource "yandex_vpc_subnet" "private-subnet" {
        name           = local.subnet_name2
        zone           = "ru-central1-a"
        network_id     = yandex_vpc_network.my-vpc.id
        v4_cidr_blocks = ["192.168.2.0/24"]
        route_table_id = yandex_vpc_route_table.nat-instance-route.id
      }
      
      # Creating a security group
      
      resource "yandex_vpc_security_group" "nat-instance-sg" {
        name       = local.sg_nat_name
        network_id = yandex_vpc_network.my-vpc.id
      
        egress {
          protocol       = "ANY"
          description    = "any"
          v4_cidr_blocks = ["0.0.0.0/0"]
        }
      
        ingress {
          protocol       = "TCP"
          description    = "ssh"
          v4_cidr_blocks = ["0.0.0.0/0"]
          port           = 22
        }
      
        ingress {
          protocol       = "TCP"
          description    = "ext-http"
          v4_cidr_blocks = ["0.0.0.0/0"]
          port           = 80
        }
      
        ingress {
          protocol       = "TCP"
          description    = "ext-https"
          v4_cidr_blocks = ["0.0.0.0/0"]
          port           = 443
        }
      }
      
      # Adding a ready-to-use VM image
      
      resource "yandex_compute_image" "ubuntu-1804-lts" {
        source_family = "ubuntu-1804-lts"
      }
      
      resource "yandex_compute_image" "nat-instance-ubuntu" {
        source_family = "nat-instance-ubuntu"
      }
      
      # Creating boot disks
      
      resource "yandex_compute_disk" "boot-disk-ubuntu" {
        name     = "boot-disk-ubuntu"
        type     = "network-hdd"
        zone     = "ru-central1-a"
        size     = "20"
        image_id = yandex_compute_image.ubuntu-1804-lts.id
      }
      
      resource "yandex_compute_disk" "boot-disk-nat" {
        name     = "boot-disk-nat"
        type     = "network-hdd"
        zone     = "ru-central1-a"
        size     = "20"
        image_id = yandex_compute_image.nat-instance-ubuntu.id
      }
      
      # Creating a VM
      
      resource "yandex_compute_instance" "test-vm" {
        name        = local.vm_test_name
        platform_id = "standard-v3"
        zone        = "ru-central1-a"
      
        resources {
          core_fraction = 20
          cores         = 2
          memory        = 2
        }
      
        boot_disk {
          disk_id = yandex_compute_disk.boot-disk-ubuntu.id
        }
      
        network_interface {
          subnet_id          = yandex_vpc_subnet.private-subnet.id
          security_group_ids = [yandex_vpc_security_group.nat-instance-sg.id]
        }
      
        metadata = {
          user-data = "#cloud-config\nusers:\n  - name: ${var.vm_user}\n    groups: sudo\n    shell: /bin/bash\n    sudo: 'ALL=(ALL) NOPASSWD:ALL'\n    ssh-authorized-keys:\n      - ${file("${var.ssh_key_path}")}"
        }
      }
      
      # Creating a NAT instance
      
      resource "yandex_compute_instance" "nat-instance" {
        name        = local.vm_nat_name
        platform_id = "standard-v3"
        zone        = "ru-central1-a"
      
        resources {
          core_fraction = 20
          cores         = 2
          memory        = 2
        }
      
        boot_disk {
          disk_id = yandex_compute_disk.boot-disk-nat.id
        }
      
        network_interface {
          subnet_id          = yandex_vpc_subnet.public-subnet.id
          security_group_ids = [yandex_vpc_security_group.nat-instance-sg.id]
          nat                = true
        }
      
        metadata = {
          user-data = "#cloud-config\nusers:\n  - name: ${var.vm_user_nat}\n    groups: sudo\n    shell: /bin/bash\n    sudo: 'ALL=(ALL) NOPASSWD:ALL'\n    ssh-authorized-keys:\n      - ${file("${var.ssh_key_path}")}"
        }
      }
      
      # Creating a routing table and a static route
      
      resource "yandex_vpc_route_table" "nat-instance-route" {
        name       = "nat-instance-route"
        network_id = yandex_vpc_network.my-vpc.id
        static_route {
          destination_prefix = "0.0.0.0/0"
          next_hop_address   = yandex_compute_instance.nat-instance.network_interface.0.ip_address
        }
      }
      

   3. In the directory, create a user data file named nat-instance.auto.tfvars:

      nat-instance.auto.tfvars

      folder_id    = "<folder_ID>"
      vm_user      = "<VM_username>"
      vm_user_nat  = "<NAT_instance_username>"
      ssh_key_path = "<path_to_public_SSH_key>"
      

   For more information about the parameters of resources used in Terraform, see the provider documentation:

   • Network: yandex_vpc_network.
   • Subnets: yandex_vpc_subnet.
   • Security groups: yandex_vpc_security_group.
   • Image: yandex_compute_image.
   • Disk: yandex_compute_disk.
   • VM instance: yandex_compute_instance.
   • Route table: yandex_vpc_route_table.

3. In the nat-instance.auto.tfvars file, set the following user-defined parameters:

   • folder_id: Folder ID.
   • vm_user: VM username.
   • vm_user_nat: NAT instance username.
   • ssh_key_path: Path to the file with a public SSH key to authenticate the user on the VM. For more information, see Creating an SSH key pair.

4. Create resources:

   1. In the terminal, change to the folder where you edited the configuration file.

   2. Make sure the configuration file is correct using the command:

      terraform validate
      

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.
      

   3. Run the command:

      terraform plan
      

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

   4. Apply the configuration changes:

      terraform apply
      

   5. Confirm the changes: type yes in the terminal and press Enter.

Test the NAT instanceTest the NAT instance

1. Connect to the VM via a private IP address, using the NAT instance as a jump host:

   ssh -J <NAT_instance_username>@<NAT_instance_public_IP_address> \
     <VM_user_name>@<VM_internal_IP_address>
   

   You can also connect to the test VM using the standard input/output redirection (-W flag) to forward the connection through a NAT instance:

   ssh -o ProxyCommand="ssh -i <NAT_key_file_path/name> -W %h:%p <NAT_username>@<NAT_public_IP_address>" \
     -i <VM_key_file_path/name> <VM_user_name>@<VM_internal_IP_address>
   

   Use this command for connection in the following cases:

   • Your VM is running an OpenSSH version below 7.3.
   • Your SSH keys are stored outside the default directory or have non-standard names.

2. Type yes to connect to the NAT instance and re-enter yes to connect to the test VM.

   Note

   When you type yes, the command may not be displayed in the terminal, but it will run anyway.

3. Make sure the test VM is connected to the internet via the public IP address of the NAT instance. Run this command:

   curl ifconfig.co
   

   If it returns the public IP address of the NAT instance, the configuration is correct.

How to delete the resources you createdHow to delete the resources you created

To shut down the NAT instance and stop paying for the created resources:

1. Open the nat-instance.tf configuration file and delete the description of the new infrastructure from it.

2. Apply the changes:

   1. In the terminal, change to the folder where you edited the configuration file.

   2. Make sure the configuration file is correct using the command:

      terraform validate
      

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.
      

   3. Run the command:

      terraform plan
      

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

   4. Apply the configuration changes:

      terraform apply
      

   5. Confirm the changes: type yes in the terminal and press Enter.

See alsoSee also

• Routing through a NAT instance using the management console