Routing through a NAT instance using Terraform
To set up routing through a NAT instance using Terraform:
- Complete the Getting started steps.
- Create an infrastructure.
- Test the NAT instance.
- If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page to create or select the folder in which the resources will be created (its ID goes into nat-instance.auto.tfvars below).
Learn more about clouds and folders.
Required paid resources
The cost of supporting a NAT instance includes:
- Fee for continuously running VMs (see Yandex Compute Cloud pricing).
- Fee for using a dynamic or static external IP address (see Yandex Virtual Private Cloud pricing).
Create an infrastructure
For more information about the provider resources, see the Yandex Cloud provider documentation for Terraform.
If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed and what should be added or removed.
To create an infrastructure using Terraform:
- Install Terraform, get the authentication credentials, and specify the source for installing the Yandex Cloud provider (see Configure a provider, step 1).
- Prepare a file with the infrastructure description, either from the ready-made configuration or manually.
  Ready-made configuration:
  - Clone the repository with configuration files:
    git clone https://github.com/yandex-cloud-examples/yc-compute-nat-instance.git
  - Go to the directory with the repository. Make sure it contains the following files:
    nat-instance.tf: New infrastructure configuration.
    nat-instance.auto.tfvars: User data.
  Manually:
  - Create a folder for the file with the infrastructure description.
  - In the directory, create a configuration file named nat-instance.tf:
    # Declaring variables for user-defined parameters
    variable "folder_id" {
      type = string
    }

    variable "vm_user" {
      type = string
    }

    variable "vm_user_nat" {
      type = string
    }

    variable "ssh_key_path" {
      type = string
    }

    # Adding other variables
    locals {
      network_name     = "my-vpc"
      subnet_name1     = "public-subnet"
      subnet_name2     = "private-subnet"
      sg_nat_name      = "nat-instance-sg"
      vm_test_name     = "test-vm"
      vm_nat_name      = "nat-instance"
      route_table_name = "nat-instance-route"
    }

    # Provider configuration
    terraform {
      required_providers {
        yandex = {
          source  = "yandex-cloud/yandex"
          version = ">= 0.47.0"
        }
      }
    }

    provider "yandex" {
      folder_id = var.folder_id
    }

    # Creating a cloud network
    resource "yandex_vpc_network" "my-vpc" {
      name = local.network_name
    }

    # Creating subnets
    # The public subnet hosts the NAT instance. The private subnet is bound to the route table
    # declared at the end of the file, so its default route (0.0.0.0/0) points at the NAT instance.
    resource "yandex_vpc_subnet" "public-subnet" {
      name           = local.subnet_name1
      zone           = "ru-central1-a"
      network_id     = yandex_vpc_network.my-vpc.id
      v4_cidr_blocks = ["192.168.1.0/24"]
    }

    resource "yandex_vpc_subnet" "private-subnet" {
      name           = local.subnet_name2
      zone           = "ru-central1-a"
      network_id     = yandex_vpc_network.my-vpc.id
      v4_cidr_blocks = ["192.168.2.0/24"]
      route_table_id = yandex_vpc_route_table.nat-instance-route.id
    }

    # Creating a security group
    # One group is attached to both VMs. SSH, HTTP and HTTPS are accepted from any source
    # (0.0.0.0/0). Restrict port 22 to the addresses you administer from before using this
    # configuration outside a test environment.
    resource "yandex_vpc_security_group" "nat-instance-sg" {
      name       = local.sg_nat_name
      network_id = yandex_vpc_network.my-vpc.id

      egress {
        protocol       = "ANY"
        description    = "any"
        v4_cidr_blocks = ["0.0.0.0/0"]
      }

      ingress {
        protocol       = "TCP"
        description    = "ssh"
        v4_cidr_blocks = ["0.0.0.0/0"]
        port           = 22
      }

      ingress {
        protocol       = "TCP"
        description    = "ext-http"
        v4_cidr_blocks = ["0.0.0.0/0"]
        port           = 80
      }

      ingress {
        protocol       = "TCP"
        description    = "ext-https"
        v4_cidr_blocks = ["0.0.0.0/0"]
        port           = 443
      }
    }

    # Adding ready-to-use VM images
    resource "yandex_compute_image" "ubuntu-1804-lts" {
      source_family = "ubuntu-1804-lts"
    }

    resource "yandex_compute_image" "nat-instance-ubuntu" {
      source_family = "nat-instance-ubuntu"
    }

    # Creating boot disks
    resource "yandex_compute_disk" "boot-disk-ubuntu" {
      name     = "boot-disk-ubuntu"
      type     = "network-hdd"
      zone     = "ru-central1-a"
      size     = "20"
      image_id = yandex_compute_image.ubuntu-1804-lts.id
    }

    resource "yandex_compute_disk" "boot-disk-nat" {
      name     = "boot-disk-nat"
      type     = "network-hdd"
      zone     = "ru-central1-a"
      size     = "20"
      image_id = yandex_compute_image.nat-instance-ubuntu.id
    }

    # Creating a VM in the private subnet (it has no public address of its own)
    resource "yandex_compute_instance" "test-vm" {
      name        = local.vm_test_name
      platform_id = "standard-v3"
      zone        = "ru-central1-a"

      resources {
        core_fraction = 20
        cores         = 2
        memory        = 2
      }

      boot_disk {
        disk_id = yandex_compute_disk.boot-disk-ubuntu.id
      }

      network_interface {
        subnet_id          = yandex_vpc_subnet.private-subnet.id
        security_group_ids = [yandex_vpc_security_group.nat-instance-sg.id]
      }

      # cloud-init creates a user with passwordless sudo and installs the public key from ssh_key_path.
      # The YAML indentation inside the string matters: list items must be nested under "users:".
      metadata = {
        user-data = "#cloud-config\nusers:\n  - name: ${var.vm_user}\n    groups: sudo\n    shell: /bin/bash\n    sudo: 'ALL=(ALL) NOPASSWD:ALL'\n    ssh-authorized-keys:\n      - ${file("${var.ssh_key_path}")}"
      }
    }

    # Creating a NAT instance in the public subnet; nat = true assigns it a public IP address
    resource "yandex_compute_instance" "nat-instance" {
      name        = local.vm_nat_name
      platform_id = "standard-v3"
      zone        = "ru-central1-a"

      resources {
        core_fraction = 20
        cores         = 2
        memory        = 2
      }

      boot_disk {
        disk_id = yandex_compute_disk.boot-disk-nat.id
      }

      network_interface {
        subnet_id          = yandex_vpc_subnet.public-subnet.id
        security_group_ids = [yandex_vpc_security_group.nat-instance-sg.id]
        nat                = true
      }

      metadata = {
        user-data = "#cloud-config\nusers:\n  - name: ${var.vm_user_nat}\n    groups: sudo\n    shell: /bin/bash\n    sudo: 'ALL=(ALL) NOPASSWD:ALL'\n    ssh-authorized-keys:\n      - ${file("${var.ssh_key_path}")}"
      }
    }

    # Creating a route table with a static default route via the internal address of the NAT instance
    resource "yandex_vpc_route_table" "nat-instance-route" {
      name       = local.route_table_name
      network_id = yandex_vpc_network.my-vpc.id

      static_route {
        destination_prefix = "0.0.0.0/0"
        next_hop_address   = yandex_compute_instance.nat-instance.network_interface.0.ip_address
      }
    }
  - In the directory, create a user data file named nat-instance.auto.tfvars:
    folder_id    = "<folder_ID>"
    vm_user      = "<VM_username>"
    vm_user_nat  = "<NAT_instance_username>"
    ssh_key_path = "<path_to_public_SSH_key>"
  For more information about the parameters of the resources used in this configuration, see the provider documentation for yandex_vpc_network, yandex_vpc_subnet, yandex_vpc_security_group, yandex_compute_image, yandex_compute_disk, yandex_compute_instance and yandex_vpc_route_table.
- In the nat-instance.auto.tfvars file, set the following user-defined parameters:
  folder_id: Folder ID.
  vm_user: VM username.
  vm_user_nat: NAT instance username.
  ssh_key_path: Path to the file with a public SSH key to authenticate the user on the VM. For more information, see Creating an SSH key pair. The same key is installed for a user with passwordless sudo on both the test VM and the NAT instance, so protect the matching private key accordingly.
- Create resources:
  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:
    terraform validate
    If the configuration is correct, the following message is returned:
    Success! The configuration is valid.
  - Run the command:
    terraform plan
    The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
  - Apply the configuration changes:
    terraform apply
  - Confirm the changes: type yes in the terminal and press Enter.
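The security group in nat-instance.tf is shared by both VMs and accepts SSH from 0.0.0.0/0, so once the infrastructure is up the NAT instance is reachable on port 22 from anywhere on the internet and the test VM accepts SSH from any address inside the cloud network. The same ingress rules also decide what the NAT instance will forward, because packets from the private subnet arrive on its interface as ingress traffic; with the rules as written only TCP to ports 22, 80 and 443 gets through. The following tightened replacement for that part of nat-instance.tf is an added example, not code from the tutorial or from the yc-compute-nat-instance repository. It assumes the rest of nat-instance.tf is unchanged; the variable admin_cidr, the security group test-vm-sg and the two output names are chosen for this example.

```hcl
# Added example: hardened security groups and outputs for nat-instance.tf.
# Not part of the original tutorial; admin_cidr, test-vm-sg and the output names are hypothetical.

# Source network allowed to administer the NAT instance over SSH (set it in nat-instance.auto.tfvars).
variable "admin_cidr" {
  type        = string
  description = "CIDR block allowed to reach the NAT instance on TCP 22, for example 203.0.113.10/32"
}

# Replaces the nat-instance-sg resource from the tutorial.
resource "yandex_vpc_security_group" "nat-instance-sg" {
  name       = local.sg_nat_name
  network_id = yandex_vpc_network.my-vpc.id

  egress {
    protocol       = "ANY"
    description    = "any"
    v4_cidr_blocks = ["0.0.0.0/0"]
  }

  # Weak setting in the tutorial: v4_cidr_blocks = ["0.0.0.0/0"] on port 22.
  ingress {
    protocol       = "TCP"
    description    = "ssh-from-admin-network"
    v4_cidr_blocks = [var.admin_cidr]
    port           = 22
  }

  # Traffic to be forwarded arrives from the private subnet: admit all of it from there
  # and nothing from the internet on 80/443. The tutorial opened 80/443 to 0.0.0.0/0,
  # which exposed those ports publicly and capped forwarding at TCP 22/80/443.
  ingress {
    protocol       = "ANY"
    description    = "forward-from-private-subnet"
    v4_cidr_blocks = yandex_vpc_subnet.private-subnet.v4_cidr_blocks
  }
}

# A separate group for the test VM: SSH only from members of the NAT instance's group,
# that is, only through the jump host. Point security_group_ids on test-vm at this group.
resource "yandex_vpc_security_group" "test-vm-sg" {
  name       = "test-vm-sg"
  network_id = yandex_vpc_network.my-vpc.id

  egress {
    protocol       = "ANY"
    description    = "any"
    v4_cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    protocol          = "TCP"
    description       = "ssh-via-nat-instance"
    security_group_id = yandex_vpc_security_group.nat-instance-sg.id
    port              = 22
  }
}

# Outputs so the test step does not need values copied from the console.
output "nat_instance_public_ip" {
  description = "Public IP of the NAT instance: the SSH jump host and the address ifconfig.co should report"
  value       = yandex_compute_instance.nat-instance.network_interface.0.nat_ip_address
}

output "test_vm_internal_ip" {
  description = "Internal IP of the test VM in the private subnet"
  value       = yandex_compute_instance.test-vm.network_interface.0.ip_address
}
```

After terraform apply, the test step can take its addresses from the state instead of the console:
ssh -J <NAT_instance_username>@$(terraform output -raw nat_instance_public_ip) <VM_username>@$(terraform output -raw test_vm_internal_ip) curl ifconfig.co
The printed address should equal terraform output -raw nat_instance_public_ip. Because security groups are stateful, the egress rules alone cover the return path of forwarded connections; the ingress rule from the private subnet is what admits the outbound packets in the first place.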
Test the NAT instance
- Connect to the VM via its private IP address, using the NAT instance as a jump host:
  ssh -J <NAT_instance_username>@<NAT_instance_public_IP_address> \
      <VM_user_name>@<VM_internal_IP_address>
  You can also connect to the test VM using standard input/output redirection (the -W flag) to forward the connection through the NAT instance:
  ssh -o ProxyCommand="ssh -i <NAT_key_file_path/name> -W %h:%p <NAT_username>@<NAT_public_IP_address>" \
      -i <VM_key_file_path/name> <VM_user_name>@<VM_internal_IP_address>
  Use this form in the following cases:
  - The OpenSSH client on your machine is older than 7.3, the version that introduced the -J (ProxyJump) option.
  - Your SSH keys are stored outside the default directory or have non-standard names.
- Type yes to accept the host key of the NAT instance and yes again to accept the host key of the test VM.
  Note
  When you type yes, the input may not be echoed in the terminal, but it is still accepted. The accepted host keys are saved in ~/.ssh/known_hosts, so you will not be prompted again unless a key changes.
- Make sure the test VM reaches the internet via the public IP address of the NAT instance. On the test VM, run this command:
  curl ifconfig.co
  If it returns the public IP address of the NAT instance, the configuration is correct.
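Both connection forms above require retyping the NAT instance address, user and key on every call. The ~/.ssh/config fragment below, added here as an example rather than taken from the tutorial, moves those values into the client configuration: ProxyJump does what -J does, and IdentityFile covers the non-standard key case that the ProxyCommand form exists for. The host aliases and key paths are placeholders; the tutorial installs the single public key from ssh_key_path on both VMs, so the same private key serves both Host entries.

```ssh_config
# ~/.ssh/config (added example; aliases, addresses and key paths are placeholders)
Host nat-instance
    HostName <NAT_instance_public_IP_address>
    User <NAT_instance_username>
    IdentityFile ~/.ssh/<private_key_matching_ssh_key_path>
    IdentitiesOnly yes

Host test-vm
    HostName <VM_internal_IP_address>
    User <VM_username>
    IdentityFile ~/.ssh/<private_key_matching_ssh_key_path>
    IdentitiesOnly yes
    ProxyJump nat-instance
```

With this in place, ssh test-vm curl ifconfig.co performs the check from the last step in one command. IdentitiesOnly keeps the client from offering every key loaded in the agent to the jump host. ProxyJump, like -J, needs an OpenSSH client of 7.3 or later; on an older client replace the last line with ProxyCommand ssh -W %h:%p nat-instance, which reuses the nat-instance entry above.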
How to delete the resources you created
To shut down the NAT instance and stop paying for the created resources:
- Open the nat-instance.tf configuration file and delete the description of the new infrastructure from it.
- Apply the changes:
  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:
    terraform validate
    If the configuration is correct, the following message is returned:
    Success! The configuration is valid.
  - Run the command:
    terraform plan
    The terminal will display the resources to be destroyed. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
  - Apply the configuration changes:
    terraform apply
  - Confirm the changes: type yes in the terminal and press Enter.
Alternatively, run terraform destroy in the same directory to remove every resource recorded in the state without editing the configuration file; it also asks you to confirm with yes.