amazon-ssm-agent VS fck-nat

Don't overlook SSM <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/session-...> which doesn't require sshd nor public access to get onto a machine and one can opt in to a bunch of audit logging if that's your jam. It's just a small bonus that one can also hop onto an instance from the AWS Console when using SSM, since it is websocket based and not "ssh from the browser"

The agent is Apache 2 if one wanted to build, enhance, or audit what it does: https://github.com/aws/amazon-ssm-agent#readme as is the local binary that awscli uses for the websocket handshaking: https://github.com/aws/session-manager-plugin#readme

There’s no toggle for it as RunShellScript is hard coded to use the sh shell in the agent source code. However you can modify your script to check if it’s running bash and if it’s not then re-execute with bash. See this feature request for a shell toggle, with example code. https://github.com/aws/amazon-ssm-agent/issues/46

Java tends to be the default language outside of specific use cases where other languages fit better, e.g. on-host agents like the SSM agent will be written in something like Go because it's compiled and hence easier to distribute. But server code typically is Java.

... ... Ping ECS Agent registered successfully! Container instance arn: "arn:aws:ecs:eu-west-1:704533066374:container-instance/ecs-anywhere-ec2-mydcecsclusterBB109425-r7l2mKClssuV/8dfb8700d9a1460dad403a321db6b5b9" You can check your ECS cluster here https://console.aws.amazon.com/ecs/home?region=eu-west-1#/clusters/ecs-anywhere-ec2-mydcecsclusterBB109425-r7l2mKClssuV # ok ########################## ########################## This script installed three open source packages that all use Apache License 2.0. You can view their license information here: - ECS Agent https://github.com/aws/amazon-ecs-agent/blob/master/LICENSE - SSM Agent https://github.com/aws/amazon-ssm-agent/blob/master/LICENSE - Docker engine https://github.com/moby/moby/blob/master/LICENSE ##########################

https://github.com/AndrewGuenther/fck-nat/blob/main/service/... this is the bit you need to understand.

You've got the gist of it, but you probably want to read about NAT and iptables.

The source destination check is important - but implementation specific here. Google Cloud does it like this - https://cloud.google.com/vpc/docs/using-routes#canipforward

This entire thread is about the additional costs imposed on a publicly accessible IP[1].

Granted, there are other (but similarly expensive) workarounds such as NAT gateways[2] for outbound connectivity or the cheaper NAT instance method which AWS doesn't support any more, but there are alternatives[3]. However, for use cases requiring inbound connectivity such as setting up websites on EC2 instances, or using an ELB which need internet access, these charges definitely rack up.

[1] https://aws.amazon.com/blogs/aws/new-aws-public-ipv4-address...

[2] https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gat...

[3] https://fck-nat.dev

Weird, I was just looking into this yesterday and found https://fck-nat.dev/

If you find yourself needing NAT Gateway after all, I recommend https://fck-nat.dev/ - the name speaks for itself. If you use CDK, using it in place of managed NAT Gateway is dead simple.

There are tradeoffs for using a managed NAT Gateway that are usually not considered. It's sort of a roller coaster, but the introduction for the fck-nat project goes in to the most obvious tradeoffs

May I suggest https://fck-nat.dev/ ?

For those unaware: https://fck-nat.dev/

I maintain a NAT instance AMI that works on both ARM and x86: https://fck-nat.dev/