fix: support Amazon Linux 2023 for NAT instance (#81)

konokenj · web-flow · commit 0c41aa8ec194 · 2026-03-19T20:15:17.000+09:00
## Summary CDK's `NatInstanceProviderV2` uses the `route` command in its default user data, which requires the `net-tools` package. However, Amazon Linux 2023 (the default AMI for `NatInstanceProviderV2`) doesn't have `net-tools` pre-installed, causing NAT instances to fail silently. ## Problem The default user data in CDK contains: ```bash sudo /sbin/iptables -t nat -A POSTROUTING -o $(route | awk '/^default/{print $NF}') -j MASQUERADE ``` This fails on AL2023 because the `route` command is not available. ## Solution This change provides custom user data that uses `ip route` instead of `route` to determine the default network interface: ```bash IFACE=$(ip route show default | awk '{print $5}') /sbin/iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE ``` ## Reference - CDK source code: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-ec2/lib/nat.ts ## Testing - Deployed the stack with the fix and verified NAT instance works correctly - Application accessible via CloudFront (returns 307 redirect to sign-in page as expected)
diff --git a/cdk/lib/main-stack.ts b/cdk/lib/main-stack.ts
@@ -4,7 +4,7 @@ import { Construct } from 'constructs';
 import { AsyncJob } from './constructs/async-job';
 import { Auth } from './constructs/auth/';
 import { Database } from './constructs/database';
-import { InstanceClass, InstanceSize, InstanceType, NatProvider, Vpc } from 'aws-cdk-lib/aws-ec2';
+import { InstanceClass, InstanceSize, InstanceType, NatProvider, UserData, Vpc } from 'aws-cdk-lib/aws-ec2';
 import { HostedZone } from 'aws-cdk-lib/aws-route53';
 import { ICertificate } from 'aws-cdk-lib/aws-certificatemanager';
 import { Webapp } from './constructs/webapp';
@@ -56,12 +56,31 @@ export class MainStack extends Stack {
       autoDeleteObjects: true,
     });
 
+    // Custom user data for NAT instance to support Amazon Linux 2023.
+    // CDK's default user data uses `route` command which requires net-tools package,
+    // but AL2023 doesn't have net-tools pre-installed. We use `ip route` instead.
+    // Retry yum install to handle RPM lock conflicts during boot.
+    const natUserData = UserData.forLinux();
+    natUserData.addCommands(
+      // Retry yum install up to 5 times with 10 second intervals
+      'for i in {1..5}; do yum install iptables-services -y && break || sleep 10; done',
+      'systemctl enable iptables',
+      'systemctl start iptables',
+      'echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/custom-ip-forwarding.conf',
+      'sysctl -p /etc/sysctl.d/custom-ip-forwarding.conf',
+      "IFACE=$(ip route show default | awk '{print $5}')",
+      '/sbin/iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE',
+      '/sbin/iptables -F FORWARD',
+      'service iptables save',
+    );
+
     const vpc = new Vpc(this, `Vpc`, {
       ...(useNatInstance
         ? {
             natGatewayProvider: NatProvider.instanceV2({
               instanceType: InstanceType.of(InstanceClass.T4G, InstanceSize.NANO),
               associatePublicIpAddress: true,
+              userData: natUserData,
             }),
             natGateways: 1,
           }
diff --git a/cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit-without-domain.test.ts.snap b/cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit-without-domain.test.ts.snap
@@ -2712,14 +2712,15 @@ exports.handler = async function (event, context) {
         ],
         "UserData": {
           "Fn::Base64": "#!/bin/bash
-yum install iptables-services -y
+for i in {1..5}; do yum install iptables-services -y && break || sleep 10; done
 systemctl enable iptables
 systemctl start iptables
 echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/custom-ip-forwarding.conf
-sudo sysctl -p /etc/sysctl.d/custom-ip-forwarding.conf
-sudo /sbin/iptables -t nat -A POSTROUTING -o $(route | awk '/^default/{print $NF}') -j MASQUERADE
-sudo /sbin/iptables -F FORWARD
-sudo service iptables save",
+sysctl -p /etc/sysctl.d/custom-ip-forwarding.conf
+IFACE=$(ip route show default | awk '{print $5}')
+/sbin/iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
+/sbin/iptables -F FORWARD
+service iptables save",
         },
       },
       "Type": "AWS::EC2::Instance",
diff --git a/cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit.test.ts.snap b/cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit.test.ts.snap
@@ -2544,14 +2544,15 @@ exports[`Snapshot test 2`] = `
         ],
         "UserData": {
           "Fn::Base64": "#!/bin/bash
-yum install iptables-services -y
+for i in {1..5}; do yum install iptables-services -y && break || sleep 10; done
 systemctl enable iptables
 systemctl start iptables
 echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/custom-ip-forwarding.conf
-sudo sysctl -p /etc/sysctl.d/custom-ip-forwarding.conf
-sudo /sbin/iptables -t nat -A POSTROUTING -o $(route | awk '/^default/{print $NF}') -j MASQUERADE
-sudo /sbin/iptables -F FORWARD
-sudo service iptables save",
+sysctl -p /etc/sysctl.d/custom-ip-forwarding.conf
+IFACE=$(ip route show default | awk '{print $5}')
+/sbin/iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
+/sbin/iptables -F FORWARD
+service iptables save",
         },
       },
       "Type": "AWS::EC2::Instance",
