Please change the documentation on AWS Actions Conditions EC2 for CreateNatGateway


In the documentation for EC2 for CreateNatGateway, it is mentioned that the natgateway and the subnet are required, but that the elastic-ip is optional. In reality, elastic-ip is also mandatory: when you don't add it, it will not work.

Can you please add a * behind elastic-ip, to save time for other people in the future?

=== details ===

This is the CloudFormation code:

    NATGatewayPublicWrite:
      Type: AWS::EC2::NatGateway
      Properties:
        ConnectivityType: public
        AllocationId: !GetAtt EIPNATGatewayPublicWrite.AllocationId
        SubnetId: !Ref PublicSubnetWrite

Relevant part of the IAM permissions:

    - Sid: CreateNatGateway
      Effect: Allow
      Action:
        - ec2:CreateNatGateway
        - ec2:CreateTags
      Resource:
        - !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:natgateway/*"
        - !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/*"

When you don't add `!Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:elastic-ip/*"` to the resources, the CloudFormation stack will fail.

Thanks in advance,


1 Answer

An Elastic IP would be required for a public NAT gateway only; it's not required when you create a private NAT gateway, hence it's not mandatory.

A NAT gateway with connectivity type set to private, a.k.a. a private NAT gateway, does not require an EIP, and you do not need to attach an internet gateway to your VPC, hence an Elastic IP wouldn't be required for a private NAT gateway.

In your case, an EIP is required, because you are creating a public NAT gateway.

Please refer for more details.


Hope this explanation helps.

Comment here if you have additional questions, happy to help.


AWS
answered 9 months ago
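The practical takeaway from the thread is that the resource ARNs an ec2:CreateNatGateway statement needs depend on the NAT gateway's ConnectivityType: a public gateway consumes an Elastic IP, so the statement must also cover elastic-ip ARNs, while a private gateway needs only natgateway and subnet. The following Python is an added example, not code from the question, the answer or AWS: it encodes that rule and checks a policy document before deployment, so the failure the asker hit shows up as a missing "elastic-ip" entry instead of a failed stack. The partition, region and account ID (111122223333, the AWS documentation placeholder) are assumed values, and the policy dictionary is reconstructed from the snippet in the question.

```python
"""Check an IAM policy for ec2:CreateNatGateway against the NAT gateway
being created (added example; encodes the rule from the thread above)."""

import copy
import json
from fnmatch import fnmatch

# Resource types (the ARN resource segment) ec2:CreateNatGateway needs,
# keyed by the CloudFormation ConnectivityType.  Assumption taken from the
# thread: elastic-ip is required only for public NAT gateways.
REQUIRED_RESOURCE_TYPES = {
    "public": {"natgateway", "subnet", "elastic-ip"},
    "private": {"natgateway", "subnet"},
}
ALL_TYPES = set().union(*REQUIRED_RESOURCE_TYPES.values())


def ec2_arn(partition, region, account, resource_type, resource_id="*"):
    """Build an EC2 resource ARN, e.g. arn:aws:ec2:eu-west-1:111122223333:elastic-ip/*."""
    return f"arn:{partition}:ec2:{region}:{account}:{resource_type}/{resource_id}"


def arn_resource_type(arn):
    """Return the resource-type segment of an EC2 ARN ('elastic-ip' for
    '...:elastic-ip/*'), '*' for a bare wildcard, or None for non-EC2 ARNs."""
    if arn == "*":
        return "*"
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "ec2":
        return None
    return parts[5].split("/", 1)[0]


def covered_types(statement):
    """Resource types this statement grants for ec2:CreateNatGateway.
    Only Allow statements whose Action matches the call are considered;
    Deny handling and Condition keys are deliberately out of scope here."""
    if statement.get("Effect") != "Allow":
        return set()
    actions = statement.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    if not any(fnmatch("ec2:CreateNatGateway", a) for a in actions):
        return set()
    resources = statement.get("Resource", [])
    resources = [resources] if isinstance(resources, str) else resources
    types = {t for t in map(arn_resource_type, resources) if t}
    return set(ALL_TYPES) if "*" in types else types & ALL_TYPES


def missing_resource_types(policy, connectivity_type):
    """Resource types the NAT gateway needs that no statement in the policy grants."""
    have = set()
    for stmt in policy.get("Statement", []):
        have |= covered_types(stmt)
    return REQUIRED_RESOURCE_TYPES[connectivity_type] - have


def minimal_statement(connectivity_type, partition, region, account):
    """Least-privilege Allow statement for creating a NAT gateway of the given type."""
    return {
        "Sid": "CreateNatGateway",
        "Effect": "Allow",
        "Action": ["ec2:CreateNatGateway", "ec2:CreateTags"],
        "Resource": sorted(
            ec2_arn(partition, region, account, t)
            for t in REQUIRED_RESOURCE_TYPES[connectivity_type]
        ),
    }


# Policy reconstructed from the question, with placeholder partition/region/account.
POLICY_FROM_QUESTION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CreateNatGateway",
        "Effect": "Allow",
        "Action": ["ec2:CreateNatGateway", "ec2:CreateTags"],
        "Resource": [
            ec2_arn("aws", "eu-west-1", "111122223333", "natgateway"),
            ec2_arn("aws", "eu-west-1", "111122223333", "subnet"),
        ],
    }],
}


def fixed_policy(policy, partition, region, account):
    """Copy of the policy with the elastic-ip ARN added to the CreateNatGateway statement."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if "ec2:CreateNatGateway" in stmt.get("Action", []):
            stmt["Resource"].append(ec2_arn(partition, region, account, "elastic-ip"))
    return fixed


if __name__ == "__main__":
    for ctype in ("public", "private"):
        print(ctype, "missing:", missing_resource_types(POLICY_FROM_QUESTION, ctype))
    print(json.dumps(minimal_statement("public", "aws", "eu-west-1", "111122223333"), indent=2))
```

Run against the question's policy, the check reports `elastic-ip` as missing for a public gateway and nothing for a private one; adding the elastic-ip ARN (or using `minimal_statement("public", ...)`) clears it. The matcher looks only at the ARN resource-type segment, so region, account and ID wildcards in the ARN do not affect the result, and it does not evaluate Deny statements or Condition keys.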
