Please change the documentation on AWS Actions Conditions EC2 for CreateNatGateway


In the documentation for EC2 for CreateNatGateway, it is mentioned that the natgateway and the subnet are required, but that the elastic-ip is optional. In reality, elastic-ip is also mandatory: when you don't add it, it will not work.

Can you please add a * behind elastic-ip, to save time for other people in the future?

===details===

This is the CloudFormation code:

```yaml
NATGatewayPublicWrite:
  Type: AWS::EC2::NatGateway
  Properties:
    ConnectivityType: public
    AllocationId: !GetAtt EIPNATGatewayPublicWrite.AllocationId
    SubnetId: !Ref PublicSubnetWrite
```

Relevant part of IAM permissions:

```yaml
- Sid: CreateNatGateway
  Effect: Allow
  Action:
    - ec2:CreateNatGateway
    - ec2:CreateTags
  Resource:
    - !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:natgateway/*"
    - !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/*"
```

When you don't add `- !Sub "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:elastic-ip/*"` to the resources, the CloudFormation code will fail.

Thx in advance,


1 Answer

An Elastic IP would be required for a public NAT gateway only; it's not required when you create a private NAT gateway, hence it's not mandatory.

A NAT gateway with the connectivity type set to private, a.k.a. a private NAT gateway, does not require an EIP, and you do not need to attach an internet gateway to your VPC, hence an Elastic IP wouldn't be required for a private NAT gateway.

In your case, an EIP is required, because you are creating a public NAT gateway.

Please refer for more details.


Hope this explanation helps.

Comment here if you have additional questions, happy to help.


AWS
Answered 10 months ago
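As an added example (not code from the thread or from AWS), here is a small checker that encodes the thread's conclusion: `ec2:CreateNatGateway` needs the `natgateway` and `subnet` resource types always, and `elastic-ip` only when `ConnectivityType` is `public`. The policy statement, region and account id are constructed to mirror the question and are not real.

```python
# Constructed sample: the IAM statement from the question, with a placeholder
# region and account id. Not a real policy.
STATEMENT_FROM_QUESTION = {
    "Sid": "CreateNatGateway",
    "Effect": "Allow",
    "Action": ["ec2:CreateNatGateway", "ec2:CreateTags"],
    "Resource": [
        "arn:aws:ec2:us-east-1:123456789012:natgateway/*",
        "arn:aws:ec2:us-east-1:123456789012:subnet/*",
    ],
}


def required_resource_types(connectivity_type: str) -> set:
    """Resource types ec2:CreateNatGateway must be allowed on, per the thread:
    natgateway and subnet always, elastic-ip only for a public NAT gateway."""
    types = {"natgateway", "subnet"}
    if connectivity_type == "public":
        types.add("elastic-ip")
    return types


def resource_type_of(arn: str) -> str:
    """Extract the EC2 resource type from an ARN of the form
    arn:partition:ec2:region:account:resource-type/resource-id.
    A bare '*' is returned unchanged and matches every type."""
    if arn == "*":
        return "*"
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "ec2":
        raise ValueError(f"not an EC2 ARN: {arn}")
    return parts[5].split("/", 1)[0]


def missing_resource_types(statement: dict, connectivity_type: str) -> list:
    """Return, sorted, the resource types the statement does not allow for a
    NAT gateway of the given connectivity type; empty means it is sufficient."""
    actions = statement.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    if statement.get("Effect") != "Allow" or "ec2:CreateNatGateway" not in actions:
        raise ValueError("statement does not allow ec2:CreateNatGateway")
    resources = statement.get("Resource", [])
    if isinstance(resources, str):
        resources = [resources]
    allowed = {resource_type_of(r) for r in resources}
    if "*" in allowed:  # Resource: "*" covers everything, but is not least privilege
        return []
    return sorted(required_resource_types(connectivity_type) - allowed)


if __name__ == "__main__":
    for ctype in ("public", "private"):
        print(ctype, "NAT gateway, missing:", missing_resource_types(STATEMENT_FROM_QUESTION, ctype))
```

Running it reports `['elastic-ip']` for a public gateway and nothing for a private one, which is exactly the failure the question describes.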
