Package software.amazon.awscdk.services.ec2

Interface NatInstanceProps

All Superinterfaces:
software.amazon.jsii.JsiiSerializable
All Known Implementing Classes:
NatInstanceProps.Jsii$Proxy
@Generated(value="jsii-pacmak/1.118.0 (build 02eec31)", date="2025-11-10T13:40:04.538Z") @Stability(Stable) public interface NatInstanceProps extends software.amazon.jsii.JsiiSerializable
Properties for a NAT instance.

Example: 

 InstanceType instanceType;
 NatInstanceProviderV2 provider = NatProvider.instanceV2(NatInstanceProps.builder()
         .instanceType(instanceType)
         .defaultAllowedTraffic(NatTrafficDirection.OUTBOUND_ONLY)
         .build());
 Vpc.Builder.create(this, "TheVPC")
         .natGatewayProvider(provider)
         .build();
 provider.connections.allowFrom(Peer.ipv4("1.2.3.4/8"), Port.HTTP);

  • Method Details

    • getInstanceType

      @Stability(Stable) @NotNull InstanceType getInstanceType()
      Instance type of the NAT instance.

    • getAssociatePublicIpAddress

      @Stability(Stable) @Nullable default Boolean getAssociatePublicIpAddress()
      Whether to associate a public IP address to the primary network interface attached to this instance.

      Default: undefined - No public IP address associated

    • getCreditSpecification

      @Stability(Stable) @Nullable default CpuCredits getCreditSpecification()
      Specifying the CPU credit type for burstable EC2 instance types (T2, T3, T3a, etc).

      The unlimited CPU credit option is not supported for T3 instances with dedicated host (host) tenancy.

      Default: - T2 instances are standard, while T3, T4g, and T3a instances are unlimited.

    • getDefaultAllowedTraffic

      @Stability(Stable) @Nullable default NatTrafficDirection getDefaultAllowedTraffic()
      Direction to allow all traffic through the NAT instance by default.

      By default, inbound and outbound traffic is allowed.

      If you set this to another value than INBOUND_AND_OUTBOUND, you must configure the NAT instance's security groups in another way, either by passing in a fully configured Security Group using the securityGroup property, or by configuring it using the .securityGroup or .connections members after passing the NAT Instance Provider to a Vpc.

      Default: NatTrafficDirection.INBOUND_AND_OUTBOUND

    • getKeyName

      @Stability(Deprecated) @Deprecated @Nullable default String getKeyName()
      Deprecated.
      • Use keyPair instead - https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2-readme.html#using-an-existing-ec2-key-pair
      (deprecated) Name of SSH keypair to grant access to instance.

      Default: - No SSH access will be possible.

    • getKeyPair

      @Stability(Stable) @Nullable default IKeyPair getKeyPair()
      The SSH keypair to grant access to the instance.

      Default: - No SSH access will be possible.

    • getMachineImage

      @Stability(Stable) @Nullable default IMachineImage getMachineImage()
      The machine image (AMI) to use.

      By default, will do an AMI lookup for the latest NAT instance image.

      If you have a specific AMI ID you want to use, pass a GenericLinuxImage. For example: 

       NatProvider.instance(NatInstanceProps.builder()
         .instanceType(new InstanceType("t3.micro"))
         .machineImage(new GenericLinuxImage(Map.of(
                 "us-east-2", "ami-0f9c61b5a562a16af")))
         .build());

      Default: - Latest NAT instance image

    • getSecurityGroup

      @Stability(Deprecated) @Deprecated @Nullable default ISecurityGroup getSecurityGroup()
      Deprecated.
      - Cannot create a new security group before the VPC is created, and cannot create the VPC without the NAT provider. Set
      invalid reference 
      defaultAllowedTraffic
      to
      invalid reference 
      NatTrafficDirection.NONE
      and use
      invalid reference 
      NatInstanceProviderV2.gatewayInstances
      to retrieve the instances on the fly and add security groups
      (deprecated) Security Group for NAT instances.

      Default: - A new security group will be created

      Example: 

       NatInstanceProviderV2 natGatewayProvider = NatProvider.instanceV2(NatInstanceProps.builder()
         .instanceType(new InstanceType("t3.small"))
         .defaultAllowedTraffic(NatTrafficDirection.NONE)
         .build());
 Vpc vpc = Vpc.Builder.create(this, "Vpc").natGatewayProvider(natGatewayProvider).build();
 SecurityGroup securityGroup = SecurityGroup.Builder.create(this, "SecurityGroup")
         .vpc(vpc)
         .allowAllOutbound(false)
         .build();
 securityGroup.addEgressRule(Peer.anyIpv4(), Port.tcp(443));
 for (Object gatewayInstance : natGatewayProvider.getGatewayInstances()) {
     gatewayInstance.addSecurityGroup(securityGroup);
 }

    • getUserData

      @Stability(Stable) @Nullable default UserData getUserData()
      Custom user data to run on the NAT instances.

      Default: UserData.forLinux().addCommands(...NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances

      See Also:

    • builder

      @Stability(Stable) static NatInstanceProps.Builder builder()
      Returns:
      a NatInstanceProps.Builder of NatInstanceProps