How to change an EC2 VPC NAT instance type

The default NAT instance that AWS creates when using the public/private VPC wizard is a slow and costly m1.small instance. This post shows how to change it.

Recently I've been preparing the SNAPCAM AWS environment for launch. One of the tasks on my todo list was to change the default VPC NAT instance for a better instance type.

When creating a simple public/private VPC using the VPC Wizard, AWS will create a NAT instance which instances in private subnets use to communicate with the public Internet. This default instance will be an m1.small instance which, as demonstrated in this article, is poor both in it's networking capability as well as it's bandwidth (MBps) cost.

A t2.small install provides adequate bandwidth for its price relative to our current needs. After a bit of trial and error, here's the final steps I performed for setting up this new NAT instance:

  1. First I created a new t2.small instance using ami-14913f63; this AMI is built by Amazon specifically for NAT boxes and is new enough to support the t2 instance types. I didn't associate an IAM role, SSH key pair or public IP address.
  2. When the instance had launched I disabled destination source checking on the instance.
  3. NAT traffic is routed through the network interface of the instance so I noted the new instance's eth0 identifier, for me this is eni-162a6660
  4. In the VPC control panel, I went to Route Tables on the left-hand menu, then selected the private route table.
  5. Under Routes, I altered the destination to target to the network interface identifier.
  6. The old NAT instance has an elastic IP address which I reassigned to my new NAT instance.
  7. Finally I rebooted all of the instances in the VPC's private subnets.

Image credit: