aws · mergify · Apr 11, 2024 · Apr 9, 2024 · Apr 9, 2024 · Apr 11, 2024
diff --git a/...69bcb2be4a49f9baf5cfc2f9c.bundle/index.js → ...bb52a347bc93fc308857eadec.bundle/index.js b/...69bcb2be4a49f9baf5cfc2f9c.bundle/index.js → ...bb52a347bc93fc308857eadec.bundle/index.js
diff --git a/.../integ.nat-instances-v2-custom.js.snapshot/aws-cdk-vpc-nat-instance-v2-custom.assets.json b/.../integ.nat-instances-v2-custom.js.snapshot/aws-cdk-vpc-nat-instance-v2-custom.assets.json
diff --git a/...nteg.nat-instances-v2-custom.js.snapshot/aws-cdk-vpc-nat-instance-v2-custom.template.json b/...nteg.nat-instances-v2-custom.js.snapshot/aws-cdk-vpc-nat-instance-v2-custom.template.json
@@ -350,6 +350,12 @@
        "MyVpcNatSecurityGroupAA76397E",
        "GroupId"
       ]
+     },
+     {
+      "Fn::GetAtt": [
+       "SecurityGroupDD263621",
+       "GroupId"
+      ]
      }
     ],
     "SourceDestCheck": false,
@@ -566,6 +572,12 @@
        "MyVpcNatSecurityGroupAA76397E",
        "GroupId"
       ]
+     },
+     {
+      "Fn::GetAtt": [
+       "SecurityGroupDD263621",
+       "GroupId"
+      ]
      }
     ],
     "SourceDestCheck": false,
@@ -763,9 +775,11 @@
     "GroupDescription": "Security Group for NAT instances",
     "SecurityGroupEgress": [
      {
-      "CidrIp": "0.0.0.0/0",
-      "Description": "Allow all outbound traffic by default",
-      "IpProtocol": "-1"
+      "CidrIp": "255.255.255.255/32",
+      "Description": "Disallow all traffic",
+      "FromPort": 252,
+      "IpProtocol": "icmp",
+      "ToPort": 86
      }
     ],
     "Tags": [
@@ -779,6 +793,24 @@
     }
    }
   },
+  "SecurityGroupDD263621": {
+   "Type": "AWS::EC2::SecurityGroup",
+   "Properties": {
+    "GroupDescription": "aws-cdk-vpc-nat-instance-v2-custom/SecurityGroup",
+    "SecurityGroupEgress": [
+     {
+      "CidrIp": "0.0.0.0/0",
+      "Description": "Allow egress to S3",
+      "FromPort": 443,
+      "IpProtocol": "tcp",
+      "ToPort": 443
+     }
+    ],
+    "VpcId": {
+     "Ref": "MyVpcF9F0CA6F"
+    }
+   }
+  },
   "ALBAEE750D2": {
    "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
    "Properties": {

diff --git a/...framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/manifest.json b/...framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/manifest.json
diff --git a/...ustom.js.snapshot/natinstancev2customintegtestDefaultTestDeployAssertEFDD468A.assets.json b/...ustom.js.snapshot/natinstancev2customintegtestDefaultTestDeployAssertEFDD468A.assets.json
diff --git a/...tom.js.snapshot/natinstancev2customintegtestDefaultTestDeployAssertEFDD468A.template.json b/...tom.js.snapshot/natinstancev2customintegtestDefaultTestDeployAssertEFDD468A.template.json
diff --git a/...ing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/tree.json b/...ing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.js.snapshot/tree.json
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.ts
@@ -32,18 +32,21 @@ class NatInstanceStack extends cdk.Stack {
     const natGatewayProvider = ec2.NatProvider.instanceV2({
       instanceType: new ec2.InstanceType('t3.small'),
       creditSpecification: ec2.CpuCredits.UNLIMITED,
-      defaultAllowedTraffic: ec2.NatTrafficDirection.OUTBOUND_ONLY,
+      defaultAllowedTraffic: ec2.NatTrafficDirection.NONE,
       keyPair,
       userData,
     });
 
-    const vpc = new ec2.Vpc(this, 'MyVpc', {
-      natGatewayProvider,
-      natGateways: 2,
-    });
+    const vpc = new ec2.Vpc(this, 'MyVpc', { natGatewayProvider });
 
+    const securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', {
+      vpc,
+      allowAllOutbound: false,
+    });
+    securityGroup.addEgressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(443), 'Allow egress to S3');
     for (const gateway of natGatewayProvider.gatewayInstances) {
       bucket.grantWrite(gateway);
+      gateway.addSecurityGroup(securityGroup);
     }
 
     Array.isArray(vpc);
@@ -70,7 +73,6 @@ const stack = new NatInstanceStack(app, 'aws-cdk-vpc-nat-instance-v2-custom');
 
 const integ = new IntegTest(app, 'nat-instance-v2-custom-integ-test', {
   testCases: [stack],
-
 });
 
 integ.assertions.httpApiCall(stack.apiUrl, {})

diff --git a/packages/aws-cdk-lib/aws-ec2/README.md b/packages/aws-cdk-lib/aws-ec2/README.md
@@ -218,7 +218,8 @@ new ec2.Vpc(this, 'TheVPC', {
 provider.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/8'), ec2.Port.tcp(80));
 ```
 
-You can also customize the characteristics of your NAT instances, as well as their initialization scripts:
+You can also customize the characteristics of your NAT instances, including their security group,
+as well as their initialization scripts:
 
 ```ts
 declare const bucket: s3.Bucket;
@@ -233,15 +234,19 @@ userData.addCommands(
 const provider = ec2.NatProvider.instanceV2({
   instanceType: new ec2.InstanceType('t3.small'),
   creditSpecification: ec2.CpuCredits.UNLIMITED,
+  defaultAllowedTraffic: ec2.NatTrafficDirection.NONE,
 });
 
-new ec2.Vpc(this, 'TheVPC', {
+const vpc = new ec2.Vpc(this, 'TheVPC', {
   natGatewayProvider: provider,
   natGateways: 2,
 });
 
+const securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', { vpc });
+    securityGroup.addEgressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(443));
 for (const gateway of provider.gatewayInstances) {
   bucket.grantWrite(gateway);
+  gateway.addSecurityGroup(securityGroup);
 }
 ```