Skip to content

VPC NAT Instance Elastic IP issues - tunnel and static get related #6309

New issue
New issue
Open
Open
VPC NAT Instance Elastic IP issues - tunnel and static get related#6309
@danielsharvey

Description

@danielsharvey
danielsharvey
opened on Jan 7, 2026

Further to #5820 and this #5820 (comment) specifically:

1. Tunnel Logic

  1. The tunnel IP code considers Managed NAT and EC2 NAT instance distinction combined with the standalone bastion case (when there is no NAT).
  2. It does not handle the case where NAT Eip's are specified (https://sst.dev/docs/component/aws/vpc/#nat-ip) - these should be looked up using Eip.get().

sst/platform/src/components/aws/vpc.ts

Lines 681 to 705 in 3407c32

function registerOutputs() {
self.registerOutputs({
_tunnel: all([
self.bastionInstance,
self.elasticIps,
self.privateKeyValue,
self._privateSubnets,
self._publicSubnets,
]).apply(
([bastion, elasticIps, privateKeyValue, privateSubnets, publicSubnets]) => {
if (!bastion) return;
return {
ip: natInstances.apply((instances) =>
instances.length ? elasticIps[0]?.publicIp : bastion.publicIp,
),
username: "ec2-user",
privateKey: privateKeyValue!,
subnets: [...privateSubnets, ...publicSubnets].map(
(s) => s.cidrBlock,
),
};
},
),
});
}

2. Elastic IPs created in Managed NAT case (and not used)

The createElasticIps() method does not consider the Managed NAT case, where the Elastic IPs do not need to be created.

sst/platform/src/components/aws/vpc.ts

Lines 871 to 890 in 3407c32

function createElasticIps() {
return all([nat, publicSubnets]).apply(([nat, subnets]) => {
if (!nat) return [];
if (nat?.ip) return [];
return subnets.map(
(_, i) =>
new ec2.Eip(
...transform(
args.transform?.elasticIp,
`${name}ElasticIp${i + 1}`,
{
vpc: true,
},
{ parent: self },
),
),
);
});
}

3. static get

The VPC static get methods looks up the Eip's by name, but does not consider NAT instances which has had specified NAT Eip's (https://sst.dev/docs/component/aws/vpc/#nat-ip).

This means that the tunnel logic for the static get case:

  1. Does not account for the case where NAT Eip's are specified as the nat.ip value is not present when static get is used.
  2. I'd suggest this needs to be handled by looking up the EipAssociation's (https://www.pulumi.com/registry/packages/aws/api-docs/ec2/eipassociation/#look-up)

4. static get issue

The natinstances reference should be self.natInstances and included in the all(). This will affect the static get case.

sst/platform/src/components/aws/vpc.ts

Line 693 in 3407c32

ip: natInstances.apply((instances) =>

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions