    35 points veryrealsid | 15 comments
    1. nodesocket No.46010302
    I build my own NAT instances from Debian Trixie with Packer on AWS. AWS built-in NAT Gateways use an absurdly outdated and end-of-life version of Amazon Linux and are ridiculously expensive (especially traffic).

    The bash configuration is literally a few lines:

        # Enable IPv4 forwarding persistently, then apply it now
        cat <<'EOF' | sudo tee /etc/sysctl.d/99-ip-forwarding.conf > /dev/null
        net.ipv4.ip_forward=1
        EOF

        sudo sysctl --system

        # Source-NAT everything that leaves through the public interface (ens5)
        sudo iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
        # Start from an empty FORWARD chain: allow return traffic in, everything out
        sudo iptables -F FORWARD
        sudo iptables -A FORWARD -i ens5 -m state --state RELATED,ESTABLISHED -j ACCEPT
        sudo iptables -A FORWARD -o ens5 -j ACCEPT
        # Persist the rules; /etc/iptables/rules.v4 is loaded at boot by iptables-persistent
        sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null
    
    Replace ens5 with your instance's network interface name. Also, VERY IMPORTANT: you must set source_dest_check = false on the EC2 NAT instances.

    Also, don’t assign an EIP to your EC2 NAT instances (unless you absolutely must persist a given public IP) as that counterintuitively routes through public traffic. Just use an auto-assigned public IP (no EIP).

      NAT instance with EIP
        - AWS routes it through the public AWS network infrastructure (hairpinning).
        - You get charged $0.01/GB regional data transfer, even if in the same AZ.
    replies(2): >>46010645 >>46010879
    2. notTooFarGone No.46010427
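An added example (my own, not the commenter's code nor anything from AWS): a POSIX sh audit function that checks an iptables-save dump for the NAT rules posted above and flags the two points a reviewer would raise, the FORWARD chain policy left at ACCEPT (iptables -F empties the chain but does not change its policy) and the outbound rule accepting any source. It runs over two constructed dumps, the posted set as iptables-save renders it and a hardened variant; ens5, the file names and the 10.0.0.0/16 VPC CIDR are assumptions, and the source_dest_check setting is an AWS attribute that cannot be verified from the rules file.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for the
# NAT-instance rules above. Usage: audit_nat_rules <rules-file> <egress-iface>
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_nat_rules() {
    rules=$1; iface=$2; findings=0
    if ! grep -q "^-A POSTROUTING -o $iface -j MASQUERADE" "$rules"; then
        echo "MISSING: POSTROUTING MASQUERADE on $iface"; findings=1
    fi
    # iptables -F empties the chain but leaves its policy at ACCEPT, so anything
    # not matched by an explicit rule is forwarded; DROP turns the rules into an allow-list.
    if ! grep -q "^:FORWARD DROP" "$rules"; then
        echo "WEAK: FORWARD chain policy is not DROP"; findings=1
    fi
    if ! grep -Eq "^-A FORWARD -i $iface .*(RELATED,ESTABLISHED|ESTABLISHED,RELATED).* -j ACCEPT" "$rules"; then
        echo "MISSING: return-traffic rule for $iface"; findings=1
    fi
    # An outbound rule without -s forwards for any source; limit it to the VPC CIDR.
    if grep -q "^-A FORWARD -o $iface -j ACCEPT" "$rules"; then
        echo "WEAK: outbound rule on $iface is not limited to a source CIDR"; findings=1
    fi
    return $findings
}

# Constructed sample dumps: the posted rule set as iptables-save renders it,
# and a hardened variant (10.0.0.0/16 is an assumed VPC CIDR).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/posted.v4" <<'EOF'
*nat
-A POSTROUTING -o ens5 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i ens5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o ens5 -j ACCEPT
COMMIT
EOF
cat > "$SAMPLES/hardened.v4" <<'EOF'
*nat
-A POSTROUTING -o ens5 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i ens5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/16 -o ens5 -j ACCEPT
COMMIT
EOF
```

On a live instance, run `audit_nat_rules /etc/iptables/rules.v4 ens5` against the file the posted `iptables-save` line writes.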
    It's honestly ridiculous that people now see that self hosting is stupidly cheaper and still 99.9% reliable.

    No, your service does not need the extra .099% availability for 100x the price...

    Make your own VPN while you are at it; WireGuard is basically the same config.

    replies(2): >>46010439 >>46010941
    3. radicaldreamer No.46010439
    A lot of this is support. If you’re self hosting, when things don’t work the way they should, the team has no one to blame. On AWS, they can always lean on AWS not working the way it should as an excuse.
    4. heinternets No.46010453
    Please can we do away with NAT forever. Why are we still encouraging this? It’s caused the world to do horrible kludges and continues to do so.
    replies(3): >>46010461 >>46010684 >>46010695
    5. somanyphotons No.46010461
    Presumably the idea is that if you go ipv6-only you can avoid this cost and just use a firewall?
    6. unquietwiki No.46010645
    Assigning an IP is ideal if you're having to whitelist traffic to/from a data center, application, or service.
    replies(1): >>46010754
    7. unquietwiki No.46010684
    This shouldn't be mistaken for an anti-IPv6 post. There's also some steps you have to go through to enable IPv6 on your VPS networks, and there's still stuff like GitHub not handling IPv6. So, much as we need to migrate, we still have to support IPv4 connectivity for the foreseeable future.

    Shoutout to Hacker News for having IPv6 support!

    8. bilegeek No.46010695
    1.) IPv4 is still heavily favored over IPv6.

    2.) Market segmentation: keeps home users from easily hosting their own services without spending $$$ on an upgraded plan.

    3.) Adding on to #2, I've seen claims of providers putting IPv6 behind NAT, so don't think full IPv6 acceptance will solve this problem.

    replies(1): >>46010903
    9. nodesocket No.46010754{3}
    Sure, that’s one case, though you might be able to give out a host instead of an IP to others to whitelist. Then you just set a low TTL and update the DNS record.
    10. Nextgrid No.46010879
    OpenWrt is also a good option.
    11. ls65536 No.46010903{3}
    > I've seen claims of providers putting IPv6 behind NAT, so don't think full IPv6 acceptance will solve this problem.

    I get annoyed even when what's offered is a single /64 prefix (rather than something like a /56 or even /60), but putting IPv6 behind NAT is just ridiculous.

    12. up2isomorphism No.46010933
    I don't know what the point of this kind of article is. People who care about the cost and can do it already do it.

    It is a damn service, which is defined as "you pay someone to do it".

    13. Numerlor No.46010941
    For company hosting, cloud solutions get you the various compliance stuff for free, which can be worth it if you're not too large, and of course faster turnaround if you need to get a product out.

    For personal use, a cheap VPS will end up costing around the same as something you can do on your own, without the risk of messing up your machine/network from a vulnerable endpoint.

    14. stormbeard No.46010947
    I can't believe people are paying these crazy amounts for what is basically a fleet of firewalls. What is the difficulty in running VMs with nftables rules?