Space Vatican

Ramblings of a curious coder

Creating a Custom CloudFormation NAT Gateway Resource

Update: You can now provision NAT gateways with CloudFormation.

Amazon recently announced their NAT gateway service which allows you to attach an AWS managed NAT gateway to you private subnets instead of managing NAT instances yourself. There is a full rundown of the differences, but for me the big win is eliminating the single point of failure of a single NAT instance without the complexity of a failover setup. It’s also nice not to worry about picking the right size of NAT instance.

We manage our VPC infrastructure with CloudFormation, which doesn’t yet have support for NAT gateways. However CloudFormation has custom lambda resources that can do pretty much anything. Even when CloudFormation does gain support for NAT gateways, hopefully this provides another example of how to create custom resources.

Migrating From EC2-Classic to VPC

We recently migrated our AWS deployment from EC2-Classic to EC2 VPC. The VPC model on its own is a worthy change as it allows the vast majority of our instances not to be reachable from the public internet. In addition, increasing numbers of AWS features are only available on the VPC platform, such as:

  • Enhanced Networking
  • T2, M4, C4 instances
  • Flow logs
  • Changing security groups of running instances
  • Internal load balancers

There are also aspects that are just saner. For example VPC security groups apply to EC2 instances, RDS instances, Elasticache instances etc. whereas in the classic world there are separate database security groups, cache security groups, redshift cluster security groups etc. all doing basically the same thing but spread across umpteen services rather than being defined in one place. Amazon has a long list of fine grained differences. One of the few feature regressions I can find that is the lack of IPv6 load balancers.

Using Cloudfront Signed Cookies

We’ve long had a small static site that we only wanted to be accessible to users signed into our app. Individually signed urls weren’t an option – we’d need to sign all of the links in these html files (and update them when they expired). Since this was a low traffic site in the end we just put a small sinatra app in front of the static content that used a CAS inspired single signon mechanism.

However, a few weeks ago AWS announced exactly what we needed: CloudFront signed cookies allow you to set some cookies that CloudFront will use to guard access to your content.

On Mobile Safari and Iframes

For posterity, in the hope it saves someone a few minutes of that time: Safari on iOS does some really weird shit when it comes to sizing iframes.

Turning on Partial Double Verification

RSpec 3 added the concept of verifying doubles (As an aside the rspec 3 upgrade process was amazing because it treated deprecation as a feature rather than just vomiting untraceable warnings all over the place). Others have written at length about this but in a nutshell it means that things like

class_double(User, :name => 'Bob')
allow(some_user).to receive(:name).and_return('Bob')

will raise an exception if the User class does not have a name method. When you make a call to the name method on the (partial) double it will also check whether the arguments you pass are compatible with the method signature of the original object/class (including validating mandatory keywords).