Releases: alanwill/cfn-core
Bastion be gone
Starting with this release, cfn-core focuses on networking-only resources. The bastion host has been removed, so if you apply this release to an existing stack, be aware that it introduces a breaking change.
Breaking Changes
- Bastion instance removed; be aware of this when applying the release as an update to an existing stack.
NAT Gateway + S3 VPC Endpoints
This release includes the following:
NAT Gateway
- No more managing of EC2 NATs!
S3 VPC Endpoints
- This should have been included before but I think it just got missed, anyway, it's there now.
Environment specific Deployments
- This feature should increase resiliency and availability while keeping costs reasonable. Previously there was only 1 NAT instance for the entire VPC. That NAT resided in a single AZ, so if that AZ went offline, instances in the internal subnets lost external connectivity. This may be acceptable for non-production environments but is a big issue for Production, so with this release CFN provisions a NAT Gateway in each AZ only when you select "prd" or "prod" as the environment; otherwise only 1 NAT Gateway is provisioned.
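The per-environment NAT layout and the S3 endpoint described above, written out as an added CloudFormation example (this is not the cfn-core template itself). It assumes the VPC, two public subnets and the two private route tables already exist and are passed in as parameters; the non-prod environment names other than "prd"/"prod" are assumed.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example, not the cfn-core template: one NAT Gateway per AZ only for
  prd/prod, otherwise a single NAT Gateway, plus an S3 gateway endpoint.

Parameters:
  Environment:
    Type: String
    Default: dev
    # "prd" and "prod" are the values the release notes name; "dev"/"tst" are assumed.
    AllowedValues: [dev, tst, prd, prod]
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetA:
    Type: AWS::EC2::Subnet::Id   # public subnet in AZ a (assumed to exist)
  PublicSubnetB:
    Type: AWS::EC2::Subnet::Id   # public subnet in AZ b (assumed to exist)
  PrivateRouteTableA:
    Type: String                 # route table of the private subnet in AZ a
  PrivateRouteTableB:
    Type: String                 # route table of the private subnet in AZ b

Conditions:
  IsProd: !Or
    - !Equals [!Ref Environment, prd]
    - !Equals [!Ref Environment, prod]

Resources:
  # AZ a always gets a NAT Gateway, in every environment.
  NatEipA:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  NatGatewayA:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatEipA.AllocationId
      SubnetId: !Ref PublicSubnetA

  # AZ b gets its own NAT Gateway only when the environment is prd/prod.
  NatEipB:
    Type: AWS::EC2::EIP
    Condition: IsProd
    Properties:
      Domain: vpc
  NatGatewayB:
    Type: AWS::EC2::NatGateway
    Condition: IsProd
    Properties:
      AllocationId: !GetAtt NatEipB.AllocationId
      SubnetId: !Ref PublicSubnetB

  PrivateDefaultRouteA:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTableA
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGatewayA

  # In prod, AZ b egresses through its own gateway, so an outage of AZ a does
  # not cut off AZ b; in other environments both AZs share NatGatewayA.
  PrivateDefaultRouteB:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTableB
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !If [IsProd, !Ref NatGatewayB, !Ref NatGatewayA]

  # Gateway endpoint: S3 traffic from the private subnets stays on the AWS
  # network instead of going out through the NAT Gateway and the public internet.
  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      RouteTableIds:
        - !Ref PrivateRouteTableA
        - !Ref PrivateRouteTableB
```

With the endpoint attached to both private route tables, S3 access from the internal subnets no longer depends on the NAT Gateway at all, so in a non-prod stack an AZ a outage still takes down general internet egress from AZ b but not S3 access.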
v1.1.0
This is a fairly significant release in that it introduces a number of notable changes to the NAT feature:
- CloudWatch Logs for bootstrapping logs. This is mostly for troubleshooting boot-time issues. Now all the NAT's cfn and cloud-init logs (cfn-hup.log, cfn-init.log, cfn-wire.log, cloud-init-output.log, cloud-init.log) show up in the CloudWatch Logs console.
NOTE: This currently is only supported in Virginia, Oregon and Ireland. If you're using another region, stick to release 1.0.0.
- No more keypairs. The NAT instance no longer has a keypair associated with it. The idea here is to treat it as an ephemeral appliance and to keep things simple. If it's giving trouble or fails, replace it.
- Custom AMI support. If you want to add any tools to your NAT instance, for example a Splunk forwarder, specific security hardening customizations, or simply a cron job that applies security updates on a schedule, you can create an AMI and pass that AMI ID to the cfn template. Leaving the NATAMI parameter at "default" will provision the same NAT AMI that AWS uses when creating a NAT-enabled VPC.
- HVM support. The default NAT instance is now an HVM instance type and defaults to a t2.micro, which is ~30% cheaper than a t1.micro with more compute resources.
This release is backwards compatible and can be applied over release 1.0.0. It will only replace the NAT instance, nothing else.
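An added CloudFormation example (not the cfn-core template) showing how the NATAMI parameter from this release can be wired up: "default" selects a region-specific AMI from a mapping, any other value is used as-is, the instance has no KeyName, and it runs as a t2.micro with source/destination checking disabled so it can forward traffic. The mapping's AMI IDs are placeholders to be replaced with the current AWS NAT AMI for each region; the subnet and security group parameters are assumed to exist.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example, not the cfn-core template: NAT instance whose AMI comes from
  the NATAMI parameter, or from a per-region default when NATAMI is "default".

Parameters:
  NATAMI:
    # Must be a plain String, not AWS::EC2::Image::Id, so that the literal
    # value "default" is accepted by parameter validation.
    Type: String
    Default: default
    Description: Custom AMI ID for the NAT instance, or "default" for the AWS NAT AMI.
    AllowedPattern: ^(default|ami-[0-9a-f]+)$
  PublicSubnetId:
    Type: AWS::EC2::Subnet::Id          # public subnet the NAT lives in (assumed)
  NatSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id   # security group allowing internal subnet traffic (assumed)

Mappings:
  # Placeholder IDs: substitute the AWS NAT AMI for each region you deploy to.
  DefaultNatAmi:
    us-east-1: { AMI: ami-PLACEHOLDER-VIRGINIA }
    us-west-2: { AMI: ami-PLACEHOLDER-OREGON }
    eu-west-1: { AMI: ami-PLACEHOLDER-IRELAND }

Conditions:
  UseDefaultAmi: !Equals [!Ref NATAMI, default]

Resources:
  NatInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !If
        - UseDefaultAmi
        - !FindInMap [DefaultNatAmi, !Ref "AWS::Region", AMI]
        - !Ref NATAMI
      # HVM instance type. No KeyName on purpose: the instance is disposable.
      InstanceType: t2.micro
      SubnetId: !Ref PublicSubnetId
      SecurityGroupIds: [!Ref NatSecurityGroupId]
      # A NAT must forward packets that are not addressed to itself.
      SourceDestCheck: false
      Tags:
        - Key: Name
          Value: nat
```

Because the default branch is driven by a region mapping, deploying in a region that is missing from DefaultNatAmi fails at stack creation rather than silently launching the wrong image; custom AMIs bypass the mapping entirely, so the AllowedPattern is the only validation they get.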
Enjoy and please provide any feedback.
alan