NASA-IMPACT · ranchodeluxe · Aug 23, 2023 · Aug 15, 2023 · Aug 23, 2023 · Aug 23, 2023
diff --git a/standalone_base_infrastructure/README.md b/standalone_base_infrastructure/README.md
@@ -1,6 +1,6 @@
 # Standalone Base Infrastructure
 
-Optional shared base infrastructure provisioning. This CloudFormation stack is intended to simulate controlled deployment environments. It also useful for deploying a long-standing VPC that can be shared across stacks. This VPC is deployed with an EC2 NAT Instance that is configured as the NAT gateway provider for the private subnets.
+Optional shared base infrastructure provisioning. This CloudFormation stack is intended to simulate controlled deployment environments. It also useful for deploying a long-standing VPC that can be shared across stacks. This VPC is deployed with a NAT Gateway Service for the private subnets b/c environments like SMCE require us to manage patches and scale it ourselves which don't want to do. In MCP we can request to use a NAT Gateway Service or use their existing EC2 NAT Instance
 
 ## Deployment
 
@@ -26,4 +26,3 @@ See main app [deployment instructions](../README.md#deployment).
 | `CDK_DEFAULT_REGION` | The AWS region id is required to deploy to an exiting VPC |
 | `VPC_CIDR` | The CIDR range to use for the VPC. Default is 10.100.0.0/16 |
 | `VPC_MAX_AZS` | Maximum number of availability zones per region. Default is 2. |
-| `VPC_NAT_GATEWAYS` | Number of NAT gateways to create. Default is 1. |
diff --git a/standalone_base_infrastructure/network_construct.py b/standalone_base_infrastructure/network_construct.py
@@ -23,11 +23,9 @@ def __init__(
         )
         private_subnet = aws_ec2.SubnetConfiguration(
             name="private",
-            subnet_type=aws_ec2.SubnetType.PRIVATE_ISOLATED,
-        )
-
-        nat_provider_instance = aws_ec2.NatProvider.instance(
-            instance_type=aws_ec2.InstanceType("t3.nano"),
+            # NOTE: this line automatically creates a NAT Gateway for each AZ
+            # and binds the route table in the private subnet
+            subnet_type=aws_ec2.SubnetType.PRIVATE_WITH_EGRESS,
         )
 
         vpc = aws_ec2.Vpc(
@@ -36,26 +34,9 @@ def __init__(
             max_azs=base_settings.vpc_max_azs,
             cidr=base_settings.vpc_cidr,
             subnet_configuration=[public_subnet, private_subnet],
-            nat_gateway_provider=nat_provider_instance,
             nat_gateways=base_settings.vpc_nat_gateways,
         )
 
-        nat_sg = nat_provider_instance.security_group
-
-        # Allow all outbound traffic
-        nat_sg.add_egress_rule(
-            aws_ec2.Peer.any_ipv4(),
-            aws_ec2.Port.all_traffic(),
-            "Allow all outbound traffic",
-        )
-
-        # Allow inbound traffic from the VPC's CIDR
-        nat_sg.add_ingress_rule(
-            aws_ec2.Peer.ipv4(vpc.vpc_cidr_block),
-            aws_ec2.Port.all_traffic(),
-            "Allow inbound traffic from the VPCs CIDR block",
-        )
-
         vpc_endpoints = {
             "secretsmanager": aws_ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER,
             "cloudwatch-logs": aws_ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS,
@@ -69,10 +50,4 @@ def __init__(
             elif isinstance(service, aws_ec2.GatewayVpcEndpointAwsService):
                 vpc.add_gateway_endpoint(id, service=service)
 
-        # This config step associates the NAT instance EIP with the private subnet and should happen in VPC construct but does not
-        for private_subnet in vpc.select_subnets(
-            subnet_type=aws_ec2.SubnetType.PRIVATE_ISOLATED
-        ).subnets:
-            nat_provider_instance.configure_subnet(subnet=private_subnet)
-
         CfnOutput(self, "vpc-id", value=vpc.vpc_id)