AWS NAT Instances using ARM A1 Instance Type

If you host AWS EC2 instances in a private subnet, you will often need to configure a NAT Instance or NAT Gateway so your EC2 instances can communicate with other Amazon Web Services (e.g. RDS, SQS, SNS, SES) and/or so your EC2 instances can download OS and software updates.

Pricing Comparison

NAT Gateway $0.045/hour + $0.045/GB
Built-in Redundancy (single AZ), Network Performance Up to 45 Gbps

NAT Instance (m5.large) $0.096/hour
No Redundancy, Network Performance Up to 10 Gbps

NAT Instance (a1.medium) $0.0255/hour
No Redundancy, Network Performance Up to 10 Gbps

NAT Instance (t3.nano) $0.0052/hour
No Redundancy, Network Performance Up to 5 Gbps

NAT Instance (t2.nano) $0.0058/hour
No Redundancy, Network Performance “Low”

NAT Gateway vs NAT Instance

The NAT Gateway is the best option for most production workloads since it is managed by AWS and has built-in fault tolerance (in a single AZ), but can become expensive for high traffic applications. Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone. You must deploy (and pay for) multiple NAT Gateways in a region for Multi-AZ redundancy.

The NAT Instance is often a good option for low-traffic dev/test environments, since a small EC2 instance running as a NAT Instance can cost 10x less than the NAT Gateway managed service.

If you prefer managing your own NAT Instance(s) and need moderate network performance, you could use T3 instances (up to 5 Gbps) or M5 instances (up to 10 Gbps). With the introduction of ARM-based instances, you can also leverage low-cost A1 instances (up to 10 Gbps).

ARM-Based NAT Instance

AWS has not yet published an ARM-based community AMI designed for use as a NAT Instance, but you can launch an existing ARM-based AMI and configure it for use as a NAT Instance. At a minimum you need to enable IP forwarding and add a masquerade rule, and you should follow an OS hardening guide if you use the NAT Instance in production: it sits in a public subnet with a public IP, so restrict its security group to inbound traffic from your private subnets (plus SSH from your admin address range) and keep it patched.

Follow the existing AWS instructions (or this step-by-step guide) to configure your subnets and your NAT Instance. Two steps from those guides are easy to miss and will silently break forwarding if skipped: disable the instance's source/destination check (otherwise EC2 drops forwarded packets whose source or destination is not the instance itself), and add a 0.0.0.0/0 route in the private subnet's route table that points at the NAT Instance. When you follow the guide(s), use the latest Debian arm64 image (currently “debian-stretch-hvm-arm64-gp2-2019-02-19-26259”) instead of the AWS NAT Instance AMI (or the Ubuntu AMI). Then log in to your new Debian-based ARM instance and run the following commands to enable IP forwarding and set up the NAT rule.

echo '#!/bin/sh
# Enable forwarding and masquerade traffic from the VPC CIDR (change 10.0.0.0/16 to your VPC CIDR).
echo 1 > /proc/sys/net/ipv4/ip_forward
# -C checks whether the rule already exists, so re-running this on every interface up-event does not stack duplicates.
iptables -t nat -C POSTROUTING -s 10.0.0.0/16 -j MASQUERADE 2>/dev/null || \
iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -j MASQUERADE
' | sudo tee /etc/network/if-pre-up.d/nat-setup
sudo chmod +x /etc/network/if-pre-up.d/nat-setup
sudo /etc/network/if-pre-up.d/nat-setup
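The script above is the minimum. As an added example (not the post's own commands), here is a hardened, idempotent version of the same nat-setup script: it refuses an over-broad CIDR, limits masquerading to the public interface, sets a default-deny FORWARD policy so the box only relays traffic from your VPC, persists ip_forward across reboots, and uses `iptables -C` so it can safely run on every interface up-event. The VPC CIDR 10.0.0.0/16, the interface name eth0 and the sysctl file name are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not code from the original post: a hardened, idempotent
# replacement for the nat-setup script. Install it as
# /etc/network/if-pre-up.d/nat-setup (it applies itself when ifupdown brings
# up $WAN_IF) or run it by hand with "nat-setup apply".
# Assumed values, not from the page: VPC CIDR 10.0.0.0/16 and the instance's
# single public interface eth0; override both via the environment.
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"
WAN_IF="${WAN_IF:-eth0}"

# Accept only a well-formed IPv4 CIDR and refuse 0.0.0.0/0: masquerading
# every source would let anything that can route packets through the
# instance use it as an open relay with the instance's public address.
cidr_ok() {
    case "$1" in 0.0.0.0/*) return 1 ;; esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    for octet in $(echo "${1%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The rule set, one per line as "TABLE CHAIN rule...". Printing it separately
# from applying it lets you review exactly what will be loaded.
nat_rules() { # usage: nat_rules CIDR WAN_IF
    printf 'nat POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
    printf 'filter FORWARD -s %s -o %s -j ACCEPT\n' "$1" "$2"
    printf 'filter FORWARD -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$2"
}

# Load the rules. "iptables -C" tests whether a rule already exists, so
# running this on every interface up-event does not stack duplicates.
apply_nat() {
    if ! cidr_ok "$VPC_CIDR"; then
        echo "nat-setup: refusing to masquerade for '$VPC_CIDR'" >&2
        return 1
    fi
    sysctl -q -w net.ipv4.ip_forward=1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-nat.conf   # survive reboots
    # Forward only what the rules below allow; everything else is dropped.
    iptables -P FORWARD DROP
    nat_rules "$VPC_CIDR" "$WAN_IF" | while read -r table chain rule; do
        # $rule is deliberately unquoted so it splits into iptables arguments
        iptables -t "$table" -C "$chain" $rule 2>/dev/null ||
            iptables -t "$table" -A "$chain" $rule
    done
}

# Apply when ifupdown brings up the public interface, or on explicit request.
if [ "${IFACE:-}" = "$WAN_IF" ] || [ "${1:-}" = "apply" ]; then
    apply_nat
fi
```

The FORWARD policy is what makes this a NAT for your VPC rather than for anyone who can reach the instance: the security group still has to limit inbound traffic to your private subnet CIDRs, but if that group is ever loosened, the host firewall no longer relays for arbitrary sources. Check the loaded rules with `sudo iptables -t nat -S POSTROUTING` and `sudo iptables -S FORWARD` after running it.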

The instances on my private subnet were not able to immediately communicate with the internet. I rebooted my new Debian-based NAT Instance and restarted the test instances on my private subnet, then traffic began passing through the NAT Instance just fine.

Using Mobile Internet/Data while Connected to a WiFi Network (iOS/Android)

Are you trying to connect your mobile phone or other device with 4G/5G mobile data access to a WiFi network or WiFi-enabled device that does not have Internet access? Would you like to force the device to use your Mobile Internet connection even if your WiFi network has Internet access?

Situations might include connecting directly to a camera that broadcasts a WiFi network or controlling your smart home devices after cancelling your home internet service.

Great news! This CAN be done. See below for instructions for iOS devices (iPhone or iPad) and Android devices (Samsung Galaxy, Google Pixel, etc)

iOS devices

NOTE: iOS 12 / iOS 13 / iOS 14 may automatically detect that your WiFi network does NOT have Internet and allow you to access other devices on the WiFi network while automatically using your mobile Internet. If not, you can follow these steps to FORCE iOS to use mobile Internet while connected to a WiFi network.

iOS 12 / iOS 13 / iOS 14 Instructions (use mobile data for specific WiFi network)

  1. Go to “Settings” then “WiFi”
  2. Connect to your WiFi network
  3. Tap the Info (i) icon next to your current WiFi network to view network info
  4. Make note of your IP Address and Subnet Mask
  5. Change “Configure IP” from “Automatic” to “Manual” and enter the IP Address and Subnet Mask. DO NOT CONFIGURE ROUTER. The “Router” setting should be BLANK/EMPTY!
  6. Save your changes. iOS will show “No Internet Connection” next to your WiFi device. iOS should no longer attempt to connect to Internet through this WiFi network.

The change above will only affect the WiFi network you are currently connected to. If you connect to another WiFi network, your iOS device will try to use that network’s Internet connection unless you repeat these steps.

Android devices

You may be able to manually configure your WiFi network connection similar to the iOS method above. If not, you can force your phone to always use your mobile data connection.

Android 9 instructions (use mobile data for specific WiFi network)

  1. Go to Settings > Connections > WiFi
  2. Tap and hold your WiFi network name until a menu appears
  3. Tap “Manage Network Settings”
  4. Make note of your IP Address and Subnet Mask
  5. Change “IP Settings” from “DHCP” to “Static”
  6. Remove the IP address from “Gateway” so that “Gateway” is blank.
  7. DO NOT CHANGE any other settings. Leave “IP Address” and “Network Prefix Length” as they are; only the “Gateway” field should be BLANK/EMPTY!
  8. Save your changes. Android should no longer attempt to connect to Internet through this WiFi network.

Recent versions of Android also let you force the OS to always use mobile data. This is less convenient than the per-network settings above, so use it only as a last resort: you must toggle it off whenever you DO want to use a WiFi Internet connection.

Android 9 instructions (always use mobile data)

Enable Developer Mode

  1. Go to Settings > System > About Phone
  2. Tap “Build Number” until Developer Mode is enabled

Toggle Mobile Data Setting

  1. Go to Settings > System > Developer Options
  2. Toggle “Mobile Data Always Active”

Android 8 Instructions (always use mobile data)

Enable Developer Mode

  1. Go to Settings > About Phone > Software Information
  2. Tap “Build Number” (~7 times) until “Developer Mode has been turned on” is displayed

Toggle Mobile Data Setting

  1. Go to Settings > Developer Options > Network
  2. Toggle “Keep Mobile data turned on”

WARNING: Enabling this option will force your device to ALWAYS use mobile data. Your device will NEVER try to access the Internet through your WiFi connection, even if you switch to a WiFi network that DOES have Internet access.

If you suspect Developer Options are causing any problems, you can go back to Developer Options (Settings > Developer Options) and change the very first toggle from “On” to “Off”.

Have you found a better way to configure iOS or Android to connect to a WiFi network while using mobile data? If so, please share details in the comments below!

Squid3 error: “swap.state.new: (122) Disk quota exceeded” RESOLVED

We maintain a small outbound Squid proxy/cache server for our VPN users. The Squid3 service on Debian 7 (Wheezy) died. When we restarted the service, it would immediately terminate with these errors:

swap.state.new: (122) Disk quota exceeded
FATAL: storeDirOpenTmpSwapLog: Failed to open swap log.
Squid Cache (Version 3.1.20): Terminated abnormally.

The Squid service runs in a small Linux Vserver VPS with various CPU, memory, and disk restrictions. The errno in the message is the clue: on Linux, 122 is EDQUOT (“Disk quota exceeded”), which means a quota or per-guest limit was hit rather than the filesystem being full, so `df -h` can look healthy while `df -i` does not. I found that the VPS had reached its inode limit and could not create any new files. Increasing the inode limit and restarting the VPS guest immediately resolved the problem.

Full error log output:

sudo tail /var/log/squid3/cache.log

2014/11/10 22:52:37| Starting Squid Cache version 3.1.20 for x86_64-pc-linux-gnu...
2014/11/10 22:52:37| Process ID 25908
2014/11/10 22:52:37| With 1024 file descriptors available
2014/11/10 22:52:37| Initializing IP Cache...
2014/11/10 22:52:37| DNS Socket created at [::], FD 7
2014/11/10 22:52:37| DNS Socket created at 0.0.0.0, FD 8
2014/11/10 22:52:37| Adding domain dnihost.net from /etc/resolv.conf
2014/11/10 22:52:37| Adding nameserver X.X.X.X from /etc/resolv.conf
2014/11/10 22:52:37| Adding nameserver Y.Y.Y.Y from /etc/resolv.conf
2014/11/10 22:52:37| helperOpenServers: Starting 5/5 'digest_pw_auth' processes
2014/11/10 22:52:37| Unlinkd pipe opened on FD 23
2014/11/10 22:52:37| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2014/11/10 22:52:37| Store logging disabled
2014/11/10 22:52:37| Swap maxSize 6291456 + 16384 KB, estimated 485218 objects
2014/11/10 22:52:37| Target number of buckets: 24260
2014/11/10 22:52:37| Using 32768 Store buckets
2014/11/10 22:52:37| Max Mem size: 16384 KB
2014/11/10 22:52:37| Max Swap size: 6291456 KB
2014/11/10 22:52:37| /cache/squid/swap.state.new: (122) Disk quota exceeded
FATAL: storeDirOpenTmpSwapLog: Failed to open swap log.
Squid Cache (Version 3.1.20): Terminated abnormally.
CPU Usage: 0.010 seconds = 0.005 user + 0.005 sys
Maximum Resident Size: 28096 KB
Page faults with physical i/o: 0

How to increase Linux Vserver VPS guest inode limit:

# View existing setting (500k files)
cat /etc/vservers/GUEST-NAME/dlimits/root/inodes_total
500000
# Edit setting
sudo vi /etc/vservers/GUEST-NAME/dlimits/root/inodes_total
# View new setting (1M files)
cat /etc/vservers/GUEST-NAME/dlimits/root/inodes_total
1000000
# Restart VPS guest
sudo vserver GUEST-NAME restart
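To turn this one-off fix into a repeatable check, here is an added example (not the post's own commands) that pulls the errno out of cache.log, names it, and reports how much of the guest's inode limit is in use, so you confirm inode exhaustion before raising inodes_total. The sample log lines are constructed from the output above; the errno-to-hint mapping, the cache path and the guest name are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original post: triage a Squid start-up failure
# from cache.log and check inode headroom against a Vserver dlimits file.
# The sample log below is constructed from the post's output so the script
# runs offline; paths and the guest name are assumptions.

# Symbolic name for an errno number seen in a Squid log line.
errno_name() {
    case "$1" in
        122) echo EDQUOT ;;
        28)  echo ENOSPC ;;
        13)  echo EACCES ;;
        2)   echo ENOENT ;;
        *)   echo UNKNOWN ;;
    esac
}

# First thing to check for each errno. EDQUOT is a quota or Vserver dlimit,
# not a full disk, which is why "df -h" can look fine when it happens.
errno_hint() {
    case "$(errno_name "$1")" in
        EDQUOT) echo "quota/dlimit exhausted: compare 'df -i' against dlimits/root/inodes_total" ;;
        ENOSPC) echo "filesystem full: check 'df -h' on the cache_dir" ;;
        EACCES) echo "cache_dir not writable by the squid user" ;;
        ENOENT) echo "cache_dir missing or never initialised (squid3 -z)" ;;
        *)      echo "unrecognised errno; read the lines above the FATAL in cache.log" ;;
    esac
}

# Pull "(NNN)" out of the first cache.log line that carries an errno.
log_errno() { # usage: log_errno /var/log/squid3/cache.log
    sed -n 's/^.*: (\([0-9][0-9]*\)) .*$/\1/p' "$1" | head -n 1
}

# Percentage of the inode limit consumed. USED is the IUsed column of
# "df -i <cache_dir>" run inside the guest; LIMIT_FILE is the host-side
# /etc/vservers/GUEST-NAME/dlimits/root/inodes_total.
inode_pct() { # usage: inode_pct USED LIMIT_FILE
    limit=$(tr -dc '0-9' < "$2")
    if [ -z "$limit" ] || [ "$limit" -eq 0 ]; then
        echo "inode_pct: no usable limit in $2" >&2
        return 1
    fi
    echo $(( $1 * 100 / limit ))
}

# Constructed sample, trimmed from the post's cache.log.
sample_log() { # usage: sample_log /path/to/write
    cat > "$1" <<'EOF'
2014/11/10 22:52:37| Max Swap size: 6291456 KB
2014/11/10 22:52:37| /cache/squid/swap.state.new: (122) Disk quota exceeded
FATAL: storeDirOpenTmpSwapLog: Failed to open swap log.
EOF
}

# Two-line triage summary for a log file and the inode numbers you gathered.
triage() { # usage: triage cache.log USED LIMIT_FILE
    code=$(log_errno "$1")
    echo "squid died with errno ${code:-?} ($(errno_name "$code")): $(errno_hint "$code")"
    echo "inodes: $2 used, $(inode_pct "$2" "$3")% of the guest limit"
}

# Demo on the constructed sample with the post's 500k limit.
tmp=$(mktemp -d)
sample_log "$tmp/cache.log"
printf '500000\n' > "$tmp/inodes_total"
triage "$tmp/cache.log" 500000 "$tmp/inodes_total"
rm -rf "$tmp"
```

In real use, run `df -i /cache/squid` inside the guest to get the IUsed figure and pass it with the host-side dlimits file: `triage /var/log/squid3/cache.log <IUsed> /etc/vservers/GUEST-NAME/dlimits/root/inodes_total`. If the percentage is near 100 the fix above is the right one; if it is low, the quota being hit is a block quota or something other than inodes.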