Elastic IPs not attached to DiscrimiNAT VMs
If a Public IP is not found attached to a DiscrimiNAT instance, the instance will look for any allocated but unassociated Elastic IPs that have a tag-key named discriminat (set to any value). It will then attempt to associate one of those Elastic IPs with itself.
The IAM permissions needed to do this are already a part of our Terraform modules and CloudFormation templates.
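To check which Elastic IPs meet the conditions described above, the following added example (not part of DiscrimiNAT or its templates) classifies the entries of an `aws ec2 describe-addresses` JSON response. The sample data is constructed, the label names are hypothetical, and treating a differently-cased tag key as a non-match is an assumption.

```python
# Added example: triage of an EC2 DescribeAddresses response for DiscrimiNAT.
TAG_KEY = "discriminat"  # tag-key named on this page; any value is accepted


def classify_address(addr):
    """Return a triage label (hypothetical names) for one 'Addresses' entry."""
    keys = [t["Key"] for t in addr.get("Tags", [])]
    associated = bool(addr.get("AssociationId"))
    if TAG_KEY in keys:
        # Only allocated, unassociated, tagged addresses are eligible.
        return "tagged-but-associated" if associated else "candidate"
    # AWS tag keys are case-sensitive, so 'DiscrimiNAT' is a different key.
    # Assumption: DiscrimiNAT matches the key exactly as written on this page.
    if any(k.lower() == TAG_KEY for k in keys):
        return "tag-key-case-mismatch"
    return "untagged"


def triage(response):
    """Group allocation IDs by triage label."""
    report = {}
    for addr in response.get("Addresses", []):
        label = classify_address(addr)
        report.setdefault(label, []).append(addr["AllocationId"])
    return report


# Constructed sample in the shape of `aws ec2 describe-addresses --output json`
# (allocation IDs and IPs are made up; IPs are from a documentation range).
SAMPLE = {
    "Addresses": [
        {"AllocationId": "eipalloc-0001", "PublicIp": "203.0.113.10",
         "Tags": [{"Key": "discriminat", "Value": "any"}]},
        {"AllocationId": "eipalloc-0002", "PublicIp": "203.0.113.11",
         "AssociationId": "eipassoc-0002",
         "Tags": [{"Key": "discriminat", "Value": ""}]},
        {"AllocationId": "eipalloc-0003", "PublicIp": "203.0.113.12",
         "Tags": [{"Key": "DiscrimiNAT", "Value": "yes"}]},
        {"AllocationId": "eipalloc-0004", "PublicIp": "203.0.113.13"},
    ]
}

if __name__ == "__main__":
    for label, ids in sorted(triage(SAMPLE).items()):
        print(f"{label}: {', '.join(ids)}")
```

An empty "candidate" group means there is no Elastic IP the instance could pick up; the other groups show why each address was passed over.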
Logs not appearing in CloudWatch
It could be one of these three potential issues:
- DiscrimiNAT VMs do not have an Elastic IP associated.
- There is a logs VPC endpoint in the VPC but not in the subnets where DiscrimiNAT is deployed.
- From v2.5.0 onwards of DiscrimiNAT, the CloudWatch log group name changed from
While we're working on getting the permissions updated on the AWS Marketplace deployment templates, please ensure the IAM Policy for DiscrimiNAT has the right capitalisation for
Clients' network traffic sometimes allowed, sometimes not.
Please upgrade the instance size to c6i.large. This is done via the instance_size Terraform variable.
The t3.small instance size only suffices for light loads and a few clients. The c6 series offers the best CPU to egress bandwidth and price ratios for the kind of work involved.
Use of other instance size classes, such as r, is not recommended: the DiscrimiNAT is not a memory-intensive application, so machines with more memory than needed are not a cost-optimal choice.
see-thru mode not working
If the discriminat-config logs do not show a log line picking up a see-thru rule, you may have a problem with the annotation's syntax.
The see-thru mode requires a Security Group Outbound Rule to:
- allow all ports
- allow all protocols
- allow the 0.0.0.0/0 IP range (no longer requirements from version 2.6.0 onwards)
- have a valid calendar date specified in the description field. For example, discriminat:see-thru:2022-02-29 is NOT a valid date but