

Video for End Users

If you are an application developer, a service owner or an end-user of DiscrimiNAT tasked with getting new domain names working, this video (under 5 minutes) is for you. It covers the most common issue along with solutions.

Elastic IPs not attached to DiscrimiNAT VMs

If no Public IP is found attached to a DiscrimiNAT instance, the instance looks for any allocated but unassociated Elastic IPs that have a tag-key named discriminat (set to any value). It then attempts to associate one of those Elastic IPs with itself.

An EC2 VPC Endpoint is needed in DiscrimiNAT's subnets for this mechanism to work, though, since making the association needs access to the EC2 API. See the Terraform or CloudFormation examples.

The IAM permissions needed to do this are already a part of our Terraform modules and CloudFormation templates.

Logs not appearing in CloudWatch

It could be one of these three potential issues:

  1. DiscrimiNAT VMs do not have an Elastic IP associated.

  2. There is a logs VPC endpoint in the VPC but not in the subnets where DiscrimiNAT is deployed.

  3. From DiscrimiNAT v2.5.0 onwards, the CloudWatch log group name changed from discrimiNAT to DiscrimiNAT. While we're working on getting the permissions updated on the AWS Marketplace deployment templates, please ensure the IAM Policy for DiscrimiNAT has the right capitalisation for the DiscrimiNAT log group.

Clients' network traffic sometimes allowed, sometimes not


Please upgrade the instance size from t3.small to c6a.large or c6i.large. This is done via the instance_size Terraform variable.

The t3.small instance size only suffices for light loads and a few clients. The c6 series offers the best CPU to egress bandwidth and price ratios for the kind of work involved.

Other instance size classes, such as m and r, are not recommended: DiscrimiNAT is not a memory-intensive application, so machines with more memory than needed are not a cost-optimal choice.

see-thru mode not working

If the discriminat-config logs do not show a log line picking up a see-thru rule, you may have a problem with the annotation's syntax.


The see-thru mode requires a Security Group Outbound Rule to:

• allow all ports

• allow all protocols

• allow the IP range (no longer requirements from version 2.6.0 onwards)

• have a valid calendar date specified in the description field. For example, discriminat:see-thru:2022-02-29 is NOT a valid date but discriminat:see-thru:2022-02-28 is.
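
The date requirement can be checked offline before waiting for the discriminat-config logs. The following is an added example, not DiscrimiNAT's own code: it reads a security group in the dict shape returned by EC2 DescribeSecurityGroups and flags see-thru annotations whose date is malformed or not a real calendar date. The function names, the sample group and the assumption that the annotation may sit anywhere in the description are illustrative.

```python
import re
from datetime import date

# Annotation form taken from the page's example: discriminat:see-thru:YYYY-MM-DD
SEE_THRU = re.compile(r"discriminat:see-thru:(\S*)")
ISO_SHAPE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")

def check_description(description):
    """Return (status, detail) for one outbound rule description."""
    match = SEE_THRU.search(description or "")
    if not match:
        return ("no-annotation", "")
    raw = match.group(1)
    if not ISO_SHAPE.fullmatch(raw):
        return ("bad-syntax", raw)
    try:
        date.fromisoformat(raw)  # raises for dates such as 2022-02-29
    except ValueError:
        return ("invalid-date", raw)
    return ("ok", raw)

def audit_egress(group):
    """List (group id, status, date text, all_protocols) per annotated rule."""
    findings = []
    for perm in group.get("IpPermissionsEgress", []):
        # IpProtocol "-1" is how EC2 expresses all protocols and all ports.
        all_protocols = perm.get("IpProtocol") == "-1"
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            status, detail = check_description(rng.get("Description"))
            if status != "no-annotation":
                findings.append((group["GroupId"], status, detail, all_protocols))
    return findings

# Constructed sample; the group id and CIDR are placeholders.
SAMPLE_GROUP = {
    "GroupId": "sg-0example",
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [
            {"CidrIp": "203.0.113.0/24", "Description": "discriminat:see-thru:2022-02-28"},
            {"CidrIp": "203.0.113.0/24", "Description": "discriminat:see-thru:2022-02-29"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [
            {"CidrIp": "203.0.113.0/24", "Description": "discriminat:see-thru:2022-2-28"},
            {"CidrIp": "203.0.113.0/24", "Description": "https to partner"}]},
    ],
}

if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_GROUP):
        print(finding)
```

The last field only reports whether the rule covers all protocols and ports; whether that matters depends on the DiscrimiNAT version in use, as noted in the list above.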