The following YAML file is the result of struggles getting Datomic working in AWS. For a full discussion of the issues, see
Rough Edges on the Cloud Technological Forefront. I hope it helps someone struggling to connect their Datomic Cloud to both Datomic and the Internet via a NAT in AWS.

AWSTemplateFormatVersion: '2010-09-09'
# Set up the networking resources that let the non-bastion subnets talk to the internet through a NAT gateway.
## IMPORTANT #1! The bastion server created by/for Datomic Cloud is not guaranteed to be in a particular subnet.
# The bastion server needs a route to the IGW because it has an Elastic IP.
# The NAT gateway must be in the bastion server's subnet, because that subnet keeps the route to the IGW.
# The two subnets without the bastion server need their default route pointed at the NAT (instead of the original IGW route).

## IMPORTANT #2 - New Datomic (397) has VPC Endpoints for DynamoDB and S3. My added route table
# does not have these VPC Endpoints and there aren't any parameters or info on how to recreate them.
# (Gateway endpoints work by adding routes to the route tables they are associated with, so rather than
# recreating them, the new bastion route table has to be added to the existing endpoints' route table
# associations by hand; until then S3/DynamoDB traffic from the bastion subnet leaves via the IGW.)
Parameters:
  DatomicStack:
    Type: String
    Description: Name of the Datomic Stack
    Default: "Datomic"
  SubnetWithBastion:
    Type: String
    Default: "Subnet0"
  FirstSubnetWithoutBastion:
    Type: String
    Default: "Subnet1"
  SecondSubnetWithoutBastion:
    Type: String
    Default: "Subnet2"
  DatomicVPCIGW:
    Type: String
    Description: Datomic Cloud's IGW id (igw-...). The bastion server's new route table points its default route here.
  Version:
    Type: String
    Description: Git tagged version

Resources:
  # The datomic-cloud deploy creates 3 subnets with a route pointing all 3 to the IGW.
  # Put the NAT in the subnet with the bastion. Add a new route table for the bastion subnet that points to the IGW.
  # Point the default route for the other two subnets FROM the IGW to the NAT.
  NatGatewayAttachment:
    # Elastic IP for the NAT
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId:
        Fn::GetAtt: ["NatGatewayAttachment", "AllocationId"]
      SubnetId:
        Fn::ImportValue:
          Fn::Join: ['-', [{Ref: 'DatomicStack'}, {Ref: 'SubnetWithBastion'}]]
  # Is there any way to change or delete the original route from the original route table???
  # The commented section below fails, saying that 0.0.0.0/0 already has a route.
  # It doesn't look like we can, so the existing route must be replaced manually
  # (in the console, or with `aws ec2 replace-route`) after this stack is created.
  # PointOriginalToNatRoute:
  #   Type: AWS::EC2::Route
  #   Properties:
  #     RouteTableId:
  #       Ref: OriginalRouteTable
  #     DestinationCidrBlock: '0.0.0.0/0'
  #     NatGatewayId:
  #       Ref: NatGateway
  NewRouteTableToPointToIGW:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Fn::ImportValue:
          Fn::Join: ['-', [{Ref: 'DatomicStack'}, 'VpcId']]
  NewRouteToIGWForNewRouteTable:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: NewRouteTableToPointToIGW
      DestinationCidrBlock: '0.0.0.0/0'
      GatewayId:
        Ref: DatomicVPCIGW
  BastionRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId:
        Fn::ImportValue:
          Fn::Join: ['-', [{Ref: 'DatomicStack'}, {Ref: 'SubnetWithBastion'}]]
      RouteTableId:
        Ref: NewRouteTableToPointToIGW

  # Convenience section to open up port 22 on the bastion server's security group.
  # CAUTION: CidrIp 0.0.0.0/0 exposes SSH on the bastion to the whole internet. Restrict it to the
  # address(es) you actually connect from (for example your office or VPN egress as a /32) before deploying.
  DatomicSGIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: '22'
      ToPort: '22'
      CidrIp: 0.0.0.0/0
      GroupId:
        Fn::ImportValue:
          Fn::Join: ['-', [{Ref: 'DatomicStack'}, 'BastionSecurityGroup']]

Outputs:
  FirstDatomicSubnetWithoutBastion:
    Value:
      Fn::ImportValue:
        Fn::Join: ['-', [{Ref: 'DatomicStack'}, {Ref: 'FirstSubnetWithoutBastion'}]]
    Description: CloudFormation export of the first subnet without the bastion, for placing Lambdas in the VPC
    Export:
      Name: "FirstDatomicSubnetWithoutBastion"
  SecondDatomicSubnetWithoutBastion:
    Value:
      Fn::ImportValue:
        Fn::Join: ['-', [{Ref: 'DatomicStack'}, {Ref: 'SecondSubnetWithoutBastion'}]]
    Description: CloudFormation export of the second subnet without the bastion, for placing Lambdas in the VPC
    Export:
      Name: "SecondDatomicSubnetWithoutBastion"
  DatomicSubnetWithBastionName:
    Value:
      Fn::Join: ['-', [{Ref: 'DatomicStack'}, {Ref: 'SubnetWithBastion'}]]
    Description: CloudFormation output identifying the subnet with the bastion (the export name, not the subnet id)
    Export:
      Name: "DatomicSubnetWithBastionName"
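The two steps the template's comments say have to be done by hand (swapping the non-bastion subnets' default route from the IGW to the NAT gateway, and putting the new bastion route table on the existing S3/DynamoDB gateway endpoints) can be scripted with the AWS CLI. The script below is an added example, not part of the original template or of Datomic Cloud. It assumes AWS CLI v2 with credentials for the right account and region; that the Datomic stack's exports are named <DatomicStack>-Subnet0/1/2 and <DatomicStack>-VpcId, as the template imports them; and that the template above was deployed under the stack name given in NAT_STACK (DatomicNat is a placeholder) with the logical ids NatGateway and NewRouteTableToPointToIGW. It defaults to a dry run that only prints the mutating calls, and it refuses to rewrite a route table that the bastion subnet still shares, since that would take the bastion's IGW route away with it.

```shell
#!/bin/sh
# Added example (not from the original template or Datomic Cloud): the manual post-deploy steps
# via the AWS CLI. Assumed names: exports <DATOMIC_STACK>-Subnet0/1/2 and <DATOMIC_STACK>-VpcId,
# and the NAT template deployed as $NAT_STACK with logical ids NatGateway / NewRouteTableToPointToIGW.
set -eu

DATOMIC_STACK="${DATOMIC_STACK:-Datomic}"
NAT_STACK="${NAT_STACK:-DatomicNat}"               # placeholder stack name for the template above
SUBNET_WITH_BASTION="${SUBNET_WITH_BASTION:-Subnet0}"
DRY_RUN=1                                         # "apply" turns this off

export_value() {   # value of a CloudFormation export, e.g. Datomic-Subnet1
  aws cloudformation list-exports --query "Exports[?Name=='$1'].Value" --output text
}

stack_resource() { # physical id of a logical resource in a stack
  aws cloudformation describe-stack-resource --stack-name "$1" --logical-resource-id "$2" \
    --query 'StackResourceDetail.PhysicalResourceId' --output text
}

route_table_for_subnet() { # $1 = subnet id, $2 = vpc id
  # Explicit association first; a subnet with no explicit association uses the VPC's main table.
  rtb=$(aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=$1" \
        --query 'RouteTables[0].RouteTableId' --output text)
  if [ "$rtb" = "None" ]; then
    rtb=$(aws ec2 describe-route-tables \
          --filters "Name=vpc-id,Values=$2" "Name=association.main,Values=true" \
          --query 'RouteTables[0].RouteTableId' --output text)
  fi
  echo "$rtb"
}

default_route_targets() { # "GatewayId NatGatewayId" of the 0.0.0.0/0 route; "None" where absent
  aws ec2 describe-route-tables --route-table-ids "$1" \
    --query 'RouteTables[0].Routes[?DestinationCidrBlock==`0.0.0.0/0`].[GatewayId,NatGatewayId]' \
    --output text
}

classify_default_route() { # igw | nat | none, from one line of default_route_targets output
  case "$1" in
    igw-*)  echo igw ;;
    *nat-*) echo nat ;;
    *)      echo none ;;
  esac
}

run() { if [ "$DRY_RUN" = "1" ]; then echo "DRY RUN: $*"; else "$@"; fi; }

cut_over_subnet() { # $1 = subnet id, $2 = vpc id, $3 = nat gateway id, $4 = bastion route table id
  rtb=$(route_table_for_subnet "$1" "$2")
  if [ "$rtb" = "$4" ]; then
    echo "refusing: $1 shares route table $rtb with the bastion subnet; it would lose its IGW route" >&2
    return 1
  fi
  case "$(classify_default_route "$(default_route_targets "$rtb")")" in
    nat)  echo "$1 ($rtb): default route already via NAT" ;;
    igw)  run aws ec2 replace-route --route-table-id "$rtb" \
              --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$3" ;;
    none) echo "$1 ($rtb): no 0.0.0.0/0 route found, not guessing" >&2; return 1 ;;
  esac
}

attach_gateway_endpoints() { # $1 = vpc id, $2 = route table id  (IMPORTANT #2 in the template)
  for vpce in $(aws ec2 describe-vpc-endpoints \
                --filters "Name=vpc-id,Values=$1" "Name=vpc-endpoint-type,Values=Gateway" \
                --query 'VpcEndpoints[].VpcEndpointId' --output text); do
    run aws ec2 modify-vpc-endpoint --vpc-endpoint-id "$vpce" --add-route-table-ids "$2"
  done
}

main() {
  vpc=$(export_value "$DATOMIC_STACK-VpcId")
  nat=$(stack_resource "$NAT_STACK" NatGateway)
  bastion_rtb=$(stack_resource "$NAT_STACK" NewRouteTableToPointToIGW)
  for name in Subnet0 Subnet1 Subnet2; do
    if [ "$name" = "$SUBNET_WITH_BASTION" ]; then continue; fi
    cut_over_subnet "$(export_value "$DATOMIC_STACK-$name")" "$vpc" "$nat" "$bastion_rtb"
  done
  attach_gateway_endpoints "$vpc" "$bastion_rtb"
}

# Only talk to AWS when asked: "plan" prints the calls, "apply" runs them. No argument does nothing.
case "${1:-}" in
  plan)  main ;;
  apply) DRY_RUN=0; main ;;
esac
```

Run it as `sh nat-cutover.sh plan` after the stack above has been created and check that the printed replace-route calls name only the two non-bastion route tables; `apply` then makes the changes. The script also runs the NAT cut-over idempotently (a table already pointing at a NAT is left alone), so it can be re-run after a Datomic redeploy that moves the bastion to a different subnet, with SUBNET_WITH_BASTION updated to match.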