View on GitHub

LENA Migration Tool

Download this project as a .zip file Download this project as a tar.gz file

(LENA) Lambda Executed NAt Migration Tool

Automated legacy NAT to NAT gateway migration tool

IANAD - Fair warning. This is a project for fun and educational purposes. Please review before using as there are no warranties.


LENA migration tool is a simple cloudformation template that creates a custom resource lambda function that will take your inputs and use them to create a new NAT gateway (in the same subnet as your NAT instance) and update all your route tables that have the NAT instance id to the new NAT gateway id. Additionally, if you choose, it can migrate the current NAT instance EIP to the new NAT gateway.

How To Use

Simply clone this repo to acquire both the lambda and CFT. Then deploy the CFT in a region where you want to migrate the NAT instance to a NAT gateway. You'll need to make a note of your NAT instance id before you start and decide whether you want to migrate the EIP off of the NAT or not.

You can see what the CFT looks like here:

Note: If you choose "False" for "Generate new EIP?" the lambda function will disassociate your NAT EIP before building your NAT Gateway. This may need to be considered if you want to migrate with zero downtime.

What it creates

The CFT will create a python based lambda with a lambda assumer role and the following policies attached:

    "Policies": [
            "PolicyName": "root",
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                        "Effect": "Allow",
                        "Action": [
                        "Resource": "arn:aws:logs:*:*:*"
                        "Sid": "LenaMigrationPolicy",
                        "Effect": "Allow",
                        "Action": [
                        "Resource": [

Take a look inside the lambda folder for more details on the python there.

Once Complete

Once the tool has completed the CFT will be marked as complete and if you look in the Outputs section you should see a Migration Status of Success. You can also look at the output of the lambda function in CloudWatch logs. Once it is completely finished, you can decide to terminate your NAT instance and also delete the Cloudformation Stack to eliminate the lambda.


In addition to myself, I worked with @ianwilloughby on various permutations of the python pieces of the tool. If you'd like to run a CLI version of the script, you can take a look at his implementation at