@@ -122,3 +122,44 @@ originate. Using these internal addresses is much more likely to result in a
122122successful direct connection.
123123
124124![ Diagram of a workspace agent and client over VPN] ( ../images/networking/stun3.png )
125+
126+ ##Hard NAT
127+
128+ Some NATs are known to use a different port when forwarding requests to the STUN server and when
129+ forwarding probe packets to peers. In that case, the address a peer discovers over the STUN protocol
130+ will have the correct IP address, but the wrong port. Tailscale refers to this as "hard" NAT in
131+ [ How NAT traversal works (tailscale.com)] ( https://tailscale.com/blog/how-nat-traversal-works ) .
132+
133+ It can block direct connections if the other peer is also behind a "hard" NAT or is running a
134+ firewall (including Windows Defender Firewall). Peers fallback to DERP connections if they cannot
135+ establish a direct connection.
136+
137+ If your workspaces are behind a "hard" NAT, you can:
138+
139+ 1 . Ensure clients are not also behind a "hard" NAT. (You may have limited ability to control this
140+ if end users connect from their homes.
141+ 2 . Ensure firewalls on client devices (e.g. Windows Defender Firewall) have an inbound policy
142+ allowing all UDP ports either to the` coder ` or` coder.exe ` CLI binary, or from the IP
143+ address(es) of your workspace NAT(s).
144+ 3 . Reconfigure your workspace network's NAT connection to the public internet to be an "easy" NAT.
145+ See below for specific examples.
146+
147+ ###AWS NAT Gateway
148+
149+ The[ AWS NAT Gateway] ( https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html ) is a
150+ known "hard" NAT. You can use a
151+ [ NAT Instance] ( https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html ) instead of a
152+ NAT Gateway, and configure it to use the same port assignment for all UDP traffic from a particular
153+ source IP: port combination (Tailscale calls this "easy" NAT). Linux` MASQUERADE ` rules work well for
154+ this.
155+
156+ ###AWS Elastic Kubernetes Service (EKS)
157+
158+ The default configuration of AWS Elastic Kubernetes Service (EKS) includes the[ Amazon
159+ VPC CNI Driver] ( https://github.com/aws/amazon-vpc-cni-k8s ) , which by default randomizes the public
160+ port for different outgoing UDP connections, making it also act as a "hard" NAT, even if the EKS
161+ nodes are on a public subnet (and thus do not need to use the AWS NAT Gateway to reach the
162+ Internet). This behavior can be disabled by setting the environment variable
163+ ` AWS_VPC_K8S_CNI_RANDOMIZESNAT=none ` in the` aws-node ` DaemonSet. Note, however, if your nodes are
164+ on a private subnet, they will still need NAT to reach the public Internet, meaning that issues with
165+ the[ AWS NAT Gateway] ( #aws-nat-gateway ) might affect you.