add test

packages/@aws-cdk/aws-ec2/lib/nat.ts

@@ -213,7 +213,7 @@ export class NatInstanceProvider extends NatProvider implements IConnectable {
     this._securityGroup = this.props.securityGroup ?? new SecurityGroup(options.vpc, 'NatSecurityGroup', {
       vpc: options.vpc,
       description: 'Security Group for NAT instances',
-      allowAllOutbound: this.props.allowAllTraffic
+      allowAllOutbound: this.props.allowAllTraffic ?? true,
     });
     this._connections = new Connections({ securityGroups: [this._securityGroup] });
 

packages/@aws-cdk/aws-ec2/test/vpc.test.ts

@@ -904,6 +904,22 @@ nodeunitShim({
         DestinationCidrBlock: '0.0.0.0/0',
         InstanceId: { Ref: 'TheVPCPublicSubnet1NatInstanceCC514192' },
       }));
+      cdkExpect(stack).to(haveResource('AWS::EC2::SecurityGroup', {
+        SecurityGroupEgress: [
+          {
+            CidrIp: '0.0.0.0/0',
+            Description: 'Allow all outbound traffic by default',
+            IpProtocol: '-1',
+          },
+        ],
+        SecurityGroupIngress: [
+          {
+            CidrIp: '0.0.0.0/0',
+            Description: 'from 0.0.0.0/0:ALL TRAFFIC',
+            IpProtocol: '-1',
+          },
+        ],
+      }));
 
       test.done();
     },
@@ -948,6 +964,15 @@ nodeunitShim({
 
       // THEN
       cdkExpect(stack).to(haveResource('AWS::EC2::SecurityGroup', {
+        SecurityGroupEgress: [
+          {
+            CidrIp: '255.255.255.255/32',
+            Description: 'Disallow all traffic',
+            FromPort: 252,
+            IpProtocol: 'icmp',
+            ToPort: 86,
+          },
+        ],
         SecurityGroupIngress: [
           {
             CidrIp: '1.2.3.4/32',