Currently in our setup, we have a private and public subnet in VPC A that is peered to VPC B. VPC A has outbound connectivity routed through an internet gateway and a NAT gateway (for enabling internet access for EC2 instances in our private subnet). VPC B only has a private subnet that has no internet access for its local EC2 instances. According to this documentation, it seems hopping internet connectivity between the two VPCs isn't supported across a peered connection:
https://docs.aws.amazon.com/vpc/latest/peering/invalid-peering-configurations.html
This leads me to my question: Is it possible to enable internet connectivity with only a private subnet utilizing a NAT gateway? Or can this only be done in conjunction with a public subnet associated with an internet gateway, similar to VPC A? If this is possible through other means, what are my options?
Best Answer
Your private-only VPC can't have a NAT gateway, as NAT requires a public IP.
You can, however, give the instances in VPC B access to the internet indirectly if you set up an outbound proxy in your VPC A. You can use, for example, Squid Proxy. That proxy will accept requests from VPC B instances and relay them to the internet.
Your instances in VPC B can then set

http_proxy=http://proxy.vpc-a:3128

and

https_proxy=http://proxy.vpc-a:3128

and that way can reach the internet. The added benefit is that your proxy can log all the traffic and also restrict access to websites according to a whitelist. That may be required in some regulated environments.
Hope that helps :)
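As an added illustration of the allowlisting and logging the answer above mentions (this is example configuration, not part of the original answer): a minimal squid.conf for the proxy instance in VPC A that only relays requests from VPC B's private subnet to an explicit list of destination domains and logs every request. The CIDRs, the proxy hostname proxy.vpc-a, and the domain list are constructed placeholders.

```squid
# Added example squid.conf (not from the original answer).
# Assumptions (placeholders): VPC B private subnet is 10.1.0.0/16,
# VPC A private subnet is 10.0.1.0/24, proxy listens on TCP 3128.

http_port 3128

# Only peered private subnets may use the proxy; anything else is denied below
acl vpc_b_clients src 10.1.0.0/16
acl vpc_a_private src 10.0.1.0/24

# Destination allowlist (constructed values). Leading dot matches subdomains.
# For HTTPS, Squid checks the CONNECT target host against dstdomain.
acl allowed_sites dstdomain .amazonaws.com .ubuntu.com

# Ports the proxy will relay; CONNECT tunnels only to 443
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Refuse odd ports and CONNECT to anything but TLS ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Permit listed destinations for the private subnets; default deny
http_access allow vpc_b_clients allowed_sites
http_access allow vpc_a_private allowed_sites
http_access deny all

# Record every request (client, destination, verdict) for audit
access_log /var/log/squid/access.log squid

# Relay only; do not cache responses on the proxy
cache deny all
```

For the VPC B instances to reach the proxy, their route table needs the peering route to VPC A's CIDR and the proxy instance's security group must allow inbound TCP 3128 from VPC B's CIDR only.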