I have two VPCs: A and B.
I want any node in A to be able to open a TCP connection to any node in B, but not the other way around. Any node in B must also be able to open outgoing connections to public internet hosts. What is the best way to achieve this?
Use case: VPC A contains many sensitive internal services, and VPC B contains nodes that run completely untrusted code. VPC A needs to make HTTP requests to VPC B, but none of the internal services must be exposed.
VPC peering allows direct connections between any nodes in A and B – this cannot be restricted on a routing level. Security groups can be used to block outgoing connections, but this is slightly tricky to configure since there is no DENY rule.
Network ACLs aren't useful here, since return traffic must be allowed back from B -> A.
Are there any other options? Something like a NAT gateway, that only allows opening connections in one direction? AWS does support private NAT gateways, but I cannot find any documentation for a configuration like this.
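Added example (not code from the original question or from the answer): a small model of the stateful, allow-only semantics of security groups, used to check the three requirements above against a candidate rule set. The addressing (VPC A = 10.0.0.0/16, VPC B = 10.1.0.0/16, the node and public-host addresses) is constructed for the example. It also shows the workaround for the missing DENY rule: "the internet except VPC A" is spelled out as the set of CIDRs covering 0.0.0.0/0 minus A's range, computed with `ipaddress.address_exclude`.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing for the example (not from the original post).
VPC_A = ipaddress.ip_network("10.0.0.0/16")   # sensitive internal services
VPC_B = ipaddress.ip_network("10.1.0.0/16")   # nodes running untrusted code
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    """One allow rule: a CIDR plus an inclusive TCP port range."""
    cidr: ipaddress.IPv4Network
    ports: tuple = (1, 65535)

    def matches(self, ip, port):
        return ip in self.cidr and self.ports[0] <= port <= self.ports[1]


@dataclass
class SecurityGroup:
    """A security group holds allow rules only; anything not listed is dropped."""
    name: str
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)

    def allows_egress(self, dst_ip, dst_port):
        return any(r.matches(dst_ip, dst_port) for r in self.egress)

    def allows_ingress(self, src_ip, dst_port):
        return any(r.matches(src_ip, dst_port) for r in self.ingress)


def everything_except(excluded, universe=ANYWHERE):
    """No DENY rule exists, so 'everything but VPC A' must be written as the
    list of CIDRs that together cover the universe minus the excluded range."""
    return sorted(universe.address_exclude(excluded))


def connection_allowed(src_sg, src_ip, dst_sg, dst_ip, dst_port):
    """Evaluate a *new* TCP connection the way a stateful security group does:
    the sender's egress rules and the receiver's ingress rules must both allow
    it; replies on the established flow are then permitted automatically.
    dst_sg=None models a public host outside AWS that carries no security group."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not src_sg.allows_egress(dst_ip, dst_port):
        return False, f"{src_sg.name} egress does not allow {dst_ip}:{dst_port}"
    if dst_sg is not None and not dst_sg.allows_ingress(src_ip, dst_port):
        return False, f"{dst_sg.name} ingress does not allow {src_ip}"
    return True, "allowed"


# VPC A: may open HTTP to B; lists no ingress from B, so B can never connect in.
SG_A = SecurityGroup("sg-a", ingress=[], egress=[Rule(VPC_B, (80, 80))])

# VPC B: accepts HTTP from A; egress to the whole address space except A's range.
SG_B = SecurityGroup(
    "sg-b",
    ingress=[Rule(VPC_A, (80, 80))],
    egress=[Rule(c) for c in everything_except(VPC_A)],
)

# The naive alternative: egress 0.0.0.0/0 on B. B's own egress then permits a
# connection towards A and only A's (empty) ingress list stops it.
SG_B_NAIVE = SecurityGroup("sg-b-naive", ingress=[Rule(VPC_A, (80, 80))],
                           egress=[Rule(ANYWHERE)])


def check_requirements(sg_b=SG_B):
    """Verdict for each of the three requirements in the question."""
    return {
        "A->B http": connection_allowed(SG_A, "10.0.1.5", sg_b, "10.1.2.7", 80),
        "B->A tcp": connection_allowed(sg_b, "10.1.2.7", SG_A, "10.0.1.5", 443),
        "B->internet": connection_allowed(sg_b, "10.1.2.7", None, "203.0.113.10", 443),
    }


if __name__ == "__main__":
    for label, (ok, why) in check_requirements().items():
        print(f"{label:12} {'ALLOW' if ok else 'DENY':5} {why}")
    for cidr in everything_except(VPC_A):
        print("egress allow", cidr)
```

Two things the model makes visible: the control that actually enforces "B never opens a connection to A" is the absence of any ingress rule on A's group, which holds even with a wide-open egress rule on B; the complement list on B's egress is a second, independent layer, and because security groups are stateful, A's replies to B-originated HTTP requests need no rule of their own.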
Best Answer
I didn't read your answer in detail but it seems a bit off. I don't know why you're using NAT gateways at all, they're purely to allow instances in private subnet to access the internet.
A key here is the single-direction communication, which strongly suggests security groups are the answer. My solution (without thinking too hard) would be: