I'm working with an EC2 instance that's in a VPC limited to private subnets. I need to send requests to a third-party SaaS, but there's no public subnet available in my VPC or account, and I can't create one. Is there a way to get internet access from this instance? I thought about using a NAT Gateway, but I believe it requires a public subnet to route the traffic. Any suggestions?
5 Answers
Essentially, you’ll need to create some public access point. Without that, it’s impossible to get any public connectivity. It’s a catch-22 situation; not having a public subnet means you can’t access the internet.
If you have to have internet access, you'll need to provision it somehow. An x-acct transit gateway could work, or you might explore tunneling through a direct connect setup. Ultimately, having a public IP somewhere is essential to get out there.
I've dealt with SaaS providers that use PrivateLink or IPsec VPNs compatible with AWS. If your SaaS supports IPv6, you could also explore using an IPv6 egress-only gateway, but that’ll still require a public subnet.
You’ll probably need to check in with your security and networking team. They might have to justify the request and potentially connect your VPC to a transit gateway to facilitate internet access via a centralized egress account. It's worth looking into!
Yeah, but it gets expensive with NAT fees. It's annoying how it raises the costs just to get internet connectivity.
You definitely need some sort of public subnet because that’s how you typically get access. One alternative could be to set up a Lambda function with a VPC endpoint as a proxy to handle the requests for you.

What about using CloudFront instead? Combine it with a security group that allows traffic through, and you might bypass the need for a NAT gateway altogether.
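The answers above all come back to the same question: does any route table in the VPC carry a default route to something that can reach the outside (an internet gateway, a NAT gateway, an egress-only internet gateway for IPv6, a transit gateway into a centralized egress account, or a virtual private gateway toward a VPN or Direct Connect)? The script below is an added example, not code from the thread or from AWS: it classifies subnets from `DescribeRouteTables` data so you can check what egress paths already exist before asking the networking team for a new one. The route tables, subnet and gateway IDs are constructed placeholders; `fetch_route_tables` is the optional live variant and needs boto3 plus credentials.

```python
"""Classify a VPC's subnets by egress path from DescribeRouteTables data.

Added example; the route tables below are constructed with placeholder IDs
in the shape boto3's ec2.describe_route_tables() returns.
"""
from typing import Dict, List, Optional

SAMPLE_ROUTE_TABLES = [
    {   # main table: local only, so unassociated subnets are isolated
        "RouteTableId": "rtb-main-placeholder",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # public subnet: default route to an internet gateway
        "RouteTableId": "rtb-public-placeholder",
        "Associations": [{"SubnetId": "subnet-public-placeholder"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder"}],
    },
    {   # private subnet whose default route goes to a NAT gateway
        "RouteTableId": "rtb-nat-placeholder",
        "Associations": [{"SubnetId": "subnet-nat-placeholder"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder"}],
    },
    {   # private subnet routed to a transit gateway (centralized egress account)
        "RouteTableId": "rtb-tgw-placeholder",
        "Associations": [{"SubnetId": "subnet-tgw-placeholder"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-placeholder"}],
    },
    {   # IPv6 egress only; IPv4 stays isolated
        "RouteTableId": "rtb-eigw-placeholder",
        "Associations": [{"SubnetId": "subnet-eigw-placeholder"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationIpv6CidrBlock": "::/0",
                    "EgressOnlyInternetGatewayId": "eigw-placeholder"}],
    },
]


def egress_kind(route: dict) -> Optional[str]:
    """Return what a default route leads to, or None if it gives no egress."""
    if route.get("State", "active") != "active":
        return None  # blackhole routes (deleted NAT, detached gateway) lead nowhere
    is_default = (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                  or route.get("DestinationIpv6CidrBlock") == "::/0")
    if not is_default:
        return None
    gw = route.get("GatewayId", "")
    if gw.startswith("igw-"):
        return "internet-gateway"
    if gw.startswith("vgw-"):
        return "virtual-private-gateway"  # VPN / Direct Connect toward on-prem
    if "NatGatewayId" in route:
        return "nat-gateway"
    if "TransitGatewayId" in route:
        return "transit-gateway"
    if "EgressOnlyInternetGatewayId" in route:
        return "egress-only-igw-ipv6"
    return "other"


def table_egress(table: dict) -> List[str]:
    """Sorted, de-duplicated egress kinds offered by one route table."""
    return sorted({k for k in (egress_kind(r) for r in table.get("Routes", [])) if k})


def classify(kinds: List[str]) -> str:
    """A subnet is 'public' only if it routes straight to an internet gateway."""
    if "internet-gateway" in kinds:
        return "public"
    return "private-with-egress" if kinds else "isolated"


def classify_subnets(route_tables: List[dict]) -> Dict[str, str]:
    """Map each explicitly associated subnet to public / private-with-egress / isolated."""
    result: Dict[str, str] = {}
    for table in route_tables:
        kinds = table_egress(table)
        for assoc in table.get("Associations", []):
            if "SubnetId" in assoc:
                result[assoc["SubnetId"]] = classify(kinds)
    return result


def main_table_classification(route_tables: List[dict]) -> str:
    """Subnets with no explicit association inherit the main route table."""
    for table in route_tables:
        if any(a.get("Main") for a in table.get("Associations", [])):
            return classify(table_egress(table))
    return "isolated"


def fetch_route_tables(vpc_id: str) -> List[dict]:
    """Live variant: same shape as SAMPLE_ROUTE_TABLES (needs boto3 and credentials)."""
    import boto3
    ec2 = boto3.client("ec2")
    resp = ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
    return resp["RouteTables"]


if __name__ == "__main__":
    for subnet, cls in classify_subnets(SAMPLE_ROUTE_TABLES).items():
        print(f"{subnet}: {cls}")
    print("subnets on the main table:", main_table_classification(SAMPLE_ROUTE_TABLES))
```

Run it against the sample and every subnet except the public one comes back as `private-with-egress` or `isolated`, which is the situation the question describes: an instance in an `isolated` subnet has no path out until someone adds a default route to one of the gateways listed, and a route to a transit gateway only helps if the egress account on the far side actually forwards it.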