
This may be a simple question for someone, but I'm just not able to figure it out.

I need to have a private VPC (for audit and compliance reasons). I connect to a few external services for which I need a common whitelisted IP address. This is only for one external service though; all other IP traffic should not go through the NAT gateway, to save costs.

Also, I use a huge amount of S3 and ECR bandwidth, so I want access to S3 and ECR to happen through a VPC endpoint.

Is this possible to set up? Because it seems to be one or the other. Can a VPC be configured to let some routes go through the internet gateway, some through NAT and some through a VPC endpoint?

Sandeep
  • Yes, you can do that. But I'm not sure what your issue is. Did you try anything? If yes, what exactly did you do? Why does it not work? – Marcin Jun 21 '22 at 10:26
  • @Marcin not sure. I tried it with a very vanilla ECS+Fargate setup (running Airflow). Here is what I created - https://github.com/sandys/tf-ecs-airflow/blob/main/terraform/vpc.tf – Sandeep Jun 21 '22 at 17:28

1 Answer


Is this possible to set up? Because it seems to be one or the other. Can a VPC be configured to let some routes go through the internet gateway, some through NAT and some through a VPC endpoint?

Yes, when you have a VPC Endpoint associated with your subnet, any network requests to that service (ECR for example) will be resolved by the VPC's DNS to an internal VPC address, and will go to the VPC Endpoint.

Only network requests that resolve to an external address will go through the NAT Gateway.

Mark B
  • Running all the traffic through a NAT gateway is more expensive than an internet gateway, right? So can we also have an IGW that takes most of the traffic, and only some traffic goes through the NAT gateway and VPC endpoint? – Sandeep Jun 21 '22 at 18:37
  • Yes, you will need public and private VPC subnets, and deploy resources to either the public or private subnet depending on whether you want their traffic to go through the NAT Gateway or directly through the Internet Gateway. In both sets of subnets you can configure the VPC Endpoints as well. – Mark B Jun 21 '22 at 18:39
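The layout Mark B describes, as an added Terraform example that is not from the question's linked repo or from the answer: a public route table for IGW egress, a private route table for NAT egress (the NAT gateway's elastic IP being the one address to allow-list), and S3/ECR endpoints attached to both. It assumes `aws_vpc.main`, `aws_subnet.public`, `aws_subnet.private`, `aws_internet_gateway.igw`, `aws_nat_gateway.nat` and `aws_security_group.endpoints` are declared elsewhere in the same configuration.

```hcl
data "aws_region" "current" {}   # used to build the endpoint service names

# Public subnet: default route to the IGW, so egress is direct (no NAT cost,
# but each task gets its own public IP, so nothing here can be allow-listed).
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}
# Private subnet: default route to the NAT gateway; its elastic IP is the one
# address to allow-list, so only tasks that call the external service go here.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}
resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}
# S3 gateway endpoint: adds a prefix-list route to BOTH tables, so S3 traffic
# (including ECR image layers, which are served from S3) skips IGW and NAT.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.public.id, aws_route_table.private.id]
}
# ECR interface endpoints: with private DNS on, the api.ecr and *.dkr.ecr
# hostnames resolve to in-VPC ENIs from every subnet (the VPC must have
# enable_dns_support and enable_dns_hostnames set). Only one subnet per AZ
# is allowed, so the ENIs live in the private subnet; the security group
# (assumed defined elsewhere) should admit 443/tcp from the VPC CIDR only.
resource "aws_vpc_endpoint" "ecr" {
  for_each            = toset(["ecr.api", "ecr.dkr"])
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.private.id]
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}
```

After `terraform apply`, the private route table should show the S3 prefix-list route alongside the 0.0.0.0/0 NAT route, and a Fargate task in that subnet should pull from ECR without any NAT gateway bytes being billed.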