amazon-web-servicesnetwork-programmingamazon-vpcprivate-subnetaws-nat-gateway

AWS private subnet with NAT gateway and VPC PrivateLink: which one will be used?


Say I have an ec2 in a private subnet with access to the internet through a NAT Gateway and I have VPC endpoints (PrivateLink) for AWS services like DynamoDB or SNS. If my ec2 instance needs to interact with those services, it will use the private link or the NAT Gateway? In other words, the traffic will go on the public internet or will stay inside the VPC?


Solution

  • In other words, the traffic will go on the public internet or will stay inside the VPC?

    It will go to interface endpoint. And the reason is that aws chooses more specific (longest prefix match) route when there is more than one choice where to direct traffic. So if VPC has to decide between 0.0.0.0/0 for NAT and interface endpoint address, interface endpoint will be prioritized.

    You can easily check it yourself. Place interface endpoint in your private subnet which has route to NAT. Then black all incoming traffic to the interface endpoint using its security group. What you should see is that you are unable to access the service of the interface endpoint, even though there is NAT gateway.