
How to create a private VPC that needs to be IP-whitelisted (NAT gateway?) and reduce S3/ECR cost (VPC endpoint?)


This may be a simple question for someone, but I'm just not able to figure it out.

I need to have a private VPC (for audit and compliance reasons). I connect to a few external services for which I need a common whitelisted IP address. This is only for one external service though; all other IPs should not go through the NAT gateway, to save costs.

Also, I use a huge amount of S3 and ECR bandwidth, so I want access to S3 and ECR to happen through a VPC endpoint.

Is this possible to set up? It seems to be one or the other. Can a VPC be configured to let some routes go through the internet gateway, some through NAT and some through a VPC endpoint?


Solution

  • Is this possible to set up? It seems to be one or the other. Can a VPC be configured to let some routes go through the internet gateway, some through NAT and some through a VPC endpoint?

    Yes, when you have a VPC Endpoint associated with your subnet, any network requests to that service (ECR for example) will be resolved by the VPC's DNS to an internal VPC address, and will go to the VPC Endpoint.

    Only network requests that resolve to an external address will go through the NAT Gateway.
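As an added illustration of the answer (not code from the original question or answer), a Terraform layout for the private subnet: a single route to the partner's CIDR through the NAT gateway and no default route, a gateway endpoint for S3, and interface endpoints for ECR with private DNS. It goes one step beyond the answer by limiting NAT use to that one prefix; the region, VPC, subnet and NAT gateway ids and the partner CIDR are placeholders.

```hcl
# Added example, not from the question or answer. Placeholder ids/CIDRs below;
# the VPC is assumed to have enable_dns_support and enable_dns_hostnames set.
locals {
  region       = "eu-west-1"
  vpc_id       = "vpc-0123456789abcdef0"
  vpc_cidr     = "10.0.0.0/16"
  subnet_id    = "subnet-0123456789abcdef0" # the private subnet
  nat_gw_id    = "nat-0123456789abcdef0"    # existing NAT gateway with a fixed EIP
  partner_cidr = "203.0.113.0/24"           # the one service that must see the whitelisted IP
}
# No 0.0.0.0/0 route: only the partner prefix can leave via the NAT gateway,
# so a stray call to any other external host is blocked rather than silently billed.
resource "aws_route_table" "private" {
  vpc_id = local.vpc_id
  route {
    cidr_block     = local.partner_cidr
    nat_gateway_id = local.nat_gw_id
  }
}
resource "aws_route_table_association" "private" {
  subnet_id      = local.subnet_id
  route_table_id = aws_route_table.private.id
}
# Gateway endpoint for S3 (no hourly charge); ECR image layers are served from S3 too.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = local.vpc_id
  service_name      = "com.amazonaws.${local.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
}
resource "aws_security_group" "endpoints" {
  vpc_id = local.vpc_id
  ingress { # only workloads inside the VPC may reach the endpoint ENIs
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [local.vpc_cidr]
  }
}
# Interface endpoints for ECR; with private DNS, *.ecr.<region>.amazonaws.com
# resolves to ENI addresses in the subnet, so image pulls never touch the NAT gateway.
resource "aws_vpc_endpoint" "ecr" {
  for_each            = toset(["ecr.api", "ecr.dkr"])
  vpc_id              = local.vpc_id
  service_name        = "com.amazonaws.${local.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [local.subnet_id]
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}
```

To confirm the DNS behaviour the answer describes, resolve `api.ecr.<region>.amazonaws.com` from an instance in the subnet: it should return addresses inside the VPC CIDR, not public ones.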