Restricting traffic between AWS VPCs

I have two VPCs: A and B.

I want any node in A to be able to open a TCP connection to any node in B, but not the other way around. Any node in B must also be able to open outgoing connections to public internet hosts. What is the best way to achieve this?

Use case: VPC A contains many sensitive internal services, and VPC B contains nodes that run completely untrusted code. VPC A needs to make HTTP requests to VPC B, but none of the internal services must be exposed.

VPC peering allows direct connections between any nodes in A and B - this cannot be restricted on a routing level. Security groups can be used to block outgoing connections, but it is slightly tricky to configure since there is no DENY rule.

Network ACLs aren't useful here, since return traffic must be allowed back from B -> A.

Are there any other options? Something like a NAT gateway, that only allows opening connections in one direction? AWS does support private NAT gateways, but I cannot find any documentation for a configuration like this.


I didn't read your answer in detail but it seems a bit off. I don't know why you're using NAT gateways at all; they're purely to allow instances in a private subnet to access the internet.

A key here is the single direction communication, which strongly suggests security groups are the answer. My solution (without thinking too hard) would be:

  • VPC peering between the two VPCs, different CIDR ranges
  • Route table in both VPCs to enable communications
  • Security groups in VPC A to allow outgoing traffic to VPC B CIDR ranges, but not incoming. This will allow outward traffic and return traffic but not traffic initiated in VPC A
  • Security groups in VPC B allow incoming traffic from the VPC A CIDR, but do not allow outgoing. This lets traffic in and lets it return but does not let traffic initiated in A get to B
  • Internet gateway in VPC B. If you don't need the internet to reach into VPC B then you can use a NAT gateway in VPC B.
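As an added example, not part of the question or the answer above, the following Python script models the security-group layout the answer describes and also handles the point the question raises about the missing DENY rule: because VPC B must reach the internet but must not be able to initiate connections into VPC A, B's egress has to be written as an allow-list that covers 0.0.0.0/0 except A's CIDR. The script computes that allow-list with `ipaddress.address_exclude` and then evaluates new connections the way stateful security groups do (source-group egress plus destination-group ingress; return traffic is implied). The CIDRs 10.0.0.0/16 and 10.1.0.0/16, the HTTP port, and the simplified evaluator are assumptions made for the example, not values from the page or AWS's own implementation.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed CIDR ranges for the two VPCs; the question does not give any.
VPC_A = ipaddress.ip_network("10.0.0.0/16")   # sensitive internal services
VPC_B = ipaddress.ip_network("10.1.0.0/16")   # untrusted workloads
HTTP = 80                                     # the question says A makes HTTP requests to B


def internet_minus(excluded):
    """CIDRs that together cover 0.0.0.0/0 except `excluded`.

    Security groups have allow rules only, so "the whole internet but not VPC A"
    must be expressed as an allow-list. address_exclude yields the minimal set
    of networks (16 entries for a /16), well within the default per-group rule quota.
    """
    return sorted(ipaddress.ip_network("0.0.0.0/0").address_exclude(excluded))


@dataclass
class Rule:
    cidr: ipaddress.IPv4Network
    from_port: int
    to_port: int

    def matches(self, addr, port):
        return addr in self.cidr and self.from_port <= port <= self.to_port


@dataclass
class SecurityGroup:
    name: str
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)


def build_security_groups():
    """The layout from the answer: A may open HTTP to B, B may only reach non-A hosts."""
    sg_a = SecurityGroup("vpc-a-internal")
    sg_a.egress.append(Rule(VPC_B, HTTP, HTTP))      # A initiates HTTP to B
    # No ingress rule in A at all: nothing from B (or anywhere) can start a connection.

    sg_b = SecurityGroup("vpc-b-untrusted")
    sg_b.ingress.append(Rule(VPC_A, HTTP, HTTP))     # B accepts HTTP only from A
    for net in internet_minus(VPC_A):                # B reaches the internet, but the
        sg_b.egress.append(Rule(net, 0, 65535))      # allow-list deliberately omits A
    return sg_a, sg_b


def connection_allowed(src_sg, dst_sg, src_ip, dst_ip, dst_port):
    """Stateful evaluation of a NEW connection.

    The source group must allow the egress and, when the destination sits behind
    one of our groups, that group must allow the ingress. Reply packets are never
    evaluated: statefulness lets them through automatically.
    """
    src_ip = ipaddress.ip_address(src_ip)
    dst_ip = ipaddress.ip_address(dst_ip)
    if not any(r.matches(dst_ip, dst_port) for r in src_sg.egress):
        return False
    if dst_sg is None:       # public host, not governed by a group we manage
        return True
    return any(r.matches(src_ip, dst_port) for r in dst_sg.ingress)


if __name__ == "__main__":
    sg_a, sg_b = build_security_groups()
    print("B egress allow-list:", [str(r.cidr) for r in sg_b.egress])
    print("A -> B :80  ", connection_allowed(sg_a, sg_b, "10.0.1.5", "10.1.2.9", HTTP))
    print("B -> A :443 ", connection_allowed(sg_b, sg_a, "10.1.2.9", "10.0.1.5", 443))
    print("B -> net:443", connection_allowed(sg_b, None, "10.1.2.9", "203.0.113.10", 443))
```

The B-to-A attempt fails at B's own egress check before A's (empty) ingress is even consulted, which is the defence-in-depth the answer's two-sided rules give you: either side alone would be enough to block a new B-initiated connection, and neither interferes with the replies to connections A opened.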