EC2 - How to route outbound traffic through a single public IP

Solution 1:

Yes, you can use either a NAT Gateway or a NAT instance, in conjunction with an ELB... and that is the most sensible way to whitelist your internally-initiated, outbound traffic with external services.

A NAT gateway always has a static public IP address.

You must [...] specify an Elastic IP address to associate with the NAT gateway when you create it.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html

This configuration requires that the instances NOT have public IP addresses of their own, and NOT be on a public subnet with the default route pointing to the Internet Gateway. The default route for the instance subnet needs to point to the NAT device, once it's configured.

In turn, this means your ELB cannot be on the same subnet as the instances, since the ELB subnet MUST have the Internet Gateway as its default route.

Response traffic from the instances is directed at the ELB's internal IP address, so it's not affected by the instance subnet's default route; thus this configuration does not break reply traffic to ELB requests.

As strange as it seems to some, it is the standard configuration to place the ELBs on different subnets from the instances behind them. Unlike a conventional network where the router can be a bottleneck, there is no negative performance consideration related to the ELB and its balanced instances being on different subnets from each other. The entire VPC network is a software-defined, virtual network, so being on different subnets does not mean the traffic will be going through an unnecessary router, as it would mean on a physical Ethernet network. All traffic between instances follows a similar path through the VPC infrastructure.

See also Why do we need private subnets in VPC? on Stack Overflow.
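As an added example (not part of the answer above), here is a small audit that checks a VPC layout against the three constraints the answer states: instances have no public IP, the instance subnet's default route goes to a NAT gateway, and the ELB sits on a separate subnet whose default route is the Internet Gateway. The input dictionaries mirror the shape of boto3's describe_route_tables and describe_instances output; the sample data and the IDs ending in EXAMPLE are constructed, and the check assumes a NAT gateway rather than a NAT instance.

```python
def default_route_target(route_table):
    """Return the target of the 0.0.0.0/0 route, or None if the table has none."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("NatGatewayId") or route.get("GatewayId") or route.get("InstanceId")
    return None

def route_table_for_subnet(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def audit_egress_layout(route_tables, instances, elb_subnet_ids):
    """Return a list of findings; an empty list means the layout matches the answer."""
    findings = []
    for inst in instances:
        iid, subnet = inst["InstanceId"], inst["SubnetId"]
        if inst.get("PublicIpAddress"):
            findings.append(f"{iid}: has a public IP, egress will bypass the NAT")
        target = default_route_target(route_table_for_subnet(route_tables, subnet))
        if not (target or "").startswith("nat-"):
            findings.append(f"{iid}: subnet {subnet} default route is {target}, not a NAT gateway")
        if subnet in elb_subnet_ids:
            findings.append(f"{iid}: shares subnet {subnet} with the ELB")
    for subnet in elb_subnet_ids:
        target = default_route_target(route_table_for_subnet(route_tables, subnet))
        if not (target or "").startswith("igw-"):
            findings.append(f"ELB subnet {subnet}: default route is {target}, not the Internet Gateway")
    return findings

# Constructed sample (IDs are placeholders): the VPC main table defaults to the
# IGW, the app subnet defaults to a NAT gateway, and one instance wrongly has a public IP.
SAMPLE_ROUTE_TABLES = [
    {"Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
    {"Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"}]},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-app1", "SubnetId": "subnet-app"},
    {"InstanceId": "i-app2", "SubnetId": "subnet-app", "PublicIpAddress": "203.0.113.7"},
]
```

Running `audit_egress_layout(SAMPLE_ROUTE_TABLES, SAMPLE_INSTANCES, {"subnet-elb"})` flags only i-app2, whose public IP means its outbound traffic would not leave via the NAT gateway's Elastic IP.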