We have a requirement to set up a proxy in a private subnet that will whitelist the websites and connect to a NAT gateway. How can this be achieved in terms of routing, etc.?
Your proxy EC2 instance needs internet access despite being in a private subnet. That means that the subnet's route table will have to point to the NAT Gateway for destination 0.0.0.0/0. The instance's security group will have to allow outbound connections to any destination (you could restrict the ports), and inbound connections on the squid service port from the proxy clients.
Allow the squid clients to connect to the proxy instance security group on the access port (by default, security groups are fully open for outbound communications).
There is a gotcha: unfortunately, NAT Gateways do not support security groups. If you enable routing via the NAT Gateway from that private subnet, any instance in that subnet with a security group that allows unrestricted outbound communications will have access to the Internet via the NAT Gateway. You have to solve that (perhaps via NACLs or strict outbound security groups on the other instances).
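As an added example (not part of the original answer), here is the layout described above written in Terraform: the private subnet's default route to the NAT Gateway, a proxy security group that accepts the squid port only from the client security group and has unrestricted egress, and a client security group whose only egress is to the proxy, which is the strict-outbound-security-group way of closing the gotcha in the last paragraph. The VPC, subnet, NAT Gateway and AMI IDs and the VPC CIDR are assumed inputs, the whitelist is a constructed example, and the squid configuration is written onto the instance via user data.

```hcl
# Assumed inputs (not from the original post): an existing VPC, private subnet and NAT Gateway.
variable "vpc_id" { type = string }
variable "vpc_cidr" { type = string } # e.g. "10.0.0.0/16"; used as squid's allowed client range
variable "private_subnet_id" { type = string }
variable "nat_gateway_id" { type = string }
variable "ami_id" { type = string } # an Amazon Linux 2 AMI in your region (assumption)

locals {
  squid_port = 3128
  # Constructed example whitelist. In squid dstdomain, a leading dot matches the
  # domain and every subdomain; an entry without the dot matches exactly.
  whitelist = [".amazonaws.com", ".example.com"]
}

# Private subnet routing: default route to the NAT Gateway.
resource "aws_route_table" "private" {
  vpc_id = var.vpc_id
}

resource "aws_route" "private_default" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = var.nat_gateway_id
}

resource "aws_route_table_association" "private" {
  subnet_id      = var.private_subnet_id
  route_table_id = aws_route_table.private.id
}

# Terraform removes AWS's default allow-all egress rule from aws_security_group,
# so each group only gets the rules declared below.
resource "aws_security_group" "proxy" {
  name   = "squid-proxy"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "clients" {
  name   = "squid-clients"
  vpc_id = var.vpc_id
}

# Proxy: inbound squid port only from the client group; outbound anywhere
# (tighten to tcp/80 and tcp/443 if the whitelist only needs HTTP/HTTPS).
resource "aws_security_group_rule" "proxy_in" {
  type                     = "ingress"
  security_group_id        = aws_security_group.proxy.id
  protocol                 = "tcp"
  from_port                = local.squid_port
  to_port                  = local.squid_port
  source_security_group_id = aws_security_group.clients.id
}

resource "aws_security_group_rule" "proxy_out" {
  type              = "egress"
  security_group_id = aws_security_group.proxy.id
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  cidr_blocks       = ["0.0.0.0/0"]
}

# Clients: the only egress is to the proxy group on the squid port, so a client
# cannot reach the NAT Gateway directly even though the route table allows it.
resource "aws_security_group_rule" "clients_out" {
  type                     = "egress"
  security_group_id        = aws_security_group.clients.id
  protocol                 = "tcp"
  from_port                = local.squid_port
  to_port                  = local.squid_port
  source_security_group_id = aws_security_group.proxy.id
}

# Proxy instance: installs squid and writes a deny-by-default whitelist config.
resource "aws_instance" "proxy" {
  ami                    = var.ami_id
  instance_type          = "t3.small"
  subnet_id              = var.private_subnet_id
  vpc_security_group_ids = [aws_security_group.proxy.id]

  user_data = <<-EOF
    #!/bin/bash
    yum install -y squid
    printf '%s\n' ${join(" ", local.whitelist)} > /etc/squid/whitelist.txt
    cat > /etc/squid/squid.conf <<'CONF'
    http_port ${local.squid_port}
    acl localnet src ${var.vpc_cidr}
    acl whitelist dstdomain "/etc/squid/whitelist.txt"
    acl Safe_ports port 80 443
    acl SSL_ports port 443
    acl CONNECT method CONNECT
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localnet whitelist
    http_access deny all
    CONF
    systemctl enable --now squid
  EOF
}
```

Clients are pointed at the proxy with `http_proxy`/`https_proxy` set to the instance's private IP on port 3128. HTTPS is not intercepted: squid sees the `CONNECT host:443` request and matches `host` against the whitelist, so the allow list works for TLS destinations without breaking certificate validation. If some instances in the subnet cannot be moved into a restricted security group, a subnet NACL that denies egress to 0.0.0.0/0 except from the proxy's IP is the other option the answer mentions.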