dhruv's wiki

Add private subnets to existing VPC

Resources

Setup

Usecase

You need to run Fargate service(s) in private subnets, but they don't exist yet. The containers (running on ECS) need to be able to make outgoing network calls.

Let's say the CIDR of the VPC is 172.31.0.0/16. More about CIDRs here: [[cidr]]

Solution

First of all, the private subnet(s) need a NAT gateway to forward outbound traffic to the VPC's Internet Gateway. A NAT gateway has to live in a public subnet (one whose route table sends 0.0.0.0/0 to the Internet Gateway), so create a public subnet in the VPC if it doesn't already exist, and then create the NAT gateway in that subnet.

Let's say the CIDR of the public subnet is 172.31.0.0/20.

Then, create a private subnet in the VPC.

Let's say the CIDR of the private subnet is 172.31.48.0/20.

Once created, its route table will need to be modified (or a new route table will have to be created and associated with it, which is the case if the private subnet currently shares a route table with the public subnet, since that table's default route must keep pointing at the Internet Gateway). The primary thing to note is that this route table needs a route whose destination 0.0.0.0/0 targets the NAT gateway created before. This means that all packets intended for the public internet will be sent to the NAT gateway, which will then forward them to the Internet Gateway of that VPC, while traffic to other addresses inside 172.31.0.0/16 still uses the implicit local route.

(screenshot: route-table)
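As an added illustration (not part of the original note), this Python models the public and private route tables with the longest-prefix matching a VPC uses, and checks that the example CIDRs fit inside the VPC without overlapping. The igw-/nat- target names are placeholders standing in for real resource IDs.

```python
from ipaddress import ip_address, ip_network

# Constructed to match the CIDRs used in this note.
VPC_CIDR = "172.31.0.0/16"
PUBLIC_SUBNET = "172.31.0.0/20"
PRIVATE_SUBNET = "172.31.48.0/20"

# Every VPC route table carries an implicit "local" route for the VPC CIDR.
# The public table's default route goes to the Internet Gateway, the private
# table's default route goes to the NAT gateway. Targets are placeholders.
PUBLIC_ROUTES = {VPC_CIDR: "local", "0.0.0.0/0": "igw-PLACEHOLDER"}
PRIVATE_ROUTES = {VPC_CIDR: "local", "0.0.0.0/0": "nat-PLACEHOLDER"}


def subnet_plan_problems(vpc_cidr, *subnet_cidrs):
    """Return a list of problems: subnets outside the VPC or overlapping each other."""
    vpc = ip_network(vpc_cidr)
    subnets = [ip_network(c) for c in subnet_cidrs]
    problems = []
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"{s} is not inside {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def route_for(routes, dst):
    """Pick the target for dst by longest-prefix match, as a VPC route table does."""
    addr = ip_address(dst)
    matching = [ip_network(cidr) for cidr in routes if addr in ip_network(cidr)]
    if not matching:
        raise LookupError(f"no route for {dst}")
    best = max(matching, key=lambda net: net.prefixlen)
    return routes[str(best)]


if __name__ == "__main__":
    print(subnet_plan_problems(VPC_CIDR, PUBLIC_SUBNET, PRIVATE_SUBNET))  # []
    # A container in the private subnet reaching another VPC host stays local...
    print(route_for(PRIVATE_ROUTES, "172.31.0.10"))    # local
    # ...while internet-bound traffic goes to the NAT gateway, not the IGW.
    print(route_for(PRIVATE_ROUTES, "93.184.216.34"))  # nat-PLACEHOLDER
    print(route_for(PUBLIC_ROUTES, "93.184.216.34"))   # igw-PLACEHOLDER
```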

Once all of this is set up, the ECS containers in the private subnet will be able to make outgoing calls to the public internet.