Egress-Only Internet Gateway (EIGW)

Ref: https://learn.cantrill.io/courses/1820301/lectures/41301380

Refresher: differences between IPv4 and IPv6 in AWS

IPv4 → addresses are private or public
- Private resources cannot communicate with public internet/NWs (not directly)
- Public resources have a publicly routable IPv4 address that works in both directions
  - In absence of security filtering, public resources can access public internet and be accessed from public internet
IPv6 (in AWS) → addresses are public-only

NATGW/NAT instances:
1. Allow resources with private IPv4 addresses to access public services & public internet
2. Side effect: do not allow externally initiated connections into private services
NAT exists to address limitations of IPv4 address space
- ❗ NAT doesn't work with IPv6
- NAT's side-effect/extra functionality of blocking externally initiated connections cannot be applied the same way to IPv6 as to IPv4

🔧 Outbound-only (and response) connections for IPv6 resources
- Connections can be initiated from VPC, but not from public NWs to VPC
- ❗ ONLY for IPv6 resources, NOT necessary for IPv4 resources!
- With a normal IGW, IPv6 resources would be “exposed” to public internet
Similar architecturally to normal IGWs:
- Regionally resilient, HA by design across all AZs used by the VPC
- Traffic-based scaling
- Stateful
Route Table in subnet: Default IPv6 route (::/0) has EIGW as target
Architecture Diagram