Egress-only internet gateway basics - Amazon Virtual Private Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Egress-only internet gateway basics

IPv6 addresses are globally unique, and are therefore public by default. If you want your instance to be able to access the internet, but you want to prevent resources on the internet from initiating communication with your instance, you can use an egress-only internet gateway. To do this, create an egress-only internet gateway in your VPC, and then add a route to your route table that points all IPv6 traffic (::/0), or a specific range of IPv6 addresses, to the egress-only internet gateway. IPv6 traffic from the subnet that's associated with the route table is routed to the egress-only internet gateway. An egress-only internet gateway handles IPv6 traffic only; for outbound-only IPv4 access, use a NAT gateway instead.

An egress-only internet gateway is stateful: it forwards traffic from the instances in the subnet to the internet or other Amazon services, and then sends the responses back to the instances. Connections initiated from the internet toward the instances are not forwarded.

An egress-only internet gateway has the following characteristics:

  • You cannot associate a security group with an egress-only internet gateway. You can use security groups for your instances in the private subnet to control the traffic to and from those instances.

  • You can use a network ACL to control the traffic to and from the subnet for which the egress-only internet gateway routes traffic. Unlike the gateway itself, a network ACL is stateless, so its inbound rules must explicitly allow the IPv6 return traffic (typically TCP and UDP ephemeral ports from ::/0) or outbound connections will fail even though the gateway forwards them.

In the following diagram, the VPC has both IPv4 and IPv6 CIDR blocks, and the subnet has both IPv4 and IPv6 CIDR blocks. The VPC has an egress-only internet gateway.

[Diagram: Using an egress-only internet gateway]

The following is an example of the route table associated with the subnet. There is a route that sends all internet-bound IPv6 traffic (::/0) to the egress-only internet gateway.

Destination                 Target
10.0.0.0/16                 Local
2001:db8:1234:1a00::/64     Local
::/0                        eigw-id
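The route above is the only thing that makes the subnet "private" for IPv6: if someone later replaces the ::/0 target with a regular internet gateway, every instance with an IPv6 address becomes reachable from the internet, and if the egress-only internet gateway is deleted the route turns into a blackhole and outbound IPv6 silently breaks. The following added example (not AWS's own code) audits for both conditions. It parses a constructed sample in the shape of `aws ec2 describe-route-tables --output json`; all resource IDs in it (vpc-, rtb-, subnet-, eigw-, igw-, nat-) are placeholders, and the list of subnets that are supposed to be private is an assumed input that you would supply from your own inventory.

```python
"""Audit VPC route tables for IPv6 routes that bypass an egress-only internet gateway.

Added example, not code from the AWS documentation. The sample below is a
constructed stand-in for `aws ec2 describe-route-tables --output json`; every
resource ID is a placeholder.
"""
import json

# Constructed sample: three route tables in one dual-stack VPC.
#   rtb-0aaa111: the table from the page, ::/0 -> egress-only internet gateway (correct)
#   rtb-0bbb222: ::/0 -> regular internet gateway (subnet is exposed to inbound IPv6)
#   rtb-0ccc333: ::/0 -> an eigw that was deleted (route is a blackhole, egress broken)
SAMPLE_DESCRIBE_ROUTE_TABLES = json.dumps({
    "RouteTables": [
        {
            "RouteTableId": "rtb-0aaa111",
            "VpcId": "vpc-0example",
            "Associations": [{"SubnetId": "subnet-0private6", "Main": False}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationIpv6CidrBlock": "2001:db8:1234:1a00::/64", "GatewayId": "local", "State": "active"},
                {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0example", "State": "active"},
            ],
        },
        {
            "RouteTableId": "rtb-0bbb222",
            "VpcId": "vpc-0example",
            "Associations": [{"SubnetId": "subnet-0leaky6", "Main": False}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationIpv6CidrBlock": "2001:db8:1234:1a01::/64", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
                {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0example", "State": "active"},
            ],
        },
        {
            "RouteTableId": "rtb-0ccc333",
            "VpcId": "vpc-0example",
            "Associations": [{"SubnetId": "subnet-0broken6", "Main": False}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationIpv6CidrBlock": "2001:db8:1234:1a02::/64", "GatewayId": "local", "State": "active"},
                {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0deleted", "State": "blackhole"},
            ],
        },
    ]
})


def classify_ipv6_route(route):
    """Classify one DescribeRouteTables route entry by what its IPv6 target implies.

    Returns None for routes that have no IPv6 destination (IPv4 routes are out of scope).
    """
    if "DestinationIpv6CidrBlock" not in route:
        return None
    if route.get("State") == "blackhole":
        return "blackhole"           # target no longer exists; packets are dropped
    gateway = route.get("GatewayId", "")
    if gateway == "local":
        return "local"               # intra-VPC, always present
    if gateway.startswith("igw-"):
        return "internet-gateway"    # bidirectional: inbound IPv6 connections reach the subnet
    if route.get("EgressOnlyInternetGatewayId", "").startswith("eigw-"):
        return "egress-only"         # outbound-initiated traffic only
    return "other"                   # peering, transit gateway, ENI, ...: needs a human look


# Verdict per route kind for a subnet that is supposed to be private for IPv6.
VERDICTS = {
    "egress-only": "ok",
    "internet-gateway": "exposed",
    "blackhole": "broken",
    "other": "review",
}


def audit_ipv6_egress(describe_output, private_subnet_ids):
    """Return one finding per non-local IPv6 route in tables serving the given private subnets.

    Each finding is a dict with RouteTableId, Destination, Kind and Verdict.
    """
    private = set(private_subnet_ids)
    findings = []
    for table in json.loads(describe_output)["RouteTables"]:
        associated = {a.get("SubnetId") for a in table.get("Associations", [])}
        if not associated & private:
            continue                 # table does not serve any subnet we care about
        for route in table.get("Routes", []):
            kind = classify_ipv6_route(route)
            if kind in (None, "local"):
                continue
            findings.append({
                "RouteTableId": table["RouteTableId"],
                "Destination": route["DestinationIpv6CidrBlock"],
                "Kind": kind,
                "Verdict": VERDICTS[kind],
            })
    return findings


if __name__ == "__main__":
    # Assumed input: the subnets that must never accept inbound IPv6 from the internet.
    private_subnets = ["subnet-0private6", "subnet-0leaky6", "subnet-0broken6"]
    for finding in audit_ipv6_egress(SAMPLE_DESCRIBE_ROUTE_TABLES, private_subnets):
        print(f"{finding['RouteTableId']} {finding['Destination']:<8} {finding['Kind']:<17} {finding['Verdict']}")
```

Against real output, pipe `aws ec2 describe-route-tables --output json` into `audit_ipv6_egress` unchanged; the field names used here (`DestinationIpv6CidrBlock`, `GatewayId`, `EgressOnlyInternetGatewayId`, `State`) are the ones the DescribeRouteTables API returns. Routes whose `GatewayId` is an `igw-` are the finding that matters for the threat the page describes; a `blackhole` state is the availability counterpart to watch after someone deletes or replaces the gateway.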