AWS vpc documentation change
Summary
Clarified private NAT gateway restrictions to specify blocking of unsolicited inbound connections from other VPCs/on-premises networks
Security assessment
Enhances documentation about security features by precisely defining network traffic restrictions, helping users avoid misconfigurations. No evidence of addressing a specific vulnerability.
Diff
diff --git a/vpc/latest/userguide/vpc-nat-gateway.md b/vpc/latest/userguide/vpc-nat-gateway.md index 3200e9a0f..aa647f298 100644 --- a//vpc/latest/userguide/vpc-nat-gateway.md +++ b//vpc/latest/userguide/vpc-nat-gateway.md @@ -13 +13 @@ When you create a NAT gateway, you specify one of the following connectivity typ - * **Private** – Instances in private subnets can connect to other VPCs or your on-premises network through a private NAT gateway, but the instances can't receive unsolicited inbound connections from the internet. You can route traffic from the NAT gateway through a transit gateway or a virtual private gateway. You can't associate an elastic IP address with a private NAT gateway. You can attach an internet gateway to a VPC with a private NAT gateway, but if you route traffic from the private NAT gateway to the internet gateway, the internet gateway drops the traffic. + * **Private** – Instances in private subnets can connect to other VPCs or your on-premises network through a private NAT gateway, but the instances can't receive unsolicited inbound connections from the other VPCs or the on-premises network. You can route traffic from the NAT gateway through a transit gateway or a virtual private gateway. You can't associate an elastic IP address with a private NAT gateway. You can attach an internet gateway to a VPC with a private NAT gateway, but if you route traffic from the private NAT gateway to the internet gateway, the internet gateway drops the traffic.