All posts
August 25, 20222 min read

Access VPC Private Subnet Proxy Deployment

Managing access to private subnets within a Virtual Private Cloud (VPC) is a fundamental step in securing modern cloud environments. Proxy deployments serve as a bridge, allowing controlled and auditable access to resources residing in private subnets, without compromising the underlying network. In this guide, we'll explore everything you need to know about accessing VPC private subnets using a proxy, from understanding the key components to deploying a simple, reliable solution. By the end, y

Free White Paper

Database Access Proxy + GCP VPC Service Controls: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

Managing access to private subnets within a Virtual Private Cloud (VPC) is a fundamental step in securing modern cloud environments. Proxy deployments serve as a bridge, allowing controlled and auditable access to resources residing in private subnets, without compromising the underlying network.

In this guide, we'll explore everything you need to know about accessing VPC private subnets using a proxy, from understanding the key components to deploying a simple, reliable solution. By the end, you'll have actionable insights to streamline your workflow.

What is a Private Subnet in a VPC?

A VPC, or Virtual Private Cloud, is a logically isolated section of a cloud provider’s network where you can run resources. These resources include servers, databases, and applications. Private subnets within a VPC are designed to be inaccessible from the public internet. They allow securely isolated operations, ideal for sensitive workloads like processing datasets, running backend services, or housing secrets.

However, restricted connectivity also introduces challenges—namely, how do you access and manage those resources securely without exposing them publicly?

Why Use a Proxy?

A proxy acts as an intermediary to access private resources inside a VPC. Instead of opening the private subnet's connectivity to external networks directly, the proxy provides:

  • Enhanced Security: Only the proxy endpoint is exposed externally (if needed), reducing attack surfaces.
  • Granular Access Control: Proxies integrate easily with IAM policies or Role-Based Access Control (RBAC) to restrict access.
  • Logging and Monitoring: Every request to private resources is captured, aiding troubleshooting and compliance requirements.

Deployment Steps for Accessing VPC Private Subnets with a Proxy

Let's walk through practical, high-level steps to deploy a proxy for secure VPC private subnet access:

Continue reading? Get the full guide.

Database Access Proxy + GCP VPC Service Controls: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

1. Choose Your Proxy Solution

The proxy solution you choose depends on the tools and infrastructure you're using. Here are common options across cloud providers:

  • AWS Systems Manager Session Manager
    Navigate secure connections to resources in private subnets without bastion hosts.
  • NAT Gateway/Instance
    A Network Address Translation solution for lightweight internet-bound traffic.
  • Custom Proxies
    Examples: Nginx, HAProxy, Envoy. These are self-hosted and customizable to your network needs.

2. Private Subnet Setup

  • Create a private subnet within your VPC.
  • Allocate instances or services within this subnet. For example:
  • Application servers
  • Database instances
  • Ensure the subnet routing table excludes routes to the public internet.

3. Secure Network Access

Configure security group rules to prevent unauthorized traffic. Some key practices include:

  • Limit inbound/outbound rules to necessary IP ranges.
  • Allow traffic only from the proxy instance or associated ENI (Elastic Network Interface).

4. Deploy and Configure Your Proxy

For instances inside your private subnet to be reachable, deploy your proxy solution with appropriate IAM permissions and networking rules. Here's an example with a custom Nginx reverse proxy:

  1. Set up Nginx on a bastion host:
  • Install and configure Nginx.
  • Route traffic for specific private resources using location blocks.
  1. Connect the bastion host to the VPC:
  • Attach an Elastic IP (EIP) for easy external connection.
  • Enable private-link routing to forward requests to private subnets.

For managed cloud solutions like Session Manager, no need to maintain proxy infrastructure manually—just set up agent-based connectivity.

Key Considerations for Ensuring Success

When deploying a private subnet proxy, you should:

  • Avoid Open Access: Public IPs should not directly access the private subnet.
  • Automate and Audit: Use Infrastructure-as-Code (IaC) tools like Terraform to manage your proxies, and enable logs to monitor access patterns.
  • Test Connectivity: Validate that the proxy correctly handles routes and that connections to private instances succeed as expected.

Bringing Speed and Simplicity to Private Subnet Proxies

The process of securely accessing private subnets can be daunting, especially with the meticulous configurations required. This is where Hoop.dev comes into the picture.

Hoop offers a consistent, automated way to connect your teams to any resource in your environment—without babysitting configuration files or setting up independent proxies. See our streamlined approach in action and start unlocking private subnet access in minutes.

Take the next step and try it out today.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts