Air-Gapped Deployment VPC Private Subnet Proxy Deployment

Deploying in secure, isolated environments is essential for many organizations handling sensitive data or operating in regulated industries. One effective way to ensure security and control is to use an air-gapped deployment setup within a Virtual Private Cloud (VPC) using private subnets and proxies. This guide explores the key concepts, steps, and best practices for implementing an air-gapped deployment with a VPC private subnet proxy setup.


What is Air-Gapped Deployment?

An air-gapped deployment is a network architecture in which systems operate in isolation, without direct internet access. This setup is widely adopted for environments requiring strict security, ensuring no data leakage or unauthorized access. Systems are updated or configured only through controlled channels, such as tightly monitored proxies with whitelisted destinations or manual transfers.

When combined with a VPC and private subnets, air-gapping provides additional layers of isolation. By restricting traffic to and from the internet and routing traffic through a proxy, this architecture protects workloads and mitigates external risks.


The Role of a VPC and Private Subnets

A Virtual Private Cloud (VPC) is a logically isolated section of the cloud provider’s network. Inside a VPC, private subnets are sections designed to host resources that do not have public IP addresses. Resources within private subnets cannot directly communicate with the public internet unless specifically configured to do so.

Benefits of private subnets in air-gapped deployments:

  • Control over traffic flows: No direct internet access reduces attack surfaces.
  • Enhanced security: Segmented environments add a barrier between sensitive workloads and external threats.
  • Custom routing rules: Enable tailored access patterns through proxies or NAT gateways.

Adding a Proxy to the Mix

For cases where some internet connectivity is needed (like retrieving updates or sending logs externally), a proxy server bridges the gap. The proxy enforces strict rules on what kind of traffic is allowed. Here’s how it works in this setup:

  1. Outbound traffic control: All requests from private subnet resources go through the proxy, which can whitelist specific domains, protocols, or destinations.
  2. Audit and visibility: Monitored traffic gives administrators insights into what is being accessed.
  3. Centralized management: Applying security policies at the proxy simplifies compliance.

The proxy serves as a gatekeeper, making air-gapped environments versatile without sacrificing security.


Step-by-Step Guide: Deploying Air-Gapped VPC with Private Subnet Proxy

Follow these steps to create an effective deployment:

1. Design the VPC Structure

  • Create a new VPC with no internet gateway attached, ensuring the network is isolated.
  • Define at least one private subnet where sensitive workloads will reside.
  • Add one public subnet if the proxy server requires external connectivity for outgoing requests.

2. Set Up a Bastion Host (Optional)

  • If external administrative access is necessary, configure a bastion host in a public subnet.
  • Use security groups to limit connections to the bastion.

3. Deploy a Proxy Server

  • Place a proxy server (e.g., Squid or a managed solution offered by your cloud provider) in the public subnet.
  • Route all traffic from private subnet resources to the proxy.
  • Configure the whitelisted destinations and logging rules in the proxy settings.

4. Control Routes and Security Groups

  • Define strict security group rules to ensure only allowed traffic flows between subnets and out to the internet through the proxy.
  • Update the route tables of private subnets to send outbound traffic to the proxy.

5. Test and Audit

  • Validate that resources in private subnets cannot directly connect to the internet.
  • Use observability tools to ensure all the expected traffic is routed via the proxy with no leaks.

Best Practices for Air-Gapped Deployments with Proxies

  • Minimize Whitelisted Destinations: Allow only necessary endpoints through the proxy for updates or telemetry.
  • Harden the Proxy: Use authentication, encryption, and access control lists (ACLs) to secure proxy access.
  • Leverage IAM Policies: Use fine-grained Identity and Access Management (IAM) policies to limit resource actions inside the VPC.
  • Regular Audits: Continuously monitor traffic logs for aberrations or unauthorized activity.
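To make step 5 ("Test and Audit") and the "Regular Audits" practice concrete, here is an added example (not code from the original post) that checks Squid's access.log against the destination whitelist the proxy is supposed to enforce. It flags denied requests (the policy held) and, more importantly, requests that were proxied to a host that is not on the list, which indicates configuration drift. The allowlist, hostnames and log lines are constructed for illustration.

```python
# Added example (not from the original post): audit Squid access.log lines from the
# egress proxy against the destination allowlist it is meant to enforce.
# The allowlist, hostnames and log lines below are constructed for illustration.
from urllib.parse import urlsplit

# Mirrors the proxy's 'acl allowed dstdomain ...' entries; a leading dot means
# the domain and all of its subdomains, as Squid's dstdomain does.
ALLOWLIST = {".deb.debian.org", ".pypi.org", "logs.internal.example"}

# Constructed Squid native-format lines:
# time elapsed client action/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101   245 10.0.2.15 TCP_TUNNEL/200 5123 CONNECT pypi.org:443 - HIER_DIRECT/203.0.113.10 -
1700000000.202    12 10.0.2.15 TCP_MISS/200 8810 GET http://deb.debian.org/debian/InRelease - HIER_DIRECT/203.0.113.11 text/plain
1700000000.303     0 10.0.2.16 TCP_DENIED/403 3920 CONNECT updates.vendor.example:443 - HIER_NONE/- text/html
1700000000.404   180 10.0.2.16 TCP_TUNNEL/200 6400 CONNECT telemetry.vendor.example:443 - HIER_DIRECT/203.0.113.12 -
"""

def destination_host(method, url):
    """Destination hostname of one entry; CONNECT entries carry host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def is_allowed(host):
    """Squid dstdomain semantics: '.x.y' covers x.y and *.x.y, 'x.y' is an exact match."""
    return any(host == e.lstrip(".") or (e.startswith(".") and host.endswith(e))
               for e in ALLOWLIST)

def audit(log_text):
    """Sort requests into 'denied' (policy held), 'leak' (proxied although the host
    is off the allowlist, i.e. proxy config drift) and 'ok'."""
    report = {"denied": [], "leak": [], "ok": []}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or truncated line
        client, action, method, url = fields[2], fields[3], fields[5], fields[6]
        host = destination_host(method, url)
        if action.startswith("TCP_DENIED"):
            report["denied"].append((client, host))
        elif not is_allowed(host):
            report["leak"].append((client, host))
        else:
            report["ok"].append((client, host))
    return report

if __name__ == "__main__":
    for verdict, entries in audit(SAMPLE_LOG).items():
        print(f"{verdict}: {entries}")
```

Any entry in the "leak" bucket means the proxy's ACLs no longer match the intended whitelist and should be investigated alongside the route-table and security-group checks from step 5.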

Why Use This Architecture?

This architecture is designed to safeguard your workloads without compromising flexibility. Whether you’re running workloads that handle sensitive personal information, proprietary algorithms, or critical intellectual property, an air-gapped VPC private subnet with a proxy provides the control and visibility needed to stay secure and compliant.

Even in industries where "air-gapped" traditionally meant complete disconnection, a restricted proxy provides just enough connectivity to gain operational efficiency while preserving security-first principles.


See It in Action with Hoop.dev

Implementing an air-gapped deployment often requires precise tooling to simplify tests, workflows, and policies. With Hoop.dev, you can create air-gapped environments in minutes while balancing security with operational agility. See how it works and bring secure deployments to life today!
