
AWS CLI Profiles for VPC Private Subnet Deployments



I once spent three days trying to push bytes through a wall that didn’t exist. The wall was an invisible VPC boundary, a private subnet without a direct route to the outside world, guarded by every AWS best practice we swore we’d follow. The fix wasn’t magic. It was precision. And it started with AWS CLI-style profiles.

When you deploy into a VPC private subnet, network paths are intentional. No reaching into public space without design. You have to decide your proxy story before the first packet leaves. For many, that means a bastion or VPN. But when using AWS CLI-style profiles, you can chain credentials and endpoints so the right commands hit the right networks every time.

Profiles let you switch identities and regions without touching global configs. They allow local dev to behave like cloud-native infra—clean separation, easy rotation, repeatable automation. No guessing which key you’re using. In private subnets, they become essential for routing CLI commands via proxies or SSM session tunnels.

Deploying through a proxy in a private subnet starts with a clear route table and NAT strategy. Configure your NAT Gateway or SSM port forwarding target. Then export or embed proxy variables that align with your AWS CLI profile. For example, HTTP_PROXY and HTTPS_PROXY can be scoped at the shell level to a single profile execution, avoiding cross-profile leaks. Always verify connectivity with low-level CLI commands before running high-level deploys.


The trick is reproducibility. A proper AWS CLI profile tied to a VPC endpoint or proxy jump host can be versioned in your tooling repo. That means anyone can run the same deploy, from anywhere, without breaking the security perimeter. It also means CI/CD runners can act as if they’re inside the private subnet, even when they’re not—by routing through the defined proxy target.

Test each hop. Keep your IAM scoped to minimum privileges for the subnet’s resources. Define your security groups with surgical rules. The smaller the attack surface, the fewer surprises when scaling deployments. Verbose request logging in the CLI will help you trace exactly where connections originate and fail.
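As an added example that is not part of the original post or hoop.dev's tooling, the following POSIX shell script shows the two things the previous sections describe: proxy variables scoped to a single profile invocation so nothing leaks between profiles, and a profile-to-proxy map plus an AWS CLI config file that can be versioned in a tooling repo and used identically by operators and CI runners. The profile names, the loopback proxy URLs, the map-file format and the placeholder account ids are all constructed for the example; `check_profile` needs the real `aws` binary on PATH, while `scoped_env` demonstrates the scoping offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from hoop.dev.
# Assumptions (constructed): profile names, proxy URLs, the map-file
# format and the placeholder account ids below.

WORK_DIR="${WORK_DIR:-$(mktemp -d)}"
PROXY_MAP="$WORK_DIR/proxy-map.txt"
AWS_CONFIG_FILE="$WORK_DIR/aws-config"

# Constructed sample: the proxy each profile must use. A loopback URL is the
# local end of an SSM port-forwarding or SSH tunnel to the jump host.
cat > "$PROXY_MAP" <<'EOF'
# profile            proxy_url
prod-private         http://127.0.0.1:8080
staging-private      http://127.0.0.1:8081
EOF

# Constructed sample AWS CLI config, versioned alongside the map so every
# operator and CI runner resolves the same role and region per profile.
cat > "$AWS_CONFIG_FILE" <<'EOF'
# account ids are placeholders
[profile prod-private]
region = us-east-1
role_arn = arn:aws:iam::111111111111:role/DeployRole
source_profile = base

[profile staging-private]
region = us-east-1
role_arn = arn:aws:iam::222222222222:role/DeployRole
source_profile = base
EOF

# proxy_for <profile>: print the proxy URL mapped to a profile; non-zero if none.
proxy_for() {
  awk -v p="$1" '
    $1 !~ /^#/ && $1 == p { print $2; found = 1 }
    END { exit found ? 0 : 1 }' "$PROXY_MAP"
}

# with_profile <profile> <command...>: run one command with the profile and
# its proxy present only in the child's environment; env never exports them
# into the calling shell. NO_PROXY keeps the instance metadata endpoint off
# the proxy so credential lookups on an instance still work.
with_profile() {
  profile="$1"; shift
  proxy="$(proxy_for "$profile")" || {
    echo "with_profile: no proxy mapped for profile '$profile'" >&2
    return 2
  }
  env AWS_CONFIG_FILE="$AWS_CONFIG_FILE" AWS_PROFILE="$profile" \
      HTTP_PROXY="$proxy" HTTPS_PROXY="$proxy" \
      NO_PROXY="169.254.169.254,localhost" "$@"
}

# check_profile <profile>: the cheap, low-level hop test to run before any
# deploy; it exercises the credential chain and the network path together.
check_profile() {
  with_profile "$1" aws sts get-caller-identity --output text
}

# scoped_env <profile>: offline demonstration of the scoping; prints the
# profile and proxy exactly as a child process would see them.
scoped_env() {
  with_profile "$1" sh -c 'printf "%s %s\n" "$AWS_PROFILE" "$HTTPS_PROXY"'
}
```

Run `check_profile prod-private` first and only then the deploy; because the variables live in the child's environment alone, a later `check_profile staging-private` in the same shell cannot inherit the prod proxy, and a profile with no mapped proxy fails closed instead of silently going direct.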

When the right CLI profile meets the right proxy route, private subnet deployments stop being pain and start being muscle memory. You run one command. It just works. Every time.

If you want to architect this without scaffolding for weeks, you can do it in minutes. See it live with a full AWS CLI-style profile and VPC private subnet proxy deployment pipeline at hoop.dev — and skip the three days of invisible walls.
