The VPC was silent. No public endpoints, no open ports, just a wall of private subnets waiting for a way out.
You need the AWS CLI to stitch this together. Private subnets, a secure proxy, and a way to push it live without exposing the internal network. The goal is clear: deploy a secure service inside an isolated VPC using a proxy that tunnels outgoing requests without breaking architecture rules.
Start with the VPC. Use aws ec2 create-vpc to define the CIDR block. Then create private subnets tied to the right Availability Zones. No route to the internet except through a proxy or NAT. Keep everything small. Keep it exact.
For the proxy, you can run an EC2 instance with a hardened AMI. Configure its security group to allow only the necessary ingress from the private subnet CIDRs. Place it in a public subnet, attach an Elastic IP, and lock it down. Point your private instances at this proxy for outgoing connections. With the AWS CLI, that means giving the private subnets a route table whose 0.0.0.0/0 route targets the proxy's ENI.
Deployments from the private subnet work if you pipe traffic through this controlled exit. Use AWS Systems Manager Session Manager for shell access without opening SSH. Use AWS Secrets Manager for storing proxy credentials. Keep the IAM policy locked to the services and resources required.
A sample CLI flow:
aws ec2 create-vpc --cidr-block 10.0.0.0/16
aws ec2 create-subnet --vpc-id vpc-xxxxxxxx --cidr-block 10.0.1.0/24 --availability-zone us-east-1a
aws ec2 create-subnet --vpc-id vpc-xxxxxxxx --cidr-block 10.0.2.0/24 --availability-zone us-east-1b
aws ec2 create-security-group --group-name proxy-sg --description "Proxy SG" --vpc-id vpc-xxxxxxxx
aws ec2 authorize-security-group-ingress --group-id sg-xxxxxxxx --protocol tcp --port 3128 --cidr 10.0.0.0/16
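The same flow as one script, added here as an example and not taken from the original post. It captures each resource id with --query instead of pasting placeholders, builds the public and private route tables the text describes, and disables the proxy instance's source/destination check, which ENI routing requires. PROXY_AMI_ID is a placeholder you replace with your hardened AMI.

```shell
#!/bin/sh
# Added example, not from the original post: the private-subnet proxy pattern
# built end to end, capturing each resource id instead of pasting placeholders.
# Assumes AWS CLI v2 configured, PROXY_AMI_ID a placeholder for your hardened
# AMI, and a proxy that listens on TCP 3128 and forwards for the private subnets.
set -eu
AWS="${AWS:-aws}"                      # point this at a stub for a dry run
REGION="${REGION:-us-east-1}"
PROXY_AMI_ID="${PROXY_AMI_ID:-ami-PLACEHOLDER}"

# Run one ec2 subcommand; with --query this prints just the selected value.
q() { "$AWS" --region "$REGION" --output text ec2 "$@"; }
deploy_proxy_stack() {
  vpc=$(q create-vpc --cidr-block 10.0.0.0/16 --query Vpc.VpcId)
  q create-tags --resources "$vpc" --tags Key=env,Value=prod
  # One public subnet for the proxy, one private subnet per AZ for workloads.
  pub=$(q create-subnet --vpc-id "$vpc" --cidr-block 10.0.0.0/24 \
    --availability-zone "${REGION}a" --query Subnet.SubnetId)
  priv_a=$(q create-subnet --vpc-id "$vpc" --cidr-block 10.0.1.0/24 \
    --availability-zone "${REGION}a" --query Subnet.SubnetId)
  priv_b=$(q create-subnet --vpc-id "$vpc" --cidr-block 10.0.2.0/24 \
    --availability-zone "${REGION}b" --query Subnet.SubnetId)
  # The internet gateway is routable only from the public subnet.
  igw=$(q create-internet-gateway --query InternetGateway.InternetGatewayId)
  q attach-internet-gateway --internet-gateway-id "$igw" --vpc-id "$vpc"
  pub_rt=$(q create-route-table --vpc-id "$vpc" --query RouteTable.RouteTableId)
  q create-route --route-table-id "$pub_rt" --destination-cidr-block 0.0.0.0/0 \
    --gateway-id "$igw" >/dev/null
  q associate-route-table --route-table-id "$pub_rt" --subnet-id "$pub" >/dev/null
  # Proxy SG: ingress only from the VPC CIDR on the proxy port, nothing public.
  sg=$(q create-security-group --group-name proxy-sg --description "Proxy SG" \
    --vpc-id "$vpc" --query GroupId)
  q authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 3128 \
    --cidr 10.0.0.0/16 >/dev/null
  # Source/dest check must be off, or the proxy ENI drops traffic not addressed to it.
  proxy=$(q run-instances --image-id "$PROXY_AMI_ID" --instance-type t3.small \
    --subnet-id "$pub" --security-group-ids "$sg" --associate-public-ip-address \
    --query 'Instances[0].InstanceId')
  q modify-instance-attribute --instance-id "$proxy" --no-source-dest-check
  eni=$(q describe-network-interfaces --query 'NetworkInterfaces[0].NetworkInterfaceId' \
    --filters Name=attachment.instance-id,Values="$proxy")
  # Private route table: default route via the proxy ENI, no gateway at all.
  priv_rt=$(q create-route-table --vpc-id "$vpc" --query RouteTable.RouteTableId)
  q create-route --route-table-id "$priv_rt" --destination-cidr-block 0.0.0.0/0 \
    --network-interface-id "$eni" >/dev/null
  for s in "$priv_a" "$priv_b"; do q associate-route-table --route-table-id "$priv_rt" --subnet-id "$s" >/dev/null; done
  echo "$vpc $priv_rt $eni"            # ids you need for workloads and audits
}
if [ "${DEPLOY:-0}" = "1" ]; then deploy_proxy_stack; fi
```

Run with DEPLOY=1 against a configured account; setting AWS to a stub command lets you dry-run the sequence first.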
For production, automate with scripts that run from CI/CD. Use tags to track environments. Always monitor CloudWatch metrics for proxy instance CPU and network throughput.
When done right, you end up with complete control. A VPC that never talks to the public internet directly. Private subnets that deploy workloads behind a secure proxy. The AWS CLI makes it predictable, repeatable, and fast.
You can stop wrestling with endless configurations. You can see this exact pattern running live. Build the whole stack and deploy your VPC private subnet proxy in minutes with hoop.dev.