All posts
ConceptsOctober 16, 20251 min read

Kubernetes Access to a VPC Private Subnet Through a Proxy

Deploying a proxy for Kubernetes access into a VPC private subnet is direct, if you control the moving parts. The goal is simple: allow cluster workloads to communicate with private resources while keeping the subnet unreachable from the public internet. 1. Control the network paths. In AWS, create a private subnet inside your VPC. No internet gateway. No public IPs. Configure route tables to send traffic to a proxy host or NAT instance in a public subnet, or an internal jump proxy reachable ov

Free White Paper

Database Access Proxy + Kubernetes API Server Access: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

Deploying a proxy for Kubernetes access into a VPC private subnet is direct, if you control the moving parts. The goal is simple: allow cluster workloads to communicate with private resources while keeping the subnet unreachable from the public internet.

1. Control the network paths.
In AWS, create a private subnet inside your VPC. No internet gateway. No public IPs. Configure route tables to send traffic to a proxy host or NAT instance in a public subnet, or an internal jump proxy reachable over peered connections. Kubernetes nodes in this subnet will reach the proxy only, never a public endpoint directly.

2. Deploy the proxy service.
Run the proxy as a Deployment or DaemonSet in Kubernetes, if the cluster can span subnets. Alternatively, place the proxy outside the cluster—on an EC2 instance or AWS Load Balancer—and point your pods to it with environment variables or sidecars. Use Nginx, HAProxy, or Envoy for HTTP(S), or SOCKS5 proxies for raw TCP. Ensure the proxy enforces ACLs so only authorized pods can send traffic.

3. Configure Kubernetes networking.
Update Service manifests to route external traffic through the proxy. If you use DNS, point service endpoints to the proxy host. With Istio or another service mesh, set egress rules to force all external calls through the proxy, keeping the source private subnet hidden.

Continue reading? Get the full guide.

Database Access Proxy + Kubernetes API Server Access: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

4. Secure everything.
Lock down security groups to allow only proxy traffic between Kubernetes nodes and target private resources. Enable TLS wherever possible. Monitor logs from the proxy for anomalies.

Example deployment flow:

  • Create private subnet in VPC.
  • Deploy Proxy host in public subnet or reachable peer.
  • Update route tables to point to Proxy.
  • Deploy pods with proxy configuration.
  • Test access to private endpoints.

Done right, this setup lets Kubernetes access a VPC private subnet through a proxy deployment with zero public exposure. Fast. Controlled. Auditable.

See how it works in minutes — run it live with hoop.dev.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts