
The proxy refused to die.



We had built the CloudTrail query runbook to comb through events at scale, then found ourselves staring at a wall inside a VPC private subnet. No internet egress. No direct AWS API reach. Every path forward meant threading requests through a proxy we didn’t want to manage, but had to deploy with surgical precision.

Deploying a proxy in a VPC private subnet is not just spinning up an instance. It’s about designing a path for controlled, auditable queries from your CloudTrail logs without breaking the isolation your network enforces. The runbook becomes the bridge.

First, define the scope. A private subnet has no route to an internet gateway, so by default nothing reaches it from the internet and nothing in it reaches out. To run CloudTrail queries in this model, a proxy deployed in the subnet must route only authorized traffic to the AWS service endpoints it needs. Use an autoscaling group or container orchestration if high availability is mandatory. Strip everything unnecessary. A load balancer is optional, and a NAT gateway can be avoided entirely if you lock this down to a single-purpose proxy tunnel that reaches AWS through private endpoints.

Second, provision the proxy near your CloudTrail data sources, ideally in the same region and AZ to cut latency. Use minimal AMIs hardened for security. Bake IAM roles with custom policies granting read-only access to the CloudTrail bucket or CloudWatch Logs Insights as needed. Bind security groups to allow only whitelisted internal traffic paths.


Third, encapsulate the runbooks as idiomatic IaC. Version every change. Each step in the deployment—from subnet mapping, to NAT configuration, to proxy bootstrap—should be reproducible from a clean slate with no manual tinkering. Think about failover early. If the proxy drops, the queries halt.

Fourth, test. Run a sequence of representative CloudTrail queries through the proxy path, watching for dropped packets, throttling, or hidden timeouts. Measure query performance from both inside the VPC and through the proxy to see the trade-offs your design imposes.
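The four steps above boil down to a handful of artifacts that should live in version control and be checked before anything is deployed: the proxy role's IAM policy, the security-group ingress rules, and the VPC endpoints that stand in for a NAT gateway. The following is an added example (not hoop.dev's code and not from the original post) that builds those artifacts and lints them for the properties the post calls for: read-only, resource-scoped, reachable only from internal paths. The bucket name, log-group ARN, CIDRs and proxy port are constructed placeholders; the read-only action set is an assumed minimum; and the claim that `logs:GetQueryResults` and `logs:StopQuery` need `Resource: "*"` is an assumption the linter tolerates only for those two actions.

```python
"""Least-privilege scaffolding for a CloudTrail query proxy in a private subnet.

Added example, not hoop.dev's code. Builds the IAM policy, security-group
ingress and VPC endpoint list a single-purpose proxy needs, then lints them.
All bucket, log-group, CIDR and port values below are constructed placeholders.
"""
import json
from ipaddress import ip_network

# Assumed minimal action set for a read-only CloudTrail query proxy.
READ_ONLY_ACTIONS = {
    "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation",
    "logs:StartQuery", "logs:GetQueryResults", "logs:StopQuery",
    "cloudtrail:LookupEvents",
}
# Assumption: these Logs Insights calls accept no resource-level scope, so "*"
# is tolerated for them and for nothing else.
ACCOUNT_SCOPED_ACTIONS = {"logs:GetQueryResults", "logs:StopQuery"}
# Assumption: internal traffic paths live in RFC 1918 space (typical VPC CIDRs).
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def proxy_role_policy(bucket: str, log_group_arn: str) -> dict:
    """IAM policy for the proxy instance role: read the trail bucket, run Insights queries."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadTrailBucket", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]},
            {"Sid": "RunInsightsQueries", "Effect": "Allow",
             "Action": ["logs:StartQuery"], "Resource": [log_group_arn]},
            {"Sid": "ReadQueryResults", "Effect": "Allow",
             "Action": sorted(ACCOUNT_SCOPED_ACTIONS), "Resource": "*"},
        ],
    }


def lint_policy(policy: dict) -> list:
    """Return findings; an empty list means every Allow is read-only and resource-scoped."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if "*" in action:
                findings.append(f"{stmt.get('Sid')}: wildcard action {action}")
            elif action not in READ_ONLY_ACTIONS:
                findings.append(f"{stmt.get('Sid')}: non read-only action {action}")
            elif "*" in resources and action not in ACCOUNT_SCOPED_ACTIONS:
                findings.append(f"{stmt.get('Sid')}: {action} granted on Resource '*'")
    return findings


def security_group_ingress(internal_cidrs, port: int = 3128) -> list:
    """Ingress rules: the proxy port is reachable only from the listed internal CIDRs."""
    return [{"proto": "tcp", "from_port": port, "to_port": port, "cidr": c} for c in internal_cidrs]


def lint_ingress(rules) -> list:
    """Flag rules that open the proxy to non-RFC1918 space or to a port range."""
    findings = []
    for rule in rules:
        net = ip_network(rule["cidr"], strict=False)
        if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
            findings.append(f"ingress {rule['cidr']} is not private address space")
        if rule["from_port"] != rule["to_port"]:
            findings.append(f"ingress {rule['cidr']} opens a port range {rule['from_port']}-{rule['to_port']}")
    return findings


def vpc_endpoint_services(region: str) -> dict:
    """Endpoints that replace a NAT gateway here: S3 (gateway) and CloudWatch Logs (interface)."""
    return {"s3": f"com.amazonaws.{region}.s3", "logs": f"com.amazonaws.{region}.logs"}


if __name__ == "__main__":
    policy = proxy_role_policy("org-cloudtrail-logs",
                               "arn:aws:logs:us-east-1:123456789012:log-group:cloudtrail:*")
    print(json.dumps(policy, indent=2))
    print("policy findings:", lint_policy(policy))
    print("ingress findings:", lint_ingress(security_group_ingress(["10.20.0.0/16"])))
    print("endpoints:", vpc_endpoint_services("us-east-1"))
```

Run the linters as a pre-apply step in the IaC pipeline from step three: a policy that picks up `s3:*`, a write action, or an unscoped `Resource: "*"`, and a security group that admits `0.0.0.0/0`, should fail the build rather than reach the subnet. The endpoint list is what lets the proxy reach S3 and CloudWatch Logs without the NAT gateway step one tells you to avoid.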

This pattern pays off when compliance or security policies forbid direct public queries. The proxy becomes the sole door, the runbook the lock and key. Done right, the footprint stays small, the control stays tight, and the queries stay fast.

If you want to cut weeks off setting up a production-ready pipeline like this, hoop.dev can take you there. See it live in minutes, wired for your private subnet, optimized for secure CloudTrail query runbooks, and ready for scale.
