AWS - VPC and private subnet access to the world - Only NAT Gateway can do this?


If I have a private subnet inside my VPC in AWS, the only way to allow traffic from my subnet to the world (like going to the Ubuntu registry to patch something in an EC2 instance) is with a NAT gateway?

I was wondering about an EKS cluster security design.

To allow traffic to the cluster I must use a loadBalancer, so there's a single entry point and I'll handle the traffic with nginx ingress or whatever.

All instances that EKS will launch will reside inside a VPC that has only private subnets.

In this scenario, my cluster cannot go outside to do anything. So I have to assign a NAT Gateway with an elastic IP address...

But... is this the only way to allow my subnet to reach the outside world (of course without turning it into a public subnet with an Internet Gateway)?


1 answer

2
Mark B On

You have to use some sort of network address translation (NAT) to allow resources with only internal, private IPs to access the Internet with a public Internet IP. You can build your own NAT using an EC2 instance, or probably find some pre-built EC2 images that do that on the AWS Marketplace, but it is much easier to add an Amazon managed NAT Gateway to your VPC for this purpose.

Allowing resources in private subnets to access resources outside the VPC is the entire purpose of NAT Gateways.