Reputation: 3
I have a hub and spoke model for infrastructure with a management VPC and 4-5 different environment VPCs, peered to the management VPC.
I already have it set up, but currently I only have 1 NAT instance and 1 bastion host, both of which are in the management VPC public subnet.
I wish to connect an instance in a private subnet of an environment VPC to this NAT instance so it can reach the internet. Is that possible?
Note: I have the NAT/bastion working correctly in the management VPC. I can reach all servers in both VPCs with the bastion host. I just can't get the above working.
My question is... is it possible? Or do I need to set up a NAT in every VPC?
Upvotes: 0
Views: 299
Reputation: 78653
Edge to edge routing through a gateway (including the VPC Internet Gateway or IGW) is an unsupported VPC configuration with VPC peering.
Example: Edge to Edge Routing Through an Internet Gateway
Let's say you have a VPC peering connection between VPC A and VPC B (pcx-abababab). VPC A has an internet gateway; VPC B does not. Edge to edge routing is not supported; you cannot use VPC A to extend the peering relationship to exist between VPC B and the internet. For example, traffic from the internet can’t directly access VPC B by using the internet gateway connection to VPC A.
Similarly, if VPC A has a NAT device that provides internet access to instances in private subnets in VPC A, instances in VPC B cannot use the NAT device to access the internet.
Upvotes: 1
Reputation: 22244
Transit Gateway seems to fit the case.
Transit Gateway Example: Centralized Router
The following diagram shows the key components of the configuration for this scenario. In this scenario, there are three VPC attachments and one Site-to-Site VPN attachment to the transit gateway. Packets from the subnets in VPC A, VPC B, and VPC C that have the internet as a destination route first through the transit gateway and then route to the VPN.
Upvotes: 0
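As an added example (not part of either answer), the following Terraform sketch applies the centralized-router idea to the asker's setup: a Transit Gateway replaces the peering, the spoke's private subnet sends its default route to the TGW, and the management VPC hands internet-bound traffic to the existing NAT instance while routing the spoke's CIDR back through the TGW. All variable names, IDs and the spoke CIDR are assumed placeholders.

```hcl
# Added example, not from the question or answers: centralized egress through a
# Transit Gateway via the management VPC's NAT instance. Variables are assumed inputs.
variable "mgmt_vpc_id" {}
variable "mgmt_tgw_subnet_ids" { type = list(string) } # private subnets hosting TGW ENIs
variable "mgmt_tgw_subnet_rt_id" {}                    # route table of those subnets
variable "mgmt_public_rt_id" {}                        # route table of the NAT instance's subnet
variable "nat_instance_eni_id" {}                      # NAT instance ENI (source/dest check off)
variable "spoke_vpc_id" {}
variable "spoke_subnet_ids" { type = list(string) }
variable "spoke_private_rt_id" {}
variable "spoke_cidr" { default = "10.1.0.0/16" }     # placeholder CIDR

resource "aws_ec2_transit_gateway" "hub" {
  default_route_table_association = "enable" # all attachments share one TGW route table
  default_route_table_propagation = "enable" # each VPC's CIDR is learned automatically
}
resource "aws_ec2_transit_gateway_vpc_attachment" "mgmt" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = var.mgmt_vpc_id
  subnet_ids         = var.mgmt_tgw_subnet_ids
}
resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = var.spoke_vpc_id
  subnet_ids         = var.spoke_subnet_ids
}
# TGW: anything not matching a propagated VPC CIDR goes to the management VPC.
resource "aws_ec2_transit_gateway_route" "default_to_mgmt" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.mgmt.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway.hub.association_default_route_table_id
}
# Spoke private subnet: default route to the TGW; the spoke needs no IGW or NAT of its own.
resource "aws_route" "spoke_default" {
  route_table_id         = var.spoke_private_rt_id
  destination_cidr_block = "0.0.0.0/0"
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
}
# Management VPC, TGW subnets: internet-bound traffic is handed to the NAT instance.
resource "aws_route" "mgmt_tgw_subnet_default" {
  route_table_id         = var.mgmt_tgw_subnet_rt_id
  destination_cidr_block = "0.0.0.0/0"
  network_interface_id   = var.nat_instance_eni_id
}
# Return path: the NAT instance's subnet must route the spoke CIDR back to the TGW.
resource "aws_route" "mgmt_public_to_spoke" {
  route_table_id         = var.mgmt_public_rt_id
  destination_cidr_block = var.spoke_cidr
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
}
```

The NAT instance's security group (and any NACLs on the TGW attachment subnets) must also allow traffic from the spoke CIDR, and the attachment subnets should be private ones so their default route lands on the NAT instance rather than an internet gateway.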