Get rid of NAT
NAT is required to allow outbound traffic over IPv4 while disabling incoming connections, i.e. to access the Internet from private subnets. Currently, it is used and needed only by the CodeBuild project (the AMI build instance which it spawns resides in the public subnet), so it would be nice to get rid of it.
The way to go is IPv6. Since the address space is so large, there's no need for NAT. Instead, our private subnet would sit behind an egress-only Internet gateway, which also blocks unsolicited connections and has the added benefit that it doesn't bottleneck the subnet's connection to the Internet.
In my tests, CodeBuild is able to pull its environment from the ECR repository over IPv6. GitHub doesn't support IPv6, but it's possible to package the sources in a ZIP archive, upload them to an S3 bucket and have CodeBuild download them through a gateway endpoint. However, neither SSM nor EC2 seems to be reachable over IPv6, which effectively blocks this route. Although it would be possible to overcome this with an interface endpoint, it is too expensive to make sense for this use case.
Additionally, if it were possible to connect to the distribution's package repositories, as well as to those of Steam, over IPv6, we could move the AMI build instance itself to the private subnet, thereby gaining improved security while leaving Internet connection bandwidth intact.
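As an added example (not from the original note or the project's own code), here is the NAT-free layout described above in Terraform: a private subnet whose only route to the Internet is an IPv6 default route via an egress-only Internet gateway, plus an S3 gateway endpoint for the source archive. The VPC, CIDRs and resource names are assumptions.

```hcl
# Added example: private subnet with IPv6 egress only (no NAT gateway).
# VPC layout, CIDRs and names are assumptions, not the project's values.

data "aws_region" "current" {}

resource "aws_vpc" "main" {
  cidr_block                       = "10.0.0.0/16"
  assign_generated_ipv6_cidr_block = true
}

# Private subnet: instances get an IPv6 address but no public IPv4 address.
resource "aws_subnet" "private" {
  vpc_id                          = aws_vpc.main.id
  cidr_block                      = "10.0.1.0/24"
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 1)
  assign_ipv6_address_on_creation = true
  map_public_ip_on_launch         = false
}

# Egress-only gateway: outbound IPv6 is allowed, unsolicited inbound is dropped.
resource "aws_egress_only_internet_gateway" "eigw" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
}

# Default IPv6 route via the egress-only gateway. Deliberately no 0.0.0.0/0
# route: the subnet has no IPv4 path to the Internet at all.
resource "aws_route" "private_ipv6_default" {
  route_table_id              = aws_route_table.private.id
  destination_ipv6_cidr_block = "::/0"
  egress_only_gateway_id      = aws_egress_only_internet_gateway.eigw.id
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# Gateway endpoint so CodeBuild can fetch the source ZIP from S3 without
# traversing the Internet; gateway endpoints carry no hourly charge.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
}
```

Any service an instance in this subnet needs (such as SSM or EC2, as noted above) must be reachable over IPv6 or through an endpoint, since there is no IPv4 egress to fall back on.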