As per this document, if I need to access internet resources from my Lambda function with VPC access, I need to set up a NAT gateway.
So I followed this guide to set up a NAT gateway. However, at the stage when I need to edit the route tables of my subnet to add an entry with destination: 0.0.0.0/0 and target as my NAT gateway's id, I got an error that
An entry with this destination already exists
I checked and noticed that for that existing entry, the target was an internet gateway for my VPC. If I replace that entry with the NAT gateway id, I cannot access any of the EC2 instances in that VPC through SSH from the outside world. How can I achieve a solution where all the EC2 instances in this VPC:
- Are accessible only via SSH and the rest of the traffic is blocked
- Are able to completely access other EC2 instances in the same VPC
- Lambda function having access to this VPC can access outside resources like SQS and Kinesis.