Internet routing through NAT instance in another VPC (in another organisation)

**There are few options that you can leverage **

• You can use GWLB, where you deploy GWLBE(Endpoint) in workload VPC and GWLB in network VPC. You can add fleet of appliances using GWLB. https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/getting-started.html
• You can use TGW as mentioned above, if you are planning to add more VPCs in the future
• You can also combine TGW and GWLB to scale and create resilient design. https://aws.amazon.com/blogs/networking-and-content-delivery/best-practices-for-deploying-gateway-load-balancer/

I believe you will have to use transit gateway if you want this setup to work.

You have a TGW interface on a dedicated subnet in the network account and configure the route table on that subnet to route to the NAT instance.

Then in the workload account set the default route to be the transit gateway.

There will be a little more setup for transit gateway but this is the way to achieve what you’re looking to do.

More info is here https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-egress-to-internet.html

See Decentralized high availability NAT gateway architecture

Hi,

If my understanding is right, your use-case is very similar to an outbound proxy where you would like to do some whitelisting, filtering etc. if this was not the case, I am sure, you would have considered using a workload VPC NAT Gateway instead.

Building out an outbound VPC proxy with domain whitelisting and content filtering has been very well described in this blog below and this comes along with a Cloud formation template. I would suggest you to check this deployment and make any necessary adjustment [e.g. in your case your VPCs are peered]

https://aws.amazon.com/blogs/security/how-to-set-up-an-outbound-vpc-proxy-with-domain-whitelisting-and-content-filtering/

Thanks