It is common for me to see VPCs that are unable to communicate with the public internet to achieve a “private” network. This is typically done to reduce the attack surface of the network, aiding in its security. For example, making it difficult to establish Command and Control (C2) channels, reducing public exposure of sensitive endpoints, preventing data exfiltration, etc. It is also quite simple to do, just don’t deploy resources such as an Internet Gateway.

For our home labs, we have a number of internal systems between the two of us including a number of web services. Originally, these were accessed over plaintext HTTP connections, or bypassing any certificate trust errors for HTTPS connections when connecting. However, we wanted to create a more secure setup. The problem was finding a way to do that without the shared CA infrastructure opening security holes elsewhere.