Using Private Subnets on AWS
Private subnets on AWS are supported, but please make sure to use the following settings:
- The private subnet for builder boxes needs either a NAT instance or an internet gateway configured for outbound traffic to the internet.
- Enable a VPC Endpoint for S3. This should significantly improve S3 operations for CircleCI and other nodes within your subnet.
- Ensure that your NAT is adequately powered for heavy network operations. Highly parallel builds using Docker and external network resources can strain your NATs. This is very deployment-specific - but if you notice slowness in network and cache operations later, it’s time to upgrade your NATs.
- If you are integrating with https://github.com/, ensure that your network ACL whitelists github.com webhooks. When integrating with GitHub, we recommend setting up CircleCI in a public subnet, or setting up a public load balancer to forward github.com traffic.
- Ensure that DNS is enabled for your VPC. Specifically, enableDnsSupport must be enabled, or you must otherwise ensure that DNS is configured correctly on your instances.
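The following is an added audit script, not part of CircleCI's documentation or product. It checks the three VPC-level items from the list above (outbound route, S3 gateway endpoint, enableDnsSupport) against dictionaries shaped like the responses of the EC2 DescribeVpcAttribute, DescribeRouteTables and DescribeVpcEndpoints API calls, so it can run offline on captured JSON. All IDs, the region and the sample data at the bottom are constructed for illustration.

```python
"""Audit a private builder subnet against the CircleCI VPC checklist.

Added example (not CircleCI's code). Input dictionaries mirror the shape of
EC2 DescribeVpcAttribute, DescribeRouteTables and DescribeVpcEndpoints
responses; the sample data below is constructed, not captured from a real account.
"""
from typing import Dict, List


def dns_support_enabled(vpc_attribute: Dict) -> bool:
    """DescribeVpcAttribute(Attribute='enableDnsSupport') -> EnableDnsSupport.Value."""
    return bool(vpc_attribute.get("EnableDnsSupport", {}).get("Value", False))


def route_table_for_subnet(route_tables: List[Dict], subnet_id: str) -> Dict:
    """Return the route table explicitly associated with the subnet, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise ValueError(f"no route table found for {subnet_id}")
    return main


def outbound_route_target(route_table: Dict) -> str:
    """Return 'nat', 'igw' or '' for the active 0.0.0.0/0 route.

    A 'blackhole' route (e.g. a deleted NAT instance) is ignored, because it
    carries no traffic even though it is still listed.
    """
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue
        if route.get("NatGatewayId") or route.get("InstanceId"):
            return "nat"  # NAT gateway or NAT instance
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "igw"
    return ""


def s3_endpoint_attached(vpc_endpoints: List[Dict], route_table_id: str, region: str) -> bool:
    """True if a gateway endpoint for S3 is attached to the given route table."""
    service = f"com.amazonaws.{region}.s3"
    for ep in vpc_endpoints:
        if ep.get("VpcEndpointType") != "Gateway" or ep.get("ServiceName") != service:
            continue
        if route_table_id in ep.get("RouteTableIds", []):
            return True
    return False


def audit_private_subnet(subnet_id: str, region: str, vpc_attribute: Dict,
                         route_tables: List[Dict], vpc_endpoints: List[Dict]) -> List[str]:
    """Return a list of findings; an empty list means the checklist is satisfied."""
    findings = []
    if not dns_support_enabled(vpc_attribute):
        findings.append("enableDnsSupport is disabled on the VPC")
    rt = route_table_for_subnet(route_tables, subnet_id)
    if not outbound_route_target(rt):
        findings.append(f"{subnet_id}: no active 0.0.0.0/0 route via a NAT or internet gateway")
    if not s3_endpoint_attached(vpc_endpoints, rt["RouteTableId"], region):
        findings.append(f"{subnet_id}: no S3 gateway endpoint on route table {rt['RouteTableId']}")
    return findings


# ---- constructed sample data (hypothetical IDs) ----
REGION = "us-east-1"
SUBNET = "subnet-0builders"
VPC_ATTR_OK = {"VpcId": "vpc-0example", "EnableDnsSupport": {"Value": True}}
VPC_ATTR_BAD = {"VpcId": "vpc-0example", "EnableDnsSupport": {"Value": False}}
ROUTE_TABLES_OK = [
    {"RouteTableId": "rtb-0main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]},
    {"RouteTableId": "rtb-0private", "Associations": [{"SubnetId": SUBNET}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]},
]
# Same layout, but the NAT behind the default route is gone (blackhole).
ROUTE_TABLES_BAD = [
    ROUTE_TABLES_OK[0],
    {"RouteTableId": "rtb-0private", "Associations": [{"SubnetId": SUBNET}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "blackhole"}]},
]
ENDPOINTS_OK = [{"VpcEndpointType": "Gateway", "ServiceName": f"com.amazonaws.{REGION}.s3",
                 "RouteTableIds": ["rtb-0private"]}]

if __name__ == "__main__":
    for label, attr, rts, eps in (("ok", VPC_ATTR_OK, ROUTE_TABLES_OK, ENDPOINTS_OK),
                                  ("bad", VPC_ATTR_BAD, ROUTE_TABLES_BAD, [])):
        print(label, audit_private_subnet(SUBNET, REGION, attr, rts, eps) or ["pass"])
```

Feed the script the JSON from `aws ec2 describe-vpc-attribute --attribute enableDnsSupport`, `describe-route-tables` and `describe-vpc-endpoints` for the VPC in question; the NAT sizing and ACL items from the list are not covered because they depend on traffic patterns rather than on a static configuration check.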