[Feature] Add support for more network configurations

[p8r-the-gr8]

Hi,

It would be great if all of the following networking configurations could be supported by mapt:

• airgapped (already supported)
• private with NAT Gateways (already supported)
• public
• private with NAT Instances
• user-configured

The new modes in a bit more details

Public

In this mode, only a public subnet is created with an Internet Gateway.
Security Group and other security features could/should still be used to secure the instance(s).

This approach could benefit workloads not requiring the level of isolation provided by private subnets.
Deployments would be faster.
Architecture would be simpler.
Costs would be greatly reduced.

Private with NAT Instances

This mode would work very similarly to the current "private with NAT Gateways" mode with one exception:
Instead of creating a NAT Gateway, an EC2 instance would be created and configured to perform the same role in the network stack.

The benefits of this approach is to keep the isolation level while greatly reducing costs associated with NAT Gateways.
This is ideal for dev/test/staging/etc workloads that don't require the same guarantees and performance as production deployments.

There are several open-source projects with the aim to reduce the downsides of this approach (failover support, healthchecking, etc) and automate the deployment and configuration.

One such project is the alterNAT Terraform module.
For information on the features and architecture of the project, see its project page.

I tested this project with both its native Terraform tool but also with Pulumi (using Pulumi's Terraform module compatibilty):
https://github.com/p8r-the-gr8/alternat-playground

User-configured

This mode would leave the network creation up to the user.
As such, the user could use any other tool (or even manual work) to create the desired networking setup, be that as complex or simple as necessary, and supply the VPC ID, subnet IDs and any other details to mapt.

[adrianriobo]

hey @p8r-the-gr8 great initiative, I would start creating issues for it....

The first I would go with is the public .. as you can check https://github.com/redhat-developer/mapt/blob/main/pkg/provider/aws/modules/network/network.go I though I introduced some changes in the past to avoid creation of nat at all.... but I must dream it...as I could not find the code anywhere...so probably you would need the change that code a bit... I think that is the easiest way to start for you

For the private I found this... which may simplify it.... https://github.com/scottslowe/learning-tools/tree/main/aws/nat-instance-pulumi the base for this is use https://fck-nat.dev/stable/ which should provide you an AMI to run the ec2 with this Nat installed on it...it is may worthwhile here to create a spike...as you should ensure the AMI is available on all regions.... and if that is the case..should be easy to use this AMI as Nat to reduce the cost...

And I would tackle User configured as the last option...but IMO when you reach that feature ..you probably will have all networking module modified and by your hand so add this would be pretty easy....

May I would ask for a bonus we were pursuing for long time ... which is same as private with Nat but instead of Nat or in conjunction with it is to add an ec2 instance acting as proxy to allow test targets where connectivity is handle through a proxy

[adrianriobo]

You can check for private nat other options such https://pabis.eu/blog/2025-06-03-AWS-NAT-Instance-from-scratch-simplified.html here an standard AMI is being used

[adrianriobo]

Actually with my latest change I enabled the low cost option where machines are deployed on Public Subnet and no NatGateway is created at all...but I landed the module for allow:

• NoNat
• SingleNat (several privates but only 1 Nat in one public)
• HANat ( each public has Nat, typical HA topology)
• CustomNat..here it will go your custom Nat on an ec2

I also was thiking that it may make sense to reduce the access on the public subnet ..i.e. may remove 22 port. (for kind and Openshift-snc) ..unless you specify debug param

[adrianriobo]

I assigned this to you @p8r-the-gr8 hopefully is fine