How to categorize this issue?
/area networking
/kind enhancement
/platform aws
What would you like to be added:
When a shoot cluster is created, the user shall have the possibility to add custom routes (e.g. a default route) so that egress traffic for the cluster can be diverted to another VPC, a VPG or Transit Gateway in another VPC, or to firewall instances in the same VPC. When a custom default route is provided, Gardener shall not create any NAT gateway; it shall rely on the existing routing to provide internet connectivity to the Gardener seed.
Why is this needed:
By default, Gardener creates a NAT gateway and the default routes point to it, which allows unrestricted internet access from shoot clusters. This is a security risk for many types of deployments where the user wants to egress traffic via predefined firewall instances or other VPCs.
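As an added example (not part of this issue or of the Gardener code base), a small audit that checks what the default route of each shoot route table points at, distinguishing the NAT gateway layout described above from egress steered to a Transit Gateway, peering connection or firewall ENI. It consumes data in the shape of `aws ec2 describe-route-tables`; the route tables embedded below are constructed sample data.

```python
"""Audit AWS route tables for the egress path of the default route.

Input follows the shape of `aws ec2 describe-route-tables` (RouteTables[].Routes[]).
A default route at a NAT gateway (Gardener's default layout) means unrestricted
internet egress; a Transit Gateway, VPC peering connection or a firewall
instance's network interface means egress is steered elsewhere.
The sample route tables below are constructed for this example."""

DEFAULT_DESTINATIONS = {"0.0.0.0/0", "::/0"}

# describe-route-tables target field -> egress kind (first match wins)
TARGET_FIELDS = {
    "NatGatewayId": "nat-gateway",
    "TransitGatewayId": "transit-gateway",
    "VpcPeeringConnectionId": "vpc-peering",
    "NetworkInterfaceId": "network-interface",  # e.g. a firewall appliance ENI
    "InstanceId": "instance",
    "GatewayId": "gateway",                     # igw-*, vgw-* or "local"
}

def route_target(route):
    """Return (kind, target_id) for one route dict, or ("unknown", None)."""
    for field, kind in TARGET_FIELDS.items():
        if route.get(field):
            return kind, route[field]
    return "unknown", None

def audit_default_routes(route_tables):
    """Map RouteTableId -> {"kind", "target", "unrestricted"} for its active default route."""
    report = {}
    for rt in route_tables:
        entry = {"kind": "none", "target": None, "unrestricted": False}
        for route in rt.get("Routes", []):
            dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            if dest not in DEFAULT_DESTINATIONS or route.get("State") == "blackhole":
                continue
            kind, target = route_target(route)
            # NAT gateway or internet gateway: direct internet egress with nothing in the path to inspect it
            direct = kind == "nat-gateway" or (kind == "gateway" and str(target).startswith("igw-"))
            entry = {"kind": kind, "target": target, "unrestricted": direct}
        report[rt["RouteTableId"]] = entry
    return report

# Constructed sample: one Gardener-style private table (NAT GW), one steered via a Transit Gateway
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-private-nat", "Routes": [
        {"DestinationCidrBlock": "10.250.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123", "State": "active"}]},
    {"RouteTableId": "rtb-private-tgw", "Routes": [
        {"DestinationCidrBlock": "10.250.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-0abc", "State": "active"}]},
]
```

Feeding it the real `RouteTables` list from the shoot's VPC shows at a glance which subnets still egress straight through the NAT gateway.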