An Internet Gateway may be attached to a Virtual Private Cloud to enable direct connectivity to other Cloud Services services, and to the Internet. Each instance desiring this access must either have an Elastic IP associated with it or route traffic through a NAT instance. Additionally, network routes are configured to direct traffic to the Internet Gateway. Cloud Services provides reference NAT AMIs that can be extended by customers to perform network logging, deep packet inspection, application-layer filtering, or other security controls.
This access can only be modified through the invocation of APIs. Cloud Services supports the ability to grant granular access to different administrative functions on the instances and the Internet Gateway, therefore enabling the customer to implement additional security through separation of duties.