
Can AWS CodeBuild be configured through VPC endpoints when there is no internet gateway or NAT gateway?

Can AWS CodeBuild be used without a NAT gateway (via VPC endpoints)?

Yes. CodeBuild can run in a VPC that has no internet gateway and no NAT gateway, as long as every service the build touches is reachable through a VPC endpoint and the build itself has no public-internet dependencies. This is a common requirement under zero-egress security policies; the work is in creating the right set of endpoints and removing external dependencies from the build.

Here's the step-by-step breakdown:

1. Create the required VPC endpoints

CodeBuild interacts with several AWS services under the hood, so you'll need to create interface or gateway endpoints for each of these in your VPC:

  • CodeBuild interface endpoint: com.amazonaws.<your-region>.codebuild, so the build environment can reach the CodeBuild control plane privately.
  • S3 gateway endpoint: com.amazonaws.<your-region>.s3. CodeBuild uses S3 for S3-hosted source, input/output artifacts, the build cache, and S3 logs if enabled. A gateway endpoint is attached to route tables, not subnets: associate the route tables of the build subnets, and a route to the S3 prefix list (pl-xxxx) is added to them automatically. The build security group must allow outbound TCP 443 to that prefix list. If the bucket policy restricts access with aws:SourceVpce, include this endpoint's ID in it.
  • CloudWatch Logs interface endpoint: com.amazonaws.<your-region>.logs. CloudWatch Logs is the default log destination, so without this endpoint the build has nowhere to deliver its output.
  • ECR endpoints (if using a custom image from Amazon ECR):
    • com.amazonaws.<your-region>.ecr.api (registry API calls such as authentication)
    • com.amazonaws.<your-region>.ecr.dkr (Docker pull/push)
    ECR stores image layers in S3, so the S3 gateway endpoint above is also required for pulls to succeed. Custom images are the ones fetched over your VPC's network path; the CodeBuild managed images are not.
  • Additional endpoints (if needed): com.amazonaws.<your-region>.secretsmanager for Secrets Manager, com.amazonaws.<your-region>.ssm for Systems Manager Parameter Store, and com.amazonaws.<your-region>.sts if a buildspec command assumes an IAM role. Every service a buildspec command calls needs an endpoint; a call to a service without one has no route out and hangs until the SDK's connection timeout.

2. Configure your CodeBuild project for VPC access

In your CodeBuild project settings:

  • Select the target VPC, private subnets, and a security group for the build. Use private subnets: CodeBuild does not assign public IPs to the network interfaces it creates, so a public subnet buys nothing here.
  • The build security group needs outbound TCP 443 to the interface endpoints (reference the endpoints' security group, or the VPC CIDR) and to the S3 prefix list for the gateway endpoint. Interface endpoints are ENIs with their own security group, which needs a matching inbound TCP 443 rule from the build security group.
  • Enable Private DNS on every interface endpoint. Otherwise the SDKs and CLI inside the build keep resolving the public service hostnames, which are unreachable without NAT.
  • The CodeBuild service role needs the network-interface permissions the CodeBuild docs list for VPC access (ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:CreateNetworkInterfacePermission and the related ec2:Describe* calls); without them a project in a VPC fails at provisioning.

3. Adjust your build environment to avoid internet dependencies

With no egress, nothing in the build can reach public registries or package indexes, so every dependency has to come from somewhere a VPC endpoint reaches:

  • Build a custom image in Amazon ECR that already contains the toolchain and the npm/pip/apt packages the build needs, so the buildspec installs nothing at build time. If the build itself runs docker build, the FROM images must live in ECR as well.
  • Host private package repositories in AWS CodeArtifact (endpoints com.amazonaws.<your-region>.codeartifact.api and com.amazonaws.<your-region>.codeartifact.repositories) or as a static index in S3, and point npm, pip, Maven, etc. at them from the buildspec.
  • Keep the source in a service reachable through an endpoint: S3, or AWS CodeCommit (endpoints com.amazonaws.<your-region>.codecommit for the API and com.amazonaws.<your-region>.git-codecommit for git over HTTPS). A GitHub or Bitbucket source is fetched over the public internet and is not reachable from this VPC.

4. Verify your setup

  • From a test EC2 instance in the same subnets, run nslookup codebuild.<your-region>.amazonaws.com and nslookup logs.<your-region>.amazonaws.com. Each should return addresses inside your VPC CIDR; a public address means the interface endpoint is missing or Private DNS is disabled on it.
  • Check the S3 path separately, since a gateway endpoint does not change DNS: from the same instance, aws s3 ls s3://<your-artifact-bucket> should succeed without NAT.
  • Run a minimal build (a buildspec whose only command is echo "Hello World") to confirm CodeBuild can provision the environment, download the source, execute the build, and deliver logs to CloudWatch without internet access. A build that times out before the first command runs usually points at the S3 or logs endpoint, or at the security group rule to it.
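Steps 1 through 4 put into one script, as an added example that is not part of the original answer and not AWS's own tooling. It assumes boto3's EC2 create_vpc_endpoint parameters (VpcEndpointType, RouteTableIds, SubnetIds, SecurityGroupIds, PrivateDnsEnabled); the region us-east-1, the VPC CIDR 10.0.0.0/16 and every resource ID are placeholders; the sts entry and the hostname table are additions beyond the list above. Pass a real boto3 EC2 client to create_endpoints to create the endpoints, or any stand-in with the same method to dry-run, and run the DNS check from the test EC2 instance inside the VPC.

```python
"""Plan, create and verify the VPC endpoints a NAT-less CodeBuild project needs.

Added example, not from the original answer or from AWS. Region, IDs and VPC CIDR are
placeholders. create_endpoints() accepts any object with a boto3-style
create_vpc_endpoint() method; the DNS check must run from a host inside the VPC.
"""
import ipaddress
import socket

# Endpoints every NAT-less build needs, plus optional sets keyed by feature.
BASE_ENDPOINTS = [("codebuild", "Interface"), ("logs", "Interface"), ("s3", "Gateway")]
OPTIONAL_ENDPOINTS = {
    "ecr": [("ecr.api", "Interface"), ("ecr.dkr", "Interface")],
    "secretsmanager": [("secretsmanager", "Interface")],
    "ssm": [("ssm", "Interface")],
    "sts": [("sts", "Interface")],
    "codeartifact": [("codeartifact.api", "Interface"), ("codeartifact.repositories", "Interface")],
    "codecommit": [("codecommit", "Interface"), ("git-codecommit", "Interface")],
}

# Hostnames the build container contacts; {acct} needs the account ID, and the
# domain-specific codeartifact.repositories name is left out of the DNS check.
HOSTNAMES = {
    "codebuild": "codebuild.{r}.amazonaws.com",
    "logs": "logs.{r}.amazonaws.com",
    "ecr.api": "api.ecr.{r}.amazonaws.com",
    "ecr.dkr": "{acct}.dkr.ecr.{r}.amazonaws.com",
    "secretsmanager": "secretsmanager.{r}.amazonaws.com",
    "ssm": "ssm.{r}.amazonaws.com",
    "sts": "sts.{r}.amazonaws.com",
    "codeartifact.api": "codeartifact.{r}.amazonaws.com",
    "codecommit": "codecommit.{r}.amazonaws.com",
    "git-codecommit": "git-codecommit.{r}.amazonaws.com",
}

def endpoint_plan(region, features=()):
    """Return [(service_name, endpoint_type)] for the base set plus the requested features."""
    plan = list(BASE_ENDPOINTS)
    for feature in features:
        plan.extend(OPTIONAL_ENDPOINTS[feature])
    return [(f"com.amazonaws.{region}.{svc}", kind) for svc, kind in plan]

def create_endpoints(ec2, vpc_id, region, subnet_ids, endpoint_sg_id, route_table_ids, features=()):
    """Create each planned endpoint; returns the request parameters sent, for auditing.
    S3 (Gateway) attaches to the build subnets' route tables. Interface endpoints get an
    ENI per build subnet, the endpoint security group, and Private DNS enabled."""
    sent = []
    for service_name, kind in endpoint_plan(region, features):
        params = {"VpcId": vpc_id, "ServiceName": service_name, "VpcEndpointType": kind}
        if kind == "Gateway":
            params["RouteTableIds"] = list(route_table_ids)
        else:
            params["SubnetIds"] = list(subnet_ids)
            params["SecurityGroupIds"] = [endpoint_sg_id]
            params["PrivateDnsEnabled"] = True
        ec2.create_vpc_endpoint(**params)
        sent.append(params)
    return sent

def service_hostnames(region, features=(), account_id=None):
    """Hostnames to resolve in step 4 (gateway endpoints have no hostname to check)."""
    prefix = f"com.amazonaws.{region}."
    hosts = []
    for service_name, kind in endpoint_plan(region, features):
        template = HOSTNAMES.get(service_name[len(prefix):])
        if kind == "Gateway" or template is None or ("{acct}" in template and not account_id):
            continue
        hosts.append(template.format(r=region, acct=account_id))
    return hosts

def addresses_in_vpc(addresses, vpc_cidrs):
    """True only if every resolved address lies inside the VPC, i.e. is an endpoint ENI."""
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    return bool(addresses) and all(any(ipaddress.ip_address(a) in n for n in nets) for a in addresses)

def resolve(host):
    """Default resolver: every address the VPC resolver returns for the host on port 443."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443)})

def check_private_dns(hosts, vpc_cidrs, resolver=resolve):
    """Map host -> (addresses, ok). ok=False means the interface endpoint is missing,
    Private DNS is off, or public and private answers are mixed."""
    report = {}
    for host in hosts:
        try:
            addrs = resolver(host)
        except socket.gaierror:
            addrs = []
        report[host] = (addrs, addresses_in_vpc(addrs, vpc_cidrs))
    return report

if __name__ == "__main__":
    import sys
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"   # placeholder region
    cidrs = sys.argv[2:] or ["10.0.0.0/16"]                      # placeholder VPC CIDR
    for host, (addrs, ok) in check_private_dns(service_hostnames(region, ["ecr"]), cidrs).items():
        print("OK  " if ok else "FAIL", host, addrs)
```

The DNS check compares answers against the VPC CIDR rather than against "is this a private IP", so a resolver that returns a mix of public and endpoint addresses (Private DNS toggled on only some endpoints, or a stale cache) is reported as a failure instead of passing on the private answer alone.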

A note on the official documentation

The AWS CodeBuild docs describe a NAT gateway as the requirement for builds in a VPC. That is the default scenario, where builds pull public dependencies or otherwise reach the internet. If every dependency lives in AWS services reachable through VPC endpoints, the NAT gateway is not needed at all.

The question was sourced from Stack Exchange; question author: Tim van Beek.
