
Can AWS CodeBuild be configured through VPC endpoints in an environment without internet access?

Can AWS CodeBuild be used without a NAT Gateway via VPC Endpoints?

Great question—yes, you absolutely can use AWS CodeBuild in a private VPC with no internet or NAT gateway, as long as you configure the right VPC endpoints for the services CodeBuild needs to interact with. The documentation note about needing a NAT gateway applies to scenarios where you’re accessing AWS services via their public endpoints; VPC endpoints let you route traffic directly within AWS’s private network, bypassing the public internet entirely.

Here’s a breakdown of what you need to set up:

Required VPC Endpoints

CodeBuild relies on several AWS services depending on your workflow, so you’ll need to create the corresponding VPC endpoints in your VPC:

  • Amazon S3 (Gateway Endpoint)
    Critical if you’re storing source code, build artifacts, or build logs in S3. Gateway endpoints are free and route S3 traffic within the AWS backbone. Be sure to associate this endpoint with the subnets your CodeBuild project uses.

  • Amazon CloudWatch Logs (Interface Endpoint)
    Needed to send build logs to CloudWatch. Interface endpoints use AWS PrivateLink—enable private DNS (recommended, so CodeBuild can use the standard logs.<region>.amazonaws.com domain without custom configuration).

  • AWS CodeCommit (Interface Endpoint)
    If your source code is hosted in CodeCommit, this endpoint lets CodeBuild pull code without going through the public internet.

  • Amazon ECR (Interface Endpoint)
    Required if you’re building Docker images and pushing them to ECR, or pulling base images from ECR.

  • AWS Systems Manager (SSM) & SSM Parameter Store (Interface Endpoints)
    Useful if you’re fetching build parameters from Parameter Store, or using Session Manager to debug build instances.

  • AWS Secrets Manager (Interface Endpoint)
    If your build uses secrets stored in Secrets Manager, this endpoint allows secure access without public internet.

Configuration Steps

  1. Create the VPC Endpoints
    In the VPC console, create each required endpoint. For interface endpoints, leave private DNS enabled (it’s checked by default for most services). Ensure each endpoint is associated with the subnets and security groups your CodeBuild project will use.

  2. Configure CodeBuild Project VPC Settings
    When setting up or editing your CodeBuild project:

    • Select your private VPC
    • Choose the subnets where you created the VPC endpoints
    • Assign a security group that allows outbound HTTPS (443) traffic to the VPC endpoints (you can restrict this to the endpoint security groups or private IP ranges of the endpoints)

  3. Verify IAM Permissions
    Make sure your CodeBuild service role has the necessary permissions for the services you’re using (e.g., s3:GetObject, logs:CreateLogStream, codecommit:GitPull). These permissions are identical to those used in a public environment—no special changes are needed for VPC endpoints.

  4. Test the Build
    Run a test build to confirm everything works. Check CloudWatch Logs to ensure logs are being sent, and verify artifacts are stored in S3 (if applicable) without connectivity errors.

Key Notes

  • The NAT gateway requirement in the docs only applies when CodeBuild needs to access public AWS service endpoints or external internet resources. Since you’re using VPC endpoints, all traffic stays within AWS’s private network, so NAT isn’t needed.
  • If your build requires access to external third-party resources (e.g., public npm packages, PyPI), you’d need a private mirror hosted in your VPC—but since your security policy blocks internet access, this is likely out of scope for your use case.
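
The endpoint and security-group layout described in the answer, as an added Terraform example that is not part of the original answer or of AWS's own documentation; the region, VPC, subnet and route-table IDs are constructed placeholders, and the service names assume the AWS provider's `com.amazonaws.<region>.<service>` convention.

```hcl
# Placeholder IDs (constructed); substitute the existing VPC, subnets and route table.
locals {
  region     = "us-east-1"
  vpc_id     = "vpc-0123456789abcdef0"
  subnet_ids = ["subnet-0123456789abcdef0", "subnet-0123456789abcdef1"]
  rtb_id     = "rtb-0123456789abcdef0"
}
# S3 gateway endpoint: attached to the private route table, not to subnets.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = local.vpc_id
  service_name      = "com.amazonaws.${local.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [local.rtb_id]
}
# One SG shared by the build ENIs and the interface-endpoint ENIs. Terraform
# removes AWS's default allow-all egress, so egress is exactly: HTTPS to other
# members of this SG (the endpoints) and HTTPS to S3's prefix list. No 0.0.0.0/0.
resource "aws_security_group" "codebuild" {
  name   = "codebuild-private"
  vpc_id = local.vpc_id
  ingress {              # endpoint ENIs accept 443 from build ENIs
    from_port = 443
    to_port   = 443
    protocol  = "tcp"
    self      = true
  }
  egress {               # build ENIs -> interface endpoints
    from_port = 443
    to_port   = 443
    protocol  = "tcp"
    self      = true
  }
  egress {               # build ENIs -> S3 via the gateway endpoint's prefix list
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    prefix_list_ids = [aws_vpc_endpoint.s3.prefix_list_id]
  }
}
# Interface endpoints, one per service; private DNS keeps the default hostnames
# (e.g. logs.us-east-1.amazonaws.com) resolving to the endpoint ENIs.
resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(["logs", "git-codecommit", "ecr.api", "ecr.dkr", "ssm", "secretsmanager"])
  vpc_id              = local.vpc_id
  service_name        = "com.amazonaws.${local.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = local.subnet_ids
  security_group_ids  = [aws_security_group.codebuild.id]
  private_dns_enabled = true
}
```

The CodeBuild project's `vpc_config` then takes `local.vpc_id`, `local.subnet_ids` and `aws_security_group.codebuild.id`. Private DNS on the interface endpoints only works when the VPC's DNS support and DNS hostnames attributes are enabled.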

The question was sourced from Stack Exchange; question author: Tim van Beek.
