Static IP address for outgoing traffic from AWS autoscaling group

You need a NAT. This configuration is commonly used to support private subnets in a VPC; there’s quite a detailed guide here. Once your VPC is configured to use the NAT instance, all the outbound traffic will be attributed to the EIP of the NAT instance.

    If so, does that instance need to be solely for this purpose or can it be one of the instances that’s running my app?

Technically you probably could, but it’s not a good idea:

  • It’s good security to have roles isolated.
  • You want your application servers to have similar or identical load profiles. If one instance has an extra 10% load because of the NAT then you’ll have to scale up prematurely when you hit the limits of that instance. This will get worse as the NAT gets busier as more instances get added to your cluster.
  • You want your application servers to be identical and ephemeral so you can tear them down and/or replace them whenever there’s an issue or you need to scale. Having one application server which is different to the rest would be a major headache.

You might be able to get away with it if your instances are containerised but it’s still probably not a great idea.

Also keep in mind that your NAT instance could be a single point of failure, so you may want to think about redundancy.
