In the NAT Gateway deployment model, Tessell creates Database Services, which we call the Data Plane (an Oracle instance, for example), in a VNet/Subnet. The Tessell agents that run on each DB Service need to communicate outbound with our Control Plane for several purposes: sending metrics, fetching the tasks that perform database life-cycle operations, and so on. In environments where the Data Plane has only private addresses and no public IPs bound to it, the agents still need a path from the Data Plane VNet/Subnet to the Control Plane, and the NAT gateway is the component that provides that path. It is the communication conduit from the Tessell agents on the running VM in the Data Plane to the Control Plane components hosted in the Tessell account.
From a security perspective, the NAT gateway masks the private IP addresses of the VMs that initiate connections, in this case the DB Service VMs: the Control Plane sees only the NAT gateway's public address. This protects the internal IP structure of your VNet/Subnet and makes it harder for an attacker to enumerate and target specific resources within your network. The NAT gateway translates only connections initiated from inside the subnet and does not accept unsolicited inbound connections, so no inbound connection from the internet reaches a DB Service VM through it. Because the DB Service VM is never exposed directly to the internet, the attack surface is significantly reduced. The NAT gateway also gives you a single point for logging and auditing outbound traffic. Note that address translation is not filtering: restricting which destinations the Data Plane may reach remains the job of the network security group and route table on the subnet.
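The posture described above has three checkable properties: no public IP is bound to a Data Plane NIC, the subnet has an outbound path (a NAT gateway association, or a private endpoint in the Private Link variant), and the subnet's NSG allows no inbound traffic from the internet. The audit below is an added example, not Tessell's own code; it runs over a constructed inventory whose field names (`natGateway`, `ipConfigurations`, `publicIPAddress`, `securityRules`, and so on) are assumed to follow the camelCase shape of `az network ... show` output.

```python
"""Audit a data-plane subnet for the NAT-gateway egress posture.

Added example. Field names model `az network ... show` JSON and are an
assumption; the inventory at the bottom is constructed, not a real deployment.
"""
import ipaddress

# Source prefixes that mean "anywhere on the internet" in an NSG rule.
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}


def nic_public_ips(nics):
    """Return names of NICs that have a public IP bound to any ipConfiguration."""
    exposed = []
    for nic in nics:
        for cfg in nic.get("ipConfigurations", []):
            if cfg.get("publicIPAddress"):
                exposed.append(nic["name"])
                break
    return exposed


def has_egress_path(subnet):
    """True if the subnet has a NAT gateway association or a private endpoint."""
    return bool(subnet.get("natGateway")) or bool(subnet.get("privateEndpoints"))


def _is_internet(prefix):
    """Treat wildcard/Internet tags and any non-private CIDR as internet-sourced."""
    if prefix in INTERNET_SOURCES:
        return True
    try:
        return not ipaddress.ip_network(prefix, strict=False).is_private
    except ValueError:
        return False  # service tags such as "VirtualNetwork" are not the internet


def inbound_internet_allows(nsg):
    """Return names of Allow/Inbound rules whose source is the internet.

    Rule priority is not modelled: an Allow is flagged even if a lower-numbered
    Deny would shadow it, which is the conservative reading for an audit.
    """
    findings = []
    for rule in nsg.get("securityRules", []):
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix")]
        if any(_is_internet(s) for s in sources):
            findings.append(rule["name"])
    return findings


def audit(subnet, nics, nsg):
    """Collect findings; an empty list means the subnet matches the described posture."""
    findings = []
    for name in nic_public_ips(nics):
        findings.append(f"public IP bound to NIC {name}")
    if not has_egress_path(subnet):
        findings.append(f"subnet {subnet['name']} has no NAT gateway or private endpoint")
    for rule in inbound_internet_allows(nsg):
        findings.append(f"NSG rule {rule} allows inbound from the Internet")
    return findings


# Constructed sample inventory: the intended posture with one deliberate
# mistake (an SSH rule open to the world) so the audit has something to flag.
SUBNET = {"name": "dataplane-subnet",
          "natGateway": {"id": "/subscriptions/.../natGateways/dp-nat"}}
NICS = [
    {"name": "oracle-vm-nic",
     "ipConfigurations": [{"privateIPAddress": "10.10.1.4", "publicIPAddress": None}]},
]
NSG = {"name": "dataplane-nsg", "securityRules": [
    {"name": "allow-app-to-db", "priority": 100, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "1521"},
    {"name": "allow-ssh-anywhere", "priority": 200, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "22"},
]}

if __name__ == "__main__":
    for finding in audit(SUBNET, NICS, NSG):
        print("FINDING:", finding)
```

The private-IP test deliberately counts any non-private CIDR as internet-sourced, so a rule allowing a single public /32 is still reported: that is an inbound connection from the internet, even if it is a narrow one. Feed the functions the JSON from `az network vnet subnet show`, `az network nic show` and `az network nsg show` to run this against real resources.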
The scenario above describes Data Plane/Control Plane traffic that traverses the internet. Tessell can also provide a more secure method for this communication, leveraging Private Link and Private Endpoints, which eliminates the need for a NAT gateway altogether: a Private Endpoint gives the Data Plane direct private connectivity to the Control Plane, so the traffic never traverses the internet and there is no public address to translate to.