When I created my cluster it appears to have automatically created 2 subnets per Availability Zone e.g.
eksctl-foo-cluster/SubnetPrivateEUWEST1A
eksctl-foo-cluster/SubnetPublicEUWEST1A
The only difference I see between the 2 is that the SubnetPublic has an Internet Gateway and the SubnetPrivate has a NAT Gateway.
As far as I can see none of the SubnetPrivate instances are attached to anything at the moment.
All the node groups I've created have the SubnetPublic added, and outbound traffic from pods on those nodes comes from the IP address of the EC2 node.
I'm wanting to limit the outbound traffic to a known list of IP addresses (to allow for stricter inbound connection filter for a bunch of external services). In this case I'd like it to be the external IP address of the NAT gateway on the SubnetPrivate.
Am I right in assuming if I create a new node group and pass in the ids of the SubnetPrivate then this should get me what I want?
e.g. creating a new node group as follows
eksctl create nodegroup --config-file=static-ip-ng.yml
where subnet-xxxxxxx, subnet-yyyyyyy and subnet-zzzzzzz are the ids for the SubnetPrivate subnets?
EDIT:
Having played with this it appears that you need to include privateNetworking: true as well.
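A constructed static-ip-ng.yml that puts the setup described in the post together (an added example, not the poster's actual file or eksctl project code); the cluster name, region, instance type and capacity are assumptions, and the subnet ids are the post's own placeholders:

```yaml
# static-ip-ng.yml (constructed example, not the poster's file)
# A node group whose nodes are placed only in the eksctl-created private
# subnets, so pod egress leaves the VPC through the NAT gateway's Elastic IP
# instead of each node's own public address.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: foo           # assumed, matching the eksctl-foo-cluster stack name above
  region: eu-west-1   # assumed from the EUWEST1A subnet naming

nodeGroups:
  - name: static-ip-ng
    instanceType: m5.large   # assumed; any instance type works here
    desiredCapacity: 2       # assumed
    # Required in addition to the subnet list (see the EDIT above): it tells
    # eksctl to treat the group as private and not give the nodes public IPs.
    privateNetworking: true
    # Placeholder ids from the post: the SubnetPrivate subnet in each AZ.
    subnets:
      - subnet-xxxxxxx
      - subnet-yyyyyyy
      - subnet-zzzzzzz
```

The address to give the external services for their inbound allow-list is then the NAT gateway's Elastic IP (visible via aws ec2 describe-nat-gateways for the cluster VPC), not any node address.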