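# Public subnet: hosts the NAT gateway. The parent VPC is referenced the same
# way as every other resource in this file (aws_vpc.vpc, declared elsewhere)
# instead of a hard-coded VPC id, so the subnet cannot end up in a different
# VPC from the route table, security group and instance that depend on it.
# The internet-gateway route that actually makes this subnet "public" is not
# in this file.
resource "aws_subnet" "public_subnet" {
  vpc_id     = "${aws_vpc.vpc.id}"
  cidr_block = "10.0.1.0/24"
}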
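# Private subnet: holds the private instance. Its only route to the internet
# is the NAT-gateway default route attached via private_route_table. The VPC
# is referenced (aws_vpc.vpc, declared elsewhere) rather than hard-coded, so
# it matches the VPC used by the route table and security group below; a
# subnet in a different VPC could not be associated with that route table.
resource "aws_subnet" "private_subnet" {
  vpc_id     = "${aws_vpc.vpc.id}"
  cidr_block = "10.0.2.0/24"
}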
# NAT gateway giving the private subnet outbound-only internet access. It is
# placed in the public subnet and uses an Elastic IP (aws_eip.nat_eip) that
# is declared outside this file.
resource "aws_nat_gateway" "nat_gateway" {
  subnet_id     = "${aws_subnet.public_subnet.id}"
  allocation_id = "${aws_eip.nat_eip.id}"
}
# Route table dedicated to the private subnet. Routes are not declared
# inline; the default route is added by aws_route.nat_route and the subnet
# is attached by aws_route_table_association.private_subnet_association.
# aws_vpc.vpc is declared outside this file.
resource "aws_route_table" "private_route_table" {
  vpc_id = "${aws_vpc.vpc.id}"
}
# Default route (0.0.0.0/0) for the private route table. It targets the NAT
# gateway rather than an internet gateway, so instances in the private
# subnet can initiate outbound connections but are not reachable inbound
# from the internet.
resource "aws_route" "nat_route" {
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = "${aws_nat_gateway.nat_gateway.id}"
  route_table_id         = "${aws_route_table.private_route_table.id}"
}
# Binds the private subnet to the private route table. Without this the
# subnet would fall back to the VPC's main route table and the NAT default
# route above would not apply to it.
resource "aws_route_table_association" "private_subnet_association" {
  route_table_id = "${aws_route_table.private_route_table.id}"
  subnet_id      = "${aws_subnet.private_subnet.id}"
}
# Security group attached to the private instance. Ingress is declared
# separately in aws_security_group_rule.private_ingress_rule. No egress rule
# is declared anywhere in this file; aws_security_group removes AWS's default
# allow-all egress when none is given, so outbound traffic through the NAT
# gateway will not flow until an egress rule is added.
# aws_vpc.vpc is declared outside this file.
resource "aws_security_group" "private_security_group" {
  vpc_id      = "${aws_vpc.vpc.id}"
  name_prefix = "private"
  description = "Security group for private subnet"
}
# Ingress for the private security group: every TCP port (0-65535) from the
# whole public subnet CIDR. This is wider than least privilege: narrow
# from_port/to_port to the ports the private instance actually serves, and
# prefer source_security_group_id over a CIDR so that only specific
# public-subnet resources (not anything that lands in that subnet) qualify.
resource "aws_security_group_rule" "private_ingress_rule" {
  security_group_id = "${aws_security_group.private_security_group.id}"
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 0
  to_port           = 65535
  cidr_blocks       = ["${aws_subnet.public_subnet.cidr_block}"]
}
# EC2 instance in the private subnet, protected by private_security_group.
# It gets no public IP path; its only internet access is outbound via the
# NAT gateway route. The AMI id looks like a placeholder and should be
# replaced with a vetted image. Hardening not present here that is worth
# adding: require IMDSv2 (metadata_options { http_tokens = "required" })
# and encrypt the root volume (root_block_device { encrypted = true }).
resource "aws_instance" "private_instance" {
  ami                    = "ami-123456abcdef"
  instance_type          = "t2.micro"
  subnet_id              = "${aws_subnet.private_subnet.id}"
  vpc_security_group_ids = ["${aws_security_group.private_security_group.id}"]
}