Thank you very much for the detailed answer. Really enjoyed reading about how things work behind the scenes. My assumptions came from using the Terraform VPC module, which by default creates a NAT gateway for each private subnet, which I assumed to be a sensible default... But indeed, when using the internet gateway to provide internet access to nodes, it is possible to reach them from outside (even if they are in private subnets). So, either a single NAT gateway or an EC2 instance replacing the NAT gateway are the only sensible solutions here.
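The two routing layouts discussed above, written out as an added Terraform example (not the commenter's or the thread's own code). The first block is the weak layout, in which the private subnets' default route points at the internet gateway; the second is the corrected layout, in which the private subnets' default route points at a single NAT gateway and instances are never assigned a public IP. The `terraform-aws-modules/vpc/aws` module and its `single_nat_gateway`, `one_nat_gateway_per_az` and `map_public_ip_on_launch` inputs are real; the resource names, CIDRs, region and AZs are assumptions chosen for illustration.

```hcl
# --- Weak layout (assumed names): "private" subnets that route 0.0.0.0/0
# to the internet gateway. Any instance here that gets a public or Elastic IP
# (for example via map_public_ip_on_launch or an explicitly attached EIP) is
# reachable from the internet, so the subnet is private in name only.
resource "aws_vpc" "weak" {
  cidr_block = "10.10.0.0/16"
}

resource "aws_internet_gateway" "weak" {
  vpc_id = aws_vpc.weak.id
}

resource "aws_subnet" "weak_private" {
  vpc_id                  = aws_vpc.weak.id
  cidr_block              = "10.10.1.0/24"
  availability_zone       = "eu-west-1a"
  map_public_ip_on_launch = true # the setting that makes the IGW route dangerous
}

resource "aws_route_table" "weak_private" {
  vpc_id = aws_vpc.weak.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.weak.id # default route straight to the IGW
  }
}

resource "aws_route_table_association" "weak_private" {
  subnet_id      = aws_subnet.weak_private.id
  route_table_id = aws_route_table.weak_private.id
}

# --- Corrected layout using the community VPC module. Public subnets get the
# IGW as their default route; private subnets get a NAT gateway, so outbound
# traffic is translated to the NAT gateway's Elastic IP and nothing on the
# internet can initiate a connection to a private instance. single_nat_gateway
# collapses the module's default of one NAT gateway per private subnet to one
# for the whole VPC (cheapest, but a single point of failure for egress);
# one_nat_gateway_per_az is the middle ground if you need AZ-level resilience.
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 5.0"

  name = "example"              # assumed name
  cidr = "10.20.0.0/16"         # assumed CIDR

  azs             = ["eu-west-1a", "eu-west-1b"]
  public_subnets  = ["10.20.0.0/24", "10.20.1.0/24"]
  private_subnets = ["10.20.10.0/24", "10.20.11.0/24"]

  enable_nat_gateway     = true
  single_nat_gateway     = true  # one NAT gateway shared by all private subnets
  one_nat_gateway_per_az = false # set true (and single_nat_gateway false) for per-AZ egress

  # Never hand out public IPs to instances launched in these subnets.
  map_public_ip_on_launch = false

  enable_dns_hostnames = true
  enable_dns_support   = true
}
```

A quick check on an existing account, independent of Terraform: list every route table whose default route goes to an internet gateway and compare the associated subnets against the ones you believe are private. `aws ec2 describe-route-tables --query 'RouteTables[].{Id:RouteTableId,Subnets:Associations[].SubnetId,Default:Routes[?DestinationCidrBlock==`0.0.0.0/0`].[GatewayId,NatGatewayId]}'` prints, per route table, its associated subnets and whether the default route is an `igw-` or a `nat-` target; any `igw-` default on a subnet meant to be private is the misconfiguration discussed above. Note that an IGW route alone does not expose an instance: it also needs a public or Elastic IP, which is why `map_public_ip_on_launch = false` belongs next to the NAT route rather than being an optional extra. If a NAT instance is used instead of a managed NAT gateway, it additionally needs source/destination checks disabled on its network interface, or it will drop the forwarded packets.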