
Should I open ICMP connections on my NAT instance security group in AWS?


I have a VPC on AWS with a private subnet and a public subnet. I use the documented setup for this scenario, with a NAT instance.

It is advised on this link docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html to open TCP port 22 to the world, and 80 and 443 to the VPC. After trying to test the connectivity using ping from an instance on the private network, I realised that ping uses the ICMP protocol, which is completely shut down by this security group configuration. In fact, I can wget just fine. I have very little knowledge of what happens with ICMP, so my question is the following: Is it ok to block all ICMP connections to my NAT instance?

As a secondary question, I should also ask whether it is problematic to open all ICMP connections to my NAT instance.


Solution

  • Yes, you can always block ICMP. It won't affect anything.

    Also, it's not safe to keep port 22 open to the world. You can open port 22 to your home IP only, when you need it.
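As an added example (not code from the original question, the answer, or the AWS documentation), here is a shell script that defines the NAT instance's inbound rules the way the answer recommends: 80 and 443 from the VPC, SSH from a single admin address instead of 0.0.0.0/0, and, so that the asker's ping test from the private subnet works, ICMP echo requests from the VPC CIDR only rather than all ICMP from anywhere. Before applying anything it runs a check that rejects any rule set exposing tcp/22 to 0.0.0.0/0 or ::/0, including port ranges that contain 22. The VPC CIDR 10.0.0.0/16, the admin address 203.0.113.10/32 and the NAT_SG_ID variable are hypothetical placeholders; the apply step needs the AWS CLI and credentials, while the rule definition and the check run offline.

```shell
#!/usr/bin/env bash
# Added example: inbound security group rules for a NAT instance, with a
# pre-apply check that no rule opens SSH to the whole Internet.
# Hypothetical placeholders: VPC CIDR 10.0.0.0/16, admin IP 203.0.113.10/32.
set -euo pipefail

VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"        # assumed VPC range
ADMIN_IP="${ADMIN_IP:-203.0.113.10/32}"    # assumed admin public IP, /32

# Rule set, one rule per line: <protocol> <port|from-to|icmptype/code> <source cidr>
# ICMP type 8 (echo request) from the VPC CIDR is what ping from the private
# subnet needs; code -1 means "all codes" for that type, as in the AWS API.
nat_sg_rules() {
  cat <<EOF
tcp 80 $VPC_CIDR
tcp 443 $VPC_CIDR
tcp 22 $ADMIN_IP
icmp 8/-1 $VPC_CIDR
EOF
}

# Reads rules on stdin. Returns 0 if no tcp rule whose port range contains 22
# has an any-address source; otherwise prints the offenders and returns 1.
check_no_world_ssh() {
  local bad
  bad=$(awk '
    $1 == "tcp" && ($3 == "0.0.0.0/0" || $3 == "::/0") {
      n = split($2, r, "-"); from = r[1]; to = (n > 1) ? r[2] : r[1]
      if (from + 0 <= 22 && 22 <= to + 0) print
    }')
  if [ -n "$bad" ]; then
    printf 'REJECT: SSH reachable from the whole Internet:\n%s\n' "$bad" >&2
    return 1
  fi
}

# Applies the rule set to the given security group with the AWS CLI.
# FromPort/ToPort carry the ICMP type/code for IpProtocol=icmp.
apply_rules() {
  local sg_id="$1" proto port cidr from to
  nat_sg_rules | check_no_world_ssh
  nat_sg_rules | while read -r proto port cidr; do
    case "$proto" in
      icmp) from="${port%/*}"; to="${port#*/}" ;;
      *)    from="${port%-*}"; to="${port#*-}" ;;
    esac
    aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
      --ip-permissions "IpProtocol=$proto,FromPort=$from,ToPort=$to,IpRanges=[{CidrIp=$cidr}]"
  done
}

# Only touch AWS when explicitly asked: APPLY_SG=1 NAT_SG_ID=sg-... ./nat-sg.sh
if [ "${APPLY_SG:-}" = "1" ]; then
  apply_rules "${NAT_SG_ID:?set NAT_SG_ID to the NAT instance security group id}"
fi
```

Because `authorize-security-group-ingress` only adds rules, run this against a freshly created group, or remove the documented `22 from 0.0.0.0/0` rule first; otherwise the check passes on the script's own rule set while the stale world-open rule stays in place.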