I have a service in us-east-2 and a VM in us-east-1. The VM in us-east-1 doesn't have a public IP but can reach the internet for egress and updates. The service in us-east-2 is also in a private network and exposed to the outside world via an application load balancer.
I want to define the load balancer's security group such that only the VM in east-1 can access it. But since the VM doesn't have a public IP, how do I do it? The VM's security group is also not visible since it is in another region.
You can whitelist the IP address of the NAT gateway (or NAT instance, if you're using that instead). That IP address is static. Alternatively, you can set up VPC peering between the regions, then whitelist the address space associated with the VPC in us-east-1.
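As an added illustration of the answer above (not code from the original post), the following Python builds the security-group ingress rule for the load balancer from the public IP of the us-east-1 NAT gateway, and includes a small check that the resulting rule does not accidentally open the listener to the whole internet. The `describe-nat-gateways` output, the VPC id, and the IP addresses are constructed sample values; the same `ingress_permission` helper also covers the VPC-peering alternative, where the source is the us-east-1 VPC CIDR instead of a /32.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-nat-gateways` output.
# IDs and addresses are invented for this example.
SAMPLE_NAT_GATEWAYS = {
    "NatGateways": [
        {
            "NatGatewayId": "nat-0exampleeast1",
            "State": "available",
            "VpcId": "vpc-0exampleeast1",
            "NatGatewayAddresses": [
                {
                    "AllocationId": "eipalloc-0example",
                    "PublicIp": "203.0.113.25",
                    "PrivateIp": "10.1.0.10",
                }
            ],
        },
        {
            # An old, deleted gateway must be ignored so its stale IP is not whitelisted.
            "NatGatewayId": "nat-0exampleold",
            "State": "deleted",
            "VpcId": "vpc-0exampleeast1",
            "NatGatewayAddresses": [],
        },
    ]
}


def nat_egress_cidrs(describe_output, vpc_id):
    """Return a /32 CIDR for each public IP of the available NAT gateways in vpc_id.

    Only the public (Elastic) IP matters here: that is the source address the
    load balancer in the other region will see for traffic from the private VM.
    """
    cidrs = []
    for ngw in describe_output["NatGateways"]:
        if ngw["VpcId"] != vpc_id or ngw["State"] != "available":
            continue
        for addr in ngw["NatGatewayAddresses"]:
            public_ip = addr.get("PublicIp")
            if public_ip:
                cidrs.append(f"{ipaddress.ip_address(public_ip)}/32")
    if not cidrs:
        raise ValueError(f"no available NAT gateway with a public IP in {vpc_id}")
    return cidrs


def ingress_permission(source_cidrs, port=443, description="us-east-1 VM via NAT gateway"):
    """Build one IpPermissions entry for authorize_security_group_ingress.

    For the VPC-peering variant, pass the peer VPC's CIDR (e.g. a /16) as the
    source instead of the NAT gateway /32.
    """
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [
            {"CidrIp": str(ipaddress.ip_network(c, strict=False)), "Description": description}
            for c in source_cidrs
        ],
    }


def internet_open(permission):
    """True if any source range is the whole internet (0.0.0.0/0 or ::/0).

    Such a range would defeat the purpose of restricting the listener to the
    NAT gateway or peer VPC, so it is worth checking before applying the rule.
    """
    return any(
        ipaddress.ip_network(r["CidrIp"], strict=False).prefixlen == 0
        for r in permission["IpRanges"]
    )


if __name__ == "__main__":
    perm = ingress_permission(nat_egress_cidrs(SAMPLE_NAT_GATEWAYS, "vpc-0exampleeast1"))
    assert not internet_open(perm)
    print(perm)
    # With boto3 this entry would be applied to the ALB's security group as:
    #   ec2.authorize_security_group_ingress(GroupId="sg-...", IpPermissions=[perm])
```

The rule is keyed on the NAT gateway's Elastic IP, so it stays valid until that gateway is replaced; filtering on `State == "available"` avoids carrying forward the address of a gateway that has since been deleted.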