I am using Jenkins within Kubernetes and spinning up dynamic slaves as EC2 instances, each of which is assigned a random IP on startup. One of my requirements is to channel all slave egress traffic through a single IP so it can be whitelisted on internal databases and applications.
This is easily accomplished with a NAT Gateway; however, it means the slaves must be stood up in a private subnet. The current UI only allows selection of a Region and Availability Zone. My Kubernetes cluster spans multiple AZs, and Jenkins can be running in any one of them at any time. If I choose 'ap-southeast-2a' as the AZ in the UI, but Jenkins is running in 'ap-southeast-2c', the slave cloud does not start, citing an AZ mismatch.
What I'd like to do is set aside a subnet specifically for slaves within the same VPC as the Kubernetes cluster that is configured to route through a NAT Gateway and target it specifically in the UI Cloud setup.
Targeting a specific subnet_id is possible via a Groovy script; however, this means the private key is in plain text in a file on the server. Would it be possible to add the 'subnet_id' field in the UI?
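The network layout described above (a dedicated private subnet for the agents whose only default route is a NAT Gateway, so one Elastic IP can be whitelisted downstream), written out as Terraform. This is an added illustration, not configuration from the issue or from the Jenkins EC2 plugin; the VPC id, public subnet id, agent CIDR, AZ, database security group id and port are placeholders or assumptions, and the plugin's own Groovy/UI configuration is deliberately not shown.

```hcl
# Added example: private agent subnet + NAT Gateway egress for Jenkins EC2 agents.
# All ids and CIDRs below are placeholders/assumptions, not values from the issue.

variable "vpc_id"           { default = "vpc-PLACEHOLDER" }
variable "public_subnet_id" { default = "subnet-PLACEHOLDER-public" } # hosts the NAT Gateway
variable "agent_cidr"       { default = "10.0.200.0/24" }             # assumed free in the VPC
variable "agent_az"         { default = "ap-southeast-2a" }           # AZ the agents will be pinned to

# Private subnet reserved for agents. No public IPs are assigned at launch,
# so an agent can only reach outside the VPC through the route below.
resource "aws_subnet" "jenkins_agents" {
  vpc_id                  = var.vpc_id
  cidr_block              = var.agent_cidr
  availability_zone       = var.agent_az
  map_public_ip_on_launch = false
  tags = { Name = "jenkins-agents-private" }
}

# The single fixed address every agent will appear to come from.
resource "aws_eip" "agent_egress" {
  domain = "vpc"
}

# NAT Gateway lives in a public subnet (one with an Internet Gateway route).
resource "aws_nat_gateway" "agent_egress" {
  allocation_id = aws_eip.agent_egress.id
  subnet_id     = var.public_subnet_id
}

# Route table for the agent subnet: default route via the NAT Gateway, never an IGW.
resource "aws_route_table" "jenkins_agents" {
  vpc_id = var.vpc_id
  tags   = { Name = "jenkins-agents-private" }
}

resource "aws_route" "agent_default" {
  route_table_id         = aws_route_table.jenkins_agents.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.agent_egress.id
}

resource "aws_route_table_association" "jenkins_agents" {
  subnet_id      = aws_subnet.jenkins_agents.id
  route_table_id = aws_route_table.jenkins_agents.id
}

# Downstream whitelist: the database security group admits the database port
# only from the NAT address, not from the agents' ever-changing private IPs.
resource "aws_security_group_rule" "db_from_jenkins_agents" {
  type              = "ingress"
  security_group_id = "sg-PLACEHOLDER-database" # assumed: SG of an internet-reachable database
  from_port         = 5432                      # assumed: PostgreSQL
  to_port           = 5432
  protocol          = "tcp"
  cidr_blocks       = ["${aws_eip.agent_egress.public_ip}/32"]
}

# This is the value the requested subnet_id field (or the Groovy script) would receive.
output "jenkins_agent_subnet_id" {
  value = aws_subnet.jenkins_agents.id
}
```

Two caveats worth checking before relying on this. First, a NAT Gateway only carries traffic that leaves the VPC; a database inside the same VPC sees the agent's private IP, so for that case whitelist the agent subnet CIDR rather than the Elastic IP. Second, a NAT Gateway is tied to one AZ, and an EC2 agent must be launched in the AZ of its subnet, which is exactly why pinning the plugin to a subnet id (rather than to the AZ Jenkins happens to be running in) avoids the mismatch described above.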