Is there any risk from the outside to open up all traffic to instance without public ip?
We have a VPC with 4 tunnels from 4 different locations, and a NAT for internet access. Inside this VPC is an instance with no public IP address. Everything communicates by private IP.
Since it's okay if every internal machine has access to it, is it OK for me to allow all traffic from 0.0.0.0/0?
Is there any risk to it from the outside?
A security best practice is to block all traffic and explicitly allow only traffic to known services from certain locations. (This is how EC2 security groups function.) It may seem OK now, but if an instance were to have a public IP address at some point in the future, it could potentially open your entire VPC up to the world. I highly recommend that you restrict the traffic.
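One way to put that advice into practice is to audit the security group rules you already have and rewrite any "all traffic from 0.0.0.0/0" rule so its source is the VPC CIDR plus the ranges on the far side of your VPN tunnels, which keeps the "any internal machine" intent without the exposure. The script below is an added example, not code from the thread: the trusted ranges in `TRUSTED_CIDRS`, the security group ID and the rules are constructed placeholders, and the input only mimics the shape of `aws ec2 describe-security-groups` output (the real `IpPermissions`, `IpRanges`, `CidrIp` and `Ipv6Ranges` keys). It flags any ingress rule whose source is wider than the trusted ranges and produces a hardened copy of the rule.

```python
import ipaddress

# Constructed sample values (assumption, not from the thread): the VPC's own
# range plus one remote-site range that reaches the VPC over a VPN tunnel.
TRUSTED_CIDRS = ["10.0.0.0/16", "192.168.10.0/24"]

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0example0001",   # placeholder id
        "GroupName": "internal-app",
        "IpPermissions": [
            # "all traffic from anywhere": IpProtocol -1 means every protocol and port
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
            # already scoped: HTTPS only from inside the VPC
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
        ],
    }
]


def _covered(cidr, trusted):
    """True if `cidr` lies entirely inside one of the trusted networks."""
    net = ipaddress.ip_network(cidr)
    for t in trusted:
        tnet = ipaddress.ip_network(t)
        # subnet_of() only compares networks of the same IP version
        if net.version == tnet.version and net.subnet_of(tnet):
            return True
    return False


def offending_cidrs(rule, trusted=TRUSTED_CIDRS):
    """CIDRs (v4 and v6) in an ingress rule that reach beyond the trusted ranges."""
    ranges = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    ranges += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in ranges if not _covered(c, trusted)]


def audit_groups(groups, trusted=TRUSTED_CIDRS):
    """One finding per ingress rule whose source is wider than the trusted ranges."""
    findings = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            bad = offending_cidrs(rule, trusted)
            if bad:
                findings.append({
                    "GroupId": g["GroupId"],
                    "IpProtocol": rule["IpProtocol"],
                    # FromPort/ToPort are absent for protocol -1 (all ports)
                    "Ports": (rule.get("FromPort"), rule.get("ToPort")),
                    "OffendingCidrs": bad,
                })
    return findings


def restrict_to_trusted(rule, trusted=TRUSTED_CIDRS):
    """Hardened copy of a rule: same protocol and ports, sources replaced by the trusted ranges."""
    fixed = {k: v for k, v in rule.items() if k not in ("IpRanges", "Ipv6Ranges")}
    fixed["IpRanges"] = [{"CidrIp": c} for c in trusted
                         if ipaddress.ip_network(c).version == 4]
    fixed["Ipv6Ranges"] = [{"CidrIpv6": c} for c in trusted
                           if ipaddress.ip_network(c).version == 6]
    return fixed


if __name__ == "__main__":
    for f in audit_groups(SAMPLE_GROUPS):
        print(f"{f['GroupId']}: protocol {f['IpProtocol']} ports {f['Ports']} "
              f"open to {f['OffendingCidrs']}")
    print("hardened rule:", restrict_to_trusted(SAMPLE_GROUPS[0]["IpPermissions"][0]))
```

The hardened rule dict has the same shape as an `--ip-permissions` entry, so the usual workflow is to revoke the wide rule and authorize the restricted one. If the only clients are other instances in the same VPC, referencing their security group (a `UserIdGroupPairs` entry) instead of a CIDR is tighter still, because it keeps working even if the instance later gets a public IP.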