We now make it possible to run (part of) your Kubernetes and/or Concourse worker nodes in public subnets, if the situation requires it. However, our default is still to deploy these instances in private subnets.
These nodes get a public IP assigned, allowing them to reach resources on the Internet without going through an AWS NAT Gateway. A public IP also makes a node addressable from the Internet, so, as with any other instance we deploy, these nodes have Security Groups in place that restrict inbound traffic to the least access they require.
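The least-access guarantee for public-subnet nodes only holds if no Security Group attached to them admits inbound traffic from the Internet at large. The following is an added example, not the project's own code: a small offline audit that walks a list of groups in the shape of boto3's `ec2.describe_security_groups()["SecurityGroups"]` response and flags every ingress rule whose source CIDR is world-reachable (0.0.0.0/0, ::/0, or any non-private range). The sample groups, their IDs, names and CIDRs are constructed for the example.

```python
"""Audit Security Group ingress rules for worker nodes that carry a public IP.

Added example, not the project's own code. The sample data below is constructed
in the shape of boto3 ec2.describe_security_groups()["SecurityGroups"]; the
group IDs, names and CIDRs are hypothetical.
"""
from ipaddress import ip_network

# Constructed sample: one correctly scoped group and one that leaks to the Internet.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0example01",          # hypothetical
        "GroupName": "k8s-worker-public",
        "IpPermissions": [
            {   # kubelet API, only from the (hypothetical) VPC range
                "IpProtocol": "tcp", "FromPort": 10250, "ToPort": 10250,
                "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
                "UserIdGroupPairs": [],
            },
            {   # node-to-node traffic, sourced from the group itself (no CIDR)
                "IpProtocol": "-1",
                "IpRanges": [], "Ipv6Ranges": [],
                "UserIdGroupPairs": [{"GroupId": "sg-0example01"}],
            },
        ],
    },
    {
        "GroupId": "sg-0example02",          # hypothetical
        "GroupName": "concourse-worker-public",
        "IpPermissions": [
            {   # SSH open to every IPv4 address: the audit must catch this
                "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                "UserIdGroupPairs": [],
            },
            {   # all protocols from every IPv6 address: also a finding
                "IpProtocol": "-1",
                "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
                "UserIdGroupPairs": [],
            },
        ],
    },
]


def is_world_reachable(cidr: str) -> bool:
    """True when a source CIDR admits traffic from the public Internet.

    A /0 prefix always counts; otherwise any range that is not an RFC 1918 /
    IANA special-purpose (private) block is treated as public.
    """
    net = ip_network(cidr, strict=False)
    return net.prefixlen == 0 or not net.is_private


def audit_public_node_groups(groups):
    """Return (group id, protocol, port range, source) for every ingress rule
    that is reachable from the Internet at large.

    Rules whose only source is another Security Group (UserIdGroupPairs) are
    not CIDR-based and are therefore never flagged here.
    """
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            ports = "all" if proto == "-1" else f'{perm.get("FromPort")}-{perm.get("ToPort")}'
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                if is_world_reachable(src):
                    findings.append((group["GroupId"], proto, ports, src))
    return findings


if __name__ == "__main__":
    for group_id, proto, ports, src in audit_public_node_groups(SAMPLE_GROUPS):
        print(f"{group_id}: {proto} {ports} open to {src}")
```

Against a live account, replace `SAMPLE_GROUPS` with the groups attached to instances that have a `PublicIpAddress` in `ec2.describe_instances()`, fetched via `ec2.describe_security_groups(GroupIds=[...])`; the audit logic is unchanged. A clean result for a public-subnet node is an empty list: all ingress should come from the VPC range or from the cluster's own Security Group.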
This feature request was initially raised because some of our customers were seeing very high AWS charges for data processed by their NAT Gateways. Moving specific workloads to public subnets keeps these costs under control.