amazon-web-services


Why do we need a Private Subnet + NAT translation in AWS? Can't we just use a Public Subnet + a properly configured security group?


So the purpose of private subnets in AWS is for its instances to not be directly accessible from the outside world. There are however cases (successfully resisted the 'instances' pun) in which it's useful for the instances to have access to the internet. One such use-case may be to download software updates for example.
The "standard" way to achieve this would be with a NAT gateway and a rule in the routing table pointing all outbound traffic to it (0.0.0.0/0 -> nat-gw).
The thing that puzzles me is this:
Can't we just use a public subnet with a properly configured security group (SG) that denies inbound traffic and allows specific outbound traffic? Since SGs are stateful, they should allow the response to the outbound traffic to go through, just as a NAT gateway would.
I assume I'm just missing something, or that the above configuration is limited in some way that I'm just not seeing. However I can't find an answer to this.

Compliance is one of the primary reasons one may choose to have private subnets. A lot of companies, especially financial institutions, have strict compliance requirements where there cannot be any public access to the servers. When you create a public subnet, there is a possibility of assigning a public IP address, which can make any instance accessible from the internet (again, as long as the security group allows it).

Security Groups are a firewall provided at a logical level by AWS. Creating a private subnet ensures that even if an instance belongs to a Security Group that allows access to certain ports and protocols, the server still won't be accessible publicly.

Another reason you may choose private subnets is to architect your infrastructure in a way that all public servers are always in the DMZ. Only the DMZ has access to the internet. Everything else is in a private subnet. In the event something goes wrong, access to the DMZ can be closed and further damage could be prevented.

The simple answer is... you're right!
You can certainly launch everything in a Public Subnet and use Security Groups to control traffic between the instances and to restrict inbound access from the Internet.
People use public & private subnets because this is the way that networks were traditionally designed, when firewalls only existed between subnets. Security Groups are an additional layer of security that works at the Elastic Network Interface, but that's a bit scary and new for many networking professionals (including people who design compliance requirements).
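The three postures discussed in the question and both answers (private subnet behind a NAT gateway, public subnet with a security group that has no inbound rules, and public subnet with an open security group) can be compared with a small offline model. This is an added example, not code from the question or either answer: it models the reachability rules the thread relies on (an instance is reachable from the internet only if it has a public IP, its subnet's default route points at an internet gateway, and a security group ingress rule matches; outbound works via a NAT gateway, or via an internet gateway only when the instance has a public IP, and only if an egress rule matches). The data classes, field names and the sample instances are constructed for the example, not AWS API output.

```python
"""Offline model of EC2 internet exposure: subnet routing x public IP x security group.

All field names and sample data below are constructed for this example (they are
not describe-instances output); the logic mirrors the VPC rules the thread discusses.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class SecurityGroup:
    # Rules are dicts: proto ("tcp", "udp" or "-1" for all), from_port, to_port, cidr.
    # Security groups have no deny rules, so an empty ingress list is the
    # "deny all inbound" posture the question describes.
    ingress: List[dict] = field(default_factory=list)
    egress: List[dict] = field(default_factory=list)


@dataclass
class Subnet:
    # Target of the 0.0.0.0/0 route: "igw-..." (public), "nat-..." (private with NAT),
    # or None (isolated subnet with no default route).
    default_route_target: Optional[str]
    map_public_ip_on_launch: bool = False


@dataclass
class Instance:
    name: str
    subnet: Subnet
    sg: SecurityGroup
    public_ip: Optional[str] = None


def rule_allows(rule: dict, proto: str, port: int, peer_ip: str) -> bool:
    """True if one SG rule matches the protocol, port and peer address."""
    proto_ok = rule["proto"] in ("-1", proto)
    port_ok = rule["proto"] == "-1" or rule["from_port"] <= port <= rule["to_port"]
    return proto_ok and port_ok and ip_address(peer_ip) in ip_network(rule["cidr"])


def is_public_subnet(subnet: Subnet) -> bool:
    return bool(subnet.default_route_target) and subnet.default_route_target.startswith("igw-")


def reachable_from_internet(inst: Instance, proto: str, port: int,
                            source_ip: str = "198.51.100.7") -> bool:
    """Can an unsolicited packet from the internet reach this port on the instance?"""
    if not is_public_subnet(inst.subnet) or inst.public_ip is None:
        return False  # nothing routable to connect to, whatever the SG says
    return any(rule_allows(r, proto, port, source_ip) for r in inst.sg.ingress)


def can_reach_internet(inst: Instance, proto: str, port: int,
                       dest_ip: str = "203.0.113.10") -> bool:
    """Can the instance open an outbound connection? (Replies return via SG statefulness.)"""
    target = inst.subnet.default_route_target
    if target is None:
        return False
    if target.startswith("igw-") and inst.public_ip is None:
        return False  # an internet gateway does not translate private addresses
    if not (target.startswith("igw-") or target.startswith("nat-")):
        return False
    return any(rule_allows(r, proto, port, dest_ip) for r in inst.sg.egress)


def summarize(inst: Instance) -> Dict[str, bool]:
    """The two properties the thread cares about: inbound exposure and outbound updates."""
    return {
        "ssh_exposed": reachable_from_internet(inst, "tcp", 22),
        "https_out": can_reach_internet(inst, "tcp", 443),
    }


# Constructed sample rule sets and instances (all IDs and addresses are placeholders).
UPDATES_ONLY = [{"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]
SSH_FROM_ANYWHERE = [{"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]

SCENARIOS = {
    # Private subnet + NAT: even a wide-open ingress rule cannot expose the instance.
    "private+nat": Instance("app-a", Subnet("nat-0example"),
                            SecurityGroup(ingress=SSH_FROM_ANYWHERE, egress=UPDATES_ONLY)),
    # Public subnet + SG with no inbound rules: safe only as long as the SG stays empty.
    "public+strict-sg": Instance("app-b", Subnet("igw-0example", True),
                                 SecurityGroup(ingress=[], egress=UPDATES_ONLY),
                                 public_ip="203.0.113.25"),
    # Public subnet + permissive SG + public IP: the combination the first answer warns about.
    "public+open-sg": Instance("app-c", Subnet("igw-0example", True),
                               SecurityGroup(ingress=SSH_FROM_ANYWHERE, egress=UPDATES_ONLY),
                               public_ip="203.0.113.26"),
}

if __name__ == "__main__":
    for label, inst in SCENARIOS.items():
        print(f"{label:18} {summarize(inst)}")
```

Running it shows that both the NAT design and the strict-SG design give outbound HTTPS without inbound SSH exposure, which is the equivalence the second answer points out; the difference is that in the private subnet the result does not depend on anyone keeping the security group's ingress list empty, which is the defence-in-depth argument of the first answer.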
