amazon-web-services


Why do we need a Private Subnet + NAT translation in AWS? Can't we just use a Public Subnet + a properly configured security group?


So the purpose of private subnets in AWS is for its instances to not be directly accessible from the outside world. There are however cases (successfully resisted the 'instances' pun) in which it's useful for the instances to have access to the internet. One such use-case may be to download software updates for example.
The "standard" way to achieve this would be with a NAT gateway and a rule in the routing table pointing all outbound traffic to it (0.0.0.0/0 -> nat-gw).
The thing that puzzles me is this:
Can't we just use a public subnet with a properly configured security group (SG) that denies inbound traffic and allows specific outbound traffic? Since SGs are stateful, they should allow the response to the outbound traffic to go through, just as a NAT gateway would.
I assume I'm just missing something, or that the above configuration is limited in some way that I'm just not seeing. However I can't find an answer to this.
Compliance is one of the primary reasons one may choose to have private subnets. A lot of companies, especially financial institutions, have strict compliance requirements where there cannot be any public access to the servers. When you create a public subnet, there is a possibility of assigning a public IP address, which can make any instance accessible from the internet (again, as long as the security group allows it).
Security Groups are a firewall provided at a logical level by AWS. Creating a private subnet ensures that even if an instance belongs to a Security Group that allows access to certain ports and protocols, the server still won't be accessible publicly.
Another reason you may choose private subnets is to architect your infrastructure in a way that all public servers are always in the DMZ. Only the DMZ has access to the internet. Everything else is in a private subnet. In the event something goes wrong, access to the DMZ can be closed and further damage could be prevented.
The simple answer is... you're right!
You can certainly launch everything in a Public Subnet and use Security Groups to control traffic between the instances and to restrict inbound access from the Internet.
People use public & private subnets because this is the way that networks were traditionally designed, when firewalls only existed between subnets. Security Groups are an additional layer of security that works at the Elastic Network Interface, but that's a bit scary and new for many networking professionals (including people who design compliance requirements).
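The three facts the thread turns on (the subnet's default route, whether the instance has a public IP, and whether a security group opens an inbound port) can be checked mechanically. This is an added audit example, not code from the original question or answers; the dicts are constructed to mimic the shape of boto3 `describe_route_tables`, `describe_instances` and `describe_security_groups` output, and the resource IDs are placeholders.

```python
from ipaddress import ip_network

def default_route_target(route_table):
    """Target of the 0.0.0.0/0 route: 'igw', 'nat' or None (no default route)."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "nat"
    return None

def sg_opens_port(security_group, port):
    """True if an inbound rule admits TCP `port` from outside private address space."""
    for perm in security_group["IpPermissions"]:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):          # "-1" means all protocols
            continue
        if proto == "tcp" and not (perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
            continue
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            if cidr == "0.0.0.0/0" or not ip_network(cidr, strict=False).is_private:
                return True
    return False

def internet_reachable(instance, route_table, security_groups, port):
    """Decide inbound reachability and say which layer stopped (or allowed) it."""
    if default_route_target(route_table) != "igw":
        return False, "private subnet: no IGW route, so there is no inbound path at all"
    if not instance.get("PublicIpAddress"):
        return False, "public subnet, but no public IP is assigned"
    if not any(sg_opens_port(sg, port) for sg in security_groups):
        return False, "public IP, but no security group opens the port: the SG is the only barrier"
    return True, "public subnet + public IP + SG opens the port: exposed"

# Constructed sample data (placeholder IDs, documentation-range public IP).
PRIVATE_RT = {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0"}]}
PUBLIC_RT = {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"}]}
SSH_FROM_ANYWHERE = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SSH_FROM_VPC = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                   "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}
WITH_PUBLIC_IP = {"PublicIpAddress": "198.51.100.10"}
NO_PUBLIC_IP = {}

if __name__ == "__main__":
    for label, rt, inst, sgs in [("private+nat", PRIVATE_RT, WITH_PUBLIC_IP, [SSH_FROM_ANYWHERE]),
                                 ("public+open SG", PUBLIC_RT, WITH_PUBLIC_IP, [SSH_FROM_ANYWHERE]),
                                 ("public+tight SG", PUBLIC_RT, WITH_PUBLIC_IP, [SSH_FROM_VPC])]:
        print(label, internet_reachable(inst, rt, sgs, 22))
```

The point the second answer makes shows up in the third case: in a public subnet the security group rule is the only thing standing between the instance and the internet, whereas in the first case the missing IGW route blocks inbound traffic regardless of the SG.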
