amazon-web-services


Why do we need a Private Subnet + NAT translation in AWS? Can't we just use a Public Subnet + a properly configured security group?


So the purpose of private subnets in AWS is for its instances to not be directly accessible from the outside world. There are however cases (successfully resisted the 'instances' pun) in which it's useful for the instances to have access to the internet. One such use-case may be to download software updates for example.
The "standard" way to achieve this would be with a NAT gateway and a rule in the routing table pointing all outbound traffic to it (0.0.0.0/0 -> nat-gw).
The thing that puzzles me is this:
Can't we just use a public subnet with a properly configured security group (SG) that denies inbound traffic and allows specific outbound traffic? Since SGs are stateful, they should allow the response to the outbound traffic to go through, just as a NAT gateway would.
I assume I'm just missing something, or that the above configuration is limited in some way that I'm just not seeing. However I can't find an answer to this.
Compliance is one of the primary reasons one may choose to have private subnets. A lot of companies, especially financial institutions, have strict compliance requirements where there cannot be any public access to the servers. When you create a public subnet, there is a possibility of assigning a public IP address, which can make any instance accessible from the internet (again, as long as the security group allows it).
Security Groups are a firewall provided at a logical level by AWS. Creating a private subnet ensures that even if an instance belongs to a Security Group that allows access to certain ports and protocols, the server still won't be accessible publicly.
Another reason you may choose private subnets is to architect your infrastructure in a way that all public servers are always in the DMZ. Only the DMZ has access to the internet. Everything else is in a private subnet. In the event something goes wrong, access to the DMZ can be closed and further damage could be prevented.
The simple answer is... you're right!
You can certainly launch everything in a Public Subnet and use Security Groups to control traffic between the instances and to restrict inbound access from the Internet.
People use public & private subnets because this is the way that networks were traditionally designed, when firewalls only existed between subnets. Security Groups are an additional layer of security that works at the Elastic Network Interface, but that's a bit scary and new for many networking professionals (including people who design compliance requirements).
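As an added example (not code from the question or from either answer), the following Terraform configuration lays out both designs discussed above side by side: a public subnet whose instances get a public IP and route straight to the Internet Gateway, and a private subnet whose instances have no public IP and route 0.0.0.0/0 to a NAT gateway, with the same no-ingress, HTTPS-only-egress security group attached in both cases. The region, the CIDR blocks, the `ami_id` variable and the use of AWS provider v5 syntax (`domain = "vpc"` on the EIP) are assumptions made for the example.

```hcl
provider "aws" {
  region = "eu-west-1" # assumed region for the example
}

variable "ami_id" {
  type = string # assumed: an AMI ID supplied by the operator
}

resource "aws_vpc" "demo" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.demo.id
}

# Public subnet: every instance launched here gets a public IP, so whether it
# is reachable from the internet depends entirely on its security group.
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.demo.id
  cidr_block              = "10.0.0.0/24"
  map_public_ip_on_launch = true
}

# Private subnet: no public IPs are assigned, so there is no address for the
# internet to reach even if a security group rule is later opened by mistake.
resource "aws_subnet" "private" {
  vpc_id                  = aws_vpc.demo.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = false
}

# The NAT gateway itself sits in the public subnet and owns an Elastic IP;
# all outbound traffic from the private subnet leaves with this address.
resource "aws_eip" "nat" {
  domain = "vpc" # provider v5 syntax; older providers use vpc = true
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  depends_on    = [aws_internet_gateway.igw]
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.demo.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

# The "0.0.0.0/0 -> nat-gw" rule from the question.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.demo.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# No ingress blocks means no inbound rules at all. Terraform also drops the
# AWS default "allow all egress" rule, so only the listed egress remains.
# Because security groups are stateful, replies to the HTTPS requests below
# are allowed back in without any ingress rule.
resource "aws_security_group" "egress_only" {
  name   = "egress-only"
  vpc_id = aws_vpc.demo.id

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Same security group, two placements. The public-subnet instance is one
# ingress rule away from exposure; the private-subnet one has no public IP.
resource "aws_instance" "public_worker" {
  ami                    = var.ami_id
  instance_type          = "t3.micro"
  subnet_id              = aws_subnet.public.id
  vpc_security_group_ids = [aws_security_group.egress_only.id]
}

resource "aws_instance" "private_worker" {
  ami                    = var.ami_id
  instance_type          = "t3.micro"
  subnet_id              = aws_subnet.private.id
  vpc_security_group_ids = [aws_security_group.egress_only.id]
}
```

Two practical differences follow from this layout. Outbound connections from `private_worker` reach the internet with the NAT gateway's Elastic IP as their source, which gives a single stable address that external parties can allow-list, whereas `public_worker` connects from its own public IP. And the NAT gateway is a billed resource (per hour and per GB processed), which is the usual cost argument for the public-subnet-plus-security-group design the second answer endorses.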
