amazon-web-services


Why do we need a Private Subnet + NAT translation in AWS? Can't we just use a Public Subnet + a properly configured security group?


So the purpose of private subnets in AWS is for its instances to not be directly accessible from the outside world. There are however cases (successfully resisted the 'instances' pun) in which it's useful for the instances to have access to the internet. One such use-case may be to download software updates for example.
The "standard" way to achieve this would be with a NAT gateway and a rule in the routing table pointing all outbound traffic to it (0.0.0.0/0 -> nat-gw).
The thing that puzzles me is this:
Can't we just use a public subnet with a properly configured security group (SG) that denies inbound traffic and allows specific outbound traffic? Since SGs are stateful, they should allow the response to the outbound traffic to go through, just as a NAT gateway would.
I assume I'm just missing something, or that the above configuration is limited in some way that I'm just not seeing. However I can't find an answer to this.
Compliance is one of the primary reasons one may choose to have private subnets. A lot of companies, especially financial institutions, have strict compliance requirements where there cannot be any public access to the servers. When you create a public subnet, there is a possibility of assigning a public IP address, which can make any instance accessible from the internet (again, as long as the security group allows it).

Security Groups are a firewall provided at a logical level by AWS. Creating a private subnet ensures that even if an instance belongs to a Security Group that allows access to certain ports and protocols, the server still won't be accessible publicly.

Another reason you may choose private subnets is to architect your infrastructure in a way that all public servers are always in the DMZ. Only the DMZ has access to the internet. Everything else is in a private subnet. In the event something goes wrong, access to the DMZ can be closed and further damage can be prevented.
The simple answer is... you're right!
You can certainly launch everything in a Public Subnet and use Security Groups to control traffic between the instances and to restrict inbound access from the Internet.
People use public & private subnets because this is the way that networks were traditionally designed, when firewalls only existed between subnets. Security Groups are an additional layer of security that works at the Elastic Network Interface, but that's a bit scary and new for many networking professionals (including people who design compliance requirements).
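As an added illustration (not part of the question or either answer), the following Python models the reachability logic both answers rely on: inbound exposure needs a public IP, an IGW default route and an open SG rule all at once, whereas NAT egress needs none of the first two. The data shapes (`default_route` of "igw"/"nat"/"none", rule tuples) are constructed simplifications, not boto3 output.

```python
# Added example: classify Internet exposure of instances from simplified VPC
# data. Input shapes are constructed for this example, not real boto3 output.
from dataclasses import dataclass, field

ANY = "0.0.0.0/0"

@dataclass
class SecurityGroup:
    # Each rule: (protocol, from_port, to_port, cidr). SGs are allow-only and stateful.
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

@dataclass
class Instance:
    name: str
    public_ip: bool        # public or Elastic IP attached?
    default_route: str     # target of the subnet's 0.0.0.0/0 route: "igw", "nat" or "none"
    sg: SecurityGroup

def inbound_from_internet(inst: Instance) -> bool:
    """True if an arbitrary Internet host can reach the instance. Needs all three:
    public IP, IGW default route (public subnet) and an SG inbound rule open to
    0.0.0.0/0. A private subnet fails the route test whatever the SG says."""
    sg_open = any(cidr == ANY for (_, _, _, cidr) in inst.sg.inbound)
    return inst.public_ip and inst.default_route == "igw" and sg_open

def outbound_to_internet(inst: Instance) -> bool:
    """True if the instance can initiate Internet connections (e.g. updates).
    Via IGW it also needs a public IP; via NAT it does not. Return traffic is
    admitted by SG statefulness in both cases."""
    if not any(cidr == ANY for (_, _, _, cidr) in inst.sg.outbound):
        return False
    if inst.default_route == "nat":
        return True
    return inst.default_route == "igw" and inst.public_ip

def exposure_report(instances) -> dict:
    """Map instance name -> (inbound reachable, outbound possible)."""
    return {i.name: (inbound_from_internet(i), outbound_to_internet(i)) for i in instances}

# Constructed sample: the two designs from the question, plus the same SG drift on each.
egress_only_sg = SecurityGroup(inbound=[], outbound=[("tcp", 443, 443, ANY)])
web_sg = SecurityGroup(inbound=[("tcp", 443, 443, ANY)], outbound=[("-1", 0, 0, ANY)])
SAMPLE = [
    Instance("public-sg-only", True, "igw", egress_only_sg),  # the asker's design
    Instance("private-nat", False, "nat", egress_only_sg),    # the "standard" design
    Instance("public-drifted-sg", True, "igw", web_sg),       # SG later opened: exposed
    Instance("private-drifted-sg", False, "nat", web_sg),     # same SG change: still unreachable
]
```

Run `exposure_report(SAMPLE)` to see that both designs give identical egress, and that only the public-subnet instance becomes reachable when the SG is loosened.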