amazon-web-services


Why do we need a Private Subnet + NAT translation in AWS? Can't we just use a Public Subnet + a properly configured security group?


So the purpose of private subnets in AWS is for its instances to not be directly accessible from the outside world. There are however cases (successfully resisted the 'instances' pun) in which it's useful for the instances to have access to the internet. One such use-case may be to download software updates for example.
The "standard" way to achieve this would be with a NAT gateway and a rule in the routing table pointing all outbound traffic to it (0.0.0.0/0 -> nat-gw).
The thing that puzzles me is this:
Can't we just use a public subnet with a properly configured security group (SG) that denies inbound traffic and allows specific outbound traffic? Since SGs are stateful, they should allow the response to the outbound traffic to go through, just as a NAT gateway would.
I assume I'm just missing something, or that the above configuration is limited in some way that I'm just not seeing. However I can't find an answer to this.
Compliance is one of the primary reasons one may choose to have private subnets. A lot of companies, especially financial institutions, have strict compliance requirements where there cannot be any public access to the servers. When you create a public subnet, there is a possibility of assigning a public IP address, which can make any instance accessible from the internet (again, as long as the security group allows it).

Security Groups are a firewall provided at a logical level by AWS. Creating a private subnet ensures that even if an instance belongs to a Security Group that allows access to certain ports and protocols, the server still won't be accessible publicly.

Another reason you may choose private subnets is to architect your infrastructure in a way that all public servers are always in the DMZ. Only the DMZ has access to the internet. Everything else is in a private subnet. In the event something goes wrong, access to the DMZ can be closed and further damage could be prevented.
The simple answer is... you're right!
You can certainly launch everything in a Public Subnet and use Security Groups to control traffic between the instances and to restrict inbound access from the Internet.
People use public & private subnets because this is the way that networks were traditionally designed, when firewalls only existed between subnets. Security Groups are an additional layer of security that works at the Elastic Network Interface, but that's a bit scary and new for many networking professionals (including people who design compliance requirements).
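The question and both answers turn on the same point: an instance is reachable from the Internet only when its subnet's default route goes to an internet gateway, the instance has a public IP, and a security group opens a port to 0.0.0.0/0; a private subnet (default route to a NAT gateway) removes the first condition regardless of how the security group is configured. The following is an added example, not code from the question or either answer. It runs the three-condition check over constructed, simplified dictionaries loosely shaped like EC2 DescribeRouteTables / DescribeInstances output, so it needs no AWS credentials; the field names and the resource ids are assumptions made for the example.

```python
"""Flag EC2 instances that are reachable from the Internet.

Added example (not from the original question or answers). The data
structures below are constructed and simplified; they are not the exact
shape of the boto3 responses, and the route-table association logic
ignores the VPC main route table.
"""

from ipaddress import ip_network

# Constructed sample data: one public subnet (0.0.0.0/0 -> igw-*) and one
# private subnet (0.0.0.0/0 -> nat-*), exactly the split the question describes.
ROUTE_TABLES = [
    {"subnets": ["subnet-public"], "routes": [
        {"dest": "10.0.0.0/16", "target": "local"},
        {"dest": "0.0.0.0/0", "target": "igw-0abc"}]},
    {"subnets": ["subnet-private"], "routes": [
        {"dest": "10.0.0.0/16", "target": "local"},
        {"dest": "0.0.0.0/0", "target": "nat-0def"}]},
]

# Constructed security groups: one open to the world on 443, one with no
# inbound rules at all (the "deny inbound, allow outbound" SG from the
# question), one that only admits a single office range.
SECURITY_GROUPS = {
    "sg-web": {"ingress": [{"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"}]},
    "sg-locked": {"ingress": []},
    "sg-ssh-office": {"ingress": [{"proto": "tcp", "from": 22, "to": 22, "cidr": "203.0.113.0/24"}]},
}

# Constructed instances covering each combination of the three conditions.
INSTANCES = [
    {"id": "i-1", "subnet": "subnet-public", "public_ip": "198.51.100.10", "sgs": ["sg-web"]},
    {"id": "i-2", "subnet": "subnet-public", "public_ip": "198.51.100.11", "sgs": ["sg-locked"]},
    {"id": "i-3", "subnet": "subnet-public", "public_ip": None, "sgs": ["sg-web"]},
    {"id": "i-4", "subnet": "subnet-private", "public_ip": None, "sgs": ["sg-web"]},
    {"id": "i-5", "subnet": "subnet-public", "public_ip": "198.51.100.12", "sgs": ["sg-ssh-office"]},
]


def subnet_kind(subnet_id, route_tables):
    """Classify a subnet by its default route: 'public' (internet gateway),
    'private' (NAT gateway) or 'isolated' (no default route at all)."""
    for rt in route_tables:
        if subnet_id in rt["subnets"]:
            for route in rt["routes"]:
                if route["dest"] == "0.0.0.0/0":
                    if route["target"].startswith("igw-"):
                        return "public"
                    if route["target"].startswith("nat-"):
                        return "private"
            return "isolated"
    raise KeyError(f"no explicit route table association for {subnet_id}")


def world_reachable_ports(sg_ids, security_groups):
    """Collect every port that any of the instance's SGs opens to 0.0.0.0/0
    (or ::/0). Ranges narrower than the whole Internet are ignored."""
    ports = set()
    for sg_id in sg_ids:
        for rule in security_groups[sg_id]["ingress"]:
            if ip_network(rule["cidr"]).prefixlen == 0:
                ports.update(range(rule["from"], rule["to"] + 1))
    return ports


def internet_exposed(instance, route_tables, security_groups):
    """Ports on which the instance is reachable from the Internet. All three
    conditions must hold; a private or isolated subnet short-circuits the
    check no matter what the security group allows."""
    kind = subnet_kind(instance["subnet"], route_tables)
    if kind != "public" or instance["public_ip"] is None:
        return set()
    return world_reachable_ports(instance["sgs"], security_groups)


def audit(instances, route_tables, security_groups):
    """Map instance id -> sorted list of Internet-reachable ports."""
    return {i["id"]: sorted(internet_exposed(i, route_tables, security_groups))
            for i in instances}


if __name__ == "__main__":
    for instance_id, ports in audit(INSTANCES, ROUTE_TABLES, SECURITY_GROUPS).items():
        print(instance_id, "exposed ports:", ports or "none")
```

Running it shows the trade-off the answers describe: i-2 (public subnet, locked-down SG) is unreachable just as the asker expects, but its safety rests entirely on the SG staying correct, whereas i-4 (private subnet) stays unreachable even with the permissive sg-web attached. A real audit would feed this logic from boto3 `describe_route_tables`, `describe_instances` and `describe_security_groups`, and would also have to resolve subnets that fall back to the VPC main route table, which this example deliberately leaves out.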
