amazon-web-services


Why do we need a Private Subnet + NAT translation in AWS? Can't we just use a Public Subnet + a properly configured security group?


So the purpose of private subnets in AWS is for its instances to not be directly accessible from the outside world. There are however cases (successfully resisted the 'instances' pun) in which it's useful for the instances to have access to the internet. One such use-case may be to download software updates for example.
The "standard" way to achieve this would be with a NAT gateway and a rule in the routing table pointing all outbound traffic to it (0.0.0.0/0 -> nat-gw).
The thing that puzzles me is this:
Can't we just use a public subnet with a properly configured security group (SG) that denies inbound traffic and allows specific outbound traffic? Since SGs are stateful, they should allow the response to the outbound traffic to go through, just as a NAT gateway would.
I assume I'm just missing something, or that the above configuration is limited in some way that I'm just not seeing. However I can't find an answer to this.
Compliance is one of the primary reasons one may choose to have private subnets. A lot of companies, especially financial institutions, have strict compliance requirements where there cannot be any public access to the servers. When you create a public subnet, there is a possibility of assigning a public IP address, which can make any instance accessible from the internet (again, as long as the security group allows it).
Security Groups are a firewall provided at a logical level by AWS. Creating a private subnet ensures that even if an instance belongs to a Security Group that allows access to certain ports and protocols, the server still won't be accessible publicly.
Another reason you may choose private subnets is to architect your infrastructure in a way that all public servers are always in the DMZ. Only the DMZ has access to the internet. Everything else is in a private subnet. In the event something goes wrong, access to the DMZ can be closed and further damage could be prevented.
The simple answer is... you're right!
You can certainly launch everything in a Public Subnet and use Security Groups to control traffic between the instances and to restrict inbound access from the Internet.
People use public & private subnets because this is the way that networks were traditionally designed, when firewalls only existed between subnets. Security Groups are an additional layer of security that works at the Elastic Network Interface, but that's a bit scary and new for many networking professionals (including people who design compliance requirements).
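Added example for this thread (not code posted by the question or either answer): a small audit that encodes the point both answers make. An inbound connection from the internet reaches an instance only when three things hold at once: it has a public IP, its subnet's route table sends 0.0.0.0/0 to an internet gateway (which is what makes the subnet "public"), and a security group allows the traffic. A private subnet removes the second condition, so a later security-group mistake or an accidentally assigned public IP cannot expose it. The dictionaries mimic the shape of `aws ec2 describe-route-tables`, `describe-security-groups` and `describe-instances` output, but all IDs, addresses and the 10.0.0.0/16 VPC CIDR are constructed here.

```python
"""Flag EC2 instances reachable from the internet, from constructed VPC data.

Added example, not code from the question or answers. Input shapes follow
`aws ec2 describe-*` JSON; every ID, IP and CIDR below is made up.
"""
from ipaddress import ip_network

VPC_CIDR = ip_network("10.0.0.0/16")  # constructed VPC range

# --- constructed sample data -------------------------------------------
ROUTE_TABLES = [
    {   # public subnet: default route to an internet gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
        ],
    },
    {   # private subnet: default route to a NAT gateway (outbound only)
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-private"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
        ],
    },
]

SECURITY_GROUPS = {
    "sg-ssh-open": {  # inbound 22/tcp from anywhere: a common mistake
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ]
    },
    # Security groups are allow-lists with an implicit deny, so an empty
    # IpPermissions list is the "deny all inbound" group from the question.
    "sg-no-inbound": {"IpPermissions": []},
}

INSTANCES = [
    {"InstanceId": "i-web", "SubnetId": "subnet-public",
     "PublicIpAddress": "203.0.113.10",
     "SecurityGroups": [{"GroupId": "sg-ssh-open"}]},
    {"InstanceId": "i-app", "SubnetId": "subnet-public",
     "PublicIpAddress": "203.0.113.11",
     "SecurityGroups": [{"GroupId": "sg-no-inbound"}]},
    {"InstanceId": "i-db", "SubnetId": "subnet-private",  # no public IP
     "SecurityGroups": [{"GroupId": "sg-ssh-open"}]},     # SG is wrong, subnet saves it
]


def subnet_is_public(subnet_id, route_tables=ROUTE_TABLES):
    """True when the subnet's route table has a default route via an IGW."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return any(
                r.get("DestinationCidrBlock") == "0.0.0.0/0"
                and r.get("GatewayId", "").startswith("igw-")
                for r in rt["Routes"]
            )
    return False  # unassociated subnets use the main table; treated as private here


def sg_rules_open_to_internet(group_id, groups=SECURITY_GROUPS):
    """Return the (protocol, from_port, to_port) rules whose source is outside the VPC."""
    open_rules = set()
    for perm in groups[group_id]["IpPermissions"]:
        for rng in perm.get("IpRanges", []):
            if not ip_network(rng["CidrIp"]).subnet_of(VPC_CIDR):
                open_rules.add((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return open_rules


def internet_exposed_instances(instances=INSTANCES):
    """Map instance ID -> open rules for instances where all three conditions hold."""
    findings = {}
    for inst in instances:
        if "PublicIpAddress" not in inst:
            continue                      # condition 1 fails: no public address
        if not subnet_is_public(inst["SubnetId"]):
            continue                      # condition 2 fails: private subnet
        rules = set()
        for sg in inst["SecurityGroups"]:
            rules |= sg_rules_open_to_internet(sg["GroupId"])
        if rules:                         # condition 3: a group allows the traffic
            findings[inst["InstanceId"]] = sorted(rules)
    return findings


if __name__ == "__main__":
    for instance_id, rules in internet_exposed_instances().items():
        print(f"{instance_id}: reachable from the internet on {rules}")
```

Run as-is, only `i-web` is reported: `i-app` sits in the public subnet with a public IP but its group allows nothing inbound, which is the setup the question proposes, while `i-db` carries the same over-permissive group as `i-web` and is still unreachable because its subnet routes 0.0.0.0/0 to a NAT gateway and it has no public address. The difference between `i-app` and `i-db` is that `i-app` is one rule edit away from the `i-web` finding, whereas `i-db` needs both a route-table change and a public IP; that gap is the defence in depth the first answer describes.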