amazon-web-services


Why do we need a Private Subnet + NAT translation in AWS? Can't we just use a Public Subnet + a properly configured security group?


So the purpose of private subnets in AWS is for its instances to not be directly accessible from the outside world. There are however cases (successfully resisted the 'instances' pun) in which it's useful for the instances to have access to the internet. One such use-case may be to download software updates for example.
The "standard" way to achieve this would be with a NAT gateway and a rule in the routing table pointing all outbound traffic to it (0.0.0.0/0 -> nat-gw).
The thing that puzzles me is this:
Can't we just use a public subnet with a properly configured security group (SG) that denies inbound traffic and allows specific outbound traffic? Since SGs are stateful, they should allow the response to the outbound traffic to go through, just as a NAT gateway would.
I assume I'm just missing something, or that the above configuration is limited in some way that I'm just not seeing. However I can't find an answer to this.
Compliance is one of the primary reasons one may choose to have private subnets. A lot of companies, especially financial institutions, have strict compliance requirements where there cannot be any public access to the servers. When you create a public subnet, there is a possibility of assigning a public IP address, which can make any instance accessible from the internet (again, as long as the security group allows it).
Security Groups are a firewall provided at a logical level by AWS. Creating a private subnet ensures that even if an instance belongs to a Security Group that allows access to certain ports and protocols, the server still won't be accessible publicly.
Another reason you may choose private subnets is to architect your infrastructure in a way that all public servers are always in the DMZ. Only the DMZ has access to the internet. Everything else is in a private subnet. In the event something goes wrong, access to the DMZ can be closed and further damage could be prevented.
The simple answer is... you're right!
You can certainly launch everything in a Public Subnet and use Security Groups to control traffic between the instances and to restrict inbound access from the Internet.
People use public & private subnets because this is the way that networks were traditionally designed, when firewalls only existed between subnets. Security Groups are an additional layer of security that works at the Elastic Network Interface, but that's a bit scary and new for many networking professionals (including people who design compliance requirements).
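To make the trade-off both answers describe concrete, here is an added example (not code from the original post or from AWS) that models the three controls in play: the subnet's default route, whether the instance has a public IP, and the security-group rules. The dataclass field names and the `igw-`/`nat-` identifiers are constructed simplifications, not the boto3 data model.

```python
# Added example (not from the original post); field names and igw-/nat- ids are constructed.
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Route:
    destination: str  # CIDR the route matches
    target: str       # "igw-..." (internet gateway) or "nat-..." (NAT gateway)

@dataclass
class SgRule:
    port: int
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound

@dataclass
class Instance:
    routes: list[Route]         # the subnet's route table
    public_ip: bool
    inbound: list[SgRule] = field(default_factory=list)
    outbound: list[SgRule] = field(default_factory=list)

def default_target(inst: Instance) -> str | None:
    """Target of the subnet's 0.0.0.0/0 route, or None if there is none."""
    return next((r.target for r in inst.routes if r.destination == "0.0.0.0/0"), None)

def sg_permits(rules: list[SgRule], ip: str, port: int) -> bool:
    return any(r.port == port and ip_address(ip) in ip_network(r.cidr) for r in rules)

def reachable_from_internet(inst: Instance, src_ip: str, port: int) -> bool:
    """Unsolicited inbound needs an IGW route, a public IP and an SG allow. A NAT
    gateway never forwards inbound, so a private subnet fails whatever the SG says."""
    tgt = default_target(inst)
    return (tgt is not None and tgt.startswith("igw-") and inst.public_ip
            and sg_permits(inst.inbound, src_ip, port))

def can_reach_internet(inst: Instance, dst_ip: str, port: int) -> bool:
    """Outbound (e.g. fetching updates) works via IGW + public IP or via NAT; SGs are
    stateful, so the reply needs no inbound rule in either design."""
    tgt = default_target(inst)
    via_igw = tgt is not None and tgt.startswith("igw-") and inst.public_ip
    via_nat = tgt is not None and tgt.startswith("nat-")
    return (via_igw or via_nat) and sg_permits(inst.outbound, dst_ip, port)

# Constructed scenarios: the asker's design, the same design after one inbound rule
# drifts in, and the private-subnet design the first answer favours.
IGW, NAT = Route("0.0.0.0/0", "igw-example"), Route("0.0.0.0/0", "nat-example")
HTTPS_OUT = [SgRule(443, "0.0.0.0/0")]
public_locked = Instance([IGW], public_ip=True, outbound=HTTPS_OUT)
public_drifted = Instance([IGW], public_ip=True, inbound=[SgRule(22, "0.0.0.0/0")], outbound=HTTPS_OUT)
private_nat = Instance([NAT], public_ip=False, inbound=[SgRule(22, "0.0.0.0/0")], outbound=HTTPS_OUT)
```

Both designs get the updates out, but only the private-subnet instance stays unreachable after a permissive inbound rule is added, which is the defence-in-depth point the first answer makes.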
