amazon-web-services


Why do we need a Private Subnet + NAT translation in AWS? Can't we just use a Public Subnet + a properly configured security group?


So the purpose of private subnets in AWS is for its instances to not be directly accessible from the outside world. There are however cases (successfully resisted the 'instances' pun) in which it's useful for the instances to have access to the internet. One such use-case may be to download software updates for example.
The "standard" way to achieve this would be with a NAT gateway and a rule in the routing table pointing all outbound traffic to it (0.0.0.0/0 -> nat-gw).
The thing that puzzles me is this:
Can't we just use a public subnet with a properly configured security group (SG) that denies inbound traffic and allows specific outbound traffic? Since SGs are stateful, they should allow the response to the outbound traffic to go through, just as a NAT gateway would.
I assume I'm just missing something, or that the above configuration is limited in some way that I'm just not seeing. However I can't find an answer to this.
Compliance is one of the primary reasons one may choose to have private subnets. A lot of companies, especially financial institutions, have strict compliance requirements where there cannot be any public access to the servers. When you create a public subnet, there is a possibility of assigning a public IP address, which can make any instance accessible from the internet (again, as long as the security group allows it).

Security Groups are a firewall provided at a logical level by AWS. Creating a private subnet ensures that even if an instance belongs to a Security Group that allows access to certain ports and protocols, the server still won't be accessible publicly.

Another reason you may choose private subnets is to architect your infrastructure in a way that all public servers are always in the DMZ. Only the DMZ has access to the internet. Everything else is in a private subnet. In the event something goes wrong, access to the DMZ can be closed and further damage could be prevented.
The simple answer is... you're right!
You can certainly launch everything in a Public Subnet and use Security Groups to control traffic between the instances and to restrict inbound access from the Internet.
People use public & private subnets because this is the way that networks were traditionally designed, when firewalls only existed between subnets. Security Groups are an additional layer of security that works at the Elastic Network Interface, but that's a bit scary and new for many networking professionals (including people who design compliance requirements).
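Both answers hinge on the same three-part condition: an instance is reachable from the internet only when its subnet's route table sends 0.0.0.0/0 to an internet gateway, the instance has a public IP, and at least one security group opens a port to the whole internet. The following script is an added example (not from either answer, and not AWS's own tooling) that evaluates that condition offline over constructed data whose shape loosely mimics boto3 `describe_route_tables`, `describe_security_groups` and `describe_instances` output. All IDs, CIDRs and addresses are made up; the main-route-table fallback for unassociated subnets is deliberately not modelled.

```python
"""Offline exposure check for the public-subnet-plus-SG versus private-subnet question.

An instance is reachable from the internet only if ALL of the following hold:
  1. its subnet's route table has a 0.0.0.0/0 route to an internet gateway (igw-*)
  2. it has a public IPv4 address
  3. an attached security group allows inbound from 0.0.0.0/0 or ::/0
A private subnet (default route to a NAT gateway) fails condition 1 no matter
what its security groups permit, which is the point the first answer makes.
"""
from ipaddress import ip_network

# --- constructed sample data (NOT real AWS output; IDs and addresses are invented) ---
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}]},
]

SECURITY_GROUPS = {
    # HTTPS open to the world
    "sg-web": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                  "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    # no inbound rules at all; outbound is handled by the (stateful) egress rules
    "sg-egress-only": {"IpPermissions": []},
    # SSH only from a specific office range
    "sg-ssh-office": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
}

INSTANCES = [
    {"InstanceId": "i-web", "SubnetId": "subnet-public",
     "PublicIpAddress": "198.51.100.10", "SecurityGroups": ["sg-web"]},
    {"InstanceId": "i-updater", "SubnetId": "subnet-public",
     "PublicIpAddress": "198.51.100.11", "SecurityGroups": ["sg-egress-only"]},
    # permissive SG, but sitting in the private subnet: no inbound path exists
    {"InstanceId": "i-db", "SubnetId": "subnet-private", "SecurityGroups": ["sg-web"]},
    {"InstanceId": "i-bastion", "SubnetId": "subnet-public",
     "PublicIpAddress": "198.51.100.12", "SecurityGroups": ["sg-ssh-office"]},
]


def subnet_is_public(subnet_id, route_tables):
    """True if the subnet's explicitly associated route table sends 0.0.0.0/0 to an IGW."""
    for rt in route_tables:
        if any(assoc.get("SubnetId") == subnet_id for assoc in rt["Associations"]):
            return any(route.get("DestinationCidrBlock") == "0.0.0.0/0"
                       and route.get("GatewayId", "").startswith("igw-")
                       for route in rt["Routes"])
    return False  # unassociated subnets use the VPC main route table; not modelled here


def open_inbound_rules(sg_ids, security_groups):
    """Return (sg_id, protocol, from_port, to_port) for rules whose source is any address."""
    found = []
    for sg_id in sg_ids:
        for perm in security_groups[sg_id]["IpPermissions"]:
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            # a /0 prefix (0.0.0.0/0 or ::/0) means "from anywhere"
            if any(ip_network(cidr, strict=False).prefixlen == 0 for cidr in sources):
                found.append((sg_id, perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return found


def assess(instance, route_tables, security_groups):
    """Classify one instance.

    'private'           no IGW route from its subnet; unreachable regardless of SGs
    'public-no-ip'      IGW route but no public IPv4 address; unreachable
    'public-restricted' public IP and IGW route, but no SG rule open to the whole internet
    'exposed'           all three conditions met
    """
    if not subnet_is_public(instance["SubnetId"], route_tables):
        return "private"
    if "PublicIpAddress" not in instance:
        return "public-no-ip"
    if not open_inbound_rules(instance["SecurityGroups"], security_groups):
        return "public-restricted"
    return "exposed"


def audit(instances=INSTANCES, route_tables=ROUTE_TABLES, security_groups=SECURITY_GROUPS):
    """Map every instance ID to its exposure class."""
    return {inst["InstanceId"]: assess(inst, route_tables, security_groups) for inst in instances}


if __name__ == "__main__":
    for instance_id, verdict in audit().items():
        print(f"{instance_id:12} {verdict}")
```

Running it classifies `i-web` as exposed, `i-updater` and `i-bastion` as public-restricted, and `i-db` as private even though it carries the same world-open `sg-web` group as `i-web`. That last row is the practical difference the answers describe: a public-restricted instance is one security-group edit away from becoming exposed, whereas an instance in the private subnet stays unreachable until someone changes the route table as well.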