amazon-web-services


Why do we need a Private Subnet + NAT translation in AWS? Can't we just use a Public Subnet + a properly configured security group?


So the purpose of private subnets in AWS is for its instances to not be directly accessible from the outside world. There are however cases (successfully resisted the 'instances' pun) in which it's useful for the instances to have access to the internet. One such use-case may be to download software updates for example.
The "standard" way to achieve this would be with a NAT gateway and a rule in the routing table pointing all outbound traffic to it (0.0.0.0/0 -> nat-gw).
The thing that puzzles me is this:
Can't we just use a public subnet with a properly configured security group (SG) that denies inbound traffic and allows specific outbound traffic? Since SGs are stateful, they should allow the response to the outbound traffic to go through, just as a NAT gateway would.
I assume I'm just missing something, or that the above configuration is limited in some way that I'm just not seeing. However I can't find an answer to this.
Compliance is one of the primary reasons one may choose to have private subnets. A lot of companies, especially financial institutions, have strict compliance requirements where there cannot be any public access to the servers. When you create a public subnet, there is a possibility of assigning a public IP address, which can make any instance accessible from the internet (again, as long as the security group allows it).

Security Groups are a firewall provided at a logical level by AWS. Creating a private subnet ensures that even if an instance belongs to a Security Group that allows access to certain ports and protocols, the server still won't be accessible publicly.

Another reason you may choose private subnets is to architect your infrastructure in a way that all public servers are always in the DMZ. Only the DMZ has access to the internet. Everything else is in a private subnet. In the event something goes wrong, access to the DMZ can be closed and further damage could be prevented.
The simple answer is... you're right!
You can certainly launch everything in a Public Subnet and use Security Groups to control traffic between the instances and to restrict inbound access from the Internet.
People use public & private subnets because this is the way that networks were traditionally designed, when firewalls only existed between subnets. Security Groups are an additional layer of security that works at the Elastic Network Interface, but that's a bit scary and new for many networking professionals (including people who design compliance requirements).
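As an added, offline illustration of the two answers above (this is not code from the original thread): a small Python audit that models the three independent controls involved, the subnet's default route, the public IP, and the security group, and reports which instances in a constructed inventory are reachable from 0.0.0.0/0. The instance IDs, subnet IDs, addresses and rules are constructed placeholders, and the model deliberately ignores network ACLs and "all traffic" (-1) rules.

```python
"""Audit which instances are reachable from the Internet, and why.
Exposure needs all three: a subnet default route to an Internet gateway, a
public IP, and a security group inbound rule open to 0.0.0.0/0. A private
subnet (default route to a NAT gateway) fails the first test whatever the SG allows."""
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class SecurityGroup:
    group_id: str
    ingress: list = field(default_factory=list)  # (proto, from_port, to_port, cidr)

@dataclass
class Subnet:
    subnet_id: str
    default_route_target: str  # where 0.0.0.0/0 goes: "igw-..." or "nat-..."

@dataclass
class Instance:
    instance_id: str
    subnet: Subnet
    public_ip: Optional[str]
    security_groups: List[SecurityGroup]

def subnet_is_public(subnet: Subnet) -> bool:
    return subnet.default_route_target.startswith("igw-")

def open_ports(groups: List[SecurityGroup]) -> set:
    """Ports any attached SG admits from the whole Internet (rules are additive)."""
    ports = set()
    for sg in groups:
        for _proto, from_port, to_port, cidr in sg.ingress:
            if cidr == "0.0.0.0/0":
                ports.update(range(from_port, to_port + 1))
    return ports

def internet_exposure(instance: Instance) -> List[int]:
    """Sorted ports reachable from 0.0.0.0/0; [] if any of the three layers blocks."""
    if not subnet_is_public(instance.subnet) or instance.public_ip is None:
        return []
    return sorted(open_ports(instance.security_groups))

# Constructed sample inventory (placeholder IDs, not real account data).
SSH_OPEN = SecurityGroup("sg-ssh-open", [("tcp", 22, 22, "0.0.0.0/0")])
PUBLIC, PRIVATE = Subnet("subnet-pub", "igw-example"), Subnet("subnet-priv", "nat-example")
FLEET = {
    "i-web": Instance("i-web", PUBLIC, "203.0.113.10", [SSH_OPEN]),  # exposed on 22
    "i-locked": Instance("i-locked", PUBLIC, "203.0.113.11", [SecurityGroup("sg-none")]),
    "i-app": Instance("i-app", PRIVATE, None, [SSH_OPEN]),  # same SG, unreachable
}
```

`i-locked` shows the asker's point (a public subnet with a deny-all SG is not reachable), while `i-web` versus `i-app` shows the first answer's point: the same over-permissive SG exposes the instance only when the subnet and public IP also allow it.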