amazon-web-services


Why do we need a Private Subnet + NAT translation in AWS? Can't we just use a Public Subnet + a properly configured security group?


So the purpose of private subnets in AWS is for their instances to not be directly accessible from the outside world. There are however cases (successfully resisted the 'instances' pun) in which it's useful for the instances to have access to the internet. One such use case may be downloading software updates, for example.
The "standard" way to achieve this would be with a NAT gateway and a rule in the routing table pointing all outbound traffic to it (0.0.0.0/0 -> nat-gw).
The thing that puzzles me is this:
Can't we just use a public subnet with a properly configured security group (SG) that denies inbound traffic and allows specific outbound traffic? Since SGs are stateful, they should allow the response to the outbound traffic to go through, just as a NAT gateway would.
I assume I'm just missing something, or that the above configuration is limited in some way that I'm just not seeing. However I can't find an answer to this.
Compliance is one of the primary reasons one may choose to have private subnets. A lot of companies, especially financial institutions, have strict compliance requirements where there cannot be any public access to the servers. When you create a public subnet, there is a possibility of assigning a public IP address, which can make any instance accessible from the internet (again, as long as the security group allows it).
Security Groups are a firewall provided at a logical level by AWS. Creating a private subnet ensures that even if an instance belongs to a Security Group that allows access to certain ports and protocols, the server still won't be accessible publicly.
Another reason you may choose private subnets is to architect your infrastructure in a way that all public servers are always in the DMZ. Only the DMZ has access to the internet. Everything else is in a private subnet. In the event something goes wrong, access to the DMZ can be closed and further damage can be prevented.
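The layered check the answer above describes can be made concrete with a small reachability model. This is an added example written for this page, not code from the question or answer, and it deliberately simplifies AWS (no NACLs, no IPv6, no DNS). All IDs and CIDRs (igw-0123, nat-0456, 10.0.0.0/16, the test IPs) are constructed. The point it demonstrates is that an instance in a private subnet stays unreachable even when somebody adds a permissive inbound rule to its security group, while the same mistake on a public subnet with a public IP exposes the host; outbound access from the private subnet still works because the default route points at the NAT gateway.

```python
"""Model of how AWS decides whether a packet reaches an EC2 instance.
Added example (not from the original post). Simplified rules used here:
  * a subnet is "public" only if its route table sends 0.0.0.0/0 to an
    internet gateway (igw-*);
  * unsolicited inbound traffic needs that IGW route AND a public/elastic
    IPv4 address on the instance AND a permitting security-group rule;
  * outbound traffic from a private subnet needs a 0.0.0.0/0 route to a
    NAT gateway (nat-*); security groups are stateful, so replies return.
All identifiers and addresses below are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    dest: str    # CIDR
    target: str  # "local", "igw-...", or "nat-..."


@dataclass
class SgRule:
    proto: str       # "tcp", "udp", or "-1" (all)
    from_port: int
    to_port: int
    cidr: str        # source (inbound) or destination (outbound) CIDR


@dataclass
class Instance:
    name: str
    subnet_routes: list
    public_ip: bool
    sg_inbound: list = field(default_factory=list)
    sg_outbound: list = field(default_factory=list)


def longest_match(routes, dst_ip):
    """Pick the most specific route whose CIDR contains dst_ip."""
    best = None
    for r in routes:
        net = ip_network(r.dest)
        if ip_address(dst_ip) in net and (
            best is None or net.prefixlen > ip_network(best.dest).prefixlen
        ):
            best = r
    return best


def sg_permits(rules, proto, port, peer_ip):
    return any(
        (r.proto == "-1" or r.proto == proto)
        and r.from_port <= port <= r.to_port
        and ip_address(peer_ip) in ip_network(r.cidr)
        for r in rules
    )


def reachable_from_internet(inst, proto, port, src_ip="198.51.100.7"):
    """Unsolicited inbound connection from the internet: (allowed, reason)."""
    route = longest_match(inst.subnet_routes, src_ip)
    if route is None or not route.target.startswith("igw-"):
        return False, "subnet has no internet-gateway route (private subnet)"
    if not inst.public_ip:
        return False, "instance has no public/elastic IP"
    if not sg_permits(inst.sg_inbound, proto, port, src_ip):
        return False, "security group denies inbound"
    return True, "reachable"


def can_reach_internet(inst, proto, port, dst_ip="203.0.113.10"):
    """Outbound connection (e.g. fetching updates): (allowed, reason)."""
    if not sg_permits(inst.sg_outbound, proto, port, dst_ip):
        return False, "security group denies outbound"
    route = longest_match(inst.subnet_routes, dst_ip)
    if route is None or route.target == "local":
        return False, "no default route"
    if route.target.startswith("igw-"):
        return (True, "via internet gateway") if inst.public_ip else (
            False, "IGW route but no public IP")
    if route.target.startswith("nat-"):
        return True, "via NAT gateway (source NATed)"
    return False, f"unexpected route target {route.target}"


LOCAL = Route("10.0.0.0/16", "local")
PUBLIC_ROUTES = [LOCAL, Route("0.0.0.0/0", "igw-0123")]
PRIVATE_ROUTES = [LOCAL, Route("0.0.0.0/0", "nat-0456")]
HTTPS_OUT = [SgRule("tcp", 443, 443, "0.0.0.0/0")]
LEAKED_SSH_IN = [SgRule("tcp", 22, 22, "0.0.0.0/0")]  # the mistake the answer warns about


def scenarios():
    return {
        "public+sg": Instance("public+sg", PUBLIC_ROUTES, True, [], HTTPS_OUT),
        "public+sg-leak": Instance("public+sg-leak", PUBLIC_ROUTES, True, LEAKED_SSH_IN, HTTPS_OUT),
        "private+nat": Instance("private+nat", PRIVATE_ROUTES, False, [], HTTPS_OUT),
        "private+nat-leak": Instance("private+nat-leak", PRIVATE_ROUTES, False, LEAKED_SSH_IN, HTTPS_OUT),
    }


def evaluate():
    """Map scenario name -> {'inbound_ssh': bool, 'outbound_https': bool}."""
    return {
        name: {
            "inbound_ssh": reachable_from_internet(inst, "tcp", 22)[0],
            "outbound_https": can_reach_internet(inst, "tcp", 443)[0],
        }
        for name, inst in scenarios().items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:18} {verdict}")
```

Both "leak" scenarios carry the same bad rule; only the public-subnet one becomes reachable, which is the defense-in-depth argument for keeping the private subnet even though the security group alone would have been sufficient in the happy path.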
The simple answer is... you're right!
You can certainly launch everything in a Public Subnet and use Security Groups to control traffic between the instances and to restrict inbound access from the Internet.
People use public & private subnets because this is the way that networks were traditionally designed, when firewalls only existed between subnets. Security Groups are an additional layer of security that works at the Elastic Network Interface, but that's a bit scary and new for many networking professionals (including people who design compliance requirements).
