Why do we need a Private Subnet + NAT translation in AWS? Can't we just use a Public Subnet + a properly configured security group?
So the purpose of private subnets in AWS is for its instances to not be directly accessible from the outside world. There are however cases (successfully resisted the 'instances' pun) in which it's useful for the instances to have access to the internet. One such use-case may be to download software updates for example.

The "standard" way to achieve this would be with a NAT gateway and a rule in the routing table pointing all outbound traffic to it (0.0.0.0/0 -> nat-gw).

The thing that puzzles me is this: Can't we just use a public subnet with a properly configured security group (SG) that denies inbound traffic and allows specific outbound traffic? Since SGs are stateful, they should allow the response to the outbound traffic to go through, just as a NAT gateway would.

I assume I'm just missing something, or that the above configuration is limited in some way that I'm just not seeing. However I can't find an answer to this.

Veronica answered 15/5, 2017 at 17:42

"Can't we just use a public subnet with a properly configured security group" - For every problem, there are many possible solutions. There are multiple reasons why "different subnets (private or public)" could be used, like scalability and support for a large number of resources/IPs, zoning to mitigate risks, compliance requirements, etc. If you don't care (or) don't have any of these requirements, you are free to architect whichever way you would like. – Snowdrop

So what then would be a reason not to do this (aside from outside compliance reasons)? I'm just trying to get a better grasp of the situation and gain the ability to discern when this is appropriate and when it isn't. – Veronica

As I commented, if you have any requirements like I listed, which most of the big corporations have, then you would choose the private + public subnet approach. If you have just a single (or) a couple of EC2 instances most of the time, just go with public subnet + SG. So, the concrete answer for which approach depends on a lot of factors. In summary, the answer to this question is NOT just dependent on the technical stack; non-tech circumstances play a major part. – Snowdrop
  1. Compliance is one of the primary reasons one may choose to have private subnets. A lot of companies, especially financial institutions, have strict compliance requirements where there cannot be any public access to the servers. When you create a public subnet, there is a possibility of assigning a public IP address, which can make any instance accessible from the internet (again, as long as the security group allows it).
  2. Security Groups are a firewall provided at a logical level by AWS. Creating a private subnet ensures that even if an instance belongs to a Security Group that allows access to certain ports and protocols, the server still won't be accessible publicly.
  3. Another reason you may choose private subnets is to architect your infrastructure in a way that all public servers are always in the DMZ. Only the DMZ has access to the internet. Everything else is in a private subnet. In the event something goes wrong, access to the DMZ can be closed and further damage prevented.
Hollingshead answered 15/5, 2017 at 20:19

What is DMZ? – Similitude
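The question's two layouts (0.0.0.0/0 -> NAT gateway from a private subnet, versus a public subnet relying entirely on the security group) and the answer's points 1 and 2 (a public IP plus a permissive SG is all it takes) can be checked mechanically. The script below is an added example, not code from the question or the answers: it models the three conditions that must all hold for unsolicited internet traffic to reach an instance (a default route to an internet gateway, a public IP for the IGW to translate, and an inbound SG rule from 0.0.0.0/0 or ::/0) and, separately, whether the instance has outbound internet access (a NAT gateway route works without a public IP; an IGW route only carries traffic for instances that have one). Network ACLs are not modelled. The inventory is constructed to resemble trimmed output of `aws ec2 describe-route-tables`, `describe-security-groups` and `describe-instances`; every ID and address in it is made up.

```python
"""Offline exposure check for the two VPC layouts discussed in the thread.

Added example, not part of the original question or answers. All IDs and
addresses below are constructed; the data is shaped like trimmed AWS CLI output.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Subnet:
    subnet_id: str
    routes: dict  # destination CIDR -> target, e.g. {"0.0.0.0/0": "igw-0a1b2c3d"}


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list  # (protocol, from_port, to_port, source CIDR); "-1" = all traffic


@dataclass
class Instance:
    instance_id: str
    subnet_id: str
    public_ip: Optional[str]
    security_groups: list  # security group IDs attached to the ENI


def default_route_target(subnet: Subnet) -> Optional[str]:
    """Target of the 0.0.0.0/0 route, or None if the route table has no default route."""
    return subnet.routes.get("0.0.0.0/0")


def is_public_subnet(subnet: Subnet) -> bool:
    """AWS calls a subnet 'public' when its default route points at an internet gateway."""
    target = default_route_target(subnet)
    return target is not None and target.startswith("igw-")


def rule_matches_port(proto, from_port, to_port, port: int) -> bool:
    if proto == "-1":  # all traffic: ports are not part of the rule
        return True
    if from_port is None or to_port is None:
        return False
    return from_port <= port <= to_port


def sg_open_to_world(sg: SecurityGroup, port: int) -> bool:
    """True if an inbound rule covering `port` has a source spanning the whole
    address space (0.0.0.0/0 or ::/0). Narrower public sources count as allow-listing."""
    for proto, from_port, to_port, src in sg.inbound:
        if rule_matches_port(proto, from_port, to_port, port):
            if ipaddress.ip_network(src, strict=False).prefixlen == 0:
                return True
    return False


def inbound_reachable_from_internet(inst: Instance, subnets, sgs, port: int) -> tuple:
    """(reachable, reason). Route, public IP and SG rule must all line up."""
    subnet = subnets[inst.subnet_id]
    if not is_public_subnet(subnet):
        return False, "subnet has no route to an internet gateway"
    if inst.public_ip is None:
        return False, "no public IP, so the IGW has nothing to translate"
    if not any(sg_open_to_world(sgs[g], port) for g in inst.security_groups):
        return False, "no security-group rule admits 0.0.0.0/0 on port %d" % port
    return True, "IGW route + public IP + world-open SG rule"


def has_internet_egress(inst: Instance, subnets) -> bool:
    """NAT gateway route: egress without a public IP. IGW route: egress only with one."""
    target = default_route_target(subnets[inst.subnet_id])
    if target is None:
        return False
    if target.startswith("nat-"):
        return True
    return target.startswith("igw-") and inst.public_ip is not None


# Constructed sample inventory (made-up IDs and addresses).
SUBNETS = {
    "subnet-pub": Subnet("subnet-pub", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0a1b2c3d"}),
    "subnet-priv": Subnet("subnet-priv", {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0f9e8d7c"}),
}
SGS = {
    "sg-locked": SecurityGroup("sg-locked", [("tcp", 22, 22, "10.0.0.0/16")]),  # SSH from the VPC only
    "sg-open": SecurityGroup("sg-open", [("tcp", 22, 22, "0.0.0.0/0")]),        # the mistake the answers warn about
}
INSTANCES = [
    Instance("i-pub-locked", "subnet-pub", "203.0.113.10", ["sg-locked"]),
    Instance("i-pub-open", "subnet-pub", "203.0.113.11", ["sg-open"]),
    Instance("i-priv-open", "subnet-priv", None, ["sg-open"]),
]


def audit(instances, subnets, sgs, port: int = 22) -> dict:
    """instance ID -> (reachable from the internet on `port`, has outbound internet access)."""
    return {
        i.instance_id: (inbound_reachable_from_internet(i, subnets, sgs, port)[0],
                        has_internet_egress(i, subnets))
        for i in instances
    }


if __name__ == "__main__":
    for inst_id, (inbound, egress) in audit(INSTANCES, SUBNETS, SGS).items():
        print(f"{inst_id:13} reachable on 22: {str(inbound):5}  outbound: {egress}")
```

Running it shows the three cases side by side: `i-pub-locked` is the questioner's design done carefully (not reachable, has egress), `i-pub-open` is the same layout with one permissive SG rule (reachable), and `i-priv-open` carries that identical bad rule but is still not reachable because the only way in or out is the NAT gateway, while it keeps outbound access for updates. The same three-condition check is what a scanner run against real `describe-*` output would implement, with the caveat that NACLs and VPC endpoints would need to be added.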

The simple answer is... you're right!

You can certainly launch everything in a Public Subnet and use Security Groups to control traffic between the instances and to restrict inbound access from the Internet.

People use public & private subnets because this is the way that networks were traditionally designed, when firewalls only existed between subnets. Security Groups are an additional layer of security that works at the Elastic Network Interface, but that's a bit scary and new for many networking professionals (including people who design compliance requirements).

Apathy answered 15/5, 2017 at 23:12
