Why do we need private subnet + NAT translation on AWS? Can't we use a public subnet + a properly configured security group?

So, the purpose of private subnets in AWS is that their instances cannot be directly accessed from the outside world. However, there are cases (successfully resisted "instances" puns) in which it is useful for the instances to have access to the Internet. One such use case might be downloading software updates, for example.

The "standard" way to achieve this would be with a NAT gateway and a rule in the routing table indicating all outgoing traffic (0.0.0.0/0 → nat-gw).

What puzzles me is this: Can't we use a public subnet with a properly configured Security Group (SG) that denies inbound traffic and allows certain outbound traffic? Since SGs are stateful, they should be able to pass the responses to outbound traffic, just like a NAT gateway.

I am guessing that I am just missing something, or that the above configuration is limited in some way that I simply cannot see. However, I cannot find an answer to this question.

+3




2 answers


  • Compliance is one of the main reasons why you might choose private subnets. Many companies, especially financial institutions, have strict compliance requirements that servers must not be openly accessible. When you create a public subnet, there is the option of assigning a public IP address, which makes the instance accessible from the Internet (again, as long as the security group allows it).
  • Security Groups are a logical firewall provided by AWS. Creating a private subnet ensures that even if an instance belongs to a security group that grants access to specific ports and protocols, the server will still not be publicly accessible.
  • Another reason you might choose private subnets is to architect your infrastructure so that all public-facing servers are always in the DMZ. Only the DMZ has access to the Internet; everything else is on a private subnet. If something goes wrong, access to the DMZ can be closed off and further damage prevented.


+3




Simple answer: you are right!

You can run everything on a shared subnet and use security groups to control traffic between instances and restrict inbound access from the Internet.



People use public and private subnets because this is how networks were traditionally designed, when firewalls only existed between subnets. Security Groups are an additional layer of security that works at the Elastic Network Interface, but they are a bit scary and new for many network professionals (including the people who write compliance requirements).

+4


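The two answers make complementary points: the first, that an instance in a private subnet is unreachable from the Internet no matter how permissive its security group is; the second, that a public subnet plus a security group with no inbound rules is also unreachable, but only one added rule away from not being so. The following audit script is an added example that is not part of the question or either answer. It encodes the three conditions that must all hold for unsolicited inbound reachability (public IP, default route to an internet gateway, an ingress rule open to 0.0.0.0/0 or ::/0) and runs them over constructed describe-style records. Resource IDs and addresses are placeholders, and the model deliberately ignores network ACLs and IPv6 egress-only gateways.

```python
"""Classify EC2 instances by Internet exposure, modelled on describe-* output.

Unsolicited inbound traffic can reach an instance only if all three hold:
  1. the instance has a public or Elastic IP,
  2. its subnet's default route (0.0.0.0/0) points at an internet gateway (igw-*),
  3. an attached security group allows ingress from 0.0.0.0/0 or ::/0.
Egress-only access needs (2) satisfied by either an igw-* or a nat-* target.
All IDs, CIDRs and rules below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Optional

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


@dataclass
class RouteTable:
    routes: dict  # destination CIDR -> target id, e.g. {"0.0.0.0/0": "igw-..."}


@dataclass
class IngressRule:
    protocol: str  # "tcp", "udp", or "-1" for all
    from_port: int
    to_port: int
    cidr: str


@dataclass
class SecurityGroup:
    group_id: str
    ingress: list = field(default_factory=list)  # egress is irrelevant to reachability


@dataclass
class Instance:
    instance_id: str
    public_ip: Optional[str]
    route_table: RouteTable
    security_groups: list


def default_route_target(rt: RouteTable) -> Optional[str]:
    """Target of the subnet's default route, or None if it has none."""
    return rt.routes.get(ANY_V4)


def has_inbound_internet_path(rt: RouteTable) -> bool:
    """Only an internet gateway lets packets from the Internet reach the subnet."""
    target = default_route_target(rt)
    return target is not None and target.startswith("igw-")


def has_outbound_internet_path(rt: RouteTable) -> bool:
    """An internet gateway or a NAT gateway both give instances a way out."""
    target = default_route_target(rt)
    return target is not None and target.startswith(("igw-", "nat-"))


def open_ingress_rules(sgs: list) -> list:
    """Ingress rules across all attached groups that accept traffic from anywhere."""
    return [r for sg in sgs for r in sg.ingress if r.cidr in (ANY_V4, ANY_V6)]


def classify(inst: Instance) -> str:
    """Summarise one instance's exposure as a single state."""
    if inst.public_ip and has_inbound_internet_path(inst.route_table):
        if open_ingress_rules(inst.security_groups):
            return "INTERNET_REACHABLE"
        # Second answer's design: safe now, but one added ingress rule away from exposure.
        return "PUBLIC_SUBNET_SG_CLOSED"
    if has_outbound_internet_path(inst.route_table):
        # First answer's design: egress works, inbound is impossible whatever the SG says.
        return "NAT_EGRESS_ONLY"
    return "ISOLATED"


# Constructed sample records (placeholder IDs; 203.0.113.0/24 is a documentation range).
PUBLIC_RT = RouteTable({"10.0.0.0/16": "local", ANY_V4: "igw-0example"})
PRIVATE_RT = RouteTable({"10.0.0.0/16": "local", ANY_V4: "nat-0example"})
ISOLATED_RT = RouteTable({"10.0.0.0/16": "local"})

SG_WEB = SecurityGroup("sg-web", [IngressRule("tcp", 443, 443, ANY_V4)])
SG_CLOSED = SecurityGroup("sg-closed")  # no inbound rules at all
SG_SLOPPY = SecurityGroup("sg-sloppy", [IngressRule("tcp", 22, 22, ANY_V4)])

SAMPLE_INSTANCES = [
    Instance("i-web", "203.0.113.10", PUBLIC_RT, [SG_WEB]),
    Instance("i-public-closed", "203.0.113.11", PUBLIC_RT, [SG_CLOSED]),
    Instance("i-private-sloppy-sg", None, PRIVATE_RT, [SG_SLOPPY]),
    Instance("i-isolated", None, ISOLATED_RT, [SG_SLOPPY]),
]


def audit(instances: list = SAMPLE_INSTANCES) -> dict:
    """Map instance id -> exposure state for a fleet."""
    return {i.instance_id: classify(i) for i in instances}


if __name__ == "__main__":
    for instance_id, state in audit().items():
        print(f"{instance_id:24} {state}")
```

Note that `i-private-sloppy-sg` carries a security group opening SSH to the world and is still unreachable, which is the first answer's argument, while `i-public-closed` is safe only as long as nobody edits `sg-closed`, which is the second answer's caveat about relying on a single control. To use this against real accounts you would populate the records from `describe-instances`, `describe-route-tables` and `describe-security-groups` output instead of the constructed samples.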