AWS VPC - why have a private subnet at all?
Solution 1:
It's a security boundary to have a private subnet that you can control with different security groups from the public subnet. If one of your instances in the public subnet were hacked, it will be that much more difficult to hack into instances in the private subnet if you are not too liberal in your access policies.
Solution 2:
As well as the security implications, there is also another aspect that comes into play: If you want to allow instances without Elastic IPs to access the internet, you might need 2 (or more) different subnets.
Paraphrasing the AWS documentation, within a VPC there a three ways to allow instances internet access:
- Elastic IPs - but you only get 5 by default I think, and then you have to pay for more
- Route traffic though a Virtual Private Gateway - this requires you to have a hardware VPN connection to your corporate (or home) network
- Setup a NAT instance and route all outbound traffic via the NAT
The third option is the interesting one in that the NAT instance has to sit inside a "public" subnet where all outbound traffic is routed to an Internet Gateway, but all other instances have to sit in a "private" subnet where all outbound traffic is routed to the NAT instance.
In short, if you're planning on using a NAT, you need at least 2 subnets.