AWS VPC - why have a private subnet at all?

Solution 1:

It's a security boundary to have a private subnet that you can control with different security groups from the public subnet. If one of your instances in the public subnet were hacked, it would be that much more difficult to hack into instances in the private subnet if you are not too liberal in your access policies.

Solution 2:

As well as the security implications, there is also another aspect that comes into play: If you want to allow instances without Elastic IPs to access the internet, you might need 2 (or more) different subnets.

Paraphrasing the AWS documentation, within a VPC there are three ways to allow instances internet access:

  1. Elastic IPs - but you only get 5 by default I think, and then you have to pay for more
  2. Route traffic through a Virtual Private Gateway - this requires you to have a hardware VPN connection to your corporate (or home) network
  3. Set up a NAT instance and route all outbound traffic via the NAT

The third option is the interesting one in that the NAT instance has to sit inside a "public" subnet where all outbound traffic is routed to an Internet Gateway, but all other instances have to sit in a "private" subnet where all outbound traffic is routed to the NAT instance.

In short, if you're planning on using a NAT, you need at least 2 subnets.
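As an added illustration (not part of either answer above, and not the AWS API), the following Python models the two-subnet layout from Solution 2 and the security-group boundary from Solution 1 as plain data, then checks it the way a reviewer of a VPC design would: a subnet is "public" when its default route points at an Internet Gateway and "private" otherwise, the NAT instance must sit in a public subnet with its source/destination check disabled, every private subnet's default route must go to that NAT, and private-subnet instances should not accept ingress from `0.0.0.0/0` or the whole VPC CIDR. All resource IDs (`igw-EXAMPLE`, `i-nat-EXAMPLE`, the `sg-*` and `subnet-*` names) and the 10.0.0.0/16 addressing are constructed sample values; a managed NAT gateway target (`nat-...`) is classified as private in the same way as a NAT instance.

```python
# Added example: toy model of VPC route tables, subnets and security groups,
# with checks for the public/private NAT layout described in the answers.
# All IDs and CIDRs below are constructed placeholders, not real AWS resources.
from dataclasses import dataclass, field
from typing import Dict, List

VPC_CIDR = "10.0.0.0/16"  # constructed sample VPC


@dataclass
class RouteTable:
    rtb_id: str
    routes: Dict[str, str]  # destination CIDR -> target ("local", igw-..., i-..., nat-...)


@dataclass
class Subnet:
    subnet_id: str
    cidr: str
    route_table: RouteTable


@dataclass
class SecurityGroup:
    sg_id: str
    ingress: List[str] = field(default_factory=list)  # source CIDRs or sg- ids


@dataclass
class Instance:
    instance_id: str
    subnet_id: str
    security_groups: List[str]
    source_dest_check: bool = True  # AWS default; must be off for a NAT instance


def classify_subnet(subnet: Subnet) -> str:
    """'public' if the default route targets an Internet Gateway, 'private' if it
    targets anything else (NAT instance/gateway, VGW), 'isolated' if there is none."""
    target = subnet.route_table.routes.get("0.0.0.0/0")
    if target is None:
        return "isolated"
    return "public" if target.startswith("igw-") else "private"


def check_nat_layout(subnets: List[Subnet], instances: List[Instance],
                     nat_instance_id: str) -> List[str]:
    """Return findings (empty list = layout matches the two-subnet NAT pattern)."""
    findings = []
    by_id = {s.subnet_id: s for s in subnets}
    nat = next((i for i in instances if i.instance_id == nat_instance_id), None)
    if nat is None:
        return [f"NAT instance {nat_instance_id} not found"]
    if classify_subnet(by_id[nat.subnet_id]) != "public":
        findings.append(f"NAT instance {nat_instance_id} is not in a public subnet")
    if nat.source_dest_check:
        findings.append(f"NAT instance {nat_instance_id} still has source/dest check enabled")
    for s in subnets:
        if s.subnet_id == nat.subnet_id:
            continue
        if classify_subnet(s) == "private" and s.route_table.routes["0.0.0.0/0"] != nat_instance_id:
            findings.append(f"{s.subnet_id} default route does not go to the NAT instance")
    return findings


def check_sg_boundary(subnets: List[Subnet], instances: List[Instance],
                      groups: List[SecurityGroup]) -> List[str]:
    """Flag private-subnet instances whose security groups accept ingress from
    anywhere or from the whole VPC instead of from a specific source group."""
    findings = []
    by_id = {s.subnet_id: s for s in subnets}
    sgs = {g.sg_id: g for g in groups}
    for inst in instances:
        if classify_subnet(by_id[inst.subnet_id]) != "private":
            continue
        for sg_id in inst.security_groups:
            for src in sgs[sg_id].ingress:
                if src in ("0.0.0.0/0", VPC_CIDR):
                    findings.append(f"{inst.instance_id}: {sg_id} allows ingress from {src}")
    return findings


# Constructed sample matching the answer: a public subnet holding the NAT and a
# web tier, and a private subnet whose default route is the NAT instance.
RTB_PUBLIC = RouteTable("rtb-public", {VPC_CIDR: "local", "0.0.0.0/0": "igw-EXAMPLE"})
RTB_PRIVATE = RouteTable("rtb-private", {VPC_CIDR: "local", "0.0.0.0/0": "i-nat-EXAMPLE"})
PUBLIC = Subnet("subnet-public", "10.0.0.0/24", RTB_PUBLIC)
PRIVATE = Subnet("subnet-private", "10.0.1.0/24", RTB_PRIVATE)
SG_WEB = SecurityGroup("sg-web", ingress=["0.0.0.0/0"])
SG_DB_GOOD = SecurityGroup("sg-db-good", ingress=["sg-web"])   # only from the web tier
SG_DB_BAD = SecurityGroup("sg-db-bad", ingress=[VPC_CIDR])     # too liberal
NAT = Instance("i-nat-EXAMPLE", "subnet-public", ["sg-web"], source_dest_check=False)
WEB = Instance("i-web", "subnet-public", ["sg-web"])
DB_GOOD = Instance("i-db-good", "subnet-private", ["sg-db-good"])
DB_BAD = Instance("i-db-bad", "subnet-private", ["sg-db-bad"])


def demo() -> dict:
    subnets, instances = [PUBLIC, PRIVATE], [NAT, WEB, DB_GOOD, DB_BAD]
    groups = [SG_WEB, SG_DB_GOOD, SG_DB_BAD]
    return {
        "kinds": {s.subnet_id: classify_subnet(s) for s in subnets},
        "nat_findings": check_nat_layout(subnets, instances, "i-nat-EXAMPLE"),
        "sg_findings": check_sg_boundary(subnets, instances, groups),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it reports both subnets' classification, no NAT-layout findings for the sample, and one security-group finding for `i-db-bad`, whose group admits the entire VPC rather than just the web tier's group. Moving the NAT instance into the private subnet, or leaving its source/destination check at the default, produces findings instead.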