
Hi, I have a quick question.

I tried to build 1 Ubuntu web server instance in AWS with the config below: 1 Ubuntu instance with 2 network interfaces, one interface for public (http and https) (eth0) and the other one for the mgmt console (ssh:22) (eth1), and each interface has an elastic IP.

For the security group config:

eth0 has inbound for ports 80 and 443 from any IP
while eth1 has inbound for port 22 from any IP

Below is my interface - VPC config.

- public interface (eth0) and mgmt interface (eth1) are in the same VPC but different subnets.

eth0 is in the public subnet with the public route table (local and internet gateway)
eth1 is in the private subnet with the public route table (local and internet gateway) *later I will change to a pvt subnet and allow access only through VPN.

So now the question: the above is not working... any idea why? Or, if you can see what I'm trying to achieve, do you have a better idea or design?

Thank you in advance! AnD


1 Answer

You're going to a lot of unnecessary trouble. Instances in VPC still have a private address in addition to their public address (if they have one), and you will be able to use that address in the future for management.

Having separate addresses for http/s and ssh adds nothing significant for security -- it only adds obscurity.

The answer to why it isn't working probably lies in the asymmetric routing of the return traffic. Disabling the IP source/dest check for the instance might make it work; otherwise you probably need some policy routing to make responses leave on the correct interface.

Also, a subnet with a default route pointing to the internet gateway object is by definition not a private subnet. A private subnet uses a NAT instance as its default route, and public addresses don't work on a private subnet.

Why do we need private subnet in VPC?

Michael - sqlbot
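As an added illustration of the policy-routing fix the answer mentions (not part of the original answer or of any AWS tooling): a POSIX shell helper that gives a second ENI its own routing table plus a source-based rule, so replies to connections that arrived on eth1 leave through eth1's gateway instead of the main table's default route. Interface names, addresses and table numbers are assumed placeholders.

```shell
#!/bin/sh
# Added example: source-based policy routing for a dual-ENI Linux instance.
# Without it, replies to traffic that arrived on eth1 follow the main table's
# default route out of eth0, and the asymmetric path breaks the session.
# All addresses, interface names and table numbers here are assumptions.

# Execute a command, or only print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# add_iface_routing IFACE ADDR SUBNET_CIDR GATEWAY TABLE_ID
# Gives IFACE its own routing table (the subnet's connected route and a
# default route via the subnet's gateway) and a rule that sends packets whose
# source address is ADDR to that table. The main table is left untouched, so
# the instance's normal default route (eth0) still applies to new outbound flows.
add_iface_routing() {
  iface=$1; addr=$2; subnet=$3; gw=$4; table=$5
  run ip route add "$subnet" dev "$iface" src "$addr" table "$table"
  run ip route add default via "$gw" dev "$iface" table "$table"
  run ip rule add from "$addr" table "$table" priority "$table"
}

# Report whether a source rule for ADDR is present (exit 0) or absent (exit 1).
has_source_rule() {
  ip rule show 2>/dev/null | grep -q "from $1 "
}

# Example invocation for the management interface, placeholder values:
#   DRY_RUN=1 add_iface_routing eth1 10.0.2.15 10.0.2.0/24 10.0.2.1 101
# In a VPC the subnet's gateway is the first host address of the subnet (.1).
```

Run it once with DRY_RUN=1 to review the commands, then as root without it; the rules do not survive a reboot, so persist them in your distribution's network configuration.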