I have a VPC created according to scenario 2: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
When creating an instance in the public subnet, I'm given the choice of:
1- Not associating a public IP to the instance
2- Associating a public IP that can change when the instance is restarted
3- Associating an Elastic IP
My question is: what is the difference, security-wise, between creating an instance in the public subnet but without a public IP (option 1) and creating the instance in the private subnet? I know that private instances are behind a NAT, but does this really add a relevant layer of security? Wouldn't I be as protected with a public instance without a public IP belonging to a sound security group?
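An added illustration (not part of the question above, and not AWS code): a small IPv4-only model of the reachability rules behind the three options in the question, so the two layers, addressing/routing and security groups, can be compared separately. It encodes three facts about VPC networking: an internet gateway only translates between a public IPv4 address and the private address it is mapped to, so an instance with no public IP has no internet path through the IGW in either direction; a NAT gateway forwards outbound-initiated connections only; and a security group is evaluated after that, so an open group on an unreachable address exposes nothing. The class names `Subnet`/`Instance`, the functions `inbound_from_internet`/`outbound_to_internet`/`compare`, and the 10.0.0.0/16 VPC range are this example's own constructed choices, not AWS identifiers.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

# Constructed sample VPC range (the scenario 2 walkthrough also uses 10.0.0.0/16).
VPC_CIDR = ip_network("10.0.0.0/16")


@dataclass
class Subnet:
    name: str
    default_route: str  # "igw" = public subnet, "nat" = private subnet, "none" = isolated


@dataclass
class Instance:
    name: str
    subnet: Subnet
    has_public_ip: bool  # auto-assigned or Elastic IP; identical for reachability purposes
    ingress: list = field(default_factory=list)  # security-group rules as (cidr, port) tuples


def inbound_from_internet(inst: Instance, port: int) -> bool:
    """True if a host on the internet can open a connection to `port` on `inst`."""
    # Addressing and routing first: an IGW only forwards internet-originated packets
    # to a public IP it maps, and a NAT gateway never forwards unsolicited inbound packets.
    if inst.subnet.default_route != "igw" or not inst.has_public_ip:
        return False
    # Only then does the security group matter: a rule confined to the VPC range admits
    # no internet source; anything wider (e.g. 0.0.0.0/0) does.
    return any(
        p == port and not ip_network(cidr).subnet_of(VPC_CIDR)
        for cidr, p in inst.ingress
    )


def outbound_to_internet(inst: Instance) -> bool:
    """True if `inst` can itself initiate connections to the internet (updates, callbacks)."""
    if inst.subnet.default_route == "igw":
        return inst.has_public_ip  # no public IP means no IGW translation, so no path out
    return inst.subnet.default_route == "nat"  # NAT gateway translates on the instance's behalf


def compare(port: int = 22) -> dict:
    """Evaluate the question's options side by side; returns name -> (inbound, outbound)."""
    public = Subnet("public-10.0.0.0/24", "igw")
    private = Subnet("private-10.0.1.0/24", "nat")
    ssh_from_anywhere = [("0.0.0.0/0", 22)]   # a weak group
    ssh_from_vpc = [("10.0.0.0/16", 22)]      # a sound group: VPC sources only
    fleet = [
        Instance("public subnet, no public IP", public, False, ssh_from_anywhere),
        Instance("public subnet, public IP, open SG", public, True, ssh_from_anywhere),
        Instance("public subnet, public IP, VPC-only SG", public, True, ssh_from_vpc),
        Instance("private subnet", private, False, ssh_from_anywhere),
    ]
    return {i.name: (inbound_from_internet(i, port), outbound_to_internet(i)) for i in fleet}


if __name__ == "__main__":
    for name, (inbound, outbound) in compare().items():
        print(f"{name:40} inbound: {inbound!s:5}  outbound: {outbound}")
```

Running it shows the practical difference between the two options in the question: both the public-subnet instance without a public IP and the private-subnet instance are unreachable from the internet whatever their security group says, but only the private-subnet instance can still reach out through the NAT. The model deliberately ignores IPv6, network ACLs, NAT instances configured for port forwarding, VPC peering, and lateral movement from other hosts inside the VPC, all of which change the picture in a real deployment.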