
I have a VPC created according to scenario 2: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

When creating an instance in the public subnet, I'm given the choice of:

1. Not associating a public IP to the instance
2. Associating a public IP that can change when the instance is restarted
3. Associating an Elastic IP

My question is: what is the difference, security-wise, between creating an instance in the public subnet but without a public IP (option 1) and creating the instance in the private subnet? I know that private instances are behind a NAT, but does this really add a relevant layer of security? Wouldn't I be as protected with a public instance without a public IP belonging to a sound security group?

John Rotenstein

1 Answer

Check out this answer about the difference between private and public subnets in AWS.

In short, the distinction is at the networking layer with the resulting security posture being similar. The instance on the public subnet without a publicly routable address will not be able to receive inbound connections nor make outbound connections without an attached EIP address -- even if the security group would otherwise allow it. (So, for example, you'd have to attach an EIP just to SSH into the instance.) In effect, it's a blanket block whereas the NAT allows you to fine tune access like you would normally expect.

You can also read more about instance addressing in the AWS User Guide.

kurttheviking
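As an added example (not code from the original answer), a small Python audit that applies the distinction above to data shaped like `aws ec2 describe-instances` / `describe-route-tables` output: the field names (PublicIpAddress, SubnetId, Routes, GatewayId, NatGatewayId, InstanceId, Associations) are the real EC2 API names, but the route tables, instance records and ids are constructed placeholders.

```python
# Added example (not from the original answer): classify an instance's
# internet exposure at the routing layer from describe-instances and
# describe-route-tables shaped data.  All values below are constructed.

def subnet_default_route(subnet_id, route_tables):
    """Target of the subnet's 0.0.0.0/0 route: "igw", "nat" or None."""
    explicit = main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                explicit = rt          # explicit subnet association wins
            elif assoc.get("Main"):
                main = rt              # the VPC main table is the fallback
    rt = explicit or main
    for route in (rt or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId") or route.get("InstanceId"):
            return "nat"               # NAT gateway, or a Scenario 2 NAT instance
    return None

def classify_exposure(instance, route_tables):
    """Reachability before any security group rule is even considered."""
    default = subnet_default_route(instance["SubnetId"], route_tables)
    has_public_ip = bool(instance.get("PublicIpAddress"))
    if default == "igw":   # public subnet: both directions need a public/Elastic IP
        return {"subnet": "public", "inbound": has_public_ip, "outbound": has_public_ip}
    if default == "nat":   # private subnet: NAT permits outbound only
        return {"subnet": "private", "inbound": False, "outbound": True}
    return {"subnet": "isolated", "inbound": False, "outbound": False}

# Constructed sample data; ids are placeholders, not real resources.
ROUTE_TABLES = [
    {"Associations": [{"Main": True}], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-PLACEHOLDER"}]},
    {"Associations": [{"SubnetId": "subnet-public"}], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"}]},
]
INSTANCES = {
    "web-with-eip": {"SubnetId": "subnet-public", "PublicIpAddress": "203.0.113.10"},
    "public-no-ip": {"SubnetId": "subnet-public"},
    "private-db":   {"SubnetId": "subnet-private"},
}

def audit(instances=INSTANCES, route_tables=ROUTE_TABLES):
    return {name: classify_exposure(i, route_tables) for name, i in instances.items()}
```

Running `audit()` shows the point of the answer: the public-subnet instance with no public IP is blocked in both directions, while the private-subnet instance behind the NAT keeps outbound access and gains no inbound path.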