1

I am trying to evaluate private and public subnets while creating a new VPC. Is seclusion from inbound traffic from the internet the only reason to go ahead with a private subnet? These points also need to be taken into account when considering a private subnet.

  1. A NAT Gateway is chargeable: $0.045/hour and $0.045 per GB of data transferred, so there is a cost consideration. I would need a NAT gateway for pulling code or updates from the internet.
  2. I should be able to secure instances in my public subnets by using security groups with different levels of strictness.
  3. When launching an instance, I would assign a public IP only to those instances which I want to access from outside the VPC.

I went through this question but it didn't resolve my doubts with respect to the above points. Any help is appreciated.

shshnk
  • I believe [my answer to the question you cited](https://stackoverflow.com/a/22212017/1695906) does address all of those issues. Specifically, without a private subnet and either a NAT instance (cheap) or NAT Gateway (powerful and resilient), there is no mechanism for instances without a public IP address to access the Internet (Download software updates? Access external APIs?) *or to access most AWS services* (e.g. DynamoDB, SQS, SNS). – Michael - sqlbot Dec 21 '16 at 18:12
  • @Michael-sqlbot I have all the respect for the time you took out to write the detailed answer. To be honest, I was not aware that instances inside a public subnet but without a public IP cannot access the internet without NAT. It makes sense to put these kinds of instances in the private subnet. – shshnk Dec 23 '16 at 02:35

2 Answers

1

From 7 Security Measures to Protect Your Servers:

Isolated Execution Environments

How Do They Enhance Security?

Isolating your processes into individual execution environments increases your ability to isolate any security problems that may arise. Similar to how bulkheads and compartments can help contain hull breaches in ships, separating your individual components can limit the access that an intruder has to other pieces of your infrastructure.

So, IMHO, do you need private subnets? It depends. In a production environment with public and private services, VPN, databases, etc., yes; but if you have only one server and you don't want to deal with the configuration of network ACLs, routing, NAT, and so on, maybe a public subnet with your server and a well-configured security group could be enough.

JonDoe297
1

To answer your questions:

  1. Use a NAT instance (t2.small or m3.medium) instead of a NAT gateway. Far cheaper.
  2. Why launch them in a public subnet and then tweak the security group if there is no need to accept incoming internet traffic? There is always a chance of making a mistake in SG rules and allowing malicious traffic unintentionally. Even if you want to accept internet traffic, I suggest using a reverse proxy like HAProxy.
  3. Then launch only those instances in the public subnet, or use a reverse proxy.

The private subnet is an extremely useful feature to protect your instances from DDoS, unauthorized access, etc. Do not bypass it for the sake of convenience.

helloV
  • Thanks for your response. Yes, I can go with non-spot instances, which are cheaper than a NAT gateway. – shshnk Dec 23 '16 at 02:39
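The two points that the thread turns on are mechanical and easy to check programmatically: a subnet is "public" only because its route table sends 0.0.0.0/0 to an internet gateway, an instance in such a subnet with no public IP has no path out at all (the point made in the comments under the question), and a world-open security group on a public-subnet instance is the mistake the second answer warns about. The audit below is an added example, not code from the question or either answer. It runs offline against constructed data shaped like the EC2 `describe-route-tables`, `describe-instances` and `describe-security-groups` responses; every ID and address in it is hypothetical, and a NAT instance is recognised by a default route whose target is an `InstanceId`, as EC2 reports it.

```python
"""Classify VPC subnets from their route tables and flag the instance and
security-group mistakes discussed in the thread.  Added example, not code
from the original post; runs offline on constructed data (all IDs made up)."""

# --- constructed sample data in describe-* response shape -------------------
ROUTE_TABLES = [
    {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"RouteTableId": "rtb-priv", "Associations": [{"SubnetId": "subnet-priv"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]},
    # Main table: used by every subnet without an explicit association. No default route.
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
INSTANCES = [
    {"InstanceId": "i-web", "SubnetId": "subnet-pub", "PublicIpAddress": "203.0.113.10",
     "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-worker", "SubnetId": "subnet-pub",          # public subnet, no public IP
     "SecurityGroups": [{"GroupId": "sg-app"}]},
    {"InstanceId": "i-db", "SubnetId": "subnet-priv",
     "SecurityGroups": [{"GroupId": "sg-db"}]},
    {"InstanceId": "i-orphan", "SubnetId": "subnet-iso", "PublicIpAddress": "203.0.113.20",
     "SecurityGroups": [{"GroupId": "sg-db"}]},                  # falls back to the main table
]
SECURITY_GROUPS = {  # GroupId -> IpPermissions (ingress rules)
    "sg-web": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
    "sg-app": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
    "sg-db":  [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}],
}


def classify_route_table(rtb):
    """'public' if the default route targets an internet gateway, 'private' if it
    targets a NAT gateway or a NAT instance, otherwise 'isolated' (no way out)."""
    for route in rtb["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":   # a blackholed route is no route
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId") or route.get("InstanceId"):
            return "private"
    return "isolated"


def subnet_kinds(route_tables):
    """Map explicitly associated subnets to a kind and return the main table's
    kind as the fallback for every subnet that has no explicit association."""
    kinds, main_kind = {}, "isolated"
    for rtb in route_tables:
        kind = classify_route_table(rtb)
        for assoc in rtb.get("Associations", []):
            if assoc.get("Main"):
                main_kind = kind
            elif "SubnetId" in assoc:
                kinds[assoc["SubnetId"]] = kind
    return kinds, main_kind


def world_open_ports(permissions, allowed):
    """Ingress accepted from 0.0.0.0/0, minus the ports a public-facing proxy is
    expected to expose. Returns port labels such as '22', '1024-65535' or 'all'."""
    hits = []
    for perm in permissions:
        if not any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            continue
        if perm["IpProtocol"] not in ("tcp", "udp"):   # "-1" means every protocol
            hits.append("all" if perm["IpProtocol"] == "-1" else perm["IpProtocol"])
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        if any(p not in allowed for p in range(lo, hi + 1)):
            hits.append(str(lo) if lo == hi else f"{lo}-{hi}")
    return hits


def audit(route_tables, instances, security_groups, allowed_public_ports=(80, 443)):
    """Return (instance-id, finding-code, detail) tuples for the thread's three traps."""
    kinds, main_kind = subnet_kinds(route_tables)
    findings = []
    for inst in instances:
        iid, kind = inst["InstanceId"], kinds.get(inst["SubnetId"], main_kind)
        has_public_ip = "PublicIpAddress" in inst
        if kind == "public" and not has_public_ip:
            findings.append((iid, "NO_INTERNET_PATH",
                             "public subnet but no public IP: the IGW route is unusable and there is no NAT"))
        if kind != "public" and has_public_ip:
            findings.append((iid, "PUBLIC_IP_WITHOUT_IGW_ROUTE",
                             "public IP is unreachable without an IGW route; check MapPublicIpOnLaunch"))
        if kind == "public":
            for sg in inst["SecurityGroups"]:
                ports = world_open_ports(security_groups[sg["GroupId"]], set(allowed_public_ports))
                if ports:
                    findings.append((iid, "WORLD_OPEN_INGRESS",
                                     f"{sg['GroupId']} accepts 0.0.0.0/0 on {ports}"))
    return findings


if __name__ == "__main__":
    for iid, code, detail in audit(ROUTE_TABLES, INSTANCES, SECURITY_GROUPS):
        print(f"{iid:10} {code:28} {detail}")
```

On the sample data this reports `i-worker` twice (no internet path, and SSH open to the world) and `i-orphan` once (a public IP in a subnet that falls back to the main table, which has no internet gateway route); `i-web` passes because 443 is on the expected-proxy list, and `i-db` passes because its only ingress is from `sg-app`. To run it against a real account, replace the three constants with the `RouteTables`, flattened `Instances` and a `{GroupId: IpPermissions}` dict built from the corresponding boto3 calls.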