Security Considerations of AWS Private Subnet vs Private Security Group

Tags: amazon-vpc, amazon-web-services, network-security

AWS Virtual Private Cloud allows several ways of restricting access to devices on the VPC network from the Internet.

1) Place devices into a private subnet (no Internet Gateway). Each device can communicate with other devices using private IPs. No device has a public IP, so no access from the Internet.

2) Place devices into a public subnet. Each device has a public IP, so they can communicate with other internal devices using either private or public IPs. Add Security Groups to restrict access from the Internet.

Questions:

  1. Are these two approaches identical from a security perspective?

  2. Are there any other considerations to take into account?

Best Answer

There isn't really a difference in terms of security. Both an EC2 instance in a private subnet with an inbound allow-all security group and an EC2 instance in a single security group with no rules are inaccessible from the internet.

However an instance in a public subnet is addressable from the internet, in that it has a globally unique IP which people on the internet can attempt to send packets to.

Private subnets give some additional security considerations - they make it clear that the instance is not accessible from the internet. It is also hard to change, whilst the security group approach can be changed by adding an inbound rule. Most importantly though, lots of people consider this approach best practice (regardless of whether it is) so it appeases tick box managers and security audits.

Interesting to note that IPv4 in AWS always uses NAT, even without a NAT gateway. EC2 instances in the public subnet don't really have public IPs: if you inspect the destination of the packets they will go to the internal IP. This is because AWS are using NAT behind the scenes.

Personally I think the private subnets provide extra complexity for no extra benefit. If possible I would try and use IPv6 and disregard NAT entirely and just use security groups + application layer security. However IPv6 is poorly supported and many people don't understand NAT properly so use a private subnet unless these aren't issues.
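The following script is an added worked check, not part of the question or the answer and not AWS tooling. It evaluates the three conditions that must all hold for an instance to be reachable from the Internet in the two setups the question describes: a public (or Elastic) IPv4 address, a default route in the subnet's route table to an Internet Gateway, and an attached security group rule that allows the port from 0.0.0.0/0 or ::/0. It also models the answer's point that the security-group approach is one inbound rule away from exposure, whereas a private subnet stays closed even with an allow-all group. The data is constructed inline and only shaped like the output of `describe-route-tables`, `describe-security-groups` and `describe-instances`; every ID and address is made up, and no AWS calls are made.

```python
"""Internet-exposure check for EC2 instances (added example on constructed data).

An instance is reachable from the Internet on a port only if all three hold:
  1. it has a public (or Elastic) IPv4 address,
  2. its subnet's route table sends 0.0.0.0/0 to an Internet Gateway (igw-*),
  3. an attached security group allows inbound traffic on that port from
     0.0.0.0/0 (or ::/0).
"""
from typing import Dict, List

# -- constructed sample data (IDs and addresses are made up) ---------------
ROUTE_TABLES: Dict[str, List[dict]] = {
    "rtb-public": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
    ],
    # Default route via a NAT gateway: outbound only, no inbound path.
    "rtb-private": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
    ],
}
SUBNET_ROUTE_TABLE = {"subnet-public": "rtb-public", "subnet-private": "rtb-private"}
SECURITY_GROUPS: Dict[str, List[dict]] = {
    "sg-open-ssh": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    "sg-office-ssh": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}],
    "sg-no-rules": [],
}
INSTANCES = {
    "i-public-open": {"SubnetId": "subnet-public", "PublicIpAddress": "198.51.100.10",
                      "SecurityGroups": ["sg-open-ssh"]},
    "i-public-office": {"SubnetId": "subnet-public", "PublicIpAddress": "198.51.100.11",
                        "SecurityGroups": ["sg-office-ssh"]},
    "i-public-norules": {"SubnetId": "subnet-public", "PublicIpAddress": "198.51.100.12",
                         "SecurityGroups": ["sg-no-rules"]},
    "i-private-open": {"SubnetId": "subnet-private", "PublicIpAddress": None,
                       "SecurityGroups": ["sg-open-ssh"]},
}

INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}


def subnet_has_igw_route(subnet_id: str) -> bool:
    """True if the subnet's route table sends the default route to an IGW."""
    for route in ROUTE_TABLES[SUBNET_ROUTE_TABLE[subnet_id]]:
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("GatewayId", "").startswith("igw-")):
            return True
    return False


def rule_covers(rule: dict, port: int, protocol: str) -> bool:
    """True if one inbound rule matches port/protocol and is open to the Internet."""
    if rule["IpProtocol"] not in ("-1", protocol):   # "-1" means all protocols
        return False
    if rule["IpProtocol"] != "-1" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
    return bool(cidrs & INTERNET_CIDRS)


def sg_allows_from_internet(sg_id: str, port: int, protocol: str = "tcp") -> bool:
    return any(rule_covers(r, port, protocol) for r in SECURITY_GROUPS[sg_id])


def exposure(instance_id: str, port: int, protocol: str = "tcp") -> dict:
    """Report each condition separately so the reason for (non-)exposure is visible."""
    inst = INSTANCES[instance_id]
    result = {
        "public_ip": inst.get("PublicIpAddress") is not None,
        "igw_route": subnet_has_igw_route(inst["SubnetId"]),
        "sg_open": any(sg_allows_from_internet(sg, port, protocol)
                       for sg in inst["SecurityGroups"]),
    }
    result["reachable"] = all(result[k] for k in ("public_ip", "igw_route", "sg_open"))
    return result


def add_inbound_rule(sg_id: str, port: int, cidr: str, protocol: str = "tcp") -> None:
    """Simulate widening a security group in place by adding one inbound rule."""
    SECURITY_GROUPS[sg_id].append({"IpProtocol": protocol, "FromPort": port, "ToPort": port,
                                   "IpRanges": [{"CidrIp": cidr}], "Ipv6Ranges": []})


if __name__ == "__main__":
    for iid in INSTANCES:
        print(iid, exposure(iid, 22))
```

Running it shows that `i-private-open` (allow-all group, private subnet) and `i-public-norules` (public subnet, empty group) are both unreachable, which is the answer's equivalence; adding a single `0.0.0.0/0` rule to `sg-office-ssh` flips `i-public-office` to reachable, while the same widening of `sg-open-ssh` leaves `i-private-open` closed. To use it against a real account, replace the constructed dictionaries with the corresponding `describe-*` results.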