4 Votes

When I launch a server with a security group that allows all traffic into my private subnet, it displays a warning that it may be open to the world.

If it is a private subnet, how can that be?

I will try to answer this from the AWS perspective. Within a VPC, you can have Public and Private subnets.

Instances in a Public subnet would be reachable from the internet; which means traffic from the internet can hit a machine in the Public Subnet. You normally keep things like a Web Server in the Public Subnet.

Instances in a Private Subnet would not be reachable from the internet. E.g. you can put a Database Server in the Private subnet and no one can access it from the internet. It would be accessible only via Instances in the Public subnet (Web server). There is a simple video which explains how to set it up on AWS -

2 Votes

The configuration for this scenario includes a virtual private cloud (VPC) with a public subnet and a private subnet. We recommend this scenario if you want to run a public-facing web application, while maintaining back-end servers that aren't publicly accessible. A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet. You can set up security and routing so that the web servers can communicate with the database servers.

The instances in the public subnet can send outbound traffic directly to the Internet, whereas the instances in the private subnet can't. Instead, the instances in the private subnet can access the Internet by using a network address translation (NAT) gateway that resides in the public subnet. The database servers can connect to the Internet for software updates using the NAT gateway, but the Internet cannot establish connections to the database servers.

2 Votes

The main difference is the route for 0.0.0.0/0 in the associated route table.

A private subnet sets that route to a NAT instance. Private subnet instances only need a private IP, and internet traffic is routed through the NAT in the public subnet. You could also have no route to 0.0.0.0/0 to make it a truly private subnet with no internet access in or out.

A public subnet routes 0.0.0.0/0 through an Internet Gateway (igw). Instances in a public subnet require public IPs to talk to the internet.

The warning appears even for private subnets, but the instance is only accessible inside your VPC.

4 Votes
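The route-table rule from the answer above, turned into a small checker (an added example, not code from any of the answers): it classifies a subnet by its 0.0.0.0/0 route and only reports an instance as reachable from the internet when the subnet is public, the instance has a public IP, and the security group is open. The dictionaries are constructed to mimic the shape of EC2 DescribeRouteTables / DescribeInstances / DescribeSecurityGroups output; the IDs and addresses are made up.

```python
# Constructed sample data shaped like EC2 DescribeRouteTables / DescribeInstances /
# DescribeSecurityGroups responses; the IDs and addresses are made up.
PUBLIC_RT = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaaaaaaaaaaaaaaa"}]}
PRIVATE_RT = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbbbbbbbbbbbbbbb"}]}
ISOLATED_RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}
ALLOW_ALL_SG = {"IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
WEB = {"PublicIpAddress": "203.0.113.10", "PrivateIpAddress": "10.0.1.10"}
DB = {"PrivateIpAddress": "10.0.2.20"}


def subnet_kind(route_table):
    """Classify by the 0.0.0.0/0 route: igw-* -> public, NAT gateway or NAT
    instance -> private, no default route -> isolated (no internet in or out)."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId") or route.get("InstanceId"):
            return "private"
    return "isolated"


def sg_open_to_world(sg):
    """What the console warns about: any ingress rule whose source is 0.0.0.0/0."""
    return any(r["CidrIp"] == "0.0.0.0/0"
               for perm in sg["IpPermissions"] for r in perm.get("IpRanges", []))


def internet_reachable(instance, route_table, sg):
    """Inbound exposure needs all three: a public subnet (IGW default route),
    a public IP on the instance, and an open security group."""
    return (sg_open_to_world(sg)
            and subnet_kind(route_table) == "public"
            and bool(instance.get("PublicIpAddress")))
```

With this data the web instance in PUBLIC_RT is reported reachable, while the database in PRIVATE_RT is not, even though both use the same allow-all security group that triggers the warning.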