I have a VPC created according to scenario 2: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
When creating an instance in the public subnet, I'm given the choice of:
1- Not associating a public IP to the instance
2- Associating a public IP that can change when the instance is restarted
3- Associating an Elastic IP
My question is: what is the difference, security-wise, between creating an instance in the public subnet but without a public IP (option 1) and creating the instance in the private subnet? I know that private instances are behind a NAT, but does this really add a relevant layer of security? Wouldn't I be as protected with a public instance without a public IP belonging to a sound security group?
Public DNS/IP: It is allocated from a pool of available IP's and it is mandatory to let you connect from anywhere around the globe to your EC2 instance. Private IP: Its allocation is based on vpc/subnet in which EC2 is setup. Every subnet has a range of IP's, out of which one IP gets allocated to the launched EC2.
On the other hand, EC2 instances without public IP addresses are still accessible via their private IPv4 addresses using either your own SSH client or the EC2 Instance Connect CLI. That private connectivity approach is the focus of this blog post.
Instead, in certain cases, we release the public IP address from your instance, or assign it a new one: We release your instance's public IP address when it is stopped, hibernated, or terminated. Your stopped or hibernated instance receives a new public IP address when it is started.
The most common reason for no public IP address for your EC2 instance is that you are launching your EC2 instance using a private subnet. A private subnet means any EC2 instances located in that subnet aren't directly addressable from the public web.
Check out this answer about the difference between private and public subnets in AWS.
In short, the distinction is at the networking layer with the resulting security posture being similar. The instance on the public subnet without a publicly routable address will not be able to receive inbound connections nor make outbound connections without an attached EIP address -- even if the security group would otherwise allow it. (So, for example, you'd have to attach an EIP just to SSH into the instance.) In effect, it's a blanket block whereas the NAT allows you to fine tune access like you would normally expect.
You can also read more about instance addressing in the AWS User Guide.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With