AWS RDS "Publicly Accessible = No" vs instance in private subnet

I am creating infrastructure for one of my web applications on AWS. That app needs a MySQL RDS instance. Now I am wondering whether I should simply create the RDS instance in a public subnet and just change its setting to Publicly Accessible=No, or whether I will have to create this RDS instance in a private subnet for better security or something. I am confused about whether any of the above options will provide better security than the other.

I have also read that simply assigning a security group to the instance will act as a firewall, so I can have a Publicly Accessible=True RDS instance with its security group allowing access only from my application EC2 instance. So basically I have the three options mentioned below.

  1. Publicly Accessible = True RDS instance in a public subnet with a security group allowing access only to the EC2 application instance.

  2. Publicly Accessible = False RDS instance in a public subnet.

  3. RDS instance in a private subnet.

Can anyone explain the pros and cons in terms of security for the above approaches?

Rushi Soni asked Dec 15 '17 10:12


1 Answer

You are correct that Security Groups can provide sufficient protection for your database, and also for Amazon EC2 instances.

So why does AWS provide public/private subnets? It's because many customers want them because that is how enterprises typically organise their network prior to using the cloud. Traditional firewalls only act between subnets, whereas Security Groups apply to each instance individually.

So, if you understand how to correctly configure Security Groups, there is no actual need to use Private Subnets at all! Some people, however, feel more comfortable putting resources in private subnets because it provides an additional layer of security.

John Rotenstein answered Sep 28 '22 11:09
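As an added illustration (not part of the answer above), here is a small Python check that scores the three layouts from the question on the controls discussed: the PubliclyAccessible flag, whether the subnet routes to an internet gateway, and what the security group lets reach the database port. The input records are constructed, simplified stand-ins for boto3 describe_* output; every resource id is made up.

```python
def subnet_is_public(subnet_id, route_tables):
    """A subnet is public when its route table sends 0.0.0.0/0 to an internet gateway (igw-*)."""
    for rt in route_tables:
        if subnet_id in rt["SubnetIds"]:
            return any(r["DestinationCidrBlock"] == "0.0.0.0/0"
                       and r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"])
    return False  # no associated table in our constructed data: not routed to the internet

def db_port_sources(sg, port):
    """Collect the CIDRs and security-group references allowed to reach `port` via `sg`."""
    cidrs, src_sgs = [], []
    for rule in sg["IpPermissions"]:
        if rule["FromPort"] <= port <= rule["ToPort"]:
            cidrs += [r["CidrIp"] for r in rule.get("IpRanges", [])]
            src_sgs += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
    return cidrs, src_sgs

def assess_rds_exposure(db, sgs, route_tables, app_sg_ids):
    """Return findings for the three controls; an empty list is the tightest posture."""
    findings = []
    port = db["Endpoint"]["Port"]
    if db["PubliclyAccessible"]:
        findings.append("PubliclyAccessible=True: public endpoint, the security group is the only barrier")
    elif subnet_is_public(db["SubnetId"], route_tables):
        findings.append("private endpoint in a public subnet: exposure is one flag flip away")
    for sg_id in db["VpcSecurityGroupIds"]:
        cidrs, src_sgs = db_port_sources(sgs[sg_id], port)
        for cidr in cidrs:  # CIDR rules are coarser than referencing the app's own group
            scope = " (the whole internet)" if cidr in ("0.0.0.0/0", "::/0") else ""
            findings.append(f"{sg_id} allows port {port} from CIDR {cidr}{scope}")
        for extra in sorted(set(src_sgs) - set(app_sg_ids)):
            findings.append(f"{sg_id} allows port {port} from non-application group {extra}")
    return findings

# Constructed, simplified stand-ins for boto3 describe_* output (not real AWS resources).
ROUTE_TABLES = [
    {"SubnetIds": ["subnet-public"], "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"SubnetIds": ["subnet-private"], "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
SECURITY_GROUPS = {
    "sg-db-tight": {"IpPermissions": [{"FromPort": 3306, "ToPort": 3306, "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
    "sg-db-open": {"IpPermissions": [{"FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
}

def rds_option(subnet_id, publicly_accessible, sg_id):
    """Build one of the question's three layouts as a constructed instance record."""
    return {"SubnetId": subnet_id, "PubliclyAccessible": publicly_accessible,
            "Endpoint": {"Port": 3306}, "VpcSecurityGroupIds": [sg_id]}
```

Running option 3 (private subnet, PubliclyAccessible=False, group referencing only sg-app) yields no findings, while options 1 and 2 each yield one; swapping in sg-db-open adds a finding for the open CIDR.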