
I’m architecting my cloud environment and considering all the possible security features and came across this scenario where I need to access an ec2 instance on a private subnet from the internet. If I make this possible then does that defeat the purpose of it being on a private subnet? If not then what is the benefit of this approach?

2 Answers


  1. Accessing EC2 from the internet can be achieved by different approaches, and it all depends on what your exact needs are and your goal in accessing it.

    A private subnet in AWS doesn’t have a route to the internet through an Internet Gateway, so it offers isolation and reduces exposure to external threats; your EC2 is only accessible from your VPC.

    If your access is just for administration purposes / tasks, you can access it without exposing it via different methods:

    • A jump box or a bastion host; I’m not a fan of this as it will expose another EC2 with a public IP.
    • VPN or Direct Connect if you have it; you can still connect with the private IP of the EC2.
    • AWS Systems Manager allows you to manage your EC2 without exposing it.
    • Cloud9, that’s my alternative to bastion hosts.

    But if you need to expose your EC2 to public users, you should consider other options like:

    • Move it to a public subnet so your other private resources are still isolated if your EC2 gets compromised.
    • Expose it via an ELB in a public subnet so it remains private / isolated, secure the access to just your ELB, and you can add an AWS Firewall to it.

    So, no, accessing an EC2 instance in a private subnet from the internet doesn’t defeat the purpose, as long as it’s done correctly. The key security principle is that the private instance is not directly exposed to the internet.

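The answer above rests on two checkable properties: the subnet's route table has no default route to an Internet Gateway, and the instance's security group only admits traffic from the load balancer's security group. The script below is an added example (not code from the answer or from AWS) that audits both from the JSON shape returned by `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups`; the route tables, security groups and IDs (`rtb-private`, `sg-elb`, `igw-0abc`, etc.) are constructed sample data, not real resources.

```python
"""Offline audit of the two properties that make an EC2 instance 'private':
no default route to an Internet Gateway, and ingress only from the ELB's
security group. Input dicts mirror the shape of `aws ec2 describe-route-tables`
and `aws ec2 describe-security-groups` output; all data here is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str
    issue: str


def igw_default_routes(route_table: dict) -> list[str]:
    """IDs of Internet Gateways reached by a default route (0.0.0.0/0 or ::/0).
    A NAT gateway default route (NatGatewayId, no GatewayId) does not count:
    it allows outbound traffic only and does not make the subnet reachable
    from the internet."""
    hits = []
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        gw = route.get("GatewayId", "")
        if dest in ("0.0.0.0/0", "::/0") and gw.startswith("igw-"):
            hits.append(gw)
    return hits


def unexpected_ingress(sg: dict, allowed_groups: set[str]) -> list[Finding]:
    """Ingress rules that admit anything other than the allowed security
    groups (the ELB's). A CIDR rule here means the route table is the only
    thing keeping the instance off the internet."""
    findings = []
    gid = sg["GroupId"]
    for perm in sg.get("IpPermissions", []):
        port = perm.get("FromPort", "all")
        for rng in perm.get("IpRanges", []):
            findings.append(Finding(gid, f"port {port} open to CIDR {rng['CidrIp']}"))
        for rng in perm.get("Ipv6Ranges", []):
            findings.append(Finding(gid, f"port {port} open to CIDR {rng['CidrIpv6']}"))
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in allowed_groups:
                findings.append(Finding(gid, f"port {port} open to group {pair['GroupId']}"))
    return findings


def audit_private_instance(route_table: dict, sg: dict, allowed_groups: set[str]) -> list[Finding]:
    """Combine both checks; an empty list means the instance is private in the sense the answer describes."""
    findings = [Finding(route_table["RouteTableId"], f"default route via {gw}: subnet is public")
                for gw in igw_default_routes(route_table)]
    findings.extend(unexpected_ingress(sg, allowed_groups))
    return findings


# Constructed sample data (not real resources).
PRIVATE_RT = {"RouteTableId": "rtb-private", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"},
]}
PUBLIC_RT = {"RouteTableId": "rtb-public", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
]}
SG_ELB_ONLY = {"GroupId": "sg-app", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-elb"}]},
]}
SG_WIDE_OPEN = {"GroupId": "sg-app", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
]}

if __name__ == "__main__":
    for label, rt, sg in (("elb-only", PRIVATE_RT, SG_ELB_ONLY), ("wide-open", PUBLIC_RT, SG_WIDE_OPEN)):
        print(label, audit_private_instance(rt, sg, {"sg-elb"}) or "no findings")
```

The point of the security-group check is that "private subnet" and "reachable only through the ELB" are two independent controls: a 0.0.0.0/0 ingress rule on an instance in a private subnet is harmless only until someone adds an Internet Gateway route or moves the instance, so the group should reference the ELB's security group rather than a CIDR.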
  2. If I make this possible then does that defeat the purpose of it being on a private subnet?

    It might defeat the purpose for other resources created in the private subnet.
    Consider that by using EC2, one can run any commands or request EC2 metadata. Using the terminal (Linux-based EC2), one can create/update/list other AWS resources based on the EC2 instance role.

    what is the benefit of this approach?

    Quick setup and less work for deployment.
    Can save cost on creating other resources – load balancers, etc.

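The risk this answer points at, that a shell on the instance yields the instance role's credentials via the metadata service and with them whatever the role permits, is what makes the instance profile and IMDS settings matter more than the subnet. The script below is an added example (not code from the answer or from AWS) that audits a `describe-instances` entry and an attached policy document for the settings that make this cheap to abuse; the instance IDs, account ID, profile name and policy documents are constructed, and `ESCALATION_ACTIONS` is an assumed list for the example. The remediation string uses the real `aws ec2 modify-instance-metadata-options` flags.

```python
"""Offline check for the risk described in the answer: a shell on an EC2
instance can read the instance role's temporary credentials from the metadata
service at 169.254.169.254 and call AWS APIs with whatever the role allows.
Dicts mirror `aws ec2 describe-instances` instance entries and an IAM policy
document; all data here is constructed.
"""

# Assumed for the example: actions that let a compromised box escalate or pivot.
ESCALATION_ACTIONS = {"iam:PassRole", "iam:CreateAccessKey", "iam:AttachRolePolicy", "sts:AssumeRole"}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list."""
    return value if isinstance(value, list) else [value]


def metadata_findings(instance: dict) -> list[str]:
    """Flag metadata-service settings that make the role credentials easy to steal."""
    if not instance.get("IamInstanceProfile"):
        return []  # no role attached, so nothing to fetch from IMDS
    iid = instance["InstanceId"]
    opts = instance.get("MetadataOptions", {})
    issues = []
    # IMDSv1 answers a plain GET, so any SSRF or local user can read the credentials.
    if opts.get("HttpEndpoint", "enabled") == "enabled" and opts.get("HttpTokens") != "required":
        issues.append(f"{iid}: IMDSv1 allowed, credentials readable with a single unauthenticated GET")
    # Hop limit > 1 lets IMDSv2 token responses travel past the host (containers, forwarders).
    if opts.get("HttpPutResponseHopLimit", 1) > 1:
        issues.append(f"{iid}: hop limit {opts['HttpPutResponseHopLimit']}, IMDSv2 tokens reachable beyond the host")
    return issues


def policy_findings(policy: dict) -> list[str]:
    """Flag Allow statements granting wildcard or escalation-capable actions."""
    issues = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                issues.append(f"wildcard action {action} on {_as_list(stmt.get('Resource', '*'))}")
            elif action in ESCALATION_ACTIONS:
                issues.append(f"escalation action {action}")
    return issues


def remediation(instance_id: str) -> str:
    """CLI command that enforces IMDSv2 and a hop limit of 1 for the instance."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            "--http-tokens required --http-put-response-hop-limit 1")


# Constructed sample data (not real resources).
WEB_INSTANCE = {
    "InstanceId": "i-0123456789abcdef0",
    "SubnetId": "subnet-private",
    "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/web", "Id": "AIPAEXAMPLE"},
    "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                        "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"},
}
HARDENED_INSTANCE = {**WEB_INSTANCE, "InstanceId": "i-0fedcba9876543210",
                     "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                                         "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}}
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-assets/*"},
]}
LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-assets/*"},
]}

if __name__ == "__main__":
    for inst in (WEB_INSTANCE, HARDENED_INSTANCE):
        for issue in metadata_findings(inst):
            print(issue)
            print("  fix:", remediation(inst["InstanceId"]))
    print("policy:", policy_findings(BROAD_POLICY) or "no findings")
```

Requiring IMDSv2 does not shrink what the role can do; it only raises the cost of stealing the credentials. The role's policy is what bounds the blast radius of a compromised instance, which is why the second check matters even on a correctly configured instance.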