I’m architecting my cloud environment and considering all the possible security features and came across this scenario where I need to access an ec2 instance on a private subnet from the internet. If I make this possible then does that defeat the purpose of it being on a private subnet? If not then what is the benefit of this approach?
Question posted in Amazon Web Services
The official Amazon Web Services documentation can be found here.
2 Answers
Accessing EC2 from the internet can be achieved by different approaches, and it all depends on what your exact needs are and your goal in accessing it.
A private subnet in AWS doesn’t have a route to the internet through an Internet gateway, so it offers isolation and reduces exposure to external threats; your EC2 is only accessible from your VPC.
If your access is just for administration purposes / tasks, you can access it without exposing it via different methods :
But if you need to expose your EC2 to public users, you should consider other options like :
So, No, accessing a private EC2 instance in a private subnet from the internet doesn’t defeat the purpose, as long as it’s done correctly. The key security principle is that the private instance is not directly exposed to the internet.
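A check for the point this answer rests on, that "private" means the subnet's effective route table has no route to an Internet gateway. This is an added example, not code from the answer or from AWS: it classifies a subnet from data shaped like boto3's `ec2.describe_route_tables()` output, including the case where a subnet has no explicit association and therefore inherits the VPC's main route table. The route tables, subnet IDs and gateway IDs below are constructed sample data.

```python
"""Classify VPC subnets as private or public from describe_route_tables data.

A subnet is public when the route table that applies to it (its explicitly
associated table, or the VPC main table if it has none) routes to an igw-*.
"""

# Constructed sample (not from a real account): the main table reaches the
# internet only via a NAT gateway; rtb-public is attached to subnet-public.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"Main": False, "SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
]


def route_table_for_subnet(route_tables, subnet_id):
    """Return the table that applies to subnet_id: an explicit association
    wins, otherwise the VPC main table (a common source of surprises)."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_igw_route(route_table):
    """True if any active route in the table targets an Internet gateway."""
    for route in route_table.get("Routes", []):
        if route.get("State", "active") != "active":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return True
    return False


def is_private_subnet(route_tables, subnet_id):
    """Private means: an applicable table exists and it has no IGW route.
    A NAT-only default route still counts as private (no inbound path)."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    return rt is not None and not has_igw_route(rt)
```

Against a live account, feed the function the `RouteTables` list returned by `describe_route_tables` for the VPC; a subnet that is private by this test but whose instance has a public IP or an open security group still deserves a second look.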
It might defeat the purpose for other resources created in the private subnet.
Consider that by using EC2, one can run any commands or request EC2 metadata. Using a terminal (Linux-based EC2), one can create/update/list other AWS resources based on the EC2 instance role.
Quick setup and less work for deployment.
Can save cost on creation of other resources – load balancers, etc.