1

In case of we have proper security groups and private/public subnets,
is there any security benefit on separating AWS private subnet?

For example, I have 1 ELB(public subnet) and 2 EC2(Frontend and Backend in the same private subnet).
ELB -> Frontend -> Backend network security is properly secured by security groups.

At this point, is there any security advantage on separating subnets between Frontend and Backend?

Before: ELB(Public subnet) -> EC2(Frontend, Private subnet A) -> EC2(Backend, Private subnet A)
After: ELB(Public subnet) -> EC2(Frontend, Private subnet A) -> EC2(Backend, Private subnet B)

jwagun
  • 21

1 Answers1

1

Firstly is it required by the any form of security compliance? If so the buck stops there and you have no choice but to fulfill the requirements on what the papers and/or your boss commands.

In general practices though it's really depends on if it the additional inconveniences incurred.

Personally as long as it's your OWN VLAN and the provider isn't shoving everyone onto a shared network where everyone who got a AWS instance can connect to it as it were to be more or less the internet at their scales. Then I would think it suffice to have one private and one public.

Unless of course the application vendor recommend exotic configurations or something that a segregation of such is just easier than making some exceptions to the existing infrastructure.

Rickuku
  • 344
  • 1
    I know I have no choice, but I want to know the security side advantage. You mean there's no other security advantage, but only fulfill the requirements and make no exceptions on the configuration. Right? – jwagun Jan 03 '21 at 23:54
  • 1
    That is indeed correct as far as I am able to be aware of. Except in cases where you would need X configurations for A Internal Network and Y configurations for B Internal network. – Rickuku Jan 04 '21 at 00:44