
As I have learned, there are two main ways of isolating resources in an AWS VPC:

  1. One through public/private subnet separation using NAT Gateways to route communications between resources (e.g. public web servers) in the public subnets and resources in the private subnets (e.g. Aurora RDS instances)

  2. On the other hand, one could just have public subnets, and all resources that should not be reachable from the internet should not have public IPs and should be inside Security Groups, which should only allow other resources in the public subnets to establish connections with them

As I understand, both approaches attain the goal of preventing the Internet from connecting to private resources, but while NAT Gateways are quite expensive, Security Groups are available for free

So my question is, what are the security pros and cons between both approaches? Given that NAT Gateways seem to be much more popular for this purpose and Security Groups much simpler and cheaper, I would expect the former to have some kind of stronger security guarantee

Until now the only "advantage" I have heard of is the possibility of forgetting the proper use of Security Groups, which I believe should not happen if one applies programming best practices to deploying infrastructure as code (e.g. Terraform, CloudFormation)

3 Answers


One through public/private subnet separation using NAT Gateways to route communications between resources (e.g. public web servers) in the public subnets and resources in the private subnets (e.g. Aurora RDS instances)

^^^This approach is recommended by AWS, as it minimizes the attack surface by keeping the DB instances in a dedicated subnet and additionally host level access is controlled using Security Groups.

one could just have public subnets and all resources that should not be reachable from the internet should not have public IPs and be inside Security Groups, which should only allow other resources in the public subnets to establish connections with them

^^^This approach does not enable the same behavior as the public/private subnet design.

For instances present in a public subnet, you may use security groups to control host level access. However, a public subnet is "public" due to the presence of an Internet Gateway and an appropriate route entry in the subnet's route table. For instances in a public subnet to connect to the Internet, a public IP must be assigned to them.

In your case, not assigning a public IP to a Database Instance in a public subnet would make it inaccessible over the Internet but it would also mean that the instance would not be able to access the Internet. A NAT Gateway/Instance solves this problem by allowing instances in the private subnet to access the Internet, without needing a public IP address.

Shurmajee

Comment from Matias Haeussler (Aug 20 '20 at 19:38): "In your case, not assigning a public IP to a Database Instance in a public subnet would make it inaccessible over the Internet but it would also mean that the instance would not be able to access the Internet. A NAT Gateway/Instance solves this problem by allowing instances in the private subnet to access the Internet, without needing a public IP address" I believe this is the only explicit advantage I have seen until now

You should consider both approaches, the NACLs are at the network layer and can help you to reduce attack traffic in some cases before hitting the instance. The Security Groups are managed at the instance level (like a user Firewall). If you are just playing with AWS, probably the security groups are enough but if you want to do more complex scenarios the best option is a combination of SG and NACL (from my point of view).

camp0
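camp0's answer puts NACLs at the subnet layer and security groups at the instance layer. The difference that matters most when combining them is one the answer does not spell out: NACLs are stateless (every packet in each direction is matched against numbered rules, first match wins, implicit deny at the end), while security groups are stateful (the reply to an admitted flow is allowed without any outbound rule). The following example is added here and is not code from the thread; the rule sets, rule numbers and client addresses are constructed for the demonstration. It walks a TCP handshake through both layers and shows why an NACL needs an outbound rule for the client's ephemeral ports, and how a low-numbered deny rule drops traffic at the subnet edge before any instance sees it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Toy models of the two VPC filtering layers, following the documented AWS
# semantics: a network ACL is stateless and evaluated in rule-number order with
# an implicit deny at the end; a security group is stateful and allow-only.
# The rule sets and addresses below are constructed for this example.


@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp" or "-1" for all protocols
    port_from: int         # destination-port range the rule covers
    port_to: int
    cidr: str              # peer address range
    action: str = "allow"  # NACLs may also "deny"; SGs are allow-only
    number: int = 0        # NACL rule number; unused for SG rules

    def matches(self, proto: str, dst_port: int, peer_ip: str) -> bool:
        if self.protocol not in ("-1", proto):
            return False
        if self.protocol != "-1" and not self.port_from <= dst_port <= self.port_to:
            return False
        return ip_address(peer_ip) in ip_network(self.cidr)


class NetworkAcl:
    """Stateless subnet filter: every packet in each direction is evaluated."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def permits(self, direction, proto, dst_port, peer_ip):
        rules = self.inbound if direction == "in" else self.outbound
        for rule in rules:                 # lowest number first, first match wins
            if rule.matches(proto, dst_port, peer_ip):
                return rule.action == "allow"
        return False                       # the trailing "*" rule: implicit deny


class SecurityGroup:
    """Stateful instance filter: replies to an admitted flow are allowed implicitly."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._tracked = set()              # flows already admitted by a rule

    def permits(self, direction, proto, local_port, peer_ip, peer_port):
        key = (proto, peer_ip, peer_port, local_port)
        if key in self._tracked:           # return traffic: no rule lookup at all
            return True
        rules = self.inbound if direction == "in" else self.outbound
        dst_port = local_port if direction == "in" else peer_port
        if any(r.matches(proto, dst_port, peer_ip) for r in rules):
            self._tracked.add(key)
            return True
        return False


def tcp_handshake(nacl, sg, client_ip, client_port, server_port):
    """Walk a client's SYN and the server's SYN-ACK through both layers."""
    if not nacl.permits("in", "tcp", server_port, client_ip):
        return False, "SYN dropped by NACL inbound"
    if not sg.permits("in", "tcp", server_port, client_ip, client_port):
        return False, "SYN dropped by security group inbound"
    # The SG remembers the flow; the NACL does not, so the SYN-ACK to the
    # client's ephemeral port needs an explicit outbound NACL rule.
    if not sg.permits("out", "tcp", server_port, client_ip, client_port):
        return False, "SYN-ACK dropped by security group outbound"
    if not nacl.permits("out", "tcp", client_port, client_ip):
        return False, "SYN-ACK dropped by NACL outbound (no ephemeral-port rule)"
    return True, "connection established"


ANY = "0.0.0.0/0"


def web_sg():
    # Inbound HTTPS from anywhere and no outbound rules at all: replies still flow.
    return SecurityGroup(inbound=[Rule("tcp", 443, 443, ANY)], outbound=[])


# Outbound only covers port 80, so replies to clients' ephemeral ports are lost.
NACL_MISSING_EPHEMERAL = NetworkAcl(
    inbound=[Rule("tcp", 443, 443, ANY, number=100)],
    outbound=[Rule("tcp", 80, 80, ANY, number=100)])

# A deny rule numbered below the allow drops one range at the subnet edge, before
# the packet reaches any instance; the outbound ephemeral-port rule is present.
NACL_CORRECT = NetworkAcl(
    inbound=[Rule("tcp", 443, 443, "198.51.100.0/24", action="deny", number=90),
             Rule("tcp", 443, 443, ANY, number=100)],
    outbound=[Rule("tcp", 1024, 65535, ANY, number=100)])

if __name__ == "__main__":
    for name, nacl in (("missing ephemeral", NACL_MISSING_EPHEMERAL), ("correct", NACL_CORRECT)):
        print(name, tcp_handshake(nacl, web_sg(), "203.0.113.10", 50000, 443))
    print("denied range", tcp_handshake(NACL_CORRECT, web_sg(), "198.51.100.7", 50000, 443))
```

The first NACL passes the SYN but silently breaks every connection on the reply, a failure mode that only stateless filtering has; the security group in the same run has no outbound rules at all and still lets the SYN-ACK out. The deny rule in the second NACL is the "reduce attack traffic before hitting the instance" case from the answer: the packet never reaches the security group.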

NAT Gateways allow instances in private subnets to access the internet -- but they do not provide access from the internet to your instances.

If your instances need to be accessed from the internet, you need to place them in a public subnet.

Typically, you'd place your Webserver on the public subnet, and then your webserver has access to the Database server. You would use the subnet NACL and instance security group to protect your webserver, and utilize the subnet isolation to protect the RDS.

If you have an application server that sits behind the webserver -- you can place those in a private subnet, and utilize the NAT Gateway to allow the application server to access the internet. Again, this application server won't be accessible from the internet, but it can access the internet (to download updates etc).

If nothing on your private subnets needs internet access, you probably don't want the NAT Gateway, as they're pretty expensive.

keithRozario
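Shurmajee's and keithRozario's answers both come down to the same three conditions, which are easy to check mechanically: an instance is reachable from the internet only if its subnet routes 0.0.0.0/0 to an Internet Gateway, it has a public IP, and its security group admits a public source; it can reach the internet either through that same IGW path (public IP required) or through a NAT route (no public IP needed). The audit script below is an added example, not code from the thread or from AWS; it runs over a constructed snapshot whose identifiers (igw-main, nat-main, sg-web and so on) are invented, in the shape a script might assemble from the describe-* API calls. Besides the web/app/DB tiers from keithRozario's answer it includes the two cases the question argues about: a database left in a public subnet without a public IP, which the report shows has no internet path in either direction (the point Shurmajee makes and the asker quotes), and the same placement with a security group open to 0.0.0.0/0, which is flagged as a latent exposure that becomes real the moment someone attaches a public IP.

```python
from ipaddress import ip_network

# Constructed snapshot of a VPC, in the shape a small audit script might build
# from describe-route-tables / describe-subnets / describe-instances output.
# Every identifier here (igw-main, nat-main, sg-web, ...) is invented.
VPC = {
    "route_tables": {                       # destination CIDR -> target
        "rt-public": {"0.0.0.0/0": "igw-main"},
        "rt-private-nat": {"0.0.0.0/0": "nat-main"},
        "rt-private-isolated": {},
    },
    "subnets": {                            # subnet -> associated route table
        "subnet-public": "rt-public",
        "subnet-private-nat": "rt-private-nat",
        "subnet-private-isolated": "rt-private-isolated",
    },
    "security_groups": {                    # inbound rules only
        "sg-web": [{"port": 443, "source": "0.0.0.0/0"}],
        "sg-app": [{"port": 8080, "source": "sg-web"}],
        "sg-db": [{"port": 5432, "source": "sg-app"}],
        "sg-db-open": [{"port": 5432, "source": "0.0.0.0/0"}],
    },
    "instances": [
        {"id": "web", "subnet": "subnet-public", "public_ip": True, "sg": "sg-web"},
        {"id": "app", "subnet": "subnet-private-nat", "public_ip": False, "sg": "sg-app"},
        {"id": "db", "subnet": "subnet-private-isolated", "public_ip": False, "sg": "sg-db"},
        # The "public subnets only" design from the question: DB without a public IP.
        {"id": "db-in-public", "subnet": "subnet-public", "public_ip": False, "sg": "sg-db"},
        # Same placement, but with the security-group mistake the question mentions.
        {"id": "db-sg-open", "subnet": "subnet-public", "public_ip": False, "sg": "sg-db-open"},
    ],
}


def default_route_target(vpc, subnet_id):
    """Target of the subnet's 0.0.0.0/0 route ("" when the subnet has none)."""
    return vpc["route_tables"][vpc["subnets"][subnet_id]].get("0.0.0.0/0", "")


def has_igw_route(vpc, inst):
    return default_route_target(vpc, inst["subnet"]).startswith("igw-")


def is_public_cidr(cidr):
    return cidr == "0.0.0.0/0" or not ip_network(cidr).is_private


def internet_egress(vpc, inst):
    """How the instance can initiate connections to the internet, if at all."""
    target = default_route_target(vpc, inst["subnet"])
    if target.startswith("nat-"):
        return "nat"                      # private subnet behind a NAT gateway
    if target.startswith("igw-") and inst["public_ip"]:
        return "igw"                      # public subnet with a public IP
    return None                           # isolated, or IGW route but no public IP


def public_sources(vpc, inst):
    """Ports whose SG rule names a public CIDR as source (SG references never count)."""
    return [r["port"] for r in vpc["security_groups"][inst["sg"]]
            if not r["source"].startswith("sg-") and is_public_cidr(r["source"])]


def internet_ingress(vpc, inst):
    """Ports the internet can connect to: IGW route, public IP and an open SG rule."""
    if not (has_igw_route(vpc, inst) and inst["public_ip"]):
        return []
    return public_sources(vpc, inst)


def audit(vpc):
    report = {}
    for inst in vpc["instances"]:
        findings = []
        if has_igw_route(vpc, inst) and not inst["public_ip"]:
            findings.append("public subnet without public IP: no internet path in either direction")
            if public_sources(vpc, inst):
                findings.append("SG admits public sources: exposed as soon as a public IP is attached")
        report[inst["id"]] = {"ingress_ports": internet_ingress(vpc, inst),
                              "egress": internet_egress(vpc, inst),
                              "findings": findings}
    return report


if __name__ == "__main__":
    for instance_id, result in audit(VPC).items():
        print(instance_id, result)
```

The report makes the trade-off in the question concrete: the isolated database and the database in a public subnet without a public IP look identical from the internet, but only the second one carries a finding, because its safety rests on one instance attribute and one security group rather than on the subnet's route table. The application server behind the NAT route is the only instance that gets egress without any ingress, which is exactly what the NAT Gateway buys.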