
Amazon details how to use a public + private subnet approach in VPC (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html).

But, bearing in mind that

  1. Instances don't have to have a public IP address
  2. You can configure security groups per EC2 instance if you want to

Aren't private subnets redundant?

What I mean is, let's say I create one public subnet. I install my webservers and databases on that subnet.

I then give my webservers external IP addresses (and obviously don't give the DBs EIPs).

Finally, I set up the security group of the databases to only allow incoming connections from the internal subnet, and reject all outgoing traffic.

Isn't this just as good as having the databases in a private subnet?

The whole argument about instances being "private" when they're in a private subnet seems bogus to me. Nothing in VPC subnets is really "on the internet" anyway, due to the virtualised nature of the AWS architecture. It's just whether or not you've configured it so that Amazon's public gateways forward packets or not. Right?

I wonder if this is just a psychological thing to give companies a pattern they're familiar with?

Can anyone explain why the private+public model is better?

Thanks!

UPDATE: Yes, I saw the other answer before I posted this. I don't believe the person provided enough information to really get a proper answer. For example, the answers don't explain why this is any better than just using security groups.

John
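As an added illustration (not part of the question above, and not AWS code), here is a small Python model of the controls that decide whether a VPC instance accepts a connection from the Internet; it compares the question's "database in the public subnet, no EIP, restricted security group" layout with the same database in a private subnet. It assumes a simplified rule set (inbound Internet traffic needs an internet-gateway route in the subnet, a public/Elastic IP on the instance, and a matching security-group ingress rule), and the names `Subnet`, `Instance`, `blocking_controls` and `compare_layouts` are this example's own.

```python
# Added example (not AWS code): toy model of the independent controls that
# decide whether a VPC instance is reachable from the Internet. Assumed names.
from dataclasses import dataclass

INTERNET = "0.0.0.0/0"

@dataclass(frozen=True)
class Subnet:
    cidr: str
    routes_to_igw: bool  # route table sends 0.0.0.0/0 to an internet gateway

@dataclass(frozen=True)
class Instance:
    name: str
    subnet: Subnet
    ingress: tuple          # security-group inbound rules: (source_cidr, port)
    public_ip: bool = False # public or Elastic IP attached

def blocking_controls(inst, port):
    """Controls that stop an inbound Internet connection to inst:port.
    An empty list means the connection gets through."""
    blocks = []
    if not inst.subnet.routes_to_igw:
        blocks.append("no route to internet gateway (private subnet)")
    if not inst.public_ip:
        blocks.append("no public/Elastic IP on the instance")
    if not any(src == INTERNET and p == port for src, p in inst.ingress):
        blocks.append("security group has no matching 0.0.0.0/0 rule")
    return blocks

def compare_layouts(drift=False):
    """Same database in a public and in a private subnet; count how many
    controls still block port 3306 from the Internet. drift=True models a
    later mistake: the DB gains a public IP and a world-open 3306 rule."""
    public = Subnet("10.0.0.0/24", routes_to_igw=True)
    private = Subnet("10.0.1.0/24", routes_to_igw=False)
    rules = (("10.0.0.0/16", 3306),)  # constructed: allow only the VPC range
    if drift:
        rules += ((INTERNET, 3306),)
    return {
        "db_in_public_subnet": len(blocking_controls(
            Instance("db", public, rules, public_ip=drift), 3306)),
        "db_in_private_subnet": len(blocking_controls(
            Instance("db", private, rules, public_ip=drift), 3306)),
    }

if __name__ == "__main__":
    print(compare_layouts())            # {'db_in_public_subnet': 2, 'db_in_private_subnet': 3}
    print(compare_layouts(drift=True))  # {'db_in_public_subnet': 0, 'db_in_private_subnet': 1}
```

With the security-group-only layout, one misapplied public IP plus one over-broad rule leaves nothing in the way; the private subnet's missing gateway route still holds on its own, which is the defense-in-depth case for keeping both.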
