When to use Public Subnet vs Private Subnet?

Question

I have one web application that i want to open to the world. shall i simply create public subnet and add this instance to it OR shall i create private subnet, NAT, Load balancer and add this instance to it?

I want this application only accessible to certain IPs.

which way do you recommend and why? which is safest way and cost effective too?

Answer 1

If you only have one instance:

• There is no need for a Load Balancer, since no traffic needs to be balanced
• There is no need for a Private Subnet, but it needs to be publicly accessible
• Use a Security Group to restrict access to the minimum ports that should be accessible (eg port 80, 443) and also the ability to login (but restrict that to only your IP address)

If you have multiple instances, it would then require a Load Balancer. In this situation:

• Put the Load Balancer in a public subnet
• Put the instances in a private subnet for additional security

However, you could actually keep everything in a public subnet and merely use Security Groups to control access. The normal goal with security is that multiple layers of security make things safer. However, the design choice is up to you.

Answer 2

I will recommend instance in private subnet and as this is the safe approach is to launch an instance in private subnet and place LB on the top of your instance.

• The big advantage of this approach is your instance secure and will not accessible form the public.

A high-level look or general example with private instance can be

To access your private instance, you should have a one instance in public subnet from which you can access the instance, normally AWS called it bastion.

securing-your-vpc-using-public-and-private-subnets-with-network-acl