Reputation: 61
We need an ID/PW to log in and access an RDS instance, so why do we keep it in a private subnet? What's the harm in putting RDS in a public subnet, since the RDS instance is password protected anyway?
Upvotes: 3
Views: 1610
Reputation: 35258
In your network you generally want to keep as many resources as possible outside of public scope.
If you put your RDS instance in a public subnet, this makes it possible for traffic to route over the public internet and connect to your RDS instance. Even if it is password protected, this is one method of preventing access; however, if you want to keep this database secure, you should take as many steps as possible to minimise inbound traffic.
It is best practice to keep any resources you do not want the public internet to access in a private subnet, using either a VPN or Direct Connect to connect to this host. Alternatively, you could use a bastion host, although be aware that this again would be a public host. In addition, to increase security, ensure the RDS instance is internal only and has strict security groups.
Upvotes: 1