Reputation: 142
I assume that I'm working on a single project.
Creating different subnets and securing them with NACLs is easier than creating different VPCs.
Besides, if you have 2 VPCs you probably need to connect to them via VPN... so you'll need 2 VPN connections or 1 VPN + Transit Gateway.
My question is:
If I'm working on a single project, when is it really interesting to create more than one VPC?
Upvotes: 3
Views: 3332
Reputation: 35146
There are many reasons you might want to use separate VPCs; ultimately, it's your discretion as to whether you go through with them.
Multiple environments
If you have multiple environments e.g. dev, UAT, production then by sharing the same VPC there is a risk of utilisation of resources in the incorrect environments or even granting access to a production database to a non-production resource.
Whilst it might not be intentional that access is granted, if it is, you might have non-production code touching these resources, or could have production resources speak to non-production resources.
By keeping them separate you can guarantee no cross-environment communication. This could go a step further by splitting your environments into multiple accounts.
Compliance
If you have a compliance based requirement such as PCI-DSS or HIPAA you may want to look at running a VPC just for resources that will be running the part of the application stack accessing this sensitive data.
This VPC can have enhanced security to prevent ingress into any of these resources, including granting access to only a limited number of team members as opposed to a wider team.
Project across multiple applications
You may have a project that is split across multiple applications, for example a frontend layer that communicates with a backend API. To prevent the frontend directly communicating with the database, the project could be split into 2 VPCs.
Then rather than directly consuming resources from the other VPC via VPC peering, utilising functionality like VPC Endpoints to speak to your backend application prevents the frontend ever having access to the full VPC.
Summary
In summary, it's about creating boundaries to protect your data and enforcing stricter application to application communication.
It will add an overhead to your managing of your VPCs, but with services such as AWS Config you will be able to enforce a stricter set of rules where it's required.
Upvotes: 5
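As an added example (not part of the question or answer above), here is the core logic of the kind of check the answer alludes to when it mentions enforcing rules with AWS Config: an evaluation that flags any VPC peering connection joining VPCs from different environments (dev/UAT/prod), or joining a compliance-scoped VPC to an out-of-scope one. It runs offline on constructed data whose shape mirrors EC2 DescribeVpcPeeringConnections and the Tags from DescribeVpcs; the VPC ids, the `Environment`/`Scope` tag convention and the peering ids are assumptions made for the example. A real custom Config rule would fetch the inputs with boto3 and hand the evaluations to Config's PutEvaluations API.

```python
"""Offline model of an AWS Config custom-rule evaluation that flags VPC
peering connections crossing an environment or compliance boundary.

Input shapes mirror EC2 DescribeVpcPeeringConnections (peerings) and the
Tags on DescribeVpcs (vpc_tags). Every identifier and tag value below is
constructed for this example; a real rule would fetch them with boto3 and
report the evaluations through Config's PutEvaluations API.
"""

# Constructed VPC inventory: VPC id -> tags. The "Environment" and "Scope"
# tag keys are an assumed tagging convention, not anything AWS defines.
VPC_TAGS = {
    "vpc-0aaa": {"Name": "prod-app", "Environment": "prod"},
    "vpc-0bbb": {"Name": "prod-pci", "Environment": "prod", "Scope": "pci"},
    "vpc-0ccc": {"Name": "dev-app", "Environment": "dev"},
    "vpc-0ddd": {"Name": "uat-app", "Environment": "uat"},
    "vpc-0eee": {"Name": "dev-data", "Environment": "dev"},
}

# Constructed peering connections, in the DescribeVpcPeeringConnections shape.
PEERINGS = [
    {"VpcPeeringConnectionId": "pcx-0001", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"VpcId": "vpc-0ccc"},
     "AccepterVpcInfo": {"VpcId": "vpc-0ddd"}},   # dev <-> uat
    {"VpcPeeringConnectionId": "pcx-0002", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"VpcId": "vpc-0aaa"},
     "AccepterVpcInfo": {"VpcId": "vpc-0bbb"}},   # prod-app <-> prod-pci
    {"VpcPeeringConnectionId": "pcx-0003", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"VpcId": "vpc-0ccc"},
     "AccepterVpcInfo": {"VpcId": "vpc-0eee"}},   # dev-app <-> dev-data
    {"VpcPeeringConnectionId": "pcx-0004", "Status": {"Code": "deleted"},
     "RequesterVpcInfo": {"VpcId": "vpc-0aaa"},
     "AccepterVpcInfo": {"VpcId": "vpc-0ccc"}},   # stale, carries no traffic
    {"VpcPeeringConnectionId": "pcx-0005", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"VpcId": "vpc-0aaa"},
     "AccepterVpcInfo": {"VpcId": "vpc-0fff"}},   # peer not in inventory
]

RESOURCE_TYPE = "AWS::EC2::VPCPeeringConnection"


def _violation(pcx, vpc_tags):
    """Return a reason string if the peering breaks a boundary, else None."""
    req = pcx["RequesterVpcInfo"]["VpcId"]
    acc = pcx["AccepterVpcInfo"]["VpcId"]
    req_tags = vpc_tags.get(req)
    acc_tags = vpc_tags.get(acc)
    # A VPC we cannot classify (e.g. a peer in another account) is treated as
    # a boundary crossing: fail closed rather than assume it is harmless.
    if req_tags is None or acc_tags is None:
        unknown = acc if acc_tags is None else req
        return "peer VPC %s is not in the classified inventory" % unknown
    req_env, acc_env = req_tags.get("Environment"), acc_tags.get("Environment")
    if req_env != acc_env:
        return "crosses environments %s <-> %s" % (req_env, acc_env)
    # Compliance-scoped VPCs (Scope=pci here) may only peer with each other.
    if (req_tags.get("Scope") == "pci") != (acc_tags.get("Scope") == "pci"):
        return "joins a PCI-scoped VPC to an out-of-scope VPC"
    return None


def evaluate_peering(pcx, vpc_tags):
    """Build one evaluation in the shape Config's PutEvaluations expects."""
    reason = _violation(pcx, vpc_tags)
    return {
        "ComplianceResourceType": RESOURCE_TYPE,
        "ComplianceResourceId": pcx["VpcPeeringConnectionId"],
        "ComplianceType": "NON_COMPLIANT" if reason else "COMPLIANT",
        # Config limits annotations to 256 characters.
        "Annotation": (reason or "peering stays within one environment and scope")[:256],
    }


def evaluate_all(peerings, vpc_tags):
    """Evaluate every live peering; deleted/rejected ones carry no traffic."""
    live = ("active", "pending-acceptance", "provisioning")
    return [evaluate_peering(p, vpc_tags) for p in peerings
            if p["Status"]["Code"] in live]


if __name__ == "__main__":
    for ev in evaluate_all(PEERINGS, VPC_TAGS):
        print(ev["ComplianceResourceId"], ev["ComplianceType"], "-", ev["Annotation"])
```

The design point is the fail-closed branch: a peer VPC that the inventory cannot classify (typically one in another account) is reported as NON_COMPLIANT instead of being skipped, because an unclassified link is exactly the cross-boundary path the answer's separate-VPC design is meant to rule out. The same structure extends to Transit Gateway attachments if you swap the resource type and the id fields.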