
Private and public subnets

AWS defines two types of subnet that can be created within a VPC: public and private. By design, the only difference that makes a subnet public rather than private is that instances running in a public subnet are able to access the internet by default and can also be made reachable from the internet by attaching a public IP or an Elastic IP to them. A public subnet is also easy to identify, since it will have an IGW attached to it and a route for all addresses pointing to the IGW.

We can think of a public subnet as a sort of DMZ in classical network terms. The subnet is hidden from public view via a router (the IGW) with 1:1 DNAT rules attached that map the public or Elastic IPs to the IPs of our instances running in the subnet. 

Private subnets are completely cut off from any access to the internet by default, but can communicate with instances running in any subnet within the VPC. We can also control the traffic between subnets through the VPC's network access control lists (NACLs) and define rules that prevent certain subnets from communicating with each other. Private subnets are also able to connect to other networks via a NAT gateway, which allows outbound traffic, as well as through a VPN gateway or Direct Connect connection, which allows the private subnets to communicate with on-premises systems.

This holds true for IPv4, but with IPv6 there is no NAT, because all IPv6 addresses are global unicast addresses. This means that the only way to allow an IPv6 subnet to communicate with the internet is to attach an IGW to it. All IPv6 addresses in a subnet with an IGW attached are inherently able to reach the internet and instantly become reachable from the internet. But what if we want to keep our instances private and still communicate with the internet? For this purpose, AWS introduced the egress-only internet gateway, which allows instances with IPv6 addresses to initiate connections to the internet but does not allow any traffic into the subnet, since ingress traffic is automatically blocked. This is an easy way of making an IPv6 subnet private.
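The three paragraphs above give a concrete rule for telling public from private subnets: look at where the default route (0.0.0.0/0 and, for IPv6, ::/0) in the subnet's route table points. The following script is an added example, not code from the book or from AWS; it applies that rule to route-table data in the shape returned by EC2's DescribeRouteTables call (the `RouteTables`, `Associations`, `Routes`, `GatewayId`, `NatGatewayId` and `EgressOnlyInternetGatewayId` fields are the real API field names, while every ID and CIDR in the sample is constructed). It also flags the IPv6 pitfall described above: a subnet whose IPv4 traffic leaves through a NAT gateway but whose ::/0 route points at the IGW is public for IPv6, not private.

```python
"""Classify VPC subnets as public, private or isolated from route-table data.

Rule used (from the text): a default route to an internet gateway (igw-*) makes
a subnet public; a default route to a NAT gateway (nat-*) or an egress-only
internet gateway (eigw-*) gives it outbound-only access (private); a table with
no default route at all leaves the subnet isolated within the VPC.
"""
from typing import Dict, List

# Constructed sample in the shape of ec2.describe_route_tables()["RouteTables"].
# All IDs and CIDRs are made up for this example.
SAMPLE_ROUTE_TABLES = [
    {   # main route table: local only; subnets without an explicit association use it
        "RouteTableId": "rtb-main0001",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # public subnet: IPv4 and IPv6 default routes to the IGW
        "RouteTableId": "rtb-public01",
        "Associations": [{"Main": False, "SubnetId": "subnet-public01"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123abcd"},
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0123abcd"},
        ],
    },
    {   # private subnet: IPv4 via NAT gateway, IPv6 via egress-only IGW
        "RouteTableId": "rtb-private01",
        "Associations": [{"Main": False, "SubnetId": "subnet-private01"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0456efgh"},
            {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0789ijkl"},
        ],
    },
    {   # intended to be private, but the IPv6 default route goes straight to the IGW
        "RouteTableId": "rtb-private02",
        "Associations": [{"Main": False, "SubnetId": "subnet-private02"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0456efgh"},
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0123abcd"},
        ],
    },
]

# Constructed subnet inventory; the last one has no explicit route-table association.
SAMPLE_SUBNET_IDS = ["subnet-public01", "subnet-private01", "subnet-private02", "subnet-isolated01"]

DEFAULT_DESTINATIONS = {"0.0.0.0/0", "::/0"}


def _table_for(route_tables: List[dict], subnet_id: str) -> dict:
    """Return the route table a subnet uses: its explicit association, else the VPC main table."""
    for rt in route_tables:
        if any(assoc.get("SubnetId") == subnet_id for assoc in rt["Associations"]):
            return rt
    return next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))


def _default_route_targets(route_table: dict) -> Dict[str, str]:
    """Map each default destination present in the table (0.0.0.0/0, ::/0) to its target ID."""
    targets: Dict[str, str] = {}
    for route in route_table["Routes"]:
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest in DEFAULT_DESTINATIONS:
            for key in ("GatewayId", "NatGatewayId", "EgressOnlyInternetGatewayId"):
                if key in route:
                    targets[dest] = route[key]
    return targets


def classify_subnets(route_tables: List[dict], subnet_ids: List[str]) -> Dict[str, str]:
    """Label each subnet 'public', 'private' (outbound only) or 'isolated'."""
    result = {}
    for subnet in subnet_ids:
        targets = _default_route_targets(_table_for(route_tables, subnet)).values()
        if any(t.startswith("igw-") for t in targets):
            result[subnet] = "public"      # any default route via an IGW exposes the subnet
        elif any(t.startswith(("nat-", "eigw-")) for t in targets):
            result[subnet] = "private"     # outbound only; no inbound path from the internet
        else:
            result[subnet] = "isolated"    # local VPC traffic only
    return result


def ipv6_exposed_subnets(route_tables: List[dict], subnet_ids: List[str]) -> List[str]:
    """Subnets whose ::/0 route points at an IGW: every IPv6 address in them is internet-reachable."""
    return [s for s in subnet_ids
            if _default_route_targets(_table_for(route_tables, s)).get("::/0", "").startswith("igw-")]


if __name__ == "__main__":
    for subnet, label in classify_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNET_IDS).items():
        print(f"{subnet}: {label}")
    print("IPv6-exposed:", ipv6_exposed_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNET_IDS))
```

Against real accounts you would feed `classify_subnets` the output of `describe_route_tables` and the subnet IDs from `describe_subnets`; the sample data here is enough to show that `subnet-private02` comes out as `public` even though its IPv4 traffic goes through a NAT gateway, which is exactly the case the egress-only internet gateway exists to fix.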
