
Private and public subnets

AWS defines two types of subnets that can be created within a VPC network: public and private. By design, the only difference that makes a subnet public rather than private is that instances running in a public subnet are able to access the internet by default and can also be made publicly reachable by attaching a public or Elastic IP to them. A public subnet is also easy to identify, as it will have an IGW attached to it and a route for all addresses pointing to the IGW.

We can think of a public subnet as a sort of DMZ in classical network terms. The subnet is hidden from public view via a router (the IGW) with 1:1 DNAT rules attached that map the public or Elastic IPs to the IPs of our instances running in the subnet. 

Private subnets are completely cut off from any access to the internet by default, but can communicate with any instances running in all subnets that exist in the VPC. We can also control the traffic between all subnets through the VPC's network access control lists (NACLs) and define rules that prevent certain subnets from communicating with each other. Private subnets are also able to connect to other networks via a NAT gateway, which allows outbound traffic only, as well as through a VPN Gateway or Direct Connect connection, which allows the private subnets to communicate with on-premises systems.

This holds true for IPv4, but when we're using IPv6, there is no such concept as NAT, because all IPv6 addresses are global unicast addresses. This means that the only way to allow an IPv6 subnet to communicate with the internet is to attach an IGW to the subnet. All IPv6 addresses in a subnet with an IGW attached are inherently able to access the internet and instantly become accessible from the internet. But what if we want to keep our instances private and still communicate with the internet? For this purpose, AWS has introduced a so-called egress-only internet gateway that can be used to allow instances with IPv6 addresses to communicate with the internet, but does not allow any traffic into the subnet, since ingress traffic is automatically blocked. This is an easy way of making an IPv6 subnet private.
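The public/private distinction described above lives in the route table, so it can be audited rather than guessed. The following is an added Python example, not code from the book: it classifies each subnet of a VPC as public (default route to an IGW), private with egress (default route to a NAT gateway, or an IPv6 default route to an egress-only internet gateway), or isolated (no default route at all), using data shaped like the EC2 DescribeRouteTables and DescribeSubnets responses. It goes a little beyond the text by applying the VPC's main route table to subnets that have no explicit association and by ignoring routes in the blackhole state, which is how EC2 actually resolves routing. All VPC, subnet, gateway and route-table identifiers below are constructed for the example; feeding it real boto3 output is left to the reader.

```python
"""Classify VPC subnets as public or private from their route tables.

Added example (not from the book). The sample VPC below is constructed;
the dictionaries mimic the shape of EC2 DescribeSubnets / DescribeRouteTables.
"""

# Constructed sample data: one VPC with four subnets.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-web", "VpcId": "vpc-demo"},
    {"SubnetId": "subnet-app", "VpcId": "vpc-demo"},
    {"SubnetId": "subnet-db", "VpcId": "vpc-demo"},   # no explicit association
    {"SubnetId": "subnet-v6", "VpcId": "vpc-demo"},
]

SAMPLE_ROUTE_TABLES = [
    {   # main route table: only the local route, so anything left on it is isolated
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # public subnet: default route points at the internet gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-web"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-demo"},
        ],
    },
    {   # private subnet with outbound-only access through a NAT gateway
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-app"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-demo"},
        ],
    },
    {   # IPv6 subnet kept private with an egress-only internet gateway
        "RouteTableId": "rtb-v6",
        "Associations": [{"SubnetId": "subnet-v6"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationIpv6CidrBlock": "::/0",
             "EgressOnlyInternetGatewayId": "eigw-demo"},
        ],
    },
]


def effective_route_table(subnet_id, route_tables):
    """Return the table explicitly associated with the subnet, or the VPC's
    main table if there is none (the fallback EC2 itself applies)."""
    main = None
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def default_route_target(rtb, family):
    """Return what the default route for the address family points at
    ('internet-gateway', 'nat-gateway', 'egress-only-gateway', 'other'),
    or None when there is no usable default route."""
    if family == "ipv4":
        key, default = "DestinationCidrBlock", "0.0.0.0/0"
    else:
        key, default = "DestinationIpv6CidrBlock", "::/0"
    for route in rtb.get("Routes", []):
        if route.get(key) != default or route.get("State") == "blackhole":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "internet-gateway"
        if route.get("NatGatewayId"):
            return "nat-gateway"
        if route.get("EgressOnlyInternetGatewayId"):
            return "egress-only-gateway"
        return "other"  # e.g. virtual private gateway, transit gateway
    return None


def classify_subnet(subnet_id, route_tables):
    """Public if either family reaches an IGW; private-egress for NAT or
    egress-only gateways; private-isolated when no default route exists."""
    rtb = effective_route_table(subnet_id, route_tables)
    if rtb is None:
        return "private-isolated"
    v4 = default_route_target(rtb, "ipv4")
    v6 = default_route_target(rtb, "ipv6")
    if "internet-gateway" in (v4, v6):
        return "public"
    if v4 == "nat-gateway" or v6 == "egress-only-gateway":
        return "private-egress"
    if v4 is None and v6 is None:
        return "private-isolated"
    return "private-other"


def classify_vpc(subnets, route_tables):
    """Map every subnet id to its classification."""
    return {s["SubnetId"]: classify_subnet(s["SubnetId"], route_tables)
            for s in subnets}


if __name__ == "__main__":
    for subnet_id, kind in classify_vpc(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES).items():
        print(f"{subnet_id}: {kind}")
```

Note that the classification looks only at routing; a subnet marked public still needs an instance to actually hold a public or Elastic IP before it is reachable from the internet, and the NACL rules from the previous paragraph sit on top of whatever the route table allows.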
