
Private and public subnets

AWS defines two types of subnets that can be created within a VPC network: public and private. By design, the only difference that makes a subnet public rather than private is that instances running in a public subnet are able to access the internet by default and can also be made reachable from the internet by attaching a public or Elastic IP to them. A public subnet is also easy to identify: it has an IGW attached to it and a route for all addresses (the default route) pointing to that IGW.

We can think of a public subnet as a sort of DMZ in classical network terms: the subnet is hidden from public view behind a router (the IGW) with 1:1 DNAT rules that map the public or Elastic IPs to the private IPs of the instances running in the subnet.

Private subnets are completely cut off from any access to the internet by default, but can communicate with any instances running in all subnets that exist in the VPC. We can also control the traffic between all subnets through the VPC's network access control lists (NACLs) and define rules that prevent certain subnets from communicating with each other. Private subnets are also able to connect to other networks via a NAT gateway, which allows outbound traffic only, as well as through a VPN Gateway or Direct Connect connection, which allows the private subnets to communicate with on-premises systems.

This holds true for IPv4, but with IPv6 there is no NAT, because all IPv6 addresses are global unicast addresses. This means that the only way to allow an IPv6 subnet to communicate with the internet is to attach an IGW to the subnet. All IPv6 addresses in a subnet with an IGW attached are inherently able to access the internet and, at the same time, become reachable from the internet. But what if we want to keep our instances private and still let them reach the internet? For this purpose, AWS has introduced the egress-only internet gateway, which allows instances with IPv6 addresses to initiate connections to the internet but does not allow any inbound traffic into the subnet, since ingress connections are blocked. This is an easy way of making an IPv6 subnet private.
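The identification rule given above (public subnet = default route to an IGW; private = default route to a NAT gateway, an egress-only gateway, or no default route at all) is something a reviewer usually wants to check across a whole VPC rather than by eye. The following script is an added example and not code from the book: it classifies each subnet from its route table for both IPv4 and IPv6, and flags any subnet that is reachable from the internet on either family, including the IPv6 pitfall described above where the IPv4 side goes through NAT but the IPv6 default route still points at the IGW. The input mirrors the field names of the EC2 `DescribeRouteTables` response, but all route table, subnet and gateway IDs here are constructed sample values, not real resources.

```python
"""Classify VPC subnets as public / private from their route tables.

Added example: the data below is constructed to look like an EC2
DescribeRouteTables response; none of the IDs refer to real resources.
"""
from typing import Dict, List, Optional

# Constructed sample: four route tables, each associated with one subnet.
SAMPLE_ROUTE_TABLES: List[dict] = [
    {   # classic public subnet: IPv4 and IPv6 default routes both go to the IGW
        "RouteTableId": "rtb-web-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-web-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"},
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-EXAMPLE"},
        ],
    },
    {   # private subnet: IPv4 via NAT gateway, IPv6 via egress-only gateway
        "RouteTableId": "rtb-app-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-app-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"},
            {"DestinationIpv6CidrBlock": "::/0",
             "EgressOnlyInternetGatewayId": "eigw-EXAMPLE"},
        ],
    },
    {   # the IPv6 pitfall: IPv4 is NAT-only, but IPv6 still points at the IGW
        "RouteTableId": "rtb-mixed-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-mixed-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"},
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-EXAMPLE"},
        ],
    },
    {   # isolated subnet: only the local route, no default route at all
        "RouteTableId": "rtb-db-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-db-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        ],
    },
]


def default_route_target(routes: List[dict], family: str) -> Optional[str]:
    """Return what the default route of the given family points at:
    'igw', 'nat', 'eigw', 'other' (e.g. a virtual private gateway), or
    None when the route table has no default route for that family."""
    key = "DestinationCidrBlock" if family == "ipv4" else "DestinationIpv6CidrBlock"
    default = "0.0.0.0/0" if family == "ipv4" else "::/0"
    for route in routes:
        if route.get(key) != default or route.get("State", "active") != "active":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if "NatGatewayId" in route:
            return "nat"
        if "EgressOnlyInternetGatewayId" in route:
            return "eigw"
        return "other"
    return None


IPV4_LABEL = {"igw": "public", "nat": "private (NAT egress)", None: "isolated"}
IPV6_LABEL = {"igw": "public", "eigw": "private (egress-only)", None: "no IPv6 default route"}


def classify_subnets(route_tables: List[dict]) -> Dict[str, Dict[str, str]]:
    """Map each associated subnet ID to its IPv4 / IPv6 classification."""
    result: Dict[str, Dict[str, str]] = {}
    for table in route_tables:
        v4 = default_route_target(table["Routes"], "ipv4")
        v6 = default_route_target(table["Routes"], "ipv6")
        for assoc in table.get("Associations", []):
            subnet_id = assoc.get("SubnetId")   # the main table has no SubnetId
            if subnet_id:
                result[subnet_id] = {
                    "route_table": table["RouteTableId"],
                    "ipv4": IPV4_LABEL.get(v4, "private (other default route)"),
                    "ipv6": IPV6_LABEL.get(v6, "other default route"),
                }
    return result


def publicly_reachable(route_tables: List[dict]) -> List[str]:
    """Subnets reachable from the internet on either address family.
    An instance in such a subnet becomes reachable as soon as it holds a
    public/Elastic IPv4 or any IPv6 address, which is the point to review."""
    classes = classify_subnets(route_tables)
    return sorted(s for s, c in classes.items() if "public" in (c["ipv4"], c["ipv6"]))


if __name__ == "__main__":
    for subnet, info in classify_subnets(SAMPLE_ROUTE_TABLES).items():
        print(f"{subnet:22} {info['route_table']:18} v4={info['ipv4']:30} v6={info['ipv6']}")
    print("internet-reachable:", publicly_reachable(SAMPLE_ROUTE_TABLES))
```

To run this against a real account, replace `SAMPLE_ROUTE_TABLES` with the `RouteTables` list returned by `describe_route_tables` in boto3 (the field names match). Note that `subnet-mixed-EXAMPLE` is reported as internet-reachable even though its IPv4 side is NAT-only; that is exactly the IPv6 case the text describes, and the fix is to point the `::/0` route at an egress-only internet gateway instead of the IGW.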
