4 votes

AWS beginner here. This question is about AWS VPC NAT instances.

As per the docs "You can use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the Internet or other AWS services, but prevent the instances from receiving inbound traffic initiated by someone on the Internet."

But can this not be achieved by using a security group with the outbound rule: "0.0.0.0/0: All traffic" and restricting the inbound rule to receive only from within the VPC?

What am I missing here?

Sure it can. It's about fine-grain security setup. – Antoniossss
I can allow a co-worker to spin up the machines only in the private subnet and then I don't have to worry if they got the SG right. – Jakub Kania
I recommend asking this question on security.stackexchange.com. – kenlukas

1 Answer

6 votes

But can this not be achieved by using a security group with the outbound rule: "0.0.0.0/0: All traffic" and restricting the inbound rule to receive only from within the VPC?

The above is true only if the instances also have a public IP address assigned to them. If they do not have a public IP assigned to them then the NAT gateway/instance is required for Internet access.
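As an added example (not code from the question or the answer author), the following Python classifies an instance's outbound IPv4 path from constructed records shaped like trimmed `aws ec2 describe-instances`, `describe-route-tables` and `describe-security-groups` output; it shows that the "all traffic out" security group rule is necessary but not sufficient. IDs such as `igw-example` and `nat-example` are placeholders.

```python
"""Classify an EC2 instance's Internet egress path (constructed sample data).

An outbound-allow security group rule only helps if packets also have a route
and a translatable address: either a public IP plus an Internet gateway route,
or a route to a NAT gateway/instance that does the translation.
"""


def sg_allows_all_egress(sg):
    """True if an egress rule permits all protocols to 0.0.0.0/0 (the rule in the question)."""
    for perm in sg.get("IpPermissionsEgress", []):
        if perm.get("IpProtocol") == "-1" and any(
            r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])
        ):
            return True
    return False


def default_route_target(rt):
    """Return the target of the subnet's active 0.0.0.0/0 route, or None."""
    for r in rt.get("Routes", []):
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State", "active") == "active":
            # describe-route-tables uses a different key per target type
            return (r.get("GatewayId") or r.get("NatGatewayId")
                    or r.get("InstanceId") or r.get("NetworkInterfaceId"))
    return None


def egress_path(instance, rt, sg):
    """Describe how (or whether) the instance can initiate IPv4 traffic to the Internet."""
    if not sg_allows_all_egress(sg):
        return "none: security group blocks egress"
    target = default_route_target(rt)
    if target is None:
        return "none: no default route"
    if target.startswith("igw-"):
        # The case the answer warns about: an IGW route is useless without a public IP
        if instance.get("PublicIpAddress"):
            return "direct via internet gateway"
        return "none: igw route but no public IP"
    if target.startswith(("nat-", "i-", "eni-")):  # NAT gateway, NAT instance, or its ENI
        return "via NAT gateway/instance"
    return "unknown target " + target


# Constructed sample records (placeholder IDs, documentation-range public IP)
SG_OPEN_EGRESS = {"IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
RT_PUBLIC = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]}
RT_PRIVATE_NAT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                             {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]}
INSTANCE_PUBLIC = {"InstanceId": "i-pub", "PrivateIpAddress": "10.0.1.10", "PublicIpAddress": "203.0.113.10"}
INSTANCE_PRIVATE = {"InstanceId": "i-priv", "PrivateIpAddress": "10.0.2.10"}
```

Running `egress_path(INSTANCE_PRIVATE, RT_PUBLIC, SG_OPEN_EGRESS)` returns "none: igw route but no public IP", which is exactly the gap the NAT gateway/instance fills.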