So I have been following some VPC architect guide(s), which encouraged me to zone subnets by layers (instead of simply public/private subnets)
Then I decided I would have these subnets:
- elb-public
- elb-internal
- service
- database
Now I want to forbid anything within the elb-* subnets to reach the database subnet. By default, everything within a VPC can reach each other via the local route in route tables, and AWS doesn't allow the deletion of these routes, which is not my desired behaviour.
In the article I linked above, there's an approach that splits everything to VPCs and connect them with VPC peering, so in other to restrict access between VPCs I can simply don't peer them. But this approach seems a little complicated to me and I wish to find a solution that doesn't require me to split anything to VPCs.
How do I achieve the use-case mentioned?
