WKLD.10 – Deploy private resources into private subnets - AWS Prescriptive Guidance


Deploy resources that don’t require direct internet access, such as EC2 instances, databases, queues, caches, or other infrastructure, into a VPC private subnet. A private subnet has no route in its route table to an attached internet gateway, so it cannot receive inbound internet traffic. Traffic originating from a private subnet and destined for the internet must undergo network address translation (NAT) through either a managed AWS NAT gateway or an EC2 instance running NAT processes in a public subnet. For more information about network isolation, see Infrastructure security in Amazon VPC (Amazon VPC documentation).

Use the following practices when creating private resources and subnets:

  • When creating a private subnet, disable auto-assign public IPv4 address.

  • When creating private EC2 instances, disable Auto-assign Public IP. This prevents a public IP from being assigned if the instance is unintentionally deployed into a public subnet via misconfiguration.

Where a resource requires a subnet, you specify it as part of the resource’s configuration. You can deploy a VPC that follows these practices by using the Modular and Scalable VPC Architecture Quick Start (AWS Quick Starts).
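The two checks above (no internet gateway route on a private subnet, and auto-assign public IPv4 disabled) can be verified against the VPC API data rather than by eye. The following Python is an added example, not code from the AWS guidance or the Quick Start: it classifies subnets as public or private from dicts shaped like EC2 DescribeSubnets and DescribeRouteTables responses (constructed sample data, with a hypothetical "Tier" tag recording each subnet’s intended role), flags intended-private subnets that break either rule, and builds the RunInstances NetworkInterfaces entry that pins an instance to a subnet with AssociatePublicIpAddress set to false.

```python
"""Audit VPC subnets against the "private resources in private subnets" rules.

Added example, not part of the AWS page. Works offline on constructed data
shaped like boto3 describe_subnets() / describe_route_tables() output; the
"Tier" tag is an assumed convention for the subnet's intended role.
"""

# Constructed sample data (not from a real account).
SUBNETS = [
    {"SubnetId": "subnet-pub1", "VpcId": "vpc-1", "MapPublicIpOnLaunch": True,
     "Tags": [{"Key": "Tier", "Value": "public"}]},
    {"SubnetId": "subnet-priv1", "VpcId": "vpc-1", "MapPublicIpOnLaunch": False,
     "Tags": [{"Key": "Tier", "Value": "private"}]},
    # Intended private, but auto-assign public IPv4 was left enabled (rule 1).
    {"SubnetId": "subnet-priv2", "VpcId": "vpc-1", "MapPublicIpOnLaunch": True,
     "Tags": [{"Key": "Tier", "Value": "private"}]},
    # Intended private, but associated with a route table that reaches an IGW.
    {"SubnetId": "subnet-priv3", "VpcId": "vpc-1", "MapPublicIpOnLaunch": False,
     "Tags": [{"Key": "Tier", "Value": "private"}]},
]

ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "VpcId": "vpc-1",
     "Associations": [{"SubnetId": "subnet-pub1"}, {"SubnetId": "subnet-priv3"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private", "VpcId": "vpc-1",
     "Associations": [{"SubnetId": "subnet-priv1"}, {"SubnetId": "subnet-priv2"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                # Outbound-only path via a NAT gateway in a public subnet.
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
    # Main route table: used implicitly by subnets with no explicit association.
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]


def tag(resource, key):
    """Return the value of tag `key` on an EC2 resource dict, or None."""
    for t in resource.get("Tags", []):
        if t.get("Key") == key:
            return t.get("Value")
    return None


def route_table_for(subnet, route_tables):
    """Resolve the route table a subnet actually uses: its explicit
    association if any, otherwise the VPC's main route table."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet["SubnetId"] for a in rt.get("Associations", [])):
            return rt
    for rt in route_tables:
        if rt.get("VpcId") == subnet["VpcId"] and any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    return None


def igw_routes(rt):
    """Routes targeting an internet gateway (igw-...). Any such route makes the
    subnet public; NAT gateways and egress-only gateways (eigw-) do not."""
    return [r for r in rt.get("Routes", []) if str(r.get("GatewayId", "")).startswith("igw-")]


def classify(subnets, route_tables):
    """Map subnet id -> tier, effective route table, public?, auto-assign IP?"""
    result = {}
    for s in subnets:
        rt = route_table_for(s, route_tables)
        result[s["SubnetId"]] = {
            "tier": tag(s, "Tier"),
            "route_table": rt["RouteTableId"] if rt else None,
            "public": bool(igw_routes(rt)) if rt else False,
            "map_public_ip": bool(s.get("MapPublicIpOnLaunch")),
        }
    return result


def audit(subnets, route_tables):
    """Return {subnet_id: [finding, ...]} for subnets tagged private that
    violate either rule from the guidance."""
    findings = {}
    for sid, info in classify(subnets, route_tables).items():
        if info["tier"] != "private":
            continue
        problems = []
        if info["map_public_ip"]:
            problems.append("auto-assign public IPv4 is enabled on the subnet")
        if info["public"]:
            problems.append(f"route table {info['route_table']} has a route to an internet gateway")
        if problems:
            findings[sid] = problems
    return findings


def private_instance_nic(subnet_id):
    """NetworkInterfaces entry for EC2 RunInstances that pins the instance to
    `subnet_id` and disables Auto-assign Public IP (rule 2), so an instance
    mistakenly launched into a public subnet still gets no public IPv4."""
    return [{"DeviceIndex": 0, "SubnetId": subnet_id, "AssociatePublicIpAddress": False}]


if __name__ == "__main__":
    for sid, problems in audit(SUBNETS, ROUTE_TABLES).items():
        print(f"{sid}: " + "; ".join(problems))
```

Against a live account, replace the two constants with the `Subnets` and `RouteTables` lists returned by boto3’s `describe_subnets()` and `describe_route_tables()`; the classification deliberately follows the page’s definition (a subnet is public if and only if its effective route table has a route to an internet gateway), so a route to a NAT gateway keeps the subnet private.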