Security - Building a Modular and Scalable Virtual Network Architecture with Amazon VPC


Public and Private Subnets

This Quick Start provisions one public and one private subnet in each Availability Zone by default. You can also choose to add more private subnets, each with its own dedicated network ACL.

A public subnet is directly routable to the Internet via a route in its route table that points to the Internet gateway. This type of subnet allows the use of Elastic IPs and public IPs, and an instance in it that has a public or Elastic IP address is reachable from the Internet if the security group and network ACLs permit the traffic. A public subnet is useful as a DMZ for web servers and for Internet-facing Elastic Load Balancing (ELB) load balancers.

Private subnets can indirectly route to the Internet via a NAT instance or NAT gateway. These NAT devices reside in a public subnet so that they can route directly to the Internet. Because a private subnet has no route to the Internet gateway, its instances are not reachable from outside the Amazon VPC, even if a public or Elastic IP address is attached to them. A private subnet is useful for application servers and databases.
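The public/private distinction above is a property of the route table, not of the subnet object itself, so an audit has to derive it from the routes. The following Python script is an added example (not code from the Quick Start or from AWS) that classifies subnets from data shaped like the responses of boto3's describe_route_tables and describe_nat_gateways calls; the data itself is constructed inline with fictitious IDs and CIDRs so the script runs offline. It also checks the rule stated above that a NAT device must sit in a public subnet.

```python
"""Classify VPC subnets as public/private/isolated from their route tables.

Added example for this page, not part of the Quick Start. The inputs mimic
the shape of boto3 describe_route_tables() / describe_nat_gateways() output
but are constructed inline; every ID and CIDR below is made up.
"""
from __future__ import annotations

# Constructed sample: one public and one private subnet, a NAT gateway in the
# public subnet, and a subnet with no explicit association (falls back to main).
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-public-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"},
        ],
    },
    {
        "RouteTableId": "rtb-private-a",
        "Associations": [{"SubnetId": "subnet-private-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"},
        ],
    },
    {
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        ],
    },
]

SUBNETS = ["subnet-public-a", "subnet-private-a", "subnet-orphan-a"]

NAT_GATEWAYS = [{"NatGatewayId": "nat-0123", "SubnetId": "subnet-public-a"}]


def route_table_for(subnet_id: str, route_tables) -> dict:
    """An explicit association wins; otherwise the VPC's main table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    for rt in route_tables:
        if any(a.get("Main") for a in rt["Associations"]):
            return rt
    raise LookupError("VPC has no main route table")


def default_route_target(rt: dict) -> str | None:
    """Target of the 0.0.0.0/0 route, or None when the table has no default route."""
    for r in rt["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return r.get("GatewayId") or r.get("NatGatewayId") or r.get("InstanceId")
    return None


def classify_subnet(subnet_id: str, route_tables=ROUTE_TABLES) -> str:
    """'public' if the default route is an Internet gateway, 'private' if it is a
    NAT gateway or NAT instance, 'isolated' if there is no default route at all."""
    target = default_route_target(route_table_for(subnet_id, route_tables))
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    return "private"


def nat_placement_findings(nat_gateways=NAT_GATEWAYS, route_tables=ROUTE_TABLES) -> list[str]:
    """A NAT device only works from a public subnet; report any that is elsewhere."""
    findings = []
    for nat in nat_gateways:
        kind = classify_subnet(nat["SubnetId"], route_tables)
        if kind != "public":
            findings.append(f"{nat['NatGatewayId']} is in {kind} subnet {nat['SubnetId']}")
    return findings


if __name__ == "__main__":
    for s in SUBNETS:
        print(f"{s}: {classify_subnet(s)}")
    print("NAT placement findings:", nat_placement_findings() or "none")
```

Against a real account you would replace the constructed lists with the boto3 responses; the classification logic does not change. A subnet that falls back to the main route table is reported as "isolated" here because the sample main table carries only the local route, which is the safe default when you do not want an accidental public subnet.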

Using Security Groups and Network ACLs

The following table (reprinted here from the AWS documentation for convenience) describes the differences between security groups and network ACLs:

Security group | Network ACL
Operates at the instance level (first layer of defense) | Operates at the subnet level (second layer of defense)
Supports allow rules only | Supports allow rules and deny rules
Is stateful: return traffic is automatically allowed, regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules
All rules are evaluated before deciding whether to allow traffic | Rules are processed in numerical order, and the first matching rule decides whether to allow traffic
Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets it is associated with (backup layer of defense, so you don't have to rely on someone specifying the security group)

The network ACLs in this Quick Start are configured as follows:

  • All public and private subnets are associated with the same default network ACL, which is automatically created for all VPCs on AWS. This network ACL allows all inbound and outbound traffic. As you deploy instances and services, you should associate them with security groups and allow only the traffic and ports needed for your application.

  • Each additional private subnet is associated with a custom network ACL (1:1 ratio). These network ACLs are initially configured to allow all inbound and outbound traffic to facilitate the deployment of additional instances and services. As with the other subnets, you should use security groups to secure the environment internally, and you can lock down the custom network ACLs during or after deployment as required by your application.
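The two properties in the table that bite hardest when you start locking down the custom network ACLs are statelessness and rule ordering: a network ACL that allows inbound HTTPS but nothing outbound silently breaks every connection, because the replies leave on the client's ephemeral port, and a deny rule numbered after a broader allow is never reached. The following Python model is an added example (not AWS code and not part of the Quick Start) that implements both evaluation semantics from the table and runs one HTTPS connection through a stateful security group, a naively locked-down network ACL, the corrected network ACL, and two orderings of a deny rule. Addresses, rule numbers and the ephemeral port range are constructed for the example.

```python
"""Stateful security group vs stateless, ordered network ACL (added example).

Models the two evaluation semantics on a single HTTPS connection so the
practical difference (return traffic and rule ordering) is visible.
All addresses and rule numbers are constructed, not taken from the Quick Start.
"""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # assumed client source-port range for return traffic


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = toward the instance/subnet, "out" = leaving it
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self) -> "Packet":
        """The reply packet: direction flipped, endpoints and ports swapped."""
        return Packet("out" if self.direction == "in" else "in",
                      self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port_lo: int
    port_hi: int
    cidr: str          # remote side: source for "in" rules, destination for "out" rules
    action: str = "allow"
    number: int = 0    # only meaningful for network ACL rules

    def matches(self, p: Packet) -> bool:
        remote = p.src if p.direction == "in" else p.dst
        return (self.direction == p.direction
                and self.proto in (p.proto, "all")
                and self.port_lo <= p.dport <= self.port_hi
                and ipaddress.ip_address(remote) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Allow rules only, any matching rule permits, and it is stateful."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()  # connection tracking table

    def allows(self, p: Packet) -> bool:
        if p.reverse() in self.flows:  # return traffic of a tracked connection
            return True
        if any(r.matches(p) for r in self.rules):
            self.flows.add(p)
            return True
        return False


class NetworkAcl:
    """Allow and deny rules, lowest rule number that matches wins, stateless,
    and an implicit deny (the '*' rule) when nothing matches."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, p: Packet) -> bool:
        for r in self.rules:
            if r.matches(p):
                return r.action == "allow"
        return False


def connection_survives(filt, request: Packet) -> bool:
    """True only if both the request and its reply get through the filter."""
    return filt.allows(request) and filt.allows(request.reverse())


# Constructed scenario: an Internet client reaching a web server at 10.0.0.5:443.
REQUEST = Packet("in", "203.0.113.10", "10.0.0.5", "tcp", 51234, 443)
BAD_NET = "198.51.100.0/24"
BAD_REQUEST = Packet("in", "198.51.100.7", "10.0.0.5", "tcp", 40000, 443)

# Security group with a single inbound allow and no outbound rule at all.
SG_HTTPS_ONLY = SecurityGroup([Rule("in", "tcp", 443, 443, "0.0.0.0/0")])

# Network ACL "locked down" to inbound 443 only: replies hit the implicit deny.
NACL_NAIVE = NetworkAcl([Rule("in", "tcp", 443, 443, "0.0.0.0/0", number=100)])

# Corrected: outbound ephemeral ports opened so replies can leave the subnet.
NACL_FIXED = NetworkAcl([
    Rule("in", "tcp", 443, 443, "0.0.0.0/0", number=100),
    Rule("out", "tcp", *EPHEMERAL, "0.0.0.0/0", number=100),
])

# Same deny rule for BAD_NET, numbered after (110) and before (90) the allow.
NACL_DENY_TOO_LATE = NetworkAcl(NACL_FIXED.rules + [Rule("in", "tcp", 443, 443, BAD_NET, "deny", number=110)])
NACL_DENY_FIRST = NetworkAcl(NACL_FIXED.rules + [Rule("in", "tcp", 443, 443, BAD_NET, "deny", number=90)])

if __name__ == "__main__":
    print("security group, no outbound rule:", connection_survives(SG_HTTPS_ONLY, REQUEST))
    print("naive network ACL:", connection_survives(NACL_NAIVE, REQUEST))
    print("fixed network ACL:", connection_survives(NACL_FIXED, REQUEST))
    print("deny numbered 110 blocks bad source:", not NACL_DENY_TOO_LATE.allows(BAD_REQUEST))
    print("deny numbered 90 blocks bad source:", not NACL_DENY_FIRST.allows(BAD_REQUEST))
```

The model also shows why the network ACL is the right place for the deny: a security group cannot express "block this source" at all, so when you do need to shut out a network, add the deny to the subnet's network ACL and give it a lower number than any allow it must override.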

If the Quick Start deploys NAT instances instead of NAT gateways in the AWS Region you selected, it adds a single security group that acts as a virtual firewall for the NAT instances. Traffic from instances in the private subnets must be permitted by this security group for them to reach the Internet through the NAT instances. The security group is configured as follows:

Inbound rules
Source | Protocol | Ports

Outbound rules
Destination | Protocol | Ports
 | All | All

For additional details, see Security in Your VPC in the Amazon VPC documentation.