AWS VPC NAT Gateway vs. Public Subnet: which is better cost-wise?

1

Hello, I am having trouble understanding the purpose of a NAT gateway if EC2 instances in a public subnet can still have a private IP as well as a public IP.

I have two free tier EC2 instances that won't have any inbound-facing services like a web server, but both will need outbound access to the Internet to download updates.

Is it more cost effective to have both instances with their own private IPs on a private subnet with NAT gateway? Or is it better to have both instances in a public subnet both with their own private and public IPs going through internet gateway?

If it matters, I will also be setting up a site-to-site VPN between the VPC and my on-prem network to communicate with the EC2 instances by their private IPs.

2 Answers
4
Accepted Answer

First things first: if there is no requirement for a server to be public-facing, it shouldn't be in a public subnet.

NAT gateways are primarily and most commonly used for instances in a private subnet to have internet access to download patches/software/updates, connect to the on-prem network, etc.

This question should be focused more on security best practices instead of cost, and the answer is: have the instances in a private subnet if they are not required to serve as a web server.

Please refer to the NAT Gateway documentation, where it explains the purpose of a NAT gateway, its types (private and public), and specifically its use cases.

Lastly, to your question on cost: with an understanding of NATGW, if you still think that a NATGW is not required, then the cost would definitely be lower in the second option (have both instances in a public subnet, both with their own private and public IPs, going through the internet gateway).

AWS EXPERT, answered 10 months ago
AWS EXPERT, reviewed 10 months ago
  • Thanks for the reply. I am experienced with NAT and its intended purpose in security best practice, so this was truly a cost analysis question.

    I wasn't able to find any documentation on the costs involved with going the public subnet and internet gateway route. For my region, the NAT gateway route would be 0.045 cents an hour and 0.045 cents per gigabyte of transfer, which for me would be a minimum of $33/month.

    This is my first experience with AWS, so I am in an evaluation stage. I was just thinking long term to see if it was worth retiring my on-prem hypervisor. It's nothing production-worthy, just a simple home lab with a few VMs. But I am still determining if full cloud is more economical than upgrading on-prem hardware.

    You did mention that the NAT gateway would be necessary for connecting to the on-prem network. Since I am planning a site-to-site VPN, it sounds like the NAT gateway option is required.

  • OK, I think I am starting to understand. So per your suggestion, I should just have the two EC2 instances in a public subnet with both private and public IPs assigned, create security groups that block all inbound traffic and allow all outbound traffic, and then have a site-to-site VPN that connects on-prem to the VPC public subnet, thus omitting the NAT gateway and elastic IP and their cost altogether. Did I get that right? As for the last piece I forgot to mention, the S3 endpoint: does that still work so as to not count as billable egress traffic if the EC2 instances are in a public subnet? One of the EC2 instances will eventually connect to an S3 bucket.

  • If you block all inbound traffic through the SG, then security patches/software downloads won't work. When I mentioned restricting traffic through the SG as much as possible, it means: restrict it as much as possible and reduce the possibility of any unwanted attack/exploit of your instances. Only allow the inbound traffic which you know "should be allowed". Since you mentioned that it's not production-worthy and you understand that part, it's fine to have the instances in a public subnet, but with caution. Refer to the subnet security section. Having cost in mind first before security: yes, you got that right (NATGW is not a cost-effective way). The second question is interesting; I believe once you add the S3 gateway VPC endpoint as a target in your private subnet route table for traffic destined from your VPC to Amazon S3, the traffic won't use the IGW and will communicate directly through the endpoint. Most importantly, there is no cost associated with gateway VPC endpoints. Hope that helps.

    PS: For other viewers who refer to this post, this conversation is only centered on cost, not security. It's always recommended to have instances in a private subnet unless they are necessarily required to be in a public subnet.

  • A site-to-site VPN along with a virtual private gateway serves that purpose well enough for connecting to the on-premises network, and you don't need a NATGW specifically for that purpose, though a public NATGW gives you the ability to connect to the on-premises network; refer to this document. Here is how to access the on-premises network using AWS VPN. Since you mentioned it's for a home lab and nothing production-worthy, you definitely should not go with a NATGW; you would have an IGW anyway, which is enough for patching etc. if you are OK keeping instances in a public subnet. But keep your NACL and security group fairly strict so that your instances don't get compromised.

    Lastly, like I mentioned before, NATGW is 95% used because instances can't be in a public subnet due to security risk, which is not required in your case (as you understand that part), so you can keep instances in a public subnet with public and private IPs; that would definitely save cost over the NATGW route.
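As an added example (not code from the thread, the answerer, or AWS), here is the layout the comments above settle on, written as a Terraform configuration: a public subnet routed through an IGW, no NAT gateway, a security group with no ingress rules and unrestricted egress, an S3 gateway endpoint attached to the same route table so bucket traffic never crosses the IGW, and a virtual private gateway for the site-to-site VPN. The region, CIDR ranges, resource names and the on-prem range are assumptions; the customer gateway and `aws_vpn_connection` are left out. One practitioner's caveat it encodes: security groups are stateful, so an instance with zero ingress rules still receives the replies to its own outbound package downloads.

```hcl
# Added example: public-subnet, no-NAT layout for a home lab.
# Assumed values: region us-east-1, VPC 10.0.0.0/16, on-prem 192.168.0.0/16.

provider "aws" {
  region = "us-east-1" # assumption
}

resource "aws_vpc" "lab" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.lab.id
}

# Virtual private gateway for the site-to-site VPN to on-prem.
resource "aws_vpn_gateway" "vgw" {
  vpc_id = aws_vpc.lab.id
}

resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.lab.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = true # instances get a public IP at launch, no EIP needed
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.lab.id

  # Default route via the IGW: outbound patching works without a NAT gateway.
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }

  # On-prem routes learned over the VPN are propagated into this table.
  propagating_vgws = [aws_vpn_gateway.vgw.id]
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# Gateway endpoint for S3: inserts prefix-list routes into the public route
# table, so S3 traffic is delivered inside AWS rather than out the IGW.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.lab.id
  service_name      = "com.amazonaws.us-east-1.s3" # matches the assumed region
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.public.id]
}

# Outbound-only security group: no ingress block at all. Because security
# groups are stateful, return traffic for connections the instance opens
# (apt/yum mirrors, S3) is still accepted.
resource "aws_security_group" "outbound_only" {
  name   = "lab-outbound-only"
  vpc_id = aws_vpc.lab.id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# The only inbound rule: SSH from the on-prem range over the VPN, never from
# 0.0.0.0/0. Attaching it as a separate rule keeps the base group ingress-free.
resource "aws_security_group_rule" "ssh_from_onprem" {
  type              = "ingress"
  security_group_id = aws_security_group.outbound_only.id
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["192.168.0.0/16"] # assumed on-prem CIDR
}
```

Two points worth checking before copying this into a lab: the S3 endpoint only keeps traffic off the IGW for buckets in the same region as the endpoint, and if you also tighten the NACL as the comment above suggests, remember that NACLs are stateless, so an inbound allow for the ephemeral port range (1024-65535) is required or the replies to outbound downloads are dropped.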

2

Is it more cost effective to have both instances with their own private IPs on a private subnet with NAT gateway? Or is it better to have both instances in a public subnet both with their own private and public IPs going through internet gateway?

The direct answer to your question is that it will cost less to have the instances in the public subnet, as you will not have the cost of a NAT Gateway.

This may be a false economy though; as @Abhishek says in his answer, if there is no need for a host to be directly exposed to the public internet, then best practice is to avoid doing so.

I have two free tier EC2 instances

Can I ask how you are going to achieve this? The free tier gives you 750 hours per month of a very small instance (t2.micro or t3.micro, depending on region), which is enough to have one instance running 24 hours a day for the entire month. If you have two free tier instances, you are going to have to run each instance for only 12 hours every day (and stop the instances for the other 12 hours); otherwise you'll be charged.

Also be aware that you get 30GB of EBS storage per month as part of free tier, which you would have to split between your two instances. Assigning any more will lead to being charged.

Steve_M, EXPERT, answered 10 months ago
  • Thanks for the reply. I fully agree on the best practice. As for the two free tiers, this is an eval for me to test the waters with AWS. Only one instance is powered on and neither is using the 30 GB of EBS. I just spun up a couple of Debian images which are using just the 8 GB root volume. I'll use EBS later after the eval. I mentioned this to Abhishek in my reply, but my main goal with AWS is to see if it is worth going full cloud instead of upgrading on-prem hardware and the utility cost that accompanies it. In the end, if I go full cloud, my plan would be: workstation -> on-prem network <-site-to-site VPN-> VPC private subnet [NAT gateway] -> EC2 instances -> [S3 endpoint]
