
Why do I need a Nat Gateway for ECS containers using AWSVPC?


Problem

So here is a scenario:

I have a route table that routes all traffic to the internet gateway, and I have a subnet associated with that route table, which makes it a public subnet. Now I create another route table and I route all its traffic to a NAT gateway that I created in the public subnet above. Now I create another subnet in this private route table, and associate that with my ECS containers. So in effect, this is how the traffic is being routed:

But what is wrong with doing this:

Why doesn't associating it with the internet gateway directly work? The first one seems like the same thing but with extra steps. I would really like to know why exactly that is necessary, and what happens "under the hood" in both cases, and what causes the second way to not work.

Solution

While this is completely possible, it would mean that your instance would be accessible from the internet. Public subnet means that your instances are accessible directly from the outside. Private subnets are not accessible from the outside, as instances do not have a publicly routable IP.

In short, security
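To make the "under the hood" part concrete, here is an added example (not part of the original question or answer) that models how a subnet's default route decides what an ECS awsvpc task's network interface can do. It classifies an interface as outbound-capable and/or directly reachable from the internet based only on its subnet's 0.0.0.0/0 route and whether it carries a public IP. The route tables are constructed sample data shaped after EC2 DescribeRouteTables output; the `rtb-`, `subnet-`, `igw-` and `nat-` IDs are invented placeholders, and `Eni`, `default_route_target` and `classify` are names chosen for this example.

```python
"""Model of VPC default-route handling for an ECS awsvpc task interface.

Facts the model encodes:
- An Internet Gateway only forwards traffic for interfaces that have a
  public (or Elastic) IP; it performs 1:1 NAT between that IP and the
  private address. Without a public IP, 0.0.0.0/0 -> igw goes nowhere.
- A NAT Gateway forwards outbound traffic from private addresses using
  its own Elastic IP and does not accept unsolicited inbound connections.

Reachability here is at the routing layer; security groups and NACLs can
further restrict traffic but cannot make a NAT-only subnet reachable.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed sample data (placeholder IDs), shaped after DescribeRouteTables.
ROUTE_TABLES: List[dict] = [
    {
        "RouteTableId": "rtb-public-example",
        "Associations": [{"SubnetId": "subnet-public-example"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-example", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-private-example",
        "Associations": [{"SubnetId": "subnet-private-example"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-example", "State": "active"},
        ],
    },
]


@dataclass
class Eni:
    """Network interface of an ECS awsvpc task (hypothetical helper type)."""
    subnet_id: str
    has_public_ip: bool  # assignPublicIp=ENABLED for the task, or an EIP attached


def default_route_target(subnet_id: str, route_tables: List[dict] = ROUTE_TABLES) -> Optional[str]:
    """Return 'igw', 'nat', or None for the subnet's active 0.0.0.0/0 route."""
    for rt in route_tables:
        if not any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            continue
        for route in rt["Routes"]:
            if route.get("DestinationCidrBlock") != DEFAULT_ROUTE or route.get("State") != "active":
                continue
            if route.get("GatewayId", "").startswith("igw-"):
                return "igw"
            if route.get("NatGatewayId", "").startswith("nat-"):
                return "nat"
    return None  # no default route: fully isolated subnet


def classify(eni: Eni, route_tables: List[dict] = ROUTE_TABLES) -> Dict[str, bool]:
    """Routing-layer view of what the interface can reach and what can reach it."""
    target = default_route_target(eni.subnet_id, route_tables)
    via_igw = target == "igw" and eni.has_public_ip  # IGW needs a public IP to NAT for
    return {
        "subnet_is_public": target == "igw",
        "outbound_internet": via_igw or target == "nat",
        "reachable_from_internet": via_igw,  # NAT never admits unsolicited inbound
    }


def exposed_interfaces(enis: List[Eni], route_tables: List[dict] = ROUTE_TABLES) -> List[Eni]:
    """Audit helper: interfaces that the internet can address directly."""
    return [e for e in enis if classify(e, route_tables)["reachable_from_internet"]]


if __name__ == "__main__":
    for eni in (
        Eni("subnet-public-example", True),    # the "what is wrong with this" layout
        Eni("subnet-public-example", False),   # IGW route but no public IP: no egress
        Eni("subnet-private-example", False),  # NAT layout from the question
    ):
        print(eni, classify(eni))
```

Running the three cases shows the trade-off the answer describes: the IGW layout only gives the task egress if it also has a public IP, and that same public IP is what makes it addressable from the outside; the NAT layout gives egress with no inbound exposure at the routing layer.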

Context

StackExchange DevOps Q#12015, answer score: 3
