Hi I have a question about subnets in our architecture.
Why are the subnets public here?
The only public endpoint seems to be the ALB one, is it?
Are there some tech reasons I am not able to get?
Thx
Stefano
Hi @campa.
Although the EC2 instances are hosted in a public subnet, that doesn’t mean they are publicly reachable. We added a security group to ensure that those instances can receive traffic only from the ALB, making the ALB the only public endpoint, as you pointed out.
When we work with an architecture/infrastructure design, there are no correct answers, and each possible solution involves some trade-off. You can put those EC2 instances under private networks, but you will need to add other resources (such as a NAT gateway), making the infrastructure more complicated. Given that, we wanted to make the traffic routing as smooth as possible between the ALB and the EC2 instances, and that’s why we placed those instances in public subnets but also made sure that the ALB is the only exposed point to reach the instances.
Hope that makes sense.
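A way to verify the property the answer relies on (the instance security group accepts ingress only from the ALB's security group, never from a CIDR), as an added example that is not part of this thread or of any AWS-provided code; the security group ids and rules are constructed, and the input only mimics the shape of EC2 DescribeSecurityGroups output:

```python
"""Audit EC2 instance security groups against the design in the answer above:
every ingress rule must name the ALB's security group as its source, never a
CIDR. Input mirrors the shape of EC2 DescribeSecurityGroups output; the ids
and rules below are constructed for the example, not taken from the thread."""

ALB_SG = "sg-0aaaaaaaaaaaaaaaa"  # hypothetical ALB security group id

# Constructed sample: one group that matches the intent, one that does not.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "GroupName": "web-from-alb-only",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [],
          "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]}]},
    {"GroupId": "sg-0ccccccccccccccccc", "GroupName": "web-open",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []}]},
]


def ingress_violations(group, alb_sg=ALB_SG):
    """Return one finding per ingress source that is not the ALB security
    group. An empty list means the group only accepts traffic via the ALB."""
    findings = []
    for perm in group.get("IpPermissions", []):
        ports = (f"{perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')}"
                 f"/{perm['IpProtocol']}")
        # Any CIDR source bypasses the ALB; 0.0.0.0/0 in particular makes the
        # instance directly reachable from the internet despite the design.
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        findings += [f"{ports} open to {c}" for c in cidrs]
        # A security-group source is acceptable only when it is the ALB's.
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != alb_sg:
                findings.append(f"{ports} open to group {pair['GroupId']}")
    return findings


def audit(groups, alb_sg=ALB_SG):
    """Map each non-compliant group id to its findings; compliant ones omitted."""
    return {g["GroupId"]: v for g in groups
            if (v := ingress_violations(g, alb_sg))}
```

With real data, feed `audit()` the `SecurityGroups` list returned by `describe_security_groups` for the groups attached to the instances; an empty report means the ALB really is the only path in.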