AWS Security Groups vs Private Subnets

We are hosting Elasticsearch on EC2 instances, but are a bit unsure whether we should go for using a completely private subnet for our Elasticsearch cluster or just use a security group.

Can anyone weigh in on this?

I was told that "best practice" is to use a private subnet because we don't want anyone accessing Elasticsearch from the outside, but that causes other issues like needing to use workarounds like bastion instances to allow SSHing into them and creating a NAT instance to allow us to connect to the internet to install updates and things. That seems like a lot of overhead, and I am not seeing the security benefit to that as opposed to a simple Security Group that just disallows all traffic from anywhere other than the API server we created in front of our cluster.

It depends a lot on who has access, and who is able to configure these things. Assuming case b) public subnets + security groups, this means it is down to the person setting up/maintaining the servers to remember every time to lock down the security group. Using a private subnet means that an administrator with VPC permissions can restrict access to ALL EC2s within the subnet, then even if someone set up an EC2 with allowed, the traffic would still be blocked on a network layer.

Personally, I think that the hassle of using public subnets, nat instances, bastion hosts etc is not worth the benefits it provides. But of course your use case will differ :slight_smile: .

1 Like

Gotcha, thanks! If anyone else wants to weigh in on this I would love to hear more input.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.