
I want to have Grafana in a Docker container within EC2. This will receive traffic from InfluxDB, also hosted in a Docker container on a separate EC2 instance. I want to know if these should be hosted in a private or public subnet within my VPC. If I am needing to access the UI, I will need internet access (via Load Balancer to gateway in private subnet OR open port in public subnet to the local network via security group). I don't understand how putting it in the private subnet is more secure when using a load balancer to internet gateway/NAT gateway than just hosting and securing the open inbound ports in a public subnet.

I have tried both instances, but I am just confused about which is more secure/cost effective/efficient. I also want to increase availability, so I will add EBS / multiple availability zones.

1 Answer


If you use a private subnet you'll need to have some way to connect that private subnet to the public internet. The way to do that in AWS is a NAT gateway. NAT gateways are notoriously expensive in AWS for both small projects and very large projects due to the combination of an hourly fee for running the NAT gateway (which is a lot of money when you are building a tiny project) and a data transfer fee (which is a lot of money when you have a lot of traffic).

Using a public subnet is less secure because any unsecured ports on your EC2 instances will be open to the internet.

In my personal opinion, AWS seems to push for private subnets with NAT gateways because of the security benefits. However, as long as you properly secure your instances and all other resources running in the public subnet by using restrictive security groups, you should be OK with using a public subnet for most applications. Avoiding a NAT gateway will save you lots of money and removing one step from the process should also help application performance.

Gregory Ledray
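The "properly secure your instances ... by using restrictive security groups" point in the answer above, as an added Terraform example that is not part of the question or the answer. It defines the two security groups for the public-subnet layout: the Grafana UI port is reachable only from an admin CIDR, and the InfluxDB API port is reachable only from instances in the Grafana security group, never from the internet. Everything here that is not in the original is an assumption: the variable names `vpc_id` and `admin_cidr`, Grafana on TCP 3000 and InfluxDB on TCP 8086 (their defaults), and that Grafana's InfluxDB data source initiates the connection to InfluxDB (which is how Grafana data sources work).

```hcl
# Added example, not code from the original question or answer.
# Assumptions (not in the original): var.vpc_id and var.admin_cidr are
# supplied by the caller, Grafana listens on 3000, InfluxDB on 8086, and
# Grafana's data source opens the connection to InfluxDB.

variable "vpc_id" {
  type = string
}

variable "admin_cidr" {
  # Source network allowed to reach the Grafana UI, e.g. an office egress
  # address as a /32. Never 0.0.0.0/0 for an admin UI in a public subnet.
  type = string
}

# Grafana: only the UI port, and only from the admin CIDR.
# The instance can sit in a public subnet with a public IP; it is the
# absence of any 0.0.0.0/0 ingress rule that keeps it off the internet.
# For the private-subnet + load balancer layout from the question, swap
# cidr_blocks for security_groups = [<ALB security group id>] and keep
# the rest unchanged.
resource "aws_security_group" "grafana" {
  name   = "grafana"
  vpc_id = var.vpc_id

  ingress {
    description = "Grafana UI from the admin network only"
    from_port   = 3000
    to_port     = 3000
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  # Deliberately no SSH (22) rule: use SSM Session Manager for shell
  # access so no management port is exposed at all.

  egress {
    description = "Outbound to pull images and reach InfluxDB"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# InfluxDB: the HTTP API is reachable only from members of the Grafana
# security group. Referencing the group rather than an IP means the rule
# survives instance replacement and multi-AZ scale-out.
resource "aws_security_group" "influxdb" {
  name   = "influxdb"
  vpc_id = var.vpc_id

  ingress {
    description     = "InfluxDB HTTP API from Grafana instances only"
    from_port       = 8086
    to_port         = 8086
    protocol        = "tcp"
    security_groups = [aws_security_group.grafana.id]
  }

  egress {
    description = "Outbound to pull images"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Check the result after applying: `aws ec2 describe-security-groups --group-ids <id>` should show no rule with a `0.0.0.0/0` or `::/0` source on any ingress entry for either group; if one appears, the instance is exposed regardless of which subnet it is in. The trade-off the answer describes is what this shows: with rules this tight, the public subnet has the same inbound exposure as the private one, and the NAT gateway is not paying for any additional protection.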