public 个子网上的 Amazon EKS
Amazon EKS on public subnets
来自 AWS 的 This 文章指出,推荐的 EKS 生产设置是私有子网和 public 子网的混合。不幸的是它没有解释'why'。
假设 'only public subnets' 具有正确配置的安全组,选项有什么问题?它看起来更简单也更便宜(因为我们不需要 NAT)。
这个SO似乎真的回答了我的问题:
特别是其中一条评论中的问题:
What is the advantage of a server on a private subnet with a NAT instance and a a server public subnet with a strict security policy?
答案:
it's not really about an advantage. It's about the way networking works, in VPC. All of the instances on a given subnet have to use the same default gateway, which will either be the "Internet gateway" virtual object, which will not do NAT, or it will be a NAT instance, which will not "not do" NAT. Unless all your machines have public IPs, or none of them do, you're going to want both types of subnets. If everything is an Internet-facing web server, sure, you might need only a public subnet, and with correct security configuration, there's no disadvantage.
This 文章指出,推荐的 EKS 生产设置是私有子网和 public 子网的混合。不幸的是它没有解释'why'。 假设 'only public subnets' 具有正确配置的安全组,选项有什么问题?它看起来更简单也更便宜(因为我们不需要 NAT)。
这个SO似乎真的回答了我的问题:
特别是其中一条评论中的问题:
What is the advantage of a server on a private subnet with a NAT instance and a a server public subnet with a strict security policy?
答案:
it's not really about an advantage. It's about the way networking works, in VPC. All of the instances on a given subnet have to use the same default gateway, which will either be the "Internet gateway" virtual object, which will not do NAT, or it will be a NAT instance, which will not "not do" NAT. Unless all your machines have public IPs, or none of them do, you're going to want both types of subnets. If everything is an Internet-facing web server, sure, you might need only a public subnet, and with correct security configuration, there's no disadvantage.