AWS ‐ Best Practices - FullstackCodingGuy/Developer-Fundamentals GitHub Wiki

Why Do We Need Public and Private Subnets in AWS?

When designing secure, scalable cloud architectures, it's important to separate public-facing resources from private, internal resources. AWS uses Public Subnets and Private Subnets to achieve this.


📌 Public Subnet vs. Private Subnet

| Feature | Public Subnet | Private Subnet |
|---|---|---|
| Internet access | Inbound and outbound through an Internet Gateway (IGW) | No inbound from the internet; outbound only if the route table points 0.0.0.0/0 at a NAT Gateway |
| Use case | Internet-facing resources (internet-facing load balancers, NAT Gateways, bastion hosts, web servers that must take traffic directly) | Internal resources (databases, backend services, application servers, VPC-attached Lambda ENIs) |
| Route table | 0.0.0.0/0 → Internet Gateway | No route to an Internet Gateway; 0.0.0.0/0 → NAT Gateway when outbound access is needed, or no default route at all |
| Security | Reachable from the internet wherever security groups and network ACLs allow it | Not reachable from the internet; only from inside the VPC or from networks connected to it (peering, VPN, Direct Connect) |
| Addressing | Public or Elastic IPs are actually routable | Private IPs only in practice: a public IP assigned here is unreachable because there is no IGW route |

📌 Why Do We Need Both?

1️⃣ Security

  • Public Subnet: Hosts only what must be reachable from the internet (e.g., an internet-facing load balancer in front of web servers).
  • Private Subnet: Keeps sensitive resources off the internet (e.g., databases, backend services); they are reachable only from inside the VPC, and even then only where security groups and network ACLs allow it.

2️⃣ Best Practice

  • AWS recommends placing databases and internal apps in private subnets: the private subnet removes the network path from the internet, while security groups still decide which VPC peers may connect.
  • Only expose what's necessary, through an internet-facing Application Load Balancer in a public subnet. API Gateway is a regional managed service that lives outside your VPC, so it needs no public subnet of its own.

3️⃣ Outbound Internet Access (for Private Subnet)

  • Resources in a private subnet cannot reach the internet directly, because their route table has no Internet Gateway route.
  • If they need outbound access (e.g., a VPC-attached Lambda function calling a third-party API, or an instance pulling OS package updates), route 0.0.0.0/0 to a NAT Gateway that itself sits in a public subnet. A NAT Gateway forwards outbound connections and their replies only; it never accepts inbound connections from the internet.
  • For traffic to AWS services such as S3, DynamoDB, Secrets Manager or SQS, a VPC endpoint keeps that traffic off the NAT path entirely and is usually both cheaper and tighter.

📌 Example Architecture

🔹 VPC with Public & Private Subnets

VPC (10.0.0.0/16)
│
├── Public Subnet (10.0.1.0/24)  
│   ├── NAT Gateway (outbound access for the private subnet)
│   ├── ALB, internet-facing (entry point for external requests)
│
├── Private Subnet (10.0.2.0/24)  
│   ├── Lambda Function  
│   ├── DocumentDB  
│   ├── RDS Database  
│  
└── Internet Gateway (for public access)

🔹 Networking Flow

  1. User → API Gateway (regional service, outside the VPC) → Lambda (ENIs in the Private Subnet) → DocumentDB on TCP 27017
  2. Lambda (in Private Subnet) → NAT Gateway (in Public Subnet) → Internet Gateway → Internet (for outbound calls such as third-party APIs)

📌 Do You Need a Public Subnet for Lambda to Connect to DocumentDB?

🚀 NO!

  • Attach the function to the VPC with its ENIs in a private subnet that can route to the DocumentDB cluster, and allow TCP 27017 inbound in the cluster's security group from the function's security group (not from 0.0.0.0/0). DocumentDB clusters enable TLS by default, so the client must trust the Amazon DocumentDB CA bundle.
  • A public subnet would not help anyway: Lambda ENIs never receive a public IP, so an Internet Gateway route gives them no internet access at all.
  • If the function also needs internet access (e.g., calling an external API), keep it in a private subnet whose route table sends 0.0.0.0/0 to a NAT Gateway in a public subnet.
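The checks behind this section, as an added example in Python (not code from the wiki): it applies the definition from the comparison table above, classifying a subnet as public when its route table sends 0.0.0.0/0 to an Internet Gateway and as private otherwise, handles subnets that fall back to the VPC's main route table, ignores blackhole routes, and then checks a VPC-attached Lambda function's subnets against the rules just stated. All IDs and the route-table data are constructed to resemble trimmed `aws ec2 describe-route-tables` and `aws lambda get-function-configuration` output; nothing here calls AWS.

```python
"""Classify VPC subnets as public or private from route tables, then check
where a VPC-attached Lambda function sits.  Added example (not wiki code);
the data below is constructed to mimic trimmed `aws ec2
describe-route-tables` / `aws lambda get-function-configuration` output.
"""
from typing import Dict, List, Optional

# Constructed sample VPC (IDs are made up): the main route table has an IGW
# default route, subnet-app has its own table with a NAT route, and
# subnet-db has no default route at all.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123",
                 "State": "active"}]},
    {"RouteTableId": "rtb-app", "Associations": [{"Main": False, "SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0456",
                 "State": "active"}]},
    {"RouteTableId": "rtb-db", "Associations": [{"Main": False, "SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
# subnet-web has no explicit association, so it implicitly uses rtb-main.
SUBNET_IDS = ["subnet-web", "subnet-app", "subnet-db"]
# VpcConfig of a hypothetical function that talks to DocumentDB and to a
# third-party API on the internet.
LAMBDA_VPC_CONFIG = {"SubnetIds": ["subnet-app"], "SecurityGroupIds": ["sg-lambda"]}


def route_table_for(subnet_id: str, route_tables: List[dict]) -> Optional[dict]:
    """An explicit subnet association wins; otherwise the VPC's main table applies.
    Forgetting this fallback is how a 'private' subnet silently becomes public
    when the main table carries the IGW route."""
    main = None
    for table in route_tables:
        for assoc in table["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def default_route_target(table: Optional[dict]) -> str:
    """Target of the IPv4 default route: 'igw', 'nat', 'other' or 'none'.
    Blackhole routes (target deleted) are ignored: they carry no traffic."""
    if table is None:
        return "none"
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "nat"
        return "other"  # instance, transit gateway, peering, ...
    return "none"


def classify_subnets(subnet_ids: List[str], route_tables: List[dict]) -> Dict[str, str]:
    """'public' means the subnet's route table sends 0.0.0.0/0 to an Internet
    Gateway; everything else is private, sub-typed by how (or whether) it
    gets outbound access."""
    labels = {"igw": "public", "nat": "private-nat", "none": "private-isolated"}
    return {s: labels.get(default_route_target(route_table_for(s, route_tables)),
                          "private-other")
            for s in subnet_ids}


def check_lambda_placement(vpc_config: dict, classes: Dict[str, str],
                           needs_internet: bool) -> List[str]:
    """Lambda ENIs never receive a public IP, so an IGW route does nothing for
    them: a public subnet gives the function no egress and only widens what
    can reach it.  Outbound internet requires a NAT route."""
    findings = []
    for subnet in vpc_config["SubnetIds"]:
        cls = classes.get(subnet, "unknown")
        if cls == "public":
            findings.append(f"{subnet}: public subnet; Lambda ENIs get no public IP, "
                            "so this yields no internet access - use a private subnet")
        if needs_internet and cls != "private-nat":
            findings.append(f"{subnet}: needs outbound internet but has no NAT route ({cls})")
    return findings


if __name__ == "__main__":
    classes = classify_subnets(SUBNET_IDS, ROUTE_TABLES)
    for subnet, cls in classes.items():
        print(f"{subnet:<12} {cls}")
    findings = check_lambda_placement(LAMBDA_VPC_CONFIG, classes, needs_internet=True)
    for finding in findings:
        print("FINDING:", finding)
    if not findings:
        print("lambda placement OK")
```

To run it against a real account, pass the `RouteTables` list from `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc>` and the `VpcConfig` from `aws lambda get-function-configuration`; the keys used here (`Associations`, `Routes`, `DestinationCidrBlock`, `GatewayId`, `NatGatewayId`, `State`, `SubnetIds`) are the real response fields. Only IPv4 default routes are inspected; an IPv6 `::/0` route to an egress-only gateway would need a parallel check.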

🔥 Conclusion

  • Public Subnet → For internet-facing resources (internet-facing ALB, NAT Gateway, bastion hosts).
  • Private Subnet → For backend resources (databases, internal services, VPC-attached Lambda functions).
  • Use a NAT Gateway in a Public Subnet if private resources need outbound internet access; use VPC endpoints for traffic to AWS services so it never leaves the AWS network.

Lambda and Amazon DocumentDB
