What are the reasons to use private subnet in aws vpc?


I am trying to evaluate private and public subnets while creating a new VPC. Is seclusion from inbound traffic from the internet the only reason to go ahead with a private subnet? These points also need to be taken into account when considering the private subnet.

  1. NAT Gateway is chargeable: $0.045/hour and $0.045 per GB of data transferred. So there is a cost consideration. I would need a NAT gateway for pulling code or updates from the internet.
  2. I should be able to secure instances in my public subnets by using security groups with different levels of strictness.
  3. When launching an instance I would assign a public IP to only those instances which I want to access from outside the VPC.

I went through this question but it didn't solve my doubts with respect to the above points. Any help is appreciated.

2

There are 2 answers

1
helloV On

To answer your questions:

  1. Use a NAT instance (t2.small or m3.medium) instead of a NAT gateway. Far cheaper.
  2. Why launch them in a public subnet and then tweak the security group if there is no need to accept incoming internet traffic? There is always a chance to make a mistake in SG rules and allow malicious traffic unintentionally. Even if you want to accept internet traffic, I suggest using a reverse proxy like HAProxy.
  3. Then launch only those instances in the public subnet, or use a reverse proxy.

The private subnet is an extremely useful feature to protect your instances from DDoS, unauthorized access, etc. Do not bypass it for the sake of convenience.
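The question's points 2 and 3 (securing public-subnet instances with security groups and public IPs) and the answer's warning that SG rules are easy to get wrong both come down to the same audit: which subnets are actually public, and which security groups open ports to the whole internet. The following is an added example, not code from the question or either answer. It works on a constructed snapshot shaped like the output of `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` (the field names are AWS's; the resource IDs, CIDRs and group names are invented), classifying a subnet as public when its route table sends 0.0.0.0/0 to an internet gateway, and flagging any ingress rule that exposes an admin port, or all traffic, to 0.0.0.0/0 or ::/0.

```python
"""Audit a VPC snapshot: classify subnets as public/private from their route
tables and flag security-group rules open to the whole internet.

Added example. The input dicts below are constructed to mirror the JSON
shape of `aws ec2 describe-route-tables` / `describe-security-groups`;
all IDs (subnet-*, rtb-*, igw-*, nat-*, sg-*) are made up.
"""

INTERNET_V4 = "0.0.0.0/0"
INTERNET_V6 = "::/0"

# Constructed sample: subnet-web routes 0.0.0.0/0 to an internet gateway
# (public); subnet-app routes it to a NAT gateway (private, outbound only).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-pub",
     "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": INTERNET_V4, "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-priv",
     "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": INTERNET_V4, "NatGatewayId": "nat-example"}]},
]

# Constructed sample groups: a web tier that also left SSH open to the world,
# an app tier reachable only from the web tier's group, and an allow-all group.
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": INTERNET_V4}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": INTERNET_V4}]}]},
    {"GroupId": "sg-app", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
    {"GroupId": "sg-bad", "GroupName": "allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": INTERNET_V4}]}]},
]

# Ports that should be reachable only from inside the VPC, a bastion or a VPN.
ADMIN_PORTS = {22, 3389, 3306, 5432}


def classify_subnets(route_tables):
    """Map explicitly associated subnet IDs to 'public' or 'private'.

    A subnet is public when its route table has a default route whose target
    is an internet gateway (igw-*). A NAT gateway route keeps it private.
    Subnets with no explicit association (they use the main table) are not
    listed, so treat a missing subnet as 'unknown' rather than 'private'.
    """
    result = {}
    for rt in route_tables:
        kind = "private"
        for route in rt.get("Routes", []):
            dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            if dest in (INTERNET_V4, INTERNET_V6) and str(route.get("GatewayId", "")).startswith("igw-"):
                kind = "public"
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:
                result[assoc["SubnetId"]] = kind
    return result


def _port_range(perm):
    """Protocol -1 means all traffic; otherwise use the rule's port range."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def find_world_open_rules(security_groups, admin_ports=ADMIN_PORTS):
    """Return (group_id, protocol, from_port, to_port, severity) for every
    ingress rule whose source is 0.0.0.0/0 or ::/0.

    'high' = all traffic or an admin port exposed; 'info' = an ordinary
    service port such as 443 that may legitimately be public.
    """
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if INTERNET_V4 not in sources and INTERNET_V6 not in sources:
                continue
            lo, hi = _port_range(perm)
            exposes_admin = any(lo <= p <= hi for p in admin_ports)
            severity = "high" if exposes_admin or perm.get("IpProtocol") == "-1" else "info"
            findings.append((sg["GroupId"], perm.get("IpProtocol"), lo, hi, severity))
    return findings


if __name__ == "__main__":
    for subnet, kind in classify_subnets(ROUTE_TABLES).items():
        print(f"{subnet}: {kind}")
    for gid, proto, lo, hi, sev in find_world_open_rules(SECURITY_GROUPS):
        print(f"{sev.upper():5} {gid} {proto} {lo}-{hi} open to the internet")
```

Run against a real account by replacing the two constructed lists with the parsed JSON of the two CLI commands; only the `RouteTables` and `SecurityGroups` arrays are needed. The classification deliberately keys on the internet-gateway route rather than on whether instances have public IPs, because a public IP in a subnet with no IGW route is unreachable anyway, while an IGW route plus an auto-assigned public IP is what actually makes an instance internet-facing.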

0
JonDoe297 On

From 7 Security Measures to Protect Your Servers:

Isolated Execution Environments

How Do They Enhance Security?

Isolating your processes into individual execution environments increases your ability to isolate any security problems that may arise. Similar to how bulkheads and compartments can help contain hull breaches in ships, separating your individual components can limit the access that an intruder has to other pieces of your infrastructure.

So, IMHO, do you need private subnets? Depends. In a production environment with public and private services, VPN, databases, etc., yes; but if you have only one server, and you don't want to deal with the configuration of network ACLs, routing, NAT, and so on, maybe a public subnet with your server and a well-configured security group could be enough.