TransWikia.com

Why do I need a NAT Gateway for ECS containers using AWSVPC?

DevOps Asked by mega6382 on August 22, 2021

So here is a scenario:

I have a route table that routes all traffic to the internet gateway, and I have a subnet associated with that route table, which makes it a public subnet. Now I create another route table and I route all its traffic to a NAT gateway that I created in the public subnet above. Now I create another subnet in this private route table, and associate that with my ECS containers. So in effect, this is how the traffic is being routed:

[image]

But what is wrong with doing this:

[image]

Why doesn’t associating it with the internet gateway directly work? The first one seems like the same thing but with extra steps. I would really like to know why exactly that is necessary, and what happens "under the hood" in both cases, and what causes the second way to not work.

One Answer

While this is completely possible, it would mean that your instance would be accessible from the internet. A public subnet means that your instances are accessible directly from the outside. Private subnets are not accessible from the outside, as instances do not have a publicly routable IP.

In short, security.

Correct answer by Kaymaz on August 22, 2021
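
The public/private distinction in the answer comes down to where a subnet's route table sends 0.0.0.0/0. As an added example (not part of the original answer), this Python sketch classifies subnets from data shaped like `aws ec2 describe-route-tables` output; the IDs and the subnet-to-VPC map are constructed, and only the IPv4 default route is checked.

```python
# Constructed sample shaped like `aws ec2 describe-route-tables` output (IDs made up).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-1",
     "Associations": [{"Main": False, "SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private", "VpcId": "vpc-1",
     "Associations": [{"Main": False, "SubnetId": "subnet-ecs"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
]
# Constructed subnet -> VPC map; subnet-db has no explicit route table association.
SUBNETS = {"subnet-public": "vpc-1", "subnet-ecs": "vpc-1", "subnet-db": "vpc-1"}


def default_route_target(table):
    """Where the table sends 0.0.0.0/0: 'igw', 'nat', 'other' or 'none'."""
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if (route.get("GatewayId") or "").startswith("igw-"):
            return "igw"   # public subnet: reachable if the task has a public IP
        if route.get("NatGatewayId"):
            return "nat"   # private subnet: outbound only, through the NAT gateway
        return "other"     # e.g. a peering or transit target; review separately
    return "none"          # no default route: isolated from the internet


def effective_table(subnet_id, vpc_id, tables):
    """Explicit association wins; otherwise the subnet uses the VPC's main table."""
    main = None
    for table in (t for t in tables if t["VpcId"] == vpc_id):
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def classify_subnets(subnets, tables):
    out = {}
    for subnet_id, vpc_id in subnets.items():
        table = effective_table(subnet_id, vpc_id, tables)
        out[subnet_id] = default_route_target(table) if table else "none"
    return out
```

Subnets classified as `igw` are the ones to review before placing ECS tasks in them.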
