Public subnet means that the instances can be directly accessible from the internet with their public IP address (or EIP). There are a lot of bots constantly crawling IP addresses. If they get a response from a server, they know that it could potentially be breached or brute-forced.
I understand the cost consideration of using the NAT Gateway. I would make use of NACL (first) + Security group (second). NACL is set up on the subnet level, protecting all the instances within that subnet. Security group works at the instance level. If you are using Linux you can also look to use iptables, which is the Linux firewall.
So, AWS Batch is the orchestration tool, not where the batch runs.
Are you referring to the compute pools, if so then as with any workload you would not want those to be in public subnets.
What data costs are you generating?
It may be that VPC Endpoints might be useful in reducing costs.
If all your data is in DynamoDB or S3 then a gateway load balance endpoint is about a tenth of the cost.
Other AWS Services would be an interface endpoint for which data processing is about 25% of the cost.
If your data is not in AWS then my preferred method to reduce cost and keep security is an NLB.
Put the NLB in the public subnet with targets as your data source and have your batch use the NLB as its data source.
This can be secured and is about half the cost of NAT but operates in a similar way in terms of system protection.
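Both answers above come down to the same check: does any Batch compute environment launch into a subnet whose route table sends 0.0.0.0/0 to an internet gateway? The script below is an added example, not code from this thread or from AWS. It runs the audit over constructed records shaped like the JSON from `ec2 describe-route-tables` and `batch describe-compute-environments`, so it can be run offline and then pointed at real API output.

```python
"""Flag AWS Batch compute environments that launch into public subnets.

A subnet is public when the route table explicitly associated with it has a
0.0.0.0/0 route whose GatewayId is an internet gateway (igw-*). The records
below are constructed samples, not real account data; their shape mirrors
the ec2 DescribeRouteTables and batch DescribeComputeEnvironments responses.
Assumption: every subnet of interest has an explicit route table association.
Subnets without one inherit the VPC main route table, which you would
resolve with DescribeSubnets (not done here to keep the example short).
"""

ROUTE_TABLES = [  # constructed sample
    {"RouteTableId": "rtb-public", "VpcId": "vpc-1",
     "Associations": [{"Main": False, "SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"RouteTableId": "rtb-private", "VpcId": "vpc-1",
     "Associations": [{"Main": False, "SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]},
]

COMPUTE_ENVS = [  # constructed sample
    {"computeEnvironmentName": "batch-ce-a",
     "computeResources": {"subnets": ["subnet-public", "subnet-private"]}},
    {"computeEnvironmentName": "batch-ce-b",
     "computeResources": {"subnets": ["subnet-private"]}},
    {"computeEnvironmentName": "batch-ce-unmanaged"},  # no computeResources
]


def _has_igw_default_route(table):
    # NAT routes carry NatGatewayId, not GatewayId, so they do not match here.
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId", "").startswith("igw-")
               for r in table["Routes"])


def public_subnets(route_tables):
    """Return the set of subnet IDs whose route table reaches an IGW directly."""
    return {a["SubnetId"] for t in route_tables if _has_igw_default_route(t)
            for a in t["Associations"] if a.get("SubnetId")}


def exposed_compute_envs(compute_envs, route_tables):
    """Map each compute environment name to the public subnets it uses."""
    public = public_subnets(route_tables)
    findings = {}
    for ce in compute_envs:
        subnets = set(ce.get("computeResources", {}).get("subnets", []))
        if subnets & public:
            findings[ce["computeEnvironmentName"]] = sorted(subnets & public)
    return findings
```

Anything reported by `exposed_compute_envs` is a compute environment whose instances can receive a public IP and answer the scanners the first answer describes; move it to a private subnet and add the VPC endpoint or NLB path from the second answer.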