I'm setting up an MQ broker in an AWS environment.
The MQ broker will be used by both services running in that AWS environment as well as services running in other locations.
All other services deployed in the AWS environment run in private subnets, so I'm leaning towards deploying the MQ broker in a private subnet and setting up a network load balancer to pass external traffic to the MQ broker.
However, for practical purposes I could also just deploy the MQ broker to a public subnet. That way, I would be able to expose the broker to the public internet by just configuring a security group (and skip the network load balancer).
I'm leaning towards a private subnet deployment, but I'm not entirely sure if the added configuration overhead (network load balancer) gives any real benefit.
What is the benefit of doing a private subnet deployment of the MQ broker?
My opinion is that, given you would have a security group that only allows specific IPs access to your MQ, there's little benefit in adding a network load balancer.
If it was on the public internet, the benefits of the NLB are still fairly small. It might mitigate a small number of attack types. An application balancer, which is not applicable in this scenario, mitigates a wider range of attacks.
In a higher security environment VPNs would provide more security; they ensure only known and trusted users can reach the resources. When using a security group, IP addresses can be spoofed - though I don't know how practical that is.
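A way to check that the security-group approach the answer relies on actually limits the broker's ports to known addresses, as an added example that is not code from the question or the answer. The broker ports, the trusted CIDRs and the sample group are assumptions; the field names follow the JSON shape of `aws ec2 describe-security-groups`.

```python
import ipaddress

# Constructed sample security group, shaped like the "SecurityGroups" entries
# returned by `aws ec2 describe-security-groups` (field names are an assumption).
SAMPLE_SG = {
    "GroupId": "sg-example",
    "IpPermissions": [
        # Broker listener restricted to two known ranges: fine.
        {"IpProtocol": "tcp", "FromPort": 61617, "ToPort": 61617,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "198.51.100.7/32"}]},
        # Web console open to the whole IPv4 internet: over-exposed.
        {"IpProtocol": "tcp", "FromPort": 8162, "ToPort": 8162,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # "All traffic" rule with an IPv6 any-address source: over-exposed on every port.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

# Assumptions: ports the broker listens on, and the address ranges that are allowed in.
BROKER_PORTS = {61617, 8162}
TRUSTED = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.7/32")]


def rule_ports(rule):
    """Port range a rule covers; protocol "-1" means all traffic, so every port."""
    if rule.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(rule["FromPort"], rule["ToPort"] + 1)


def rule_cidrs(rule):
    """Yield every IPv4 and IPv6 source CIDR listed on a rule."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def find_overexposed(sg, broker_ports, trusted):
    """Return (cidr, [ports]) pairs where a broker port is reachable from a source
    that is not contained in one of the trusted networks."""
    findings = []
    for rule in sg["IpPermissions"]:
        ports = rule_ports(rule)
        hit = sorted(p for p in broker_ports if p in ports)
        if not hit:
            continue  # rule does not touch a broker port
        for cidr in rule_cidrs(rule):
            net = ipaddress.ip_network(cidr)
            # subnet_of() only compares networks of the same IP version
            if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
                findings.append((cidr, hit))
    return findings
```

Run it against the real `describe-security-groups` output for the broker's group; an empty result means every broker port is limited to the trusted ranges.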