In Amazon VPC, the VPC creation wizard allows one to create a single "public subnet" or have the wizard create a "public subnet" and a "private subnet". Initially, the public and private subnet option seemed good for security reasons, allowing webservers to be put in the public subnet and database servers to go in the private subnet.
But I've since learned that EC2 instances in the public subnet are not reachable from the Internet unless you associate an Amazon ElasticIP with the EC2 instance. So it seems with just a single public subnet configuration, one could just opt to not associate an ElasticIP with the database servers and end up with the same sort of security.
Can anyone explain the advantages of a public + private subnet configuration? Are the advantages of this config more to do with auto-scaling, or is it actually less secure to have a single public subnet?
It's a security boundary to have a private subnet that you can control with different security groups from the public subnet. If one of your instances in the public subnet were hacked, it would be that much more difficult to hack into instances in the private subnet if you are not too liberal in your access policies.
As well as the security implications, there is also another aspect that comes into play: If you want to allow instances without Elastic IPs to access the internet, you might need 2 (or more) different subnets.
Paraphrasing the AWS documentation, within a VPC there are three ways to allow instances internet access:
The third option is the interesting one in that the NAT instance has to sit inside a "public" subnet where all outbound traffic is routed to an Internet Gateway, but all other instances have to sit in a "private" subnet where all outbound traffic is routed to the NAT instance.
In short, if you're planning on using a NAT, you need at least 2 subnets.
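The layout both answers describe, written out as an added Terraform example for the AWS provider (this is not code from either answer): a public subnet whose default route goes to the Internet Gateway, a NAT instance in that subnet with an Elastic IP, a private subnet whose default route goes to the NAT instance's network interface, and security groups where the database tier accepts traffic only from the web tier's group rather than from any CIDR. The VPC and subnet CIDRs, the port numbers, the instance type and the AMI id are assumptions; the AMI id in particular is a placeholder.

```hcl
# Added example: two-subnet VPC with a NAT instance. CIDRs, ports and the
# AMI placeholder are assumptions, not values from the original answers.
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

# "Public" subnet: its route table sends 0.0.0.0/0 to the Internet Gateway.
resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.0.0/24"
}

# "Private" subnet: no route to the Internet Gateway at all.
resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# NAT instance sits in the public subnet. source_dest_check must be off so it
# can forward packets that are not addressed to itself.
resource "aws_instance" "nat" {
  ami                    = "ami-PLACEHOLDER" # use an AWS-provided NAT AMI
  instance_type          = "t3.micro"
  subnet_id              = aws_subnet.public.id
  vpc_security_group_ids = [aws_security_group.nat.id]
  source_dest_check      = false
}

# The Elastic IP is what makes the NAT instance reachable from the Internet.
resource "aws_eip" "nat" {
  instance = aws_instance.nat.id
  domain   = "vpc"
}

# Private route table: default route points at the NAT instance's ENI, so
# private instances reach the Internet only through it.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block           = "0.0.0.0/0"
    network_interface_id = aws_instance.nat.primary_network_interface_id
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# NAT SG: only accept traffic originating in the private subnet.
resource "aws_security_group" "nat" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [aws_subnet.private.cidr_block]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Web tier SG: HTTPS from anywhere (these instances carry Elastic IPs).
resource "aws_security_group" "web" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# DB tier SG: the "not too liberal" policy from the first answer. Ingress is
# allowed only from members of the web SG, never from a CIDR block.
resource "aws_security_group" "db" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.web.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Two points worth checking in any such layout: the private route table must contain no route whose target is the Internet Gateway (otherwise the subnet is effectively public regardless of its name), and the database security group should reference the web group by id rather than by the public subnet's CIDR, so that a host that lands in the public subnet without the web group attached still gets no path to the database.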