Introduction to AWS Security Concepts and the Shared Responsibility Model - Microsoft AWS
Written by Xavier Smith, 05/05/2024

NAT gateways – Infrastructure Security – Keeping Your VPC secure


NAT gateways

An internet gateway (IGW) serves as the bridge that enables communication between your VPC and the internet, allowing resources with public IP addresses to send and receive traffic. A network address translation (NAT) gateway, on the other hand, enables resources in private subnets to initiate outbound internet traffic without allowing inbound connections from the internet to those resources. Unlike direct internet access, which requires a public IP address for each resource in a public subnet, the NAT gateway uses a single public IP address to manage all outbound traffic. Individual resources in private subnets therefore do not need their own public IP addresses; they use the NAT gateway's public IP for all outbound internet communications.

In essence, the NAT gateway acts as a representative on the internet for private subnet resources, negating the need to assign public IP addresses to these resources directly. This architecture allows for secure internet access, enabling critical updates and service connectivity while maintaining the privacy and security of the subnet’s resources.

Elastic load balancers (ELBs)

ELBs play a crucial role in enhancing application availability and security within VPCs by efficiently distributing incoming network traffic across multiple targets located in various AZs. ELBs should typically be deployed in public subnets and forward traffic to targets within private subnets, which removes the need for those targets to be directly reachable from the internet. They serve as endpoints for TLS termination, so that connections from clients are encrypted in transit to the load balancer. There are different types of ELBs:

  • Application load balancer (ALB): Ideal for managing HTTP/HTTPS traffic, offering advanced request routing capabilities
  • Network load balancer (NLB): Optimized for high-performance TCP traffic with ultra-low latency
  • Classic load balancer (CLB): Legacy ELB type that should be avoided
  • Gateway load balancer (GLB): Facilitates the deployment of third-party virtual appliances such as firewalls and intrusion prevention systems (IPSs)

ELBs are essential for managing application load, ensuring security through TLS termination, and providing scalability. They must be properly configured with security groups and possibly integrated with AWS Shield and AWS WAF to protect against distributed denial of service (DDoS) attacks and web exploits.
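The layout described in the NAT gateway and ELB sections (load balancers in public subnets, targets in private subnets that reach the internet only through a NAT gateway) can be checked from route tables. The following is an added example, not code from the original article: it classifies subnets by their IPv4 default route and reports departures from that layout. The field names follow the EC2 DescribeRouteTables response shape; the function names, IDs and sample data are constructed for illustration.

```python
# Field names follow the EC2 DescribeRouteTables response; all data below is constructed.
def default_route_kind(table):
    """Return 'public', 'private-nat' or 'isolated' for one route table."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if (route.get("GatewayId") or "").startswith("igw-"):
            return "public"        # default route to an internet gateway
        if (route.get("NatGatewayId") or "").startswith("nat-"):
            return "private-nat"   # outbound-only through the NAT gateway
    return "isolated"              # no IPv4 default route at all

def classify_subnets(route_tables, subnet_ids):
    """Map each subnet ID to its kind; unassociated subnets use the main table."""
    kinds, main_kind = {}, "isolated"
    for table in route_tables:
        kind = default_route_kind(table)
        for assoc in table.get("Associations", []):
            if assoc.get("Main"):
                main_kind = kind
            elif "SubnetId" in assoc:
                kinds[assoc["SubnetId"]] = kind
    return {s: kinds.get(s, main_kind) for s in subnet_ids}

def audit(kinds, lb_subnets, target_subnets):
    """List subnets that depart from 'load balancer public, targets private'."""
    findings = []
    for s in lb_subnets:
        if kinds[s] != "public":
            findings.append((s, "load balancer subnet has no IGW route"))
    for s in target_subnets:
        if kinds[s] == "public":
            findings.append((s, "target subnet routes directly to the IGW"))
    return findings

# Constructed sample: subnet-app-b was attached to the public route table by mistake.
ROUTE_TABLES = [
    {"Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-app-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]
SUBNETS = ["subnet-pub-a", "subnet-app-a", "subnet-app-b", "subnet-db-a"]

if __name__ == "__main__":
    kinds = classify_subnets(ROUTE_TABLES, SUBNETS)
    print(audit(kinds, ["subnet-pub-a"], ["subnet-app-a", "subnet-app-b"]))
```

The check covers IPv4 default routes only; a subnet with no explicit association inherits the main route table, which is why `subnet-db-a` is classified from the table marked `Main`.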

Copyright © 2024 summerbelong.com. All Rights Reserved.