This article from AWS states that the recommended production setup for EKS is a mix of private and public subnets. Unfortunately it does not explain the 'why'. What is wrong with the option 'only public subnets', assuming it has properly configured security groups? It seems much simpler and cheaper (since we do not need NAT).
CodePudding user response:
This SO seems to actually answer my question:
In particular the question in one of the comments:
What is the advantage of a server on a private subnet with a NAT instance and a server on a public subnet with a strict security policy?
and the answer:
it's not really about an advantage. It's about the way networking works, in VPC. All of the instances on a given subnet have to use the same default gateway, which will either be the "Internet gateway" virtual object, which will not do NAT, or it will be a NAT instance, which will not "not do" NAT. Unless all your machines have public IPs, or none of them do, you're going to want both types of subnets. If everything is an Internet-facing web server, sure, you might need only a public subnet, and with correct security configuration, there's no disadvantage.