In AWS, why is an EC2 behind NAT gateway in private zone said to be safer than one in public subnet?












5















I've been running four servers on AWS for a few years. It's for a hobby project. All servers live in the same subnet in the same VPC.



To simplify the management of accounts and permissions, I've decided to use Active Directory. This means installing domain controller(s). Documentation indicates that to use AWS domain controller services, the domain controllers must be in a private subnet of the VPC. Continuing my research into private subnets, a term unfamiliar to me, I learned that EC2s in the private subnet must be behind a NAT gateway -- or at least that's a strong recommendation.



The recommendation to put domain controllers in a private subnet behind a NAT gateway is apparently based on the security benefits provided. This leads to my question: What exactly are those security benefits?



Here's why I ask...



My existing four servers each have a private IP and a routable ("elastic") IP but the firewall prevents anyone from connecting on the latter, unless I create a security rule that allows it. Why would this be any different for domain controllers? I understand that DCs will only be used by servers on my network, and never by random outside parties on the Internet, but wouldn't that simply be the default state of affairs unless I create an inbound security rule to the contrary? What's the point of segregating these DCs on an isolated subnet with their own NAT gateway? It seems to be adding complexity with no real upside. Well, presumably there is an upside and I just don't know what it is, thus my question.



(I'm a hobbyest, not a professional, so if you feel that this question is more suitable for SuperUser, I'll delete and repost there. I just figured since it was server-related this site might be more appropriate.)










share|improve this question




















  • 4





    You might someday mess up the inbound rules and accidentally expose it. That's not possible if you're in a private subnet.

    – ceejayoz
    Jan 27 at 22:00
















5















I've been running four servers on AWS for a few years. It's for a hobby project. All servers live in the same subnet in the same VPC.



To simplify the management of accounts and permissions, I've decided to use Active Directory. This means installing domain controller(s). Documentation indicates that to use AWS domain controller services, the domain controllers must be in a private subnet of the VPC. Continuing my research into private subnets, a term unfamiliar to me, I learned that EC2s in the private subnet must be behind a NAT gateway -- or at least that's a strong recommendation.



The recommendation to put domain controllers in a private subnet behind a NAT gateway is apparently based on the security benefits provided. This leads to my question: What exactly are those security benefits?



Here's why I ask...



My existing four servers each have a private IP and a routable ("elastic") IP but the firewall prevents anyone from connecting on the latter, unless I create a security rule that allows it. Why would this be any different for domain controllers? I understand that DCs will only be used by servers on my network, and never by random outside parties on the Internet, but wouldn't that simply be the default state of affairs unless I create an inbound security rule to the contrary? What's the point of segregating these DCs on an isolated subnet with their own NAT gateway? It seems to be adding complexity with no real upside. Well, presumably there is an upside and I just don't know what it is, thus my question.



(I'm a hobbyest, not a professional, so if you feel that this question is more suitable for SuperUser, I'll delete and repost there. I just figured since it was server-related this site might be more appropriate.)










share|improve this question




















  • 4





    You might someday mess up the inbound rules and accidentally expose it. That's not possible if you're in a private subnet.

    – ceejayoz
    Jan 27 at 22:00














5












5








5








I've been running four servers on AWS for a few years. It's for a hobby project. All servers live in the same subnet in the same VPC.



To simplify the management of accounts and permissions, I've decided to use Active Directory. This means installing domain controller(s). Documentation indicates that to use AWS domain controller services, the domain controllers must be in a private subnet of the VPC. Continuing my research into private subnets, a term unfamiliar to me, I learned that EC2s in the private subnet must be behind a NAT gateway -- or at least that's a strong recommendation.



The recommendation to put domain controllers in a private subnet behind a NAT gateway is apparently based on the security benefits provided. This leads to my question: What exactly are those security benefits?



Here's why I ask...



My existing four servers each have a private IP and a routable ("elastic") IP but the firewall prevents anyone from connecting on the latter, unless I create a security rule that allows it. Why would this be any different for domain controllers? I understand that DCs will only be used by servers on my network, and never by random outside parties on the Internet, but wouldn't that simply be the default state of affairs unless I create an inbound security rule to the contrary? What's the point of segregating these DCs on an isolated subnet with their own NAT gateway? It seems to be adding complexity with no real upside. Well, presumably there is an upside and I just don't know what it is, thus my question.



(I'm a hobbyest, not a professional, so if you feel that this question is more suitable for SuperUser, I'll delete and repost there. I just figured since it was server-related this site might be more appropriate.)










share|improve this question
















I've been running four servers on AWS for a few years. It's for a hobby project. All servers live in the same subnet in the same VPC.



To simplify the management of accounts and permissions, I've decided to use Active Directory. This means installing domain controller(s). Documentation indicates that to use AWS domain controller services, the domain controllers must be in a private subnet of the VPC. Continuing my research into private subnets, a term unfamiliar to me, I learned that EC2s in the private subnet must be behind a NAT gateway -- or at least that's a strong recommendation.



The recommendation to put domain controllers in a private subnet behind a NAT gateway is apparently based on the security benefits provided. This leads to my question: What exactly are those security benefits?



Here's why I ask...



My existing four servers each have a private IP and a routable ("elastic") IP but the firewall prevents anyone from connecting on the latter, unless I create a security rule that allows it. Why would this be any different for domain controllers? I understand that DCs will only be used by servers on my network, and never by random outside parties on the Internet, but wouldn't that simply be the default state of affairs unless I create an inbound security rule to the contrary? What's the point of segregating these DCs on an isolated subnet with their own NAT gateway? It seems to be adding complexity with no real upside. Well, presumably there is an upside and I just don't know what it is, thus my question.



(I'm a hobbyest, not a professional, so if you feel that this question is more suitable for SuperUser, I'll delete and repost there. I just figured since it was server-related this site might be more appropriate.)







amazon-web-services nat domain-controller windows-server-2016






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 27 at 23:05







Festus Martingale

















asked Jan 27 at 21:57









Festus MartingaleFestus Martingale

1285




1285








  • 4





    You might someday mess up the inbound rules and accidentally expose it. That's not possible if you're in a private subnet.

    – ceejayoz
    Jan 27 at 22:00














  • 4





    You might someday mess up the inbound rules and accidentally expose it. That's not possible if you're in a private subnet.

    – ceejayoz
    Jan 27 at 22:00








4




4





You might someday mess up the inbound rules and accidentally expose it. That's not possible if you're in a private subnet.

– ceejayoz
Jan 27 at 22:00





You might someday mess up the inbound rules and accidentally expose it. That's not possible if you're in a private subnet.

– ceejayoz
Jan 27 at 22:00










3 Answers
3






active

oldest

votes


















9














If an instance has a Public / Elastic IP I can directly target it with an attack. Maybe you left some unneeded ports open in the Security Group that I can exploit.



If it doesn’t have a Public / Elastic IP it’s close to invisible to the Internet and I can’t directly target it from outside.



Think of a house - if it’s got door directly on the street your house security depends on the door lock. However if it’s in a section behind a solid wall it’s much harder to even get to the door and try to break the lock. Even if you by mistake leave the door unlocked you should still be pretty secure.



So yes, if everything works as expected then the security of public and private subnets should be similar. But mistakes happen and having your resources in Private subnet gives you an extra layer of protection in such times.



Hope that helps :)






share|improve this answer
























  • Yes, this makes sense, @MLu. Thanks for the explanation. One follow up question: If an EC2 on the public subnet with a routable (elastic) IP is attacked on a port that is not open via a legitimate security rule, will the malicious connection attempts actually hit the TCP/IP stack of the EC2 where they'll be rejected, or does the firewall block the request in such a manner so as the EC2 never even sees the attempts, nor uses any processing resources to reject/drop the packets? Put another way: Can the attacker execute an DOS against the EC2 by attacking ports NOT open by a valid sec rule?

    – Festus Martingale
    Jan 28 at 2:56






  • 1





    @FestusMartingale Security Group blocks the traffic before it gets to your instance. The instance will never see it.

    – MLu
    Jan 28 at 2:59






  • 1





    I believe based on bits and pieces I've read here and there that security groups and NACLs run on the hypervisor, so they don't reach the instance but they do reach the physical server. If you run Shield Advanced the docs say the NACLs can be hosted at the network edge for increased performance rather than the instance.

    – Tim
    Jan 28 at 6:40



















0














In addition to the network considerations, think about service isolation. AD DS + DNS + File Server ideally are the only roles on domain controller hosts. Probably don't want a public web server on the same box as the credentials to your network.



You can make the directory someone else's problem by using a hosted directory service. At the cost of less flexibility and learning opportunity.





Secure networks are possible with a private or public IP. The difference is personal preference of how obvious you want to make the isolation.



Let's look at "private subnet" and "behind a NAT gateway" independently.



Separating an admin subnet from a public facing network subnet makes the boundary between the security zones obvious. At a glance, an IP is either internal or external. You can add AWS network ACLs or a third party firewall between them. (On top of security groups which are associated to instances, not subnets.)



NAT gateway doesn't really add security. Incoming connections are not allowed, but that's also doable with security groups.



NAT does conserve IPv4 addresses. Or, IPv6 with a egress-only Internet gateway uses zero IPv4 addresses.






share|improve this answer































    0














    It's not more secure assuming the firewall rules were created correctly and you only have one server. The reason why you would want a private IP range is because it allows communication between multiple servers to happen securely. Take for example a web server and domain controller. You would want the web server to be able to securely communicate with the domain controller over a private network and you would also want to allow outside access to port 80/443. To accomplish this, would simply port forward port 80 and 443 directly to the www server. This configuration would protect the domain controller traffic by not exposing it to the public network.






    share|improve this answer























      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "2"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f951031%2fin-aws-why-is-an-ec2-behind-nat-gateway-in-private-zone-said-to-be-safer-than-o%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      3 Answers
      3






      active

      oldest

      votes








      3 Answers
      3






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      9














      If an instance has a Public / Elastic IP I can directly target it with an attack. Maybe you left some unneeded ports open in the Security Group that I can exploit.



      If it doesn’t have a Public / Elastic IP it’s close to invisible to the Internet and I can’t directly target it from outside.



      Think of a house - if it’s got door directly on the street your house security depends on the door lock. However if it’s in a section behind a solid wall it’s much harder to even get to the door and try to break the lock. Even if you by mistake leave the door unlocked you should still be pretty secure.



      So yes, if everything works as expected then the security of public and private subnets should be similar. But mistakes happen and having your resources in Private subnet gives you an extra layer of protection in such times.



      Hope that helps :)






      share|improve this answer
























      • Yes, this makes sense, @MLu. Thanks for the explanation. One follow up question: If an EC2 on the public subnet with a routable (elastic) IP is attacked on a port that is not open via a legitimate security rule, will the malicious connection attempts actually hit the TCP/IP stack of the EC2 where they'll be rejected, or does the firewall block the request in such a manner so as the EC2 never even sees the attempts, nor uses any processing resources to reject/drop the packets? Put another way: Can the attacker execute an DOS against the EC2 by attacking ports NOT open by a valid sec rule?

        – Festus Martingale
        Jan 28 at 2:56






      • 1





        @FestusMartingale Security Group blocks the traffic before it gets to your instance. The instance will never see it.

        – MLu
        Jan 28 at 2:59






      • 1





        I believe based on bits and pieces I've read here and there that security groups and NACLs run on the hypervisor, so they don't reach the instance but they do reach the physical server. If you run Shield Advanced the docs say the NACLs can be hosted at the network edge for increased performance rather than the instance.

        – Tim
        Jan 28 at 6:40
















      9














      If an instance has a Public / Elastic IP I can directly target it with an attack. Maybe you left some unneeded ports open in the Security Group that I can exploit.



      If it doesn’t have a Public / Elastic IP it’s close to invisible to the Internet and I can’t directly target it from outside.



      Think of a house - if it’s got door directly on the street your house security depends on the door lock. However if it’s in a section behind a solid wall it’s much harder to even get to the door and try to break the lock. Even if you by mistake leave the door unlocked you should still be pretty secure.



      So yes, if everything works as expected then the security of public and private subnets should be similar. But mistakes happen and having your resources in Private subnet gives you an extra layer of protection in such times.



      Hope that helps :)






      share|improve this answer
























      • Yes, this makes sense, @MLu. Thanks for the explanation. One follow up question: If an EC2 on the public subnet with a routable (elastic) IP is attacked on a port that is not open via a legitimate security rule, will the malicious connection attempts actually hit the TCP/IP stack of the EC2 where they'll be rejected, or does the firewall block the request in such a manner so as the EC2 never even sees the attempts, nor uses any processing resources to reject/drop the packets? Put another way: Can the attacker execute an DOS against the EC2 by attacking ports NOT open by a valid sec rule?

        – Festus Martingale
        Jan 28 at 2:56






      • 1





        @FestusMartingale Security Group blocks the traffic before it gets to your instance. The instance will never see it.

        – MLu
        Jan 28 at 2:59






      • 1





        I believe based on bits and pieces I've read here and there that security groups and NACLs run on the hypervisor, so they don't reach the instance but they do reach the physical server. If you run Shield Advanced the docs say the NACLs can be hosted at the network edge for increased performance rather than the instance.

        – Tim
        Jan 28 at 6:40














      9












      9








      9







      If an instance has a Public / Elastic IP I can directly target it with an attack. Maybe you left some unneeded ports open in the Security Group that I can exploit.



      If it doesn’t have a Public / Elastic IP it’s close to invisible to the Internet and I can’t directly target it from outside.



      Think of a house - if it’s got door directly on the street your house security depends on the door lock. However if it’s in a section behind a solid wall it’s much harder to even get to the door and try to break the lock. Even if you by mistake leave the door unlocked you should still be pretty secure.



      So yes, if everything works as expected then the security of public and private subnets should be similar. But mistakes happen and having your resources in Private subnet gives you an extra layer of protection in such times.



      Hope that helps :)






      share|improve this answer













      If an instance has a Public / Elastic IP I can directly target it with an attack. Maybe you left some unneeded ports open in the Security Group that I can exploit.



      If it doesn’t have a Public / Elastic IP it’s close to invisible to the Internet and I can’t directly target it from outside.



      Think of a house - if it’s got door directly on the street your house security depends on the door lock. However if it’s in a section behind a solid wall it’s much harder to even get to the door and try to break the lock. Even if you by mistake leave the door unlocked you should still be pretty secure.



      So yes, if everything works as expected then the security of public and private subnets should be similar. But mistakes happen and having your resources in Private subnet gives you an extra layer of protection in such times.



      Hope that helps :)







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered Jan 28 at 1:44









      MLuMLu

      7,62712040




      7,62712040













      • Yes, this makes sense, @MLu. Thanks for the explanation. One follow up question: If an EC2 on the public subnet with a routable (elastic) IP is attacked on a port that is not open via a legitimate security rule, will the malicious connection attempts actually hit the TCP/IP stack of the EC2 where they'll be rejected, or does the firewall block the request in such a manner so as the EC2 never even sees the attempts, nor uses any processing resources to reject/drop the packets? Put another way: Can the attacker execute an DOS against the EC2 by attacking ports NOT open by a valid sec rule?

        – Festus Martingale
        Jan 28 at 2:56






      • 1





        @FestusMartingale Security Group blocks the traffic before it gets to your instance. The instance will never see it.

        – MLu
        Jan 28 at 2:59






      • 1





        I believe based on bits and pieces I've read here and there that security groups and NACLs run on the hypervisor, so they don't reach the instance but they do reach the physical server. If you run Shield Advanced the docs say the NACLs can be hosted at the network edge for increased performance rather than the instance.

        – Tim
        Jan 28 at 6:40



















      • Yes, this makes sense, @MLu. Thanks for the explanation. One follow up question: If an EC2 on the public subnet with a routable (elastic) IP is attacked on a port that is not open via a legitimate security rule, will the malicious connection attempts actually hit the TCP/IP stack of the EC2 where they'll be rejected, or does the firewall block the request in such a manner so as the EC2 never even sees the attempts, nor uses any processing resources to reject/drop the packets? Put another way: Can the attacker execute an DOS against the EC2 by attacking ports NOT open by a valid sec rule?

        – Festus Martingale
        Jan 28 at 2:56






      • 1





        @FestusMartingale Security Group blocks the traffic before it gets to your instance. The instance will never see it.

        – MLu
        Jan 28 at 2:59






      • 1





        I believe based on bits and pieces I've read here and there that security groups and NACLs run on the hypervisor, so they don't reach the instance but they do reach the physical server. If you run Shield Advanced the docs say the NACLs can be hosted at the network edge for increased performance rather than the instance.

        – Tim
        Jan 28 at 6:40

















      Yes, this makes sense, @MLu. Thanks for the explanation. One follow up question: If an EC2 on the public subnet with a routable (elastic) IP is attacked on a port that is not open via a legitimate security rule, will the malicious connection attempts actually hit the TCP/IP stack of the EC2 where they'll be rejected, or does the firewall block the request in such a manner so as the EC2 never even sees the attempts, nor uses any processing resources to reject/drop the packets? Put another way: Can the attacker execute an DOS against the EC2 by attacking ports NOT open by a valid sec rule?

      – Festus Martingale
      Jan 28 at 2:56





      Yes, this makes sense, @MLu. Thanks for the explanation. One follow up question: If an EC2 on the public subnet with a routable (elastic) IP is attacked on a port that is not open via a legitimate security rule, will the malicious connection attempts actually hit the TCP/IP stack of the EC2 where they'll be rejected, or does the firewall block the request in such a manner so as the EC2 never even sees the attempts, nor uses any processing resources to reject/drop the packets? Put another way: Can the attacker execute an DOS against the EC2 by attacking ports NOT open by a valid sec rule?

      – Festus Martingale
      Jan 28 at 2:56




      1




      1





      @FestusMartingale Security Group blocks the traffic before it gets to your instance. The instance will never see it.

      – MLu
      Jan 28 at 2:59





      @FestusMartingale Security Group blocks the traffic before it gets to your instance. The instance will never see it.

      – MLu
      Jan 28 at 2:59




      1




      1





      I believe based on bits and pieces I've read here and there that security groups and NACLs run on the hypervisor, so they don't reach the instance but they do reach the physical server. If you run Shield Advanced the docs say the NACLs can be hosted at the network edge for increased performance rather than the instance.

      – Tim
      Jan 28 at 6:40





      I believe based on bits and pieces I've read here and there that security groups and NACLs run on the hypervisor, so they don't reach the instance but they do reach the physical server. If you run Shield Advanced the docs say the NACLs can be hosted at the network edge for increased performance rather than the instance.

      – Tim
      Jan 28 at 6:40













      0














      In addition to the network considerations, think about service isolation. AD DS + DNS + File Server ideally are the only roles on domain controller hosts. Probably don't want a public web server on the same box as the credentials to your network.



      You can make the directory someone else's problem by using a hosted directory service. At the cost of less flexibility and learning opportunity.





      Secure networks are possible with a private or public IP. The difference is personal preference of how obvious you want to make the isolation.



      Let's look at "private subnet" and "behind a NAT gateway" independently.



      Separating an admin subnet from a public facing network subnet makes the boundary between the security zones obvious. At a glance, an IP is either internal or external. You can add AWS network ACLs or a third party firewall between them. (On top of security groups which are associated to instances, not subnets.)



      NAT gateway doesn't really add security. Incoming connections are not allowed, but that's also doable with security groups.



      NAT does conserve IPv4 addresses. Or, IPv6 with a egress-only Internet gateway uses zero IPv4 addresses.






      share|improve this answer




























        0














        In addition to the network considerations, think about service isolation. AD DS + DNS + File Server ideally are the only roles on domain controller hosts. Probably don't want a public web server on the same box as the credentials to your network.



        You can make the directory someone else's problem by using a hosted directory service. At the cost of less flexibility and learning opportunity.





        Secure networks are possible with a private or public IP. The difference is personal preference of how obvious you want to make the isolation.



        Let's look at "private subnet" and "behind a NAT gateway" independently.



        Separating an admin subnet from a public facing network subnet makes the boundary between the security zones obvious. At a glance, an IP is either internal or external. You can add AWS network ACLs or a third party firewall between them. (On top of security groups which are associated to instances, not subnets.)



        NAT gateway doesn't really add security. Incoming connections are not allowed, but that's also doable with security groups.



        NAT does conserve IPv4 addresses. Or, IPv6 with a egress-only Internet gateway uses zero IPv4 addresses.






        share|improve this answer


























          0












          0








          0







          In addition to the network considerations, think about service isolation. AD DS + DNS + File Server ideally are the only roles on domain controller hosts. Probably don't want a public web server on the same box as the credentials to your network.



          You can make the directory someone else's problem by using a hosted directory service. At the cost of less flexibility and learning opportunity.





          Secure networks are possible with a private or public IP. The difference is personal preference of how obvious you want to make the isolation.



          Let's look at "private subnet" and "behind a NAT gateway" independently.



          Separating an admin subnet from a public facing network subnet makes the boundary between the security zones obvious. At a glance, an IP is either internal or external. You can add AWS network ACLs or a third party firewall between them. (On top of security groups which are associated to instances, not subnets.)



          NAT gateway doesn't really add security. Incoming connections are not allowed, but that's also doable with security groups.



          NAT does conserve IPv4 addresses. Or, IPv6 with a egress-only Internet gateway uses zero IPv4 addresses.






          share|improve this answer













          In addition to the network considerations, think about service isolation. AD DS + DNS + File Server ideally are the only roles on domain controller hosts. Probably don't want a public web server on the same box as the credentials to your network.



          You can make the directory someone else's problem by using a hosted directory service. At the cost of less flexibility and learning opportunity.





          Secure networks are possible with a private or public IP. The difference is personal preference of how obvious you want to make the isolation.



          Let's look at "private subnet" and "behind a NAT gateway" independently.



          Separating an admin subnet from a public facing network subnet makes the boundary between the security zones obvious. At a glance, an IP is either internal or external. You can add AWS network ACLs or a third party firewall between them. (On top of security groups which are associated to instances, not subnets.)



          NAT gateway doesn't really add security. Incoming connections are not allowed, but that's also doable with security groups.



          NAT does conserve IPv4 addresses. Or, IPv6 with a egress-only Internet gateway uses zero IPv4 addresses.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jan 28 at 3:29









          John MahowaldJohn Mahowald

          7,0881713




          7,0881713























              0














              It's not more secure assuming the firewall rules were created correctly and you only have one server. The reason why you would want a private IP range is because it allows communication between multiple servers to happen securely. Take for example a web server and domain controller. You would want the web server to be able to securely communicate with the domain controller over a private network and you would also want to allow outside access to port 80/443. To accomplish this, would simply port forward port 80 and 443 directly to the www server. This configuration would protect the domain controller traffic by not exposing it to the public network.






              share|improve this answer




























                0














                It's not more secure assuming the firewall rules were created correctly and you only have one server. The reason why you would want a private IP range is because it allows communication between multiple servers to happen securely. Take for example a web server and domain controller. You would want the web server to be able to securely communicate with the domain controller over a private network and you would also want to allow outside access to port 80/443. To accomplish this, would simply port forward port 80 and 443 directly to the www server. This configuration would protect the domain controller traffic by not exposing it to the public network.






                share|improve this answer


























                  0












                  0








                  0







                  It's not more secure assuming the firewall rules were created correctly and you only have one server. The reason why you would want a private IP range is because it allows communication between multiple servers to happen securely. Take for example a web server and domain controller. You would want the web server to be able to securely communicate with the domain controller over a private network and you would also want to allow outside access to port 80/443. To accomplish this, would simply port forward port 80 and 443 directly to the www server. This configuration would protect the domain controller traffic by not exposing it to the public network.






                  share|improve this answer













                  It's not more secure assuming the firewall rules were created correctly and you only have one server. The reason why you would want a private IP range is because it allows communication between multiple servers to happen securely. Take for example a web server and domain controller. You would want the web server to be able to securely communicate with the domain controller over a private network and you would also want to allow outside access to port 80/443. To accomplish this, would simply port forward port 80 and 443 directly to the www server. This configuration would protect the domain controller traffic by not exposing it to the public network.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Jan 28 at 5:25









                  JoeJoe

                  47426




                  47426






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Server Fault!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f951031%2fin-aws-why-is-an-ec2-behind-nat-gateway-in-private-zone-said-to-be-safer-than-o%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      How to change which sound is reproduced for terminal bell?

                      Can I use Tabulator js library in my java Spring + Thymeleaf project?

                      Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents