This repository has been archived by the owner on Jan 4, 2024. It is now read-only.

"Private Subnets + NAT Gateways" versus "Security Groups" #102

Open
bs-thomas opened this issue Jul 18, 2019 · 1 comment
@bs-thomas

Hello there,

First of all, I would like to express a big thank you to you guys for making such a beautiful CF template example for us all to reference. This example has shown me how to pass resources between stacks beautifully, without spaghetti links and loopback issues.

If you don't mind, I would like to ask a quick question related to the choice of approach for the VPC in the CF template.


Problem and Goal

I understand that, for security reasons, our goal here is that ECS instances should not be accessible from the Internet, but ECS instances need to be able to "connect out" if this is necessary (downloading packages, etc.).

Approach A - by ecs-refarch-cloudformation

I noticed (at least I think) that in the template you guys have made use of private subnets and NAT gateways to achieve this goal.

Approach B - by me (bs-thomas)

To be honest, before I saw this CF template, I had built a cheap amateur version of a similar stack (with far fewer features, of course) and have been using it for some time.

The approach I used to achieve the above goal is to simply declare some security groups for these ECS instances to block the traffic out from the Internet. (On a side note, I have also added a "backdoor" for my company's IP address to be able to access the underlying instances in case we have to do something about them, which is pretty convenient.)

This achieves a "similar" effect (probably not the same), but it is a cheaper approach, as I do not need to employ NAT gateways.

My Question

I assume there is a difference, but I don't know what it is, and I wanted to ask experts like you guys out there.

So my question is: I want to know the pros and cons of approaches (A) and (B).

If you guys can shed some light on this, I'd highly appreciate it!

@timzuiddam

Sorry for this very late reaction, but the answer to this is pretty simple; it's called layered security.
That said, if this will be the only thing living inside your VPC and you are also the only person working on the infra, a closed-down SG will suffice.
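The two approaches from the question (A: private subnet with a NAT gateway route; B: an ingress-restricted security group on a host that keeps a public IP) and the "layered security" point in the reply, shown side by side as an added CloudFormation example. This is not code from ecs-refarch-cloudformation or from either commenter; the VpcId and PublicSubnetId parameters, the 10.0.10.0/24 subnet CIDR, the CompanyCidr default (RFC 5737 documentation space) and the choice of port 22 for the "backdoor" rule are all assumptions made for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not the ecs-refarch template) contrasting approach A
  (private subnet + NAT gateway) with approach B (ingress-restricted security group).

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id          # assumption: an existing VPC
  PublicSubnetId:
    Type: AWS::EC2::Subnet::Id       # assumption: its route table already has 0.0.0.0/0 -> IGW
  CompanyCidr:
    Type: String
    Default: 203.0.113.0/24          # assumption: the office's egress range (documentation CIDR)

Resources:
  # ---- Approach A: no inbound path from the Internet exists, whatever the SG says ----
  NatEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatEip.AllocationId
      SubnetId: !Ref PublicSubnetId  # the NAT itself must live in a subnet that routes to the IGW
  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcId
      CidrBlock: 10.0.10.0/24        # assumption: fits inside the VPC CIDR
      MapPublicIpOnLaunch: false     # hosts here never receive a public IPv4 address
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId
  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway  # outbound only; there is no IGW entry on this table
  PrivateSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet
      RouteTableId: !Ref PrivateRouteTable

  # ---- Approach B: the host has a public IP and the SG is the only barrier ----
  EcsHostSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ECS hosts - no Internet ingress except the office "backdoor"
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22               # assumption: SSH is the admin access the "backdoor" is for
          ToPort: 22
          CidrIp: !Ref CompanyCidr   # the only inbound rule; deliberately nothing from 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: "-1"
          CidrIp: 0.0.0.0/0          # security groups are stateful: replies to outbound
                                     # connections are admitted without an ingress rule

Outputs:
  PrivateSubnetId:
    Value: !Ref PrivateSubnet
  EcsHostSecurityGroupId:
    Value: !Ref EcsHostSecurityGroup
```

The practical difference: with approach B alone, a single added ingress rule (a colleague opening 0.0.0.0/0 "just to test", or a template change that widens CompanyCidr) immediately exposes a host that already has a public address and an IGW route. With approach A, the same mistaken SG rule changes nothing, because no packet from the Internet can be routed to the host in the first place. Attaching EcsHostSecurityGroup to hosts launched in PrivateSubnet is the layered arrangement the reply refers to: the route table removes the inbound path and the security group limits what reaches the host even from inside the VPC. Approach A is not free, though: the NAT gateway bills per hour and per GB processed, which is the cost saving the question is weighing.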
