Why do you default to creating all three subnet tiers in the VPC module? #166
Why does the VPC module default to creating all three subnet tiers? Even looking at the CIS wrapping around the module, it still looks like all subnets will always be created. I would expect a minimum of subnets to be the best default, and particularly not creating public subnets if they aren't strictly needed.
Replies: 1 comment
You always need a public subnet even for a purely private deployment of the VPC for the purposes of NAT routing. Without a public subnet tier, the nodes in the private tier will not be able to make outbound connections to the public. Depending on your use case, you may be able to get away without any public access (air-gapped app deployment) by leveraging AWS private links for the services that you do need access to (e.g., s3 and ECR and pulling packages there). However, this is fairly cumbersome to implement and is typically not worth the cost in 90% of use cases.
As such, we default to what we expect most customer organizations and teams need, which is the three subnet tiers we default to creating. Note that at each layer, you have the option to disable any tiers that you don't have a need for using the …
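To make the trade-off in the reply concrete, here is an added Terraform example. It is not the VPC module this discussion is about and not the replier's code; the `enable_public_tier` variable, the CIDR ranges and the single-AZ layout are constructed for illustration, and the region is read from the provider's `aws_region` data source. With the toggle on, the public tier contains nothing but the NAT gateway (no instance in either tier gets a public IP) and the private route table's default route points at it; with the toggle off, no public subnet exists and S3 and ECR are reached through VPC endpoints instead, which is the "private links" path the reply calls cumbersome.

```hcl
# Added example, not the module from this discussion. One private tier plus a
# toggle between the two shapes the reply describes: NAT egress via a public
# tier, or no public tier at all with VPC endpoints (PrivateLink) for S3/ECR.
variable "enable_public_tier" {
  type    = bool
  default = true # false = air-gapped shape: no public subnet is created
}
data "aws_region" "current" {}

resource "aws_vpc" "this" {
  cidr_block           = "10.0.0.0/16" # constructed example range
  enable_dns_hostnames = true          # needed for interface endpoints' private DNS
}

# Private tier: always created; workloads live here and never get a public IP.
resource "aws_subnet" "private" {
  vpc_id                  = aws_vpc.this.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = false
}
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.this.id
}
resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# ---- Shape 1: the public tier exists only to host the NAT gateway ----------
resource "aws_internet_gateway" "this" {
  count  = var.enable_public_tier ? 1 : 0
  vpc_id = aws_vpc.this.id
}
resource "aws_subnet" "public" {
  count                   = var.enable_public_tier ? 1 : 0
  vpc_id                  = aws_vpc.this.id
  cidr_block              = "10.0.0.0/24"
  map_public_ip_on_launch = false # only the NAT gateway needs a public address
}
resource "aws_route_table" "public" {
  count  = var.enable_public_tier ? 1 : 0
  vpc_id = aws_vpc.this.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.this[0].id
  }
}
resource "aws_route_table_association" "public" {
  count          = var.enable_public_tier ? 1 : 0
  subnet_id      = aws_subnet.public[0].id
  route_table_id = aws_route_table.public[0].id
}
resource "aws_eip" "nat" {
  count  = var.enable_public_tier ? 1 : 0
  domain = "vpc"
}
resource "aws_nat_gateway" "this" {
  count         = var.enable_public_tier ? 1 : 0
  allocation_id = aws_eip.nat[0].id
  subnet_id     = aws_subnet.public[0].id
}
# Private default route -> NAT. There is still no inbound path from the
# internet: the NAT gateway only translates connections initiated inside the VPC.
resource "aws_route" "private_egress" {
  count                  = var.enable_public_tier ? 1 : 0
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.this[0].id
}

# ---- Shape 2: no public tier; AWS services reachable only through endpoints -
resource "aws_vpc_endpoint" "s3" {
  count             = var.enable_public_tier ? 0 : 1
  vpc_id            = aws_vpc.this.id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
}
resource "aws_security_group" "endpoints" {
  count  = var.enable_public_tier ? 0 : 1
  vpc_id = aws_vpc.this.id
  ingress { # only in-VPC callers may reach the endpoint ENIs
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.this.cidr_block]
  }
}
# ECR needs two interface endpoints (API and image layers) on top of the S3
# gateway endpoint, because layer blobs are served from S3: the "cumbersome" part.
resource "aws_vpc_endpoint" "ecr" {
  for_each            = var.enable_public_tier ? toset([]) : toset(["ecr.api", "ecr.dkr"])
  vpc_id              = aws_vpc.this.id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.private.id]
  security_group_ids  = [aws_security_group.endpoints[0].id]
  private_dns_enabled = true
}
```

Two things worth noticing when weighing the reply's "not worth the cost" remark: the S3 gateway endpoint is free, but each interface endpoint bills per hour per AZ plus data processed, and every additional AWS service the workload touches (STS, CloudWatch Logs, SSM, and so on) needs its own interface endpoint, while anything outside AWS, such as a package registry, remains unreachable without the NAT path. In the NAT shape, on the other hand, the only resource with a public address is the NAT gateway's Elastic IP, and the public route table is never associated with the private subnet, so dropping the public tier from a module like this buys no reduction in inbound exposure, only the removal of outbound internet access.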