Cloud VPC & Networking
Also Known As: VPC, subnet, security group, NAT gateway
TL;DR
Virtual Private Cloud — private subnets for databases/workers, public subnets for load balancers only, security groups as stateful firewalls.
Explanation
A public subnet is one whose route table sends default traffic to an internet gateway; a private subnet has no such route and therefore no direct internet access. Security groups are stateful, per-instance firewalls that accept only allow rules (there are no deny rules, and return traffic for an allowed connection is permitted automatically). A NAT Gateway lets instances in private subnets make outbound requests without being reachable from the internet. Best practice: RDS, ElastiCache and ECS tasks in private subnets; only the ALB in a public subnet.
Common Misconception
✗ "Public subnets are inherently less secure": security groups control which traffic is allowed regardless of subnet type; the subnet only decides whether a direct internet route exists.
Why It Matters
A database placed in a public subnet can be reached directly from the internet; placing it in a private subnet ensures it is reachable only from the application servers.
Common Mistakes
- Database placed in a public subnet
- Security group allowing inbound 0.0.0.0/0 on port 22 (SSH)
- No VPC Flow Logs enabled
- Forgetting that security groups are stateful (no separate rule is needed for return traffic)
Code Examples
✗ Vulnerable
# RDS publicly_accessible=true with open SG
✓ Fixed
# RDS in private subnet
# SG: allows 5432 only from app-sg
# App in private subnet behind ALB in public subnet
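The Explanation, Common Mistakes and Code Examples above describe a layout; the following is an added example, not code from the original page, showing how the same rules can be checked mechanically over a description of a VPC. The data model (Subnet, SecurityGroup, Resource, Vpc), the audit function and the two sample VPCs are all assumptions of this example, constructed to mirror the "Vulnerable" and "Fixed" layouts; real tooling (aws-config, Scout Suite, Prowler) reads the same facts from the AWS API.

```python
"""Offline audit of a VPC description for the mistakes listed on this page.
Added example: the classes, the audit() function and the sample data are
assumptions of this example, not a real library or the page's own code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY_IPV4 = "0.0.0.0/0"
# Resource kinds that belong in private subnets (only the ALB sits in public).
BACKEND_KINDS = {"rds", "elasticache", "ecs", "ec2"}


@dataclass
class Subnet:
    subnet_id: str
    routes: Dict[str, str]  # destination CIDR -> route target (igw-..., nat-..., local)

    def is_public(self) -> bool:
        # A subnet is "public" when its default route points at an internet gateway.
        return self.routes.get(ANY_IPV4, "").startswith("igw-")


@dataclass
class SecurityGroup:
    group_id: str
    # Inbound allow rules only (security groups have no deny rules):
    # (from_port, to_port, source) where source is a CIDR or another group id.
    inbound: List[Tuple[int, int, str]]


@dataclass
class Resource:
    name: str
    kind: str  # "rds", "elasticache", "ecs", "ec2" or "alb"
    subnet_id: str
    security_groups: List[str]
    publicly_accessible: bool = False  # the RDS PubliclyAccessible flag


@dataclass
class Vpc:
    subnets: List[Subnet]
    groups: List[SecurityGroup]
    resources: List[Resource]
    flow_logs_enabled: bool = False
    app_sg_id: str = ""  # the only group the database should accept db_port from
    db_port: int = 5432


def audit(vpc: Vpc) -> List[str]:
    """Return one finding per misconfiguration; an empty list means the layout is clean."""
    findings: List[str] = []
    subnets = {s.subnet_id: s for s in vpc.subnets}
    groups = {g.group_id: g for g in vpc.groups}

    if not vpc.flow_logs_enabled:
        findings.append("vpc: flow logs disabled")

    # Mistake: SSH open to the whole internet in any security group.
    for g in vpc.groups:
        for lo, hi, src in g.inbound:
            if src == ANY_IPV4 and lo <= 22 <= hi:
                findings.append(f"{g.group_id}: port 22 open to {ANY_IPV4}")

    for r in vpc.resources:
        subnet = subnets[r.subnet_id]
        # Mistake: backend resource (DB, cache, app) placed in a public subnet.
        if r.kind in BACKEND_KINDS and subnet.is_public():
            findings.append(f"{r.name}: {r.kind} placed in public subnet {subnet.subnet_id}")
        if r.kind == "rds":
            if r.publicly_accessible:
                findings.append(f"{r.name}: PubliclyAccessible=true")
            # Mistake: database port reachable from anything other than the app security group.
            for gid in r.security_groups:
                for lo, hi, src in groups[gid].inbound:
                    if lo <= vpc.db_port <= hi and src != vpc.app_sg_id:
                        findings.append(
                            f"{r.name}: {gid} allows {vpc.db_port} from {src}, not only {vpc.app_sg_id}"
                        )
    return findings


# Constructed sample: the "Vulnerable" layout (RDS public, open SG, no flow logs).
VULNERABLE = Vpc(
    subnets=[Subnet("subnet-public", {"10.0.0.0/16": "local", ANY_IPV4: "igw-1"})],
    groups=[SecurityGroup("sg-open", [(22, 22, ANY_IPV4), (5432, 5432, ANY_IPV4)])],
    resources=[Resource("db", "rds", "subnet-public", ["sg-open"], publicly_accessible=True)],
    flow_logs_enabled=False,
    app_sg_id="sg-app",
)

# Constructed sample: the "Fixed" layout (ALB public; app and DB private via NAT; DB only from app-sg).
FIXED = Vpc(
    subnets=[
        Subnet("subnet-public", {"10.0.0.0/16": "local", ANY_IPV4: "igw-1"}),
        Subnet("subnet-private", {"10.0.0.0/16": "local", ANY_IPV4: "nat-1"}),
    ],
    groups=[
        SecurityGroup("sg-alb", [(443, 443, ANY_IPV4)]),
        SecurityGroup("sg-app", [(8080, 8080, "sg-alb")]),
        SecurityGroup("sg-db", [(5432, 5432, "sg-app")]),
    ],
    resources=[
        Resource("alb", "alb", "subnet-public", ["sg-alb"]),
        Resource("app", "ecs", "subnet-private", ["sg-app"]),
        Resource("db", "rds", "subnet-private", ["sg-db"]),
    ],
    flow_logs_enabled=True,
    app_sg_id="sg-app",
)

if __name__ == "__main__":
    for label, vpc in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, audit(vpc) or ["clean"])
```

Running the block prints five findings for the vulnerable layout and "clean" for the fixed one. The "public" test is deliberately based on the route table rather than on the subnet name, since that is what actually makes a subnet public; a subnet routed through a NAT gateway still counts as private.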
Added
16 Mar 2026
Edited
22 Mar 2026
Tools & Severity
🟠 High
⚙ Fix effort: High
⚡ Quick Fix
Place PHP-FPM servers and databases in private subnets; only the load balancer sits in the public subnet. Use a NAT Gateway for outbound internet access from the private subnets.
📦 Applies To: any, web, cli
🔍 Detection Hints
RDS database in public subnet; EC2 instance directly internet-facing with no load balancer; security group allowing 0.0.0.0/0 inbound
Auto-detectable: ✓ Yes (aws-config, scout-suite, prowler)
🤖 AI Agent
Confidence: Low
False Positives: Medium
✗ Manual fix
Fix: High
Context: File