A-EC2-17

Subnets attached to Route Tables with Multiple External Routes

Risk:
Low
CWE:
203

Subnets should utilise a single exit route for outbound traffic, such as an Internet Gateway or a NAT, and not multiple external routes.


Details

A key aspect of good network architecture is to maintain clarity and reduce complexity in order to lower maintenance and security burdens. Although it is possible to run a complex network, the cognitive load often outweighs the benefits, as increased complexity does not typically yield greater technical functionality but adds obstacles to knowledge and long-term maintenance. Simple networks can be just as functionally capable as more complex ones.

One important consideration is ensuring that subnets have a distinct and clear exit route to the internet, whether through an Internet Gateway or a single NAT. Multiple exit routes can lead to complicated traffic patterns that are not immediately obvious. For instance, a subnet that directs all traffic to a single NAT has a single known external IP address for all outgoing traffic. However, having multiple NAT routes in the routing table for different destination traffic can complicate analysis, as it requires extra computation to determine the route for logging, debugging and external identification.

Our preferred setup is to divide subnets into three categories: private subnets, NAT subnets and public subnets. Public subnets are necessary for resources that need internet connectivity via public IP addresses, such as load balancers and VPN services.

NAT subnets are for resources that should remain inaccessible to externally initiated connections but host services that still need to initiate connections to the internet for tasks like downloading resources. NAT subnets send their outbound traffic through a single NAT interface.

Private subnets should only communicate within the internal VPC network and should have no direct access to the internet. Private subnets typically host databases and other services that are available to the internal network only.

By organizing networks in this way, we can ensure that public subnets have direct access to an Internet Gateway, while NAT subnets route through either a single VPC-wide NAT or an availability-zone-specific NAT, depending on availability requirements. This keeps communication management simple, as all traffic from a NAT subnet to the internet appears externally as the single IP address of that NAT, for every destination. Additionally, any outbound traffic from public subnets will come from the public IP address assigned to each resource, without any network address translation. This provides a very clear origin for traffic leaving your network.

Remediation

Review each route table for your subnets to identify any that point to multiple exit points for your VPC. For route tables that connect to an Internet Gateway as well as a NAT gateway, or to multiple NAT gateways, adjust the rules so that only one NAT or Internet Gateway handles non-local traffic, i.e. the global range (0.0.0.0/0). This configuration designates a single NAT as the exit point for your NAT subnets - providing one public IP address for all outbound traffic originating from those subnets - and ensures that all public subnet traffic uses the public IP address attached to each resource.
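The review above can be automated against the output of `aws ec2 describe-route-tables`. The script below is an added example, not SkySiege's own tooling; it flags every route table whose active routes lead to more than one distinct internet exit (Internet Gateway, NAT gateway or egress-only Internet Gateway), and the embedded sample data and IDs are constructed placeholders.

```python
"""Flag route tables with more than one external exit (the A-EC2-17 condition).

Works on the JSON shape returned by `aws ec2 describe-route-tables` (or boto3's
describe_route_tables()), so a saved dump can be checked offline.
"""
import json


def _route_exit(route):
    """Return the internet-facing target of a route, or None for local/peering/VGW targets."""
    gw = route.get("GatewayId", "")
    if gw.startswith("igw-"):
        return gw
    return route.get("NatGatewayId") or route.get("EgressOnlyInternetGatewayId")


def external_exits(route_table):
    """Distinct external exits used by the table's active routes (blackhole routes are ignored)."""
    exits = set()
    for route in route_table.get("Routes", []):
        if route.get("State", "active") != "active":
            continue
        target = _route_exit(route)
        if target:
            exits.add(target)
    return exits


def find_multi_exit_tables(describe_output):
    """Map RouteTableId -> {exits, subnets} for every table with more than one external exit."""
    findings = {}
    for rtb in describe_output.get("RouteTables", []):
        exits = external_exits(rtb)
        if len(exits) > 1:
            subnets = [a["SubnetId"] for a in rtb.get("Associations", []) if "SubnetId" in a]
            findings[rtb["RouteTableId"]] = {"exits": sorted(exits), "subnets": subnets}
    return findings


# Constructed sample in the describe-route-tables shape; all IDs are placeholders.
SAMPLE = {"RouteTables": [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]},
    {"RouteTableId": "rtb-mixed", "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaaa", "State": "active"},
                {"DestinationCidrBlock": "198.51.100.0/24", "NatGatewayId": "nat-0bbbb", "State": "active"},
                {"DestinationCidrBlock": "192.0.2.0/24", "GatewayId": "igw-0example", "State": "blackhole"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-db-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
]}

if __name__ == "__main__":
    print(json.dumps(find_multi_exit_tables(SAMPLE), indent=2))
```

Only `rtb-mixed` is reported: its two active NAT routes are two exits, while its blackhole IGW route does not forward traffic and is not counted.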

Uncover complex routes, including mixed external paths, with a comprehensive network scan and consultation:

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.
