
Why You should NOT have a Way Out to the Internet from Main Route Table

In-depth knowledge of Virtual Private Cloud (VPC) and its related components, viz. subnets, route tables and the internet gateway, is a must before you sit any AWS certification exam. Even seasoned professionals sometimes miss a specific nitty-gritty of a topic, and that can cost a few marks in the exam. In this article we explore one such concept, which has generated more than a dozen queries in our helpdesk system.

Covering this topic is recommended for all aspirants preparing for any of the AWS certifications. If you are preparing for the AWS Certified SysOps Administrator Associate exam or the AWS Certified Solutions Architect Associate exam, it is mandatory.


Why You should NOT have a Way Out to the Internet from Main Route Table

Or this can be rephrased as:

Why is it Not a Good Security Practice to Associate the Public Subnet with the Main Route Table?

To put things into perspective, here is a question that will get you thinking about route tables and subnets in an AWS VPC.

You are the Systems Administrator for a company. You have been instructed to create a VPC setup which has a public and a private subnet. The public subnet needs to have a NAT gateway, which will be used to route traffic to the internet for instances in the private subnet. Which of the following routing entries would you create in the respective main and custom route tables? (Choose 2 answers from the options given below.)

  1. In the main route table add a route with destination of 0.0.0.0/0 and the NAT Gateway ID.
  2. In the main route table add a route with destination of 0.0.0.0/0 and the Internet Gateway ID.
  3. In the custom route table add a route with destination of 0.0.0.0/0 and the NAT Gateway ID.
  4. In the custom route table add a route with destination of 0.0.0.0/0 and the Internet Gateway ID.

And the solution is:

  • In the main route table, add a route with a destination of 0.0.0.0/0 and the NAT gateway ID, and
  • In the custom route table, add a route with a destination of 0.0.0.0/0 and the internet gateway ID.

For the above scenario, we received feedback that basically revolved around one point:

  • The scenario doesn’t specify which route table is for the public subnet and which is for the private subnet.

Read on to understand why the scenario does not need to mention the subnet-to-route-table associations explicitly.


Here’s a Primer on Route Tables for the Uninitiated

Let us read an extract from Amazon documentation:

“When you create a VPC, it automatically has the main route table. On the Route Tables page in the Amazon VPC console, you can view the main route table for a VPC by looking for ‘Yes’ in the Main column. The main route table controls the routing for all subnets that are not explicitly associated with any other route table. You can add, remove, and modify routes in the main route table.”

From the above statement we can conclude the following:

  • Your VPC automatically comes with the main route table that you can modify.
  • You can create additional custom route tables for your VPC.
  • Each subnet must be associated with a route table, which controls the routing for the subnet. If you don’t explicitly associate a subnet with a particular route table, the subnet is implicitly associated with the main route table.


So, Why You should NOT have a Way Out to the Internet from Main Route Table

Keeping security best practices in mind, you should not have a route out to the internet from the main route table.

This is because every subnet that is not explicitly associated with a route table is implicitly associated with the main route table, and that includes every subnet you create in future. So, if the main route table carries a 0.0.0.0/0 route to the internet gateway, every subnet that nobody remembered to associate with a custom route table is a public subnet by default. Any instance launched in such a subnet with a public or Elastic IP (which happens automatically when auto-assign public IP is enabled on the subnet) is then directly reachable from the internet, protected only by its security group and network ACL. Making the public path depend on an explicit association fails safe: if you forget the association, the subnet stays private.

Keeping the above statements in mind, we can infer the following as good practice:

A custom route table should be associated with the public subnet. This route table contains the local route that enables instances in the subnet to communicate with other instances in the VPC over IPv4, and a 0.0.0.0/0 route to the internet gateway that enables instances in the subnet to communicate directly with the internet. The NAT gateway itself lives in this public subnet and relies on that internet gateway route.

The main route table should be associated with the private subnet (or, equivalently, left as the implicit default for it). This route table contains the local route that enables instances in the subnet to communicate with other instances in the VPC over IPv4, and a 0.0.0.0/0 route to the NAT gateway that enables instances in the subnet to reach the internet through the NAT gateway over IPv4 without being reachable from it.

This is why the scenario did not need to state which route table is associated with the public or the private subnet: by this convention, the main route table serves the private subnet (default route to the NAT gateway) and the custom route table serves the public subnet (default route to the internet gateway). And it is why you should not have a route out to the internet from the main route table.
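To make the point concrete, here is an added audit script that flags the anti-pattern. It is not part of the original article and not AWS tooling; it works on dictionaries in the shape of the JSON returned by `aws ec2 describe-route-tables` and `aws ec2 describe-subnets`, and the route table, subnet and gateway IDs in the sample data are made up for illustration.

```python
"""Audit a VPC for a default route to an internet gateway in the MAIN route table,
and list the subnets that inherit it only because they were never explicitly
associated with any route table.

Input dictionaries follow the shape of `aws ec2 describe-route-tables` and
`aws ec2 describe-subnets` output; only the keys used here are populated, and
every ID below is constructed sample data, not taken from a real account."""
import json

DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}


def igw_default_routes(route_table):
    """IDs of internet gateways reachable via an active default route in this table.
    NAT gateway routes carry NatGatewayId rather than GatewayId, so they are ignored."""
    hits = []
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        gateway = route.get("GatewayId", "")
        active = route.get("State", "active") == "active"
        if dest in DEFAULT_ROUTES and gateway.startswith("igw-") and active:
            hits.append(gateway)
    return hits


def main_route_table(route_tables):
    """The one table per VPC whose association list carries Main: True."""
    for table in route_tables:
        if any(assoc.get("Main") for assoc in table.get("Associations", [])):
            return table
    raise ValueError("no main route table in input")


def audit_vpc(route_tables, subnets):
    """Return the main table, the implicitly associated subnets, and one finding per
    such subnet when the main table routes default traffic to an internet gateway."""
    main = main_route_table(route_tables)
    explicit = {
        assoc["SubnetId"]
        for table in route_tables
        for assoc in table.get("Associations", [])
        if assoc.get("SubnetId")
    }
    implicit = [s for s in subnets if s["SubnetId"] not in explicit]
    igw = igw_default_routes(main)
    findings = []
    if igw:
        for subnet in implicit:
            # The IGW route only exposes instances that hold a public or Elastic IP;
            # auto-assign on launch makes that the default for the whole subnet.
            severity = "HIGH" if subnet.get("MapPublicIpOnLaunch") else "MEDIUM"
            findings.append({
                "subnet": subnet["SubnetId"],
                "severity": severity,
                "reason": f"inherits {main['RouteTableId']}, which routes 0.0.0.0/0 to {igw[0]}",
            })
    return {
        "main_route_table": main["RouteTableId"],
        "main_has_igw_route": bool(igw),
        "implicit_subnets": [s["SubnetId"] for s in implicit],
        "findings": findings,
    }


# Constructed routes and subnets (IDs are made up).
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
TO_IGW = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d", "State": "active"}
TO_NAT = {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0e5f6a7b", "State": "active"}

# subnet-new was added later and nobody associated it with a route table.
SUBNETS = [
    {"SubnetId": "subnet-public", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-private", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-new", "MapPublicIpOnLaunch": False},
]

# Anti-pattern from the article: IGW route in the main table, NAT route in a custom table.
BAD_LAYOUT = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}], "Routes": [LOCAL, TO_IGW]},
    {"RouteTableId": "rtb-custom", "Associations": [{"Main": False, "SubnetId": "subnet-private"}],
     "Routes": [LOCAL, TO_NAT]},
]

# Recommended layout: main table routes via the NAT gateway; only the explicitly
# associated public subnet gets the IGW route, so forgotten subnets stay private.
GOOD_LAYOUT = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}], "Routes": [LOCAL, TO_NAT]},
    {"RouteTableId": "rtb-public", "Associations": [{"Main": False, "SubnetId": "subnet-public"}],
     "Routes": [LOCAL, TO_IGW]},
]

if __name__ == "__main__":
    for name, tables in (("bad", BAD_LAYOUT), ("good", GOOD_LAYOUT)):
        print(name, json.dumps(audit_vpc(tables, SUBNETS), indent=2))
```

Against the bad layout the script reports both `subnet-public` and the forgotten `subnet-new` as inheriting the internet route, rating the one with auto-assign public IP higher; against the recommended layout it reports nothing, because the implicitly associated subnets only inherit the NAT route. To run it on a real VPC, pass the `RouteTables` list from `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>` and the `Subnets` list from `aws ec2 describe-subnets` with the same filter.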

We hope this explanation helps you in your preparation for the AWS certifications. If you are looking for online study material or practice tests for AWS certification preparation, check out Whizlabs AWS Certifications Training.

If you want to discuss your doubts with AWS experts, submit your query on the Whizlabs Forum and get connected with industry experts.

References

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html

About Pavan Rao

Programmer / Developer by Profession and Cloud Computing Professional by choice with in-depth knowledge in AWS, Azure, Google Cloud Platform. - "May the Force of Cloud Computing be with You"
