In-depth knowledge of Virtual Private Cloud (VPC) and its related components, viz. subnets, route tables and the internet gateway, is a must before you appear in any AWS certification exam. Sometimes even seasoned professionals miss out on a specific nitty-gritty of a topic, and that can cost a few marks in the exam. In this article we explore one such concept, which has generated more than a dozen queries in our helpdesk system.
Covering this topic is recommended for all aspirants preparing for any of the AWS certifications. If you are preparing for the AWS Certified SysOps Administrator Associate exam or the AWS Certified Solutions Architect Associate exam, it is mandatory.
Why You should NOT have a Way Out to the Internet from Main Route Table
Or this can be rephrased as:
Why it’s Not a Good Security Practice to Associate the Public Subnet with Main Route Table?
To put things into perspective, here is a question (see the screenshot below) that will get you thinking about route tables and subnets in an AWS VPC.
You are the Systems Administrator for a Company. You have been instructed to create a VPC setup which has a public and private subnet. The public subnet needs to have a NAT Gateway which will be used to route traffic to the internet for instances in the private subnet. Which of the following routing entries would you create in the respective main and custom route tables. (Choose 2 Answers from the options given below).
- In the main route table add a route with destination of 0.0.0.0/0 and the NAT Gateway ID.
- In the main route table add a route with destination of 0.0.0.0/0 and the Internet Gateway ID.
- In the custom route table add a route with destination of 0.0.0.0/0 and the NAT Gateway ID.
- In the custom route table add a route with destination of 0.0.0.0/0 and the Internet Gateway ID.
You are working as a System Administrator in a company. As per the instructions, you need to create a VPC setup that has a private and public subnet. The public subnet requires a NAT gateway that will be used to route traffic to the internet for Instances in the private subnet. Which of the following routing entries will you create in the respective main and custom route tables?
And the solution is:
- In the main route table, add a route with a destination of 0.0.0.0/0 and the NAT gateway ID, and
- In the custom route table, add a route with a destination of 0.0.0.0/0 and the internet gateway ID.
For the above scenario, we received feedback that basically revolved around the following:
- The scenario doesn’t specify which route table is for the public or private subnet
So why does the scenario not need to state explicitly which subnet is associated with which route table? Read on to understand this.
Here's a primer on route tables for the uninitiated
Let us read an extract from the Amazon documentation:
When you create a VPC, it automatically has the main route table. On the Route Tables page in the Amazon VPC console, you can view the main route table for a VPC by looking for “Yes” in the Main column. The main route table controls the routing for all subnets that are not explicitly associated with any other route table. You can add, remove, and modify routes in the main route table.
The above statement implies the following:
- Your VPC automatically comes with the main route table that you can modify.
- You can create additional custom route tables for your VPC.
- Each subnet must be associated with a route table, which controls the routing for the subnet. If you don’t explicitly associate a subnet with a particular route table, the subnet is implicitly associated with the main route table.
So, Why You should NOT have a Way Out to the Internet from Main Route Table
Keeping security best practices in mind, you should not have a way out to the internet from the main route table; that is, the main route table should not contain a default route (0.0.0.0/0, or ::/0 for IPv6) whose target is an internet gateway.
This is because every new subnet you create is associated with the main route table by default. To put it another way, a subnet that has not been explicitly associated with any route table is implicitly associated with the main route table. So if the main route table has a route out to the internet, every subnet that is not explicitly associated with another route table is a public subnet by default, and nobody had to make a deliberate decision for that to happen. Whether a particular instance in such a subnet is actually reachable still depends on it having a public or Elastic IP address and on its security group and network ACL rules, but the route is the precondition, and with the subnet's auto-assign public IP setting enabled the exposure becomes automatic. That is the security risk.
Keeping the above statements in mind, we can infer the following as good practice:
A custom route table should be associated with the public subnet. This route table contains an entry that enables instances in the subnet to communicate with other instances in the VPC over IPv4. And an entry that enables instances in the subnet to communicate directly with the Internet.
The main route table should be associated with the private subnet. This route table contains an entry that enables instances in the subnet to communicate with other instances in the VPC over IPv4, and an entry that enables instances in the subnet to communicate with the Internet through the NAT gateway over IPv4.
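To make the rule above checkable rather than just memorable, here is an added example (not from the original article or from AWS) of an audit over the data shapes returned by the EC2 API: it walks a list shaped like `describe_route_tables()["RouteTables"]` and `describe_subnets()["Subnets"]`, flags any main route table that carries a default route to an internet gateway, and lists the subnets that are exposed because they were never explicitly associated with a route table. The sample records are constructed inline so the script runs offline; every identifier in them (`vpc-0example`, `rtb-0main`, `igw-0example`, `subnet-0new` and so on) is made up. In real use you would feed it the output of `boto3` calls instead of the constants.

```python
"""Audit VPC route tables for a main route table that routes to an internet gateway.

Added example: data shapes mirror the EC2 DescribeRouteTables and DescribeSubnets
responses, but every record and identifier below is constructed for illustration.
"""
from typing import Any, Dict, List, Tuple

DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "everything else" routes

# Constructed sample: the anti-pattern the article warns about. The main table
# has a default route to an IGW; a custom table routes private traffic via NAT.
ROUTE_TABLES: List[Dict[str, Any]] = [
    {
        "RouteTableId": "rtb-0main",
        "VpcId": "vpc-0example",
        "Associations": [
            {"Main": True, "RouteTableId": "rtb-0main"},
            {"Main": False, "RouteTableId": "rtb-0main", "SubnetId": "subnet-0public"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-0custom",
        "VpcId": "vpc-0example",
        "Associations": [
            {"Main": False, "RouteTableId": "rtb-0custom", "SubnetId": "subnet-0private"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
        ],
    },
]

# Constructed sample: subnet-0new was created later and never associated anywhere,
# so it silently inherits the main route table.
SUBNETS: List[Dict[str, Any]] = [
    {"SubnetId": "subnet-0public", "VpcId": "vpc-0example", "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-0private", "VpcId": "vpc-0example", "CidrBlock": "10.0.2.0/24"},
    {"SubnetId": "subnet-0new", "VpcId": "vpc-0example", "CidrBlock": "10.0.3.0/24"},
]


def internet_gateway_default_routes(route_table: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (destination, igw-id) for every active default route targeting an IGW.

    IGW targets appear under GatewayId; NAT gateways use NatGatewayId and are not
    a way out for inbound traffic, so they are deliberately not matched here.
    """
    hits = []
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        target = route.get("GatewayId", "")
        if dest in DEFAULT_ROUTES and target.startswith("igw-") and route.get("State") == "active":
            hits.append((dest, target))
    return hits


def implicitly_associated_subnets(route_tables: List[Dict[str, Any]],
                                  subnets: List[Dict[str, Any]], vpc_id: str) -> List[str]:
    """Subnets in vpc_id with no explicit association: they fall back to the main table."""
    explicit = {a["SubnetId"] for rt in route_tables
                for a in rt.get("Associations", []) if "SubnetId" in a}
    return sorted(s["SubnetId"] for s in subnets
                  if s["VpcId"] == vpc_id and s["SubnetId"] not in explicit)


def audit_main_route_tables(route_tables: List[Dict[str, Any]],
                            subnets: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One finding per main route table that has a default route to an internet gateway."""
    findings = []
    for rt in route_tables:
        if not any(a.get("Main") for a in rt.get("Associations", [])):
            continue  # custom table: an IGW route there is the intended public-subnet design
        igw_routes = internet_gateway_default_routes(rt)
        if not igw_routes:
            continue
        findings.append({
            "RouteTableId": rt["RouteTableId"],
            "VpcId": rt["VpcId"],
            "InternetRoutes": igw_routes,
            "ExplicitSubnets": sorted(a["SubnetId"] for a in rt["Associations"] if "SubnetId" in a),
            "ImplicitSubnets": implicitly_associated_subnets(route_tables, subnets, rt["VpcId"]),
        })
    return findings


if __name__ == "__main__":
    for f in audit_main_route_tables(ROUTE_TABLES, SUBNETS):
        print(f"{f['VpcId']}: main route table {f['RouteTableId']} routes {f['InternetRoutes']} "
              f"to the internet; implicitly public subnets: {f['ImplicitSubnets']}")
```

Against the constructed sample the audit reports `rtb-0main` once, with `subnet-0new` as the subnet that became public without anyone choosing to make it so; moving the IGW route to the custom table and the NAT route to the main table (the layout the article recommends) makes the same check return nothing.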
That is why the scenario does not need to state which route table is associated with the public or private subnet, and why you should not have a way out to the internet from the main route table.
We hope this explanation helps you in your preparation for the AWS certifications. Whizlabs is determined to help you with your certification preparation, so if you are looking for online study material or practice material for AWS certifications, check out Whizlabs AWS Certifications Training now.
Also, if you want to discuss your doubts with AWS experts, just submit your query at the Whizlabs Forum and get connected with industry experts.
- Why You should NOT have a Way Out to the Internet from Main Route Table - January 4, 2019