menu
Architect's Log: Building the Bridges

Architect's Log: Building the Bridges

1 3 9
calendar_todayschedule1 min read
— Originally published at www.linkedin.com

ARCHITECT’S LOG | Episode 11: Building the Bridges

"Isolation is great for security, but eventually, your resources need to talk to the world."
Last time, i organized the VPC into "rooms" (subnets). This week, I mastered the two main ways we let traffic flow in and out: Internet Gateways (IGW) and NAT Gateways.

Think of it as the difference between a main entrance and a one-way security exit. Here is the technical breakdown:

  1. The Internet Gateway (IGW): The Main Entrance
    An IGW is a horizontally scaled, highly available component that allows communication between your VPC and the internet.
    Two-Way Street: It allows both inbound and outbound traffic.

Architect's Requirement: To actually have internet access, you need three things simultaneously: an IGW attached to the VPC, a route in your subnet table pointing to that IGW, and a Public IP on your instance.

  1. Elastic IPs: The Permanent Address
    Sometimes a standard public IP isn't enough because it changes when you stop an instance.
    Static & Persistent: An Elastic IP (EIP) is a static public IPv4 address that stays with you until you release it.
    SURVIVAL: It survives instance stop and start cycles, making it perfect for fixed endpoints.

  2. NAT Gateways: The One-Way Security Exit ️
    What if your database needs to download a software update from the internet, but you don't want anyone on the internet to be able to reach the database?
    Private Outbound: NAT Gateways allow instances in Private Subnets to connect to the internet while preventing the internet from initiating a connection with them.

Managed vs. Instance: While you could use an old-school NAT Instance, a NAT Gateway is a managed service that scales automatically and is much easier to maintain.

The Architect’s Take
A professional architect always follows the Principle of Least Privilege. If a server doesn't need to be reached from the outside, put it in a private subnet and use a NAT Gateway for its outbound needs. It’s the simplest way to reduce your "attack surface" while keeping your systems functional.

Next Episode: We head back to storage for the "Security Edition": S3 Security & Policies.
Watch this space every Friday.

Kindly like, share and follow.

🔥 Join developers growing publicly
Share your knowledge, build in public, and grow your developer presence with a global community.
Join CoderLegion

More Posts

10 Proven Ways to Cut Your AWS Bill

rogo032 - Jan 16

How to Reduce Your AWS Bill by 50%

rogo032 - Jan 27

AWS Certifications Are a Building Block, Not the Final Destination

Ijay - Jun 16

3 Ways to Configure Resources in Terraform

Ijay - Apr 14

Learn AWS for Free Hands On Without Getting Charged

Ijay - Feb 24
chevron_left
Opeyemi Ogunsanya
759 Points13 Badges
opeyemiweb.dev
4Posts
3Comments
2Connections

More From Opeyemi Ogunsanya

Architect's Log: AWS VPC Subnet & Routing Learning

Architect's Log: AWS S3 Learning

How to Search in VS Code Faster Using Regex (With Examples)

Related Jobs

View all jobs →

Commenters (This Week)

4 comments
1 comment
1 comment

Contribute meaningful comments to climb the leaderboard and earn badges!