Architect's Log:  Building the Bridges

Originally published at www.linkedin.com

ARCHITECT’S LOG | Episode 11: Building the Bridges

"Isolation is great for security, but eventually, your resources need to talk to the world."
Last time, I organized the VPC into "rooms" (subnets). This week, I mastered the two main ways we let traffic flow in and out: Internet Gateways (IGW) and NAT Gateways.

Think of it as the difference between a main entrance and a one-way security exit. Here is the technical breakdown:

  1. The Internet Gateway (IGW): The Main Entrance
    An IGW is a horizontally scaled, highly available component that allows communication between your VPC and the internet.
    Two-Way Street: It allows both inbound and outbound traffic.

Architect's Requirement: To actually have internet access, you need three things simultaneously: an IGW attached to the VPC, a route in your subnet table pointing to that IGW, and a Public IP on your instance.

  2. Elastic IPs: The Permanent Address
    Sometimes a standard public IP isn't enough because it changes when you stop an instance.
    Static & Persistent: An Elastic IP (EIP) is a static public IPv4 address that stays with you until you release it.
    SURVIVAL: It survives instance stop and start cycles, making it perfect for fixed endpoints.

  3. NAT Gateways: The One-Way Security Exit
    What if your database needs to download a software update from the internet, but you don't want anyone on the internet to be able to reach the database?
    Private Outbound: NAT Gateways allow instances in Private Subnets to connect to the internet while preventing the internet from initiating a connection with them.

Managed vs. Instance: While you could use an old-school NAT Instance, a NAT Gateway is a managed service that scales automatically and is much easier to maintain.
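To make the "three things simultaneously" rule and the public/private split concrete, here is an added audit script (my own example, not code from the post or from AWS). It works over a constructed sample shaped like the EC2 describe_route_tables() and describe_instances() responses, so it runs offline; all ids ending in -EXAMPLE, the 203.0.113.x addresses and the set of attached IGWs are constructed. It classifies each subnet by its default route (IGW, NAT Gateway, or none) and then applies the post's rules to each instance: a public IP (auto-assigned or an Elastic IP) only buys internet access when the subnet also routes 0.0.0.0/0 to an attached IGW, and a NAT route gives outbound-only access regardless of any public IP.

```python
"""Classify VPC subnets by default route and check which instances can reach,
or be reached from, the internet. Pure Python over constructed, boto3-shaped
data; no AWS API calls are made."""

# Constructed sample in the shape of describe_route_tables()["RouteTables"].
ROUTE_TABLES = [
    {   # public subnet: default route to an Internet Gateway
        "RouteTableId": "rtb-public-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-web-EXAMPLE", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
        ],
    },
    {   # private subnet: default route to a NAT Gateway
        "RouteTableId": "rtb-private-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-db-EXAMPLE", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE", "State": "active"},
        ],
    },
    {   # isolated subnet: no default route at all
        "RouteTableId": "rtb-isolated-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-isolated-EXAMPLE", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
]

# Constructed: IGW ids currently attached to this VPC (from describe_internet_gateways).
ATTACHED_IGWS = {"igw-EXAMPLE"}

# Constructed instances; PublicIpAddress covers both auto-assigned IPs and EIPs.
INSTANCES = [
    {"InstanceId": "i-web-EXAMPLE", "SubnetId": "subnet-web-EXAMPLE", "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-web-noip-EXAMPLE", "SubnetId": "subnet-web-EXAMPLE", "PublicIpAddress": None},
    {"InstanceId": "i-db-EXAMPLE", "SubnetId": "subnet-db-EXAMPLE", "PublicIpAddress": None},
    {"InstanceId": "i-db-stray-EXAMPLE", "SubnetId": "subnet-db-EXAMPLE", "PublicIpAddress": "203.0.113.20"},
    {"InstanceId": "i-iso-EXAMPLE", "SubnetId": "subnet-isolated-EXAMPLE", "PublicIpAddress": None},
]


def default_route(route_table):
    """Return the active 0.0.0.0/0 route of a table, or None if there is none."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            return route
    return None


def classify_subnets(route_tables, attached_igws):
    """Map subnet id -> 'public' (IGW, two-way), 'private' (NAT, outbound only)
    or 'isolated' (no usable default route). A route to an IGW that is not
    attached to the VPC is treated as no exit. Subnets without an explicit
    association (which fall back to the main table) are not modelled here."""
    kinds = {}
    for table in route_tables:
        route = default_route(table)
        if route is None:
            kind = "isolated"
        elif route.get("GatewayId", "").startswith("igw-"):
            kind = "public" if route["GatewayId"] in attached_igws else "isolated"
        elif route.get("NatGatewayId", "").startswith("nat-"):
            kind = "private"
        else:
            kind = "isolated"
        for assoc in table["Associations"]:
            if "SubnetId" in assoc:
                kinds[assoc["SubnetId"]] = kind
    return kinds


def internet_access(instance, subnet_kinds):
    """Apply the post's rules. Returns (inbound_reachable, outbound_possible, note)."""
    kind = subnet_kinds.get(instance["SubnetId"], "isolated")
    has_public_ip = bool(instance.get("PublicIpAddress"))
    if kind == "public":
        if has_public_ip:
            return True, True, "IGW route + public IP: two-way internet access"
        return False, False, "IGW route but no public IP: IGW has nothing to translate"
    if kind == "private":
        if has_public_ip:
            return False, True, "NAT route: outbound only; public IP is unreachable, review why it was assigned"
        return False, True, "NAT route: outbound only, internet cannot initiate connections"
    return False, False, "no default route: no internet access either way"


def audit(route_tables, attached_igws, instances):
    """Instance id -> (inbound_reachable, outbound_possible, note) for every instance."""
    kinds = classify_subnets(route_tables, attached_igws)
    return {inst["InstanceId"]: internet_access(inst, kinds) for inst in instances}


if __name__ == "__main__":
    for instance_id, (inbound, outbound, note) in audit(ROUTE_TABLES, ATTACHED_IGWS, INSTANCES).items():
        print(f"{instance_id:22} inbound={inbound!s:5} outbound={outbound!s:5} {note}")
```

Running it shows the web instance with a public IP as the only one reachable from the internet, the database instances as outbound-only through the NAT Gateway, and the isolated subnet as cut off entirely. The i-db-stray-EXAMPLE row is the least-privilege check worth keeping in a real audit: a public IP on a private-subnet instance does nothing today, but it would become a two-way door the moment someone adds an IGW route to that table.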

The Architect’s Take
A professional architect always follows the Principle of Least Privilege. If a server doesn't need to be reached from the outside, put it in a private subnet and use a NAT Gateway for its outbound needs. It’s the simplest way to reduce your "attack surface" while keeping your systems functional.

Next Episode: We head back to storage for the "Security Edition": S3 Security & Policies.
Watch this space every Friday.

Kindly like, share and follow.
