How to Set Up a Private EC2 Instance for Postgres and Docker Without NAT?

Asked By CuriousPenguin42 On

I'm experimenting with hosting Postgres on an EC2 instance instead of using RDS, which I know is the recommended approach. Currently, I have an Internet Gateway (IGW) and NAT in the public subnet, while my EC2 instance is located in a private subnet. I'm looking for advice on the best practices for setting up a Postgres and Docker instance without relying on a NAT. What are some better approaches for this configuration?

4 Answers

Answered By CloudMaster99 On

You really should not place your EC2 instance in a public subnet for best practices. Instead, keep your databases off world-facing networks entirely. Make sure your security groups are configured to only allow necessary access.

Answered By DevOpsNinja7 On

For running Postgres on EC2 in a private subnet without NAT, here's a solid no-NAT pattern:
- Use SSM Session Manager for admin access instead of SSH to keep it secure.
- Set up VPC endpoints for private communication and an S3 gateway for package installation and backups.
- To manage Docker images, use ECR to avoid pulling from Docker Hub over the internet.
- For patching, leverage SSM Patch Manager with the S3 endpoint.
- Make sure to keep your security groups tight—only allow access from app SG and no open access to the internet.
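
The pattern above, written out as an added Terraform example (this is not code from the original post or from any AWS project). It assumes an existing VPC with private subnets and their route tables, an app-tier security group and an AMI with the SSM agent preinstalled (Amazon Linux does), all passed in as variables; the region default, the resource names and the instance type are placeholders.

```hcl
# Added example: no-NAT private host for Postgres + Docker.
# Assumptions: vpc_id, private_subnet_ids, private_route_table_ids, app_sg_id and
# ami_id are supplied by the caller; region/instance_type are placeholders.
variable "region" { default = "eu-west-1" }
variable "vpc_id" {}
variable "private_subnet_ids" { type = list(string) }
variable "private_route_table_ids" { type = list(string) }
variable "app_sg_id" {}
variable "ami_id" {}

provider "aws" { region = var.region }

# SG for the endpoint ENIs and SG for the host. No 0.0.0.0/0 rule anywhere.
resource "aws_security_group" "endpoints" {
  name   = "vpce-private"
  vpc_id = var.vpc_id
}
resource "aws_security_group" "db_host" {
  name   = "pg-docker-host"
  vpc_id = var.vpc_id
}

# Ingress: Postgres from the app SG only. No SSH rule; admin access is Session Manager.
resource "aws_security_group_rule" "pg_from_app" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db_host.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = var.app_sg_id
}

# Egress from the host: HTTPS to the interface endpoints ...
resource "aws_security_group_rule" "host_to_endpoints" {
  type                     = "egress"
  security_group_id        = aws_security_group.db_host.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.endpoints.id
}
# ... and to S3 through the gateway endpoint's prefix list. ECR image layers,
# Patch Manager content, Amazon Linux repos and backups all go this way.
resource "aws_security_group_rule" "host_to_s3" {
  type              = "egress"
  security_group_id = aws_security_group.db_host.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [aws_vpc_endpoint.s3.prefix_list_id]
}
# The endpoint ENIs accept 443 from the host SG only.
resource "aws_security_group_rule" "endpoints_from_host" {
  type                     = "ingress"
  security_group_id        = aws_security_group.endpoints.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.db_host.id
}

# Interface endpoints: ssm/ssmmessages/ec2messages for Session Manager and
# Patch Manager, ecr.api/ecr.dkr for "docker pull" from ECR.
resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(["ssm", "ssmmessages", "ec2messages", "ecr.api", "ecr.dkr"])
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true # the public service hostnames resolve to the endpoint ENIs
}
# Gateway endpoint for S3: no ENI, injected into the private route tables.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids
}

# Instance role: SSM agent plus read-only ECR, nothing else.
resource "aws_iam_role" "host" {
  name = "pg-docker-host"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
                   Principal = { Service = "ec2.amazonaws.com" } }]
  })
}
resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.host.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
resource "aws_iam_role_policy_attachment" "ecr_read" {
  role       = aws_iam_role.host.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}
resource "aws_iam_instance_profile" "host" {
  name = "pg-docker-host"
  role = aws_iam_role.host.name
}

resource "aws_instance" "db_host" {
  ami                         = var.ami_id
  instance_type               = "m6i.large"
  subnet_id                   = var.private_subnet_ids[0]
  vpc_security_group_ids      = [aws_security_group.db_host.id]
  iam_instance_profile        = aws_iam_instance_profile.host.name
  associate_public_ip_address = false
  metadata_options { http_tokens = "required" } # IMDSv2 only
}
```

Two checks worth doing after `terraform apply`: the VPC must have DNS support and DNS hostnames enabled or `private_dns_enabled` will not take effect and the SSM agent will never register; and the S3 gateway endpoint above ships with the default allow-all policy, so if the host holds credentials that can write to S3, attach an endpoint policy limited to the buckets it actually needs (the regional `aws-ssm-*`/`aws-patch-manager-*` buckets, the ECR layer buckets and your backup bucket) to close that exfiltration path. Session Manager replaces the SSH rule entirely, so `aws ssm start-session --target <instance-id>` is the only admin path to the box.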

Answered By TechGuru88 On

If your EC2 instance doesn't need to connect to the internet at all, you could consider using CloudFront’s VPC feature to expose your instance publicly. You might not need a NAT if you don’t require internet access for your instance. Also, check out 'fck-nat' if you're looking for cost-effective solutions.

Answered By AWSWhizKid On

In my organization, we set up IGW & NAT for access, but we tighten up our security groups. We create a security group that allows outbound access to all ports temporarily when installing software. After installation, we restrict it again. It involves a bit of hassle, but it's essential for security. Just keep in mind that RDS is there for a reason, to simplify a lot of this.
