Why Should RDS and ElastiCache Be in Separate Subnets?

Asked By CloudySky79 On

I'm curious about the reasoning behind placing RDS and ElastiCache in separate private subnets within an AWS architecture. Since both services utilize their own security groups, isn't it sufficient to have them share a single private subnet?

3 Answers

Answered By TechyTom123 On

The main reason for separating RDS and ElastiCache into different subnets is related to routing. Ideally, your RDS instance shouldn't be configured to access the internet at all, so it shouldn't have a route to a NAT gateway or internet gateway, which is standard in typical public/private subnet setups. This is why you see specific subnets for data services like RDS.

NetworkNerd88 -

And don’t forget about ACLs! Splitting services into different subnets helps future-proof your architecture without a lot of hassle.

Answered By CloudySky79 On
Answered By DataWiz456 On

It's pretty common to have dedicated data subnets without any NAT routes for your data services. While the security benefit of separating ElastiCache and RDS isn't huge since both have their own elastic network interfaces and can use security groups, the bigger security plus comes from ensuring that your data services are in a subnet with no NAT access.
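A check for the routing point made in the answers above, added here as an example and not written by anyone in the thread: given route table data, it reports any data subnet whose effective route table can reach a NAT gateway, internet gateway or egress-only internet gateway. The subnet, VPC and route table IDs are constructed sample values; the JSON follows the shape of `aws ec2 describe-route-tables` output.

```python
import json
# Constructed sample shaped like `aws ec2 describe-route-tables` output.
SAMPLE = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-main", "VpcId": "vpc-1",
   "Associations": [{"Main": true}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa"}]},
  {"RouteTableId": "rtb-data", "VpcId": "vpc-1",
   "Associations": [{"Main": false, "SubnetId": "subnet-rds"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}
]}
""")

def effective_table(subnet_id, vpc_id, tables):
    """Explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for t in tables:
        if t["VpcId"] != vpc_id:
            continue
        for a in t.get("Associations", []):
            if a.get("SubnetId") == subnet_id:
                return t
            if a.get("Main"):
                main = t
    return main

def egress_routes(table):
    """Routes that leave the VPC via a NAT, internet or egress-only gateway."""
    hits = []
    for r in table.get("Routes", []):
        gw = r.get("GatewayId", "")
        target = (r.get("NatGatewayId") or r.get("EgressOnlyInternetGatewayId")
                  or (gw if gw.startswith("igw-") else None))
        if target:
            dest = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
            hits.append((dest, target))
    return hits

def audit(data_subnets, doc):
    """Map each data subnet to (route table id, offending routes)."""
    out = {}
    for subnet_id, vpc_id in data_subnets.items():
        t = effective_table(subnet_id, vpc_id, doc["RouteTables"])
        out[subnet_id] = (t["RouteTableId"], egress_routes(t)) if t else (None, [])
    return out

if __name__ == "__main__":
    for s, (rtb, hits) in audit({"subnet-rds": "vpc-1", "subnet-cache": "vpc-1"}, SAMPLE).items():
        print(s, rtb, "FAIL" if hits else "ok", hits)
```

In the sample, `subnet-cache` has no explicit route table association, so it falls back to the main route table and inherits its NAT route, which is the case a dedicated data subnet with its own route table avoids.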
