Comparison between AWS RDS instances with ‘Publicly Accessible = No’ setting and those in private subnets

Private subnet instances can function with just a private IP address, as their internet traffic is directed through the NAT located in the public subnet. However, if you wish to access the internet via a private subnet or a subnet without a public IP or with auto-assign public IPv4 disabled, you must establish a NAT instance or gateway with a public IP address. This will enable your service or instance with a private IP address to connect to the internet and download necessary updates, software, and packages.


As I work on building infrastructure for my web application on AWS, I realize that I require a MySQL RDS instance. I am now considering whether to create the RDS instance in a public subnet and modify its settings, or create it in a private subnet for added security. I am unsure which option would provide better security measures.

I came across an article indicating that assigning a security group to an instance can serve as a firewall. This means that I can create an RDS instance with
publicly accessible
=true and limit access only to my application’s EC2 instance through its security group. In summary, I have three alternatives available.

  1. An RDS instance named <a class=”text-blue-600″ href=”” title=”Migration of EC2 instance to a different subnet“>
    Public Subnet
    </a> has been made available to the public and can only be accessed by the EC2 application instance through a security group.

  2. The RDS instance in <a class=”text-blue-600″ href=”” title=”AWS public subnet and private subnet traffic“>
    </a> is not accessible to the public.

  3. <p>
    RDS instance in private subnet.

Could someone outline the advantages and disadvantages relating to security for the aforementioned methods?


It’s true that Security Groups can offer adequate safeguarding for both your database and Amazon EC2 instances.

AWS offers public/
Private Subnets
because it is a popular choice among customers who prefer to use traditional network organization before transitioning to the cloud. Unlike traditional firewalls that only function between subnets, Security Groups operate on a per-instance basis.

Knowing how to properly set up Security Groups eliminates the necessity of utilizing Private Subnets. Nevertheless, certain individuals prefer deploying assets in
private subnets
due to the supplementary security it offers.

Frequently Asked Questions