Auditors will want to know which isolation mechanisms you have put in place, and private subnets should be part of your isolation strategies.
Other use-cases:
- Legacy (or third-party) apps whose security model assumes they are behind some sort of private firewall.
- Hybrid deployment where you need to bridge on-premises (or other clouds) address space(s) with your VPC.
> Or, to ask it another way - what would be the downside of all your resources being in 1 single-Subnet VPC, spread evenly across AZs?
Note that a subnet cannot spread across AZs. So, even if you only need/want public subnets, you will want to deploy at least 1 public subnet per AZ.
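Added example (not part of the original post or any AWS-provided code): a small planner that carves a VPC CIDR into one public and one private subnet per AZ, then checks the two rules the reply relies on, namely that every AZ gets its own public subnet (a subnet lives in exactly one AZ) and that a private tier exists for isolation. The VPC CIDR and AZ names are constructed placeholders; the `plan_subnets` and `validate_plan` names are the example's own.

```python
import ipaddress

# Constructed sample inputs (hypothetical, not taken from the post).
VPC_CIDR = "10.0.0.0/16"
AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]


def plan_subnets(vpc_cidr, azs, new_prefix=24):
    """Carve the VPC into one public and one private subnet per AZ.

    A subnet is bound to a single AZ, so each AZ needs its own pair; the
    public subnet would route 0.0.0.0/0 to an internet gateway and the
    private one to a NAT gateway (routing is out of scope here)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    pool = vpc.subnets(new_prefix=new_prefix)  # sequential, non-overlapping blocks
    plan = {}
    for az in azs:
        plan[az] = {"public": str(next(pool)), "private": str(next(pool))}
    return plan


def validate_plan(plan, azs, vpc_cidr):
    """Return a list of problems; an empty list means the plan is sound."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    seen = []  # networks already placed, for overlap detection
    for az in azs:
        tiers = plan.get(az, {})
        if "public" not in tiers:
            problems.append(f"{az}: no public subnet (each AZ needs at least one)")
        if "private" not in tiers:
            problems.append(f"{az}: no private subnet (isolation tier missing)")
        for tier, cidr in tiers.items():
            net = ipaddress.ip_network(cidr)
            if not net.subnet_of(vpc):
                problems.append(f"{az}/{tier}: {cidr} lies outside {vpc_cidr}")
            for other in seen:
                if net.overlaps(other):
                    problems.append(f"{az}/{tier}: {cidr} overlaps {other}")
            seen.append(net)
    return problems


if __name__ == "__main__":
    layout = plan_subnets(VPC_CIDR, AZS)
    for az, tiers in layout.items():
        print(az, tiers)
    print("problems:", validate_plan(layout, AZS, VPC_CIDR) or "none")
```

Running it stand-alone prints the per-AZ layout for the constructed inputs; feeding `validate_plan` a hand-written plan is a quick way to catch a missing AZ or an overlapping CIDR before the change reaches Terraform or CloudFormation.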