Auto-sync: 2026-04-28 20:03
This commit is contained in:
41
wiki/concepts/Private-Subnet-Architecture.md
Normal file
41
wiki/concepts/Private-Subnet-Architecture.md
Normal file
@@ -0,0 +1,41 @@
|
||||
---
|
||||
title: "Private-Subnet-Architecture"
|
||||
type: concept
|
||||
tags: [AWS, Networking, Security]
|
||||
sources: [ctp-topic-7-saas-landing-zone-design]
|
||||
last_updated: 2026-05-06
|
||||
---
|
||||
|
||||
## Private-Subnet-Architecture
|
||||
|
||||
AWS VPC 私有子网架构原则 — 工作负载必须部署于私有子网,通过负载均衡器对外暴露服务的架构模式。
|
||||
|
||||
## Definition
|
||||
|
||||
私有子网架构是产品账户网络设计的核心原则:
|
||||
- **工作负载位置**:所有应用和服务(ECS、RDS、Lambda 等)部署于私有子网
|
||||
- **公网暴露**:仅通过公有子网的 Load Balancer(ALB/NLB)和 Internet Gateway 对外暴露
|
||||
- **安全优势**:减少公网攻击面,工作负载无需直接暴露公网 IP
|
||||
|
||||
## Role in SAS Landing Zone
|
||||
|
||||
在 [[ctp-topic-7-saas-landing-zone-design]] 定义的 Product Account 中:
|
||||
- **工作负载**:业务应用(Product workloads)必须部署于私有子网
|
||||
- **入站链路**:用户 → Internet Gateway → Load Balancer(公有子网)→ **工作负载(私有子网)**
|
||||
- **出站链路**:私有子网通过 NAT Gateway 或 VPC Endpoints 访问互联网或 AWS 服务
|
||||
|
||||
## Key Properties
|
||||
- **Type**: Network Architecture Pattern
|
||||
- **Workload placement**: Private subnets (no direct internet exposure)
|
||||
- **External exposure**: Via Load Balancers only
|
||||
- **In SAS LZ**: Product Account 网络设计原则
|
||||
|
||||
## Related Concepts
|
||||
- [[VPC-Endpoint]] — 私有访问 AWS 服务(无需 NAT)
|
||||
- [[Network-Segmentation]] — 网络分段策略
|
||||
- [[Defense-in-Depth]] — 纵深防御安全模型
|
||||
|
||||
## Connections
|
||||
- [[ctp-topic-7-saas-landing-zone-design]] — SAS LZ 产品账户网络设计原则
|
||||
- [[ctp-topic-35-aws-landing-zone-design-refresher-saas-labs]] — 网络分段阻断 SaaS 直接连通性
|
||||
- [[ctp-topic-39-implementing-eks-in-the-aws-lab-landing-zone]] — EKS 在私有子网的部署实践
|
||||
Reference in New Issue
Block a user