That simple question, couldn't find an answer in the docs.
Anyone knows the best practice for this problem?
I'm assuming it's private but wanted to understand why, if that is the case.
In AWS, we usually use private subnets for most service integrations. Some services do not work when attached to a public subnet, e.g. Lambda, when attached to the VPC, doesn't work properly if a public subnet is used. The same goes for Glue Jobs and Crawlers.
[Edit: Thanks to MarkB for contribution] It is because the ENIs for things like Lambda functions are not assigned a public IP address, only a private IP. So they need a route to a NAT Gateway in order to access things outside the VPC, and only private subnets can have a route to a NAT Gateway.
You should only place things in a public subnet that you want to be accessible from outside the VPC. Best practice is to have only your public load balancers and your NAT gateways in your public subnets. This ensures an extra level of network security by making sure your important resources are only accessible from inside the VPC.
So in this case, you would want to place your EFS mounts inside your private subnets.
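Both answers hinge on the same distinction: a subnet is "public" when its route table sends 0.0.0.0/0 to an internet gateway, and "private" when the default route goes to a NAT gateway (or there is none). The following is an added example, not code from the question or either answer, that applies that rule to audit where EFS mount targets sit. It runs on constructed sample data whose shape mimics the EC2 `DescribeRouteTables` and EFS `DescribeMountTargets` responses; the ids (`rtb-main`, `subnet-pub1`, `fsmt-1`, and so on) are made up, and no AWS call is made.

```python
"""Audit EFS mount targets for placement in public subnets.

Added example, not from the original question or answers. It works on
constructed data whose shape mimics the EC2 DescribeRouteTables and EFS
DescribeMountTargets responses; it does not call AWS. A subnet is treated
as public when its effective route table has a default route (0.0.0.0/0)
to an internet gateway (igw-*), and private otherwise.
"""

from typing import Dict, List

# Constructed sample: route tables as returned by describe-route-tables.
# rtb-main is the VPC's main table (applies to subnets with no explicit
# association); its default route goes to a NAT gateway, so it is private.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"},
        ],
    },
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-pub1"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0def"},
        ],
    },
]

# Constructed sample: mount targets as returned by describe-mount-targets.
MOUNT_TARGETS = [
    {"MountTargetId": "fsmt-1", "FileSystemId": "fs-1", "SubnetId": "subnet-pub1"},
    {"MountTargetId": "fsmt-2", "FileSystemId": "fs-1", "SubnetId": "subnet-priv1"},
]

# Keys under which a route names its target; a route carries exactly one.
_TARGET_KEYS = (
    "GatewayId", "NatGatewayId", "TransitGatewayId",
    "InstanceId", "NetworkInterfaceId", "VpcPeeringConnectionId",
)


def default_route_target(route_table: dict) -> str:
    """Return the target id of the 0.0.0.0/0 route, or '' if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        for key in _TARGET_KEYS:
            if route.get(key):
                return route[key]
    return ""


def classify_subnets(route_tables: List[dict], subnet_ids: List[str]) -> Dict[str, str]:
    """Map each subnet id to 'public' or 'private' using its effective route table.

    A subnet with an explicit association uses that table; otherwise it
    falls back to the VPC's main table, exactly as EC2 resolves it.
    """
    explicit: Dict[str, dict] = {}
    main_table = None
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            if assoc.get("Main"):
                main_table = rtb
            elif assoc.get("SubnetId"):
                explicit[assoc["SubnetId"]] = rtb
    result: Dict[str, str] = {}
    for subnet_id in subnet_ids:
        rtb = explicit.get(subnet_id, main_table)
        target = default_route_target(rtb) if rtb else ""
        result[subnet_id] = "public" if target.startswith("igw-") else "private"
    return result


def mount_targets_in_public_subnets(route_tables: List[dict], mount_targets: List[dict]) -> List[str]:
    """Return the ids of mount targets whose subnet is public (the misplacement to fix)."""
    subnet_ids = sorted({mt["SubnetId"] for mt in mount_targets})
    kinds = classify_subnets(route_tables, subnet_ids)
    return [mt["MountTargetId"] for mt in mount_targets if kinds[mt["SubnetId"]] == "public"]


if __name__ == "__main__":
    for mt_id in mount_targets_in_public_subnets(ROUTE_TABLES, MOUNT_TARGETS):
        print(f"{mt_id}: mount target is in a public subnet; move it to a private subnet")
```

On the constructed data, `fsmt-1` is flagged because `subnet-pub1` is explicitly associated with a table whose default route is an internet gateway, while `subnet-priv1` inherits the main table and its NAT route. To run it against a real account you would replace the two sample lists with the `RouteTables` and `MountTargets` lists from the corresponding boto3 calls; the classification logic itself does not change.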