0

My current website architecture has two Ubuntu servers with public IPs in Rackspace Cloud. One of them is web and mysql server. The other one is for time-consuming calculations only. Both of them have Iptables which allow all outbound traffic and inbound HTTP, HTTPS, SSH and established connections. I connect to the servers with ssh using password, but this connection is protected with Fail2ban. I use unattended upgrades to keep the servers updated.

I'm moving to Amazon AWS and considering to change my current architecture to use a VPC with Public and Private Subnets. However, I have some doubts:

  • I would use a default (small) nat instance. I assume that it needs to keep updated, does it update automatically?
  • I would have three other instances: a web server in the public subnet and a mysql server and a computation server in the private subnet. How do I access each of these instances with ssh?
  • Is this architecture more secure than my current one?
Medical physicist
  • 103
  • 3

1 Answers1

1

To answer your questions:

  • No the instance does not auto-update you need to configure that (Amazon Linux is very much like CentOS - you will find instructions for that)
  • You use an instance which is reachable from the internet and hop to the instances in the private VPC from this one (gateway)
  • You just need to make sure your ACL and security groups are set correctly and monitor the internet-faced instances. The advantage of such an architecture (private subnets) is the fact of fewer instances which are internet-faced (which leads to a smaller point of attack.
Osterjour
  • 845
  • 8
  • 12