3

I am trying to set up a highly available AWS Magento deployment. There is a reference deployment here: http://docs.aws.amazon.com/quickstart/latest/magento/architecture.html

Based on this, I want to build my own and I like his idea where only the NAT instances are in the public subnet.

The RDS instances and the web servers are both behind the NAT in the private subnets. I find this a departure from most of my understanding so far, which was that the web server had to be in the public subnet to be accessible from the Internet.

What I am missing is how to configure the NAT instance running in the public subnet to port-forward ports 80/443 to the corresponding web server behind the NAT in the private subnet. I don't believe this can be done through Security Groups on the NAT instance alone.

Ali
  • 290
  • 4
  • 10

2 Answers

4

You typically would not use the NAT instance, which is really more correctly called a PAT (port address translation, a subset of NAT) instance, for this purpose. The NAT instance exists to provide instances on private subnets with outbound access to the Internet and most AWS services (for example, SQS or SNS) -- the outbound request traffic initiated by instances on private subnets (which only have private IP addresses, by definition) is masqueraded through the NAT instance's public IP address. It's possible to configure the NAT instance with static port mappings or more sophisticated access to internal services, either via iptables or by running a reverse-proxy on the NAT instance, but this is not the typical configuration.

Accessibility to the web servers via the Internet is shown in Figure 2 of the linked documentation. The Elastic Load Balancer, deployed in the public subnets, has public IP addresses, as well as private IP addresses. It accepts traffic from the Internet on the public side, and forwards it to your web servers on the private side.

The ELB provides a single logical point of access to all of the Instances inside from outside, and will not forward traffic to instances it does not consider "healthy."

Michael - sqlbot
  • 22,658
  • 2
  • 63
  • 86
  • This is correct. The NAT instance's primary job is to enable internal hosts to access resources outside the VPC. For hosts that will be providing services to external clients, assign an EIP and let AWS handle the 1:1 NAT for you. – EEAA Sep 23 '15 at 01:41
  • @EEAA, thanks. Your comment made me realize I originally left too much unspoken about what NAT instances are actually for. – Michael - sqlbot Sep 23 '15 at 02:42
  • Thanks. It seems I have missed the value provided by the ELB here. I had assumed ports were opened using iptables, but you have pointed out the ELB is responsible for doing the mapping from public to private IP for incoming requests. – Ali Sep 23 '15 at 05:09
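As an added illustration of the layout described in this answer (not code from the question, the answer, or the AWS Quick Start), the following CloudFormation fragment defines the security groups so that only the ELB is reachable from the Internet, the web servers accept traffic only from the ELB, RDS accepts only the web tier, and the NAT instance accepts only the private subnets' outbound-bound traffic. The VPC CIDR default and all resource names are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Security groups for public-ELB / private-web / private-RDS layout (illustrative, assumed names)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  VpcCidr:
    Type: String
    Default: 10.0.0.0/16   # assumed VPC range; private subnets sit inside it

Resources:
  # Public side: the only component that accepts connections from the Internet.
  ElbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Public ELB, accepts 80/443 from anywhere
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 80,  ToPort: 80,  CidrIp: 0.0.0.0/0 }
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }

  # Web tier: no public IPs; only members of the ELB group may reach it.
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web servers, reachable only from the ELB
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 80, ToPort: 80, SourceSecurityGroupId: !Ref ElbSecurityGroup }

  # Database tier: MySQL only from the web tier, nothing from elsewhere.
  DbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RDS, reachable only from the web servers
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 3306, ToPort: 3306, SourceSecurityGroupId: !Ref WebSecurityGroup }

  # NAT (PAT) instance: accepts only traffic originating inside the VPC that is
  # headed out to the Internet. No rule admits Internet-originated connections,
  # so there is nothing to "port-forward" here; inbound reaches the web tier via the ELB.
  NatSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: NAT instance, egress path for private subnets only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 80,  ToPort: 80,  CidrIp: !Ref VpcCidr }
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: !Ref VpcCidr }
```

Attach ElbSecurityGroup to the load balancer, WebSecurityGroup to the web instances, DbSecurityGroup to the RDS instances and NatSecurityGroup to the NAT instance; the private route tables then point 0.0.0.0/0 at the NAT instance for outbound traffic.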
0

I wrote a post about it with a few practical rules:

https://thepassionatecraftsman.com/where-to-put-your-server-in-a-private-or-public-subnet-ab1fa971269c#.hwx0gsaiy

rtacconi
  • 745
  • 4
  • 14
  • 28