
Since I'm totally not a network admin, I have no idea how to design it, or even whether it is possible. I'm using AWS and EC2 instances. But now, for some security reasons, I am told to use VPC and private subnets.

I don't have good enough knowledge, but:

  • Is it possible to put all my current public web servers into a private network? The goal is to prevent the web servers from being directly reachable from the public Internet (via their public IPs), except through the load balancer in front of them.

So let's say I have 2 web servers (load-balanced) for the site www.example.com:

  • Web-A (202.1.2.3)
  • Web-B (202.4.5.6)

That means currently those are reachable by their Public IPs.

  • Then can I make those unreachable by IP from outside, but still serve www.example.com to the public? (Is that what VPC + private subnets are for?)

I'm sorry for my confusion. Any suggestion on this please?

夏期劇場

1 Answer


Yes, what you described is a good way to architect your VPC. Your web servers can be in private subnets that access the Internet through a NAT server. Inbound connections from clients will be proxied by a load balancer, usually an ELB. So the flow looks like this:

Clients <=> Load Balancer/ELB (Public subnets) <=> Web/App Servers (Private subnets) <=> Database servers (private subnets)

In this architecture the load balancer listens on ports 80 and 443 and terminates SSL connections. The load balancer has a routable public IP address and sends traffic to the web servers on a port of your choosing, perhaps 8080. The web servers have only private addresses and are not publicly accessible.

I humbly submit a talk on VPC architecture I did recently. See the slides here.

Ben Whaley
  • You could also just deny all access to port 80 in the web server security group except from the load balancer security group; this effectively restricts access from the greater Internet to go through your load balancers, without the need for setting up a VPC and the extra cost of the NAT box. VPC is still a recommended way to go if you have the means to set it up and manage it, though. – Kevin Willock Apr 30 '14 at 12:34