
I have two basic setups for a web application that resides behind an ELB on Amazon Web Services.

Layout A:

        +-----+                                        
    +---+ ELB +----+                                   
    |   +-----+    |                                   
    |              |                                   
    |              |                                   
+---v-----+  +-----v---+           +---------------+   
| EC2/EIP |  | EC2/EIP +----+----> | HTTP RESPONSE |   
+---------+  +---------+    |      +---------------+   
                            |                          
                            |      +------------------+
                            +----> | EXTERNAL WEBSITE |
                            |      +------------------+
                            |                          
                            |      +-----+             
                            +----> | API |             
                                   +-----+             

Layout B:

       +-----+                                              
   +---+ ELB +----+                                         
   |   +-----+    |                                         
   |              |                                         
   |              |                                         
+--v--+        +--v--+  +-----+         +---------------+   
| EC2 |        | EC2 +--+ NAT +--+----> | HTTP RESPONSE |   
+-----+        +-----+  +-----+  |      +---------------+   
                                 |                          
                                 |      +------------------+
                                 +----> | EXTERNAL WEBSITE |
                                 |      +------------------+
                                 |                          
                                 |      +-----+             
                                 +----> | API |             
                                        +-----+             

I believe both architectures have pros and cons:

Layout A:

  • Does the web server send the HTTP response back to the ELB? If it goes directly to the user, will it gain response performance?
  • If I limit outgoing traffic to the HTTP port only on the security group, is there still any security threat?

Layout B:

  • Is this design creating another point of failure (the NAT)?
  • Will it work for OAuth communication?
  • Can it work with 3rd-party CI and orchestration tools (Jenkins, Chef)?

Both designs are working well, but which design is the best practice for infrastructure, considering performance and security?

Thanks

mboi.coy

1 Answer


The short answer is that in both cases the traffic that hits the ELB is going back out through the ELB.

For layout A: for the requests that originate through the ELB, only the inbound port matters as far as the SG is concerned.
For other things that originate on the EC2 instances and send traffic to the outside world, you would need to open the ports that the services use.

For layout B:
Yes, the NAT is a single point of failure. If you lose it you lose connectivity to the outside world.
Yes. To the outside world the traffic will show as originating in the NAT box.

Normally (in a normal setup), for inbound requests to your service you go through an ELB.
For traffic that needs to go outside and is originating in the VPC, you go through a NAT. To address single points of failure you have the option of high-availability NAT setups, or, if you run multi-region and your app is designed to support region failures, you just need to monitor and catch NAT machine failures.

The big advantage of using a NAT is that not all machines that need to do outside traffic need to have an EIP, and also the NAT machine can run a security-hardened image. You basically set a clear boundary for your VPC and you can better secure it.

Mircea
  • +1, although I would add that the loss of the NAT instance would not break inbound requests coming through the ELB, unless the web server requires external resource access in order to fulfil the request (e.g. fetching data from a remote API), and NAT instances are best applied per-AZ, so not quite a single point of catastrophic failure. – Michael - sqlbot Jul 01 '15 at 11:18
  • Agree. The context of the question made it sound like the service is going outside the VPC to do some work. If it's all contained, NAT failure should not impair the running service. – Mircea Jul 01 '15 at 15:48
  • What do you think of this AWS documentation, http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html? Is there any logical reason why one should use this design (using an ELB on each instance)? – mboi.coy Jul 02 '15 at 02:27
  • In that design you have EIPs on each instance in the public subnet. EIP != ELB. An ELB (Elastic Load Balancer) is going to distribute traffic to your instances based on load and is also going to ensure that unhealthy machines are taken out of rotation. With EIPs you have to do this yourself. – Mircea Jul 02 '15 at 04:37
  • Sorry, typos: *it's an EIP for each instance. – mboi.coy Jul 02 '15 at 06:09
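As an added example (not code from the question or the answer), the following Python model of stateful security-group evaluation shows the answer's first point for layout A: a request arriving through the ELB needs only the inbound rule, because the reply rides on the tracked connection, while a call the instance itself makes to an external API needs its own egress rule for that port (so "HTTP port only" egress still blocks an HTTPS API). The group ids, the API address and the rule semantics are constructed assumptions, a simplification of how AWS evaluates security groups.

```python
import ipaddress

# Constructed identifiers for the example (not real AWS resource ids).
ELB_SG = "sg-elb"
WEB_SG_INGRESS = [("tcp", 80, ELB_SG)]      # only the ELB may reach port 80
API_IP = "203.0.113.10"                      # documentation-range address

def _peer_matches(rule_peer, peer):
    """A rule peer is either a CIDR ("0.0.0.0/0") or a security-group id."""
    if "/" in rule_peer:
        try:
            return ipaddress.ip_address(peer) in ipaddress.ip_network(rule_peer)
        except ValueError:
            return False
    return rule_peer == peer

class SecurityGroup:
    """Allow-only, stateful rule set; each rule is (proto, port, peer)."""
    def __init__(self, ingress, egress):
        self.ingress, self.egress = ingress, egress
        self.tracked = set()    # (proto, local_port, peer, peer_port)

    def _allowed(self, rules, proto, port, peer):
        return any(p == proto and pt == port and _peer_matches(rp, peer)
                   for p, pt, rp in rules)

    def _pass(self, rules, proto, local_port, peer, peer_port, rule_port):
        key = (proto, local_port, peer, peer_port)
        if key in self.tracked:             # reply on a tracked connection:
            return True                     # no rule lookup needed (stateful)
        if self._allowed(rules, proto, rule_port, peer):
            self.tracked.add(key)
            return True
        return False

    def inbound(self, proto, local_port, peer, peer_port):
        return self._pass(self.ingress, proto, local_port, peer, peer_port, local_port)

    def outbound(self, proto, local_port, peer, peer_port):
        return self._pass(self.egress, proto, local_port, peer, peer_port, peer_port)

def evaluate(egress_rules):
    """Run the two flows from the question against the web-tier group."""
    web = SecurityGroup(WEB_SG_INGRESS, egress_rules)
    return {
        "elb_request": web.inbound("tcp", 80, ELB_SG, 51234),   # ELB -> :80
        "elb_reply": web.outbound("tcp", 80, ELB_SG, 51234),    # :80 -> ELB
        "api_call": web.outbound("tcp", 40000, API_IP, 443),    # instance -> API
        "api_reply": web.inbound("tcp", 40000, API_IP, 443),    # API -> instance
    }
```

Calling `evaluate([])` shows the ELB request and its reply pass with no egress rule at all, while `evaluate([("tcp", 443, "0.0.0.0/0")])` is what the instance-originated API call needs.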