
I have one web application that I want to open to the world. Shall I simply create a public subnet and add this instance to it, OR shall I create a private subnet, NAT, and Load Balancer and add this instance to it?

I want this application to be accessible only from certain IPs.

Which way do you recommend, and why? Which is the safest way and cost effective too?

Satish Kumar
  • Hi Satish, your question seems to be quite broad. Could you narrow it down to a more comprehensive question? Also if you can add more information about your hoster and your web application, it would be very useful. Thanks! – Eugenio Nov 27 '19 at 10:36
  • @SatishKumar How many Amazon EC2 instances are required to run your application (just one, or should it scale across multiple instances)? – John Rotenstein Nov 28 '19 at 04:04
  • @JohnRotenstein let's consider only one for now. – Satish Kumar Nov 28 '19 at 05:55

2 Answers

1

I will recommend an instance in a private subnet, as the safe approach is to launch the instance in a private subnet and place an LB on top of your instance.

  • The big advantage of this approach is that your instance is secure and will not be accessible from the public.

A high-level look or general example with a private instance can be seen in the diagram (architecture diagram omitted). To access your private instance, you should have one instance in a public subnet from which you can access the private instance; AWS normally calls it a bastion.

securing-your-vpc-using-public-and-private-subnets-with-network-acl

Adiii
  • If this is the safest way, then why do we have a public subnet, and in what scenario should we use it? – Satish Kumar Nov 27 '19 at 10:28
  • The public instance is not meant for the application, but it works like a tunnel to access your private instance. How will you do SSH if this is in a private subnet? – Adiii Nov 27 '19 at 10:30
  • So when we keep the bastion in public, it means our bastion is also unsafe, right? – Satish Kumar Nov 27 '19 at 10:32
  • No, you should set a firewall for the bastion, and you can configure a VPN with multi-factor auth, so you can say then it's safe. 2FA, specific IPs and VPN keys can make things more secure. – Adiii Nov 27 '19 at 10:35
  • How safe is it when I keep the instance in public and only allow some IPs to access it? – Satish Kumar Nov 27 '19 at 10:36
  • It means how secure AWS SGs are, https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html – Adiii Nov 27 '19 at 10:37
  • Yeah, I mean only allowing some IPs in the security group. Is it still vulnerable? If yes, then why? Is it because of the Internet? – Satish Kumar Nov 27 '19 at 10:38
  • Do not allow SSH into the bastion until it connects with a VPN having 2FA. Placing a VPN on top of that can make it more secure. – Adiii Nov 27 '19 at 10:40
  • What if I keep the instance in a public subnet and in the security group allow inbound traffic on 443 to certain IPs? – Satish Kumar Nov 27 '19 at 10:46
  • It's also fine; btw, you can also use AWS Web Application Firewall for such purposes. – Adiii Nov 27 '19 at 10:57
  • If I keep the security group open for certain IPs, I am quite unsure whether it is safe or not, because there are multiple hops between those IPs and AWS IPs. Am I correct? And can that application be accessed from those hops? – Satish Kumar Nov 27 '19 at 11:11
1

If you only have one instance:

  • There is no need for a Load Balancer, since no traffic needs to be balanced
  • There is no need for a Private Subnet, since the instance needs to be publicly accessible
  • Use a Security Group to restrict access to the minimum ports that should be accessible (e.g. ports 80, 443) and also the ability to log in (but restrict that to only your IP address)

If you have multiple instances, it would then require a Load Balancer. In this situation:

  • Put the Load Balancer in a public subnet
  • Put the instances in a private subnet for additional security

However, you could actually keep everything in a public subnet and merely use Security Groups to control access. The normal goal with security is that multiple layers of security make things safer. However, the design choice is up to you.

John Rotenstein
  • You are absolutely right, I was also thinking the same, but my question is how safe we are if we keep the security group open only for some IPs. Data packets will flow from AWS IPs to those IPs using hops, right? So is that application also accessible from those hops until we use a VPN tunnel with AWS? Please correct me. – Satish Kumar Nov 28 '19 at 06:11
  • Security Groups work as documented. Therefore, if the configuration is what you desire, then your requirements will be satisfied. The wider question of "how safe" something is depends on people and processes, because they might configure things incorrectly or release 'secret' information. – John Rotenstein Nov 28 '19 at 06:14
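The "restrict access with a Security Group" design from the answer above, as an added example (not code from the thread or from AWS): a small audit function run over two constructed groups in the shape of `aws ec2 describe-security-groups` output, one world-open and one locked to an allow-list, with 22 restricted to a single admin host. The group ids, CIDRs and the 256-address threshold are assumptions made up for the example.

```python
import ipaddress

# Constructed samples in the shape of describe-security-groups output
# (hypothetical group ids and documentation-range CIDRs).
WEAK_SG = {
    "GroupId": "sg-weak0000",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
HARDENED_SG = {
    "GroupId": "sg-hard0000",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},  # admin host only
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"},
                      {"CidrIp": "203.0.113.10/32"}]},
    ],
}

ADMIN_PORTS = {22, 3389}   # login ports that should be locked to one host
MAX_RANGE = 256            # assumed upper bound for "a few specific IPs"

def audit_security_group(sg, allowed_cidrs):
    """Return finding strings for ingress rules that break the 'only certain
    IPs' intent: world-open sources, admin ports not pinned to a single host,
    oversized ranges, and sources outside the allow-list."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for perm in sg["IpPermissions"]:
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        rule = f"{perm['IpProtocol']}/{lo}-{hi}"
        for r in perm.get("IpRanges", []):
            net = ipaddress.ip_network(r["CidrIp"])
            if net.prefixlen == 0:
                findings.append(f"{rule} open to the world ({net})")
                continue
            if net.num_addresses > MAX_RANGE:
                findings.append(f"{rule} allows a large range ({net})")
            if ADMIN_PORTS & set(range(lo, hi + 1)) and net.num_addresses != 1:
                findings.append(f"{rule} admin port not limited to one host ({net})")
            if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
                findings.append(f"{rule} source {net} not on the allow-list")
    return findings
```

Running it against a live account means feeding each group from `describe-security-groups` into the same function; the rules flagged are the ones the answer's guidance would have you tighten.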