0

I've been researching best practices for setting up a web application on AWS. I've set up my DB tier in a private subnet. I also have a public subnet for NAT instances, bastion host, ELB, etc. My question is, is there any advantage in having my Beanstalk instances deployed to a private subnet, or should I just put them in the public subnet? The AWS article series, Develop, Deploy, and Manage, puts the web servers in a private subnet, but I've seen many others put them in a public one. So I'm confused as to where the web servers should go and the pros/cons of each approach.

[EDIT]:

This is for a public facing website, not an internal one. Just in case it matters.

fbhdev
  • 103
  • 2

1 Answer

0

The default should be to put them in a private subnet. The main reason for this is security. By putting your EC2 instances in a public subnet, you're opening them up to individual attack.

There are some very bad reasons why people put the EC2 instances in a public subnet:

  1. They want them public for administrative access.
  2. They want to avoid the costs of running a NAT.
  3. They simply don't know any better.

None of the above reasons are valid reasons.

There are 2 valid reasons why you may want your EC2 instances in a public subnet:

  1. The individual EC2 instances need to be accessed directly by the general public for some reason. But if you have an ELB, then this would be rare.

  2. Your EC2 instances require enough outgoing bandwidth when accessing the internet through the NAT that the biggest NAT cannot keep up. To resolve this, your instances could be in a public subnet using the VPC Internet Gateway.

Unless one of these applies, use a private subnet.

Matt Houser
  • 9,709
  • 1
  • 26
  • 25
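The layout the answer recommends, written out as an added Terraform example (not code from the answer or from AWS): the ELB is the only publicly reachable component, the web tier's security group admits traffic only from the ELB's group, and the private subnet's sole default route is through a NAT gateway. It assumes an existing VPC, a public subnet already routed to an Internet Gateway, and a private subnet that the Beanstalk environment is separately configured to use for its instances; the variable names are hypothetical.

```hcl
# Added example, not from the answer. Assumes an existing VPC, a public subnet already
# routed to an Internet Gateway, and a private subnet used by the Beanstalk environment.
variable "vpc_id" {}
variable "public_subnet_id" {}
variable "private_subnet_id" {}

# NAT gateway in the public subnet: private instances get outbound access only.
resource "aws_eip" "nat" { domain = "vpc" }
resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = var.public_subnet_id
}

# Private route table: default route via the NAT only, no Internet Gateway route,
# so nothing on the internet can initiate a connection to the web tier.
resource "aws_route_table" "private" {
  vpc_id = var.vpc_id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}
resource "aws_route_table_association" "private" {
  subnet_id      = var.private_subnet_id
  route_table_id = aws_route_table.private.id
}

# ELB security group: the one component exposed to the public internet.
resource "aws_security_group" "elb" { vpc_id = var.vpc_id }
resource "aws_vpc_security_group_ingress_rule" "elb_https" {
  security_group_id = aws_security_group.elb.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}

# Web tier: HTTP only from the ELB's security group, never from a public CIDR.
resource "aws_security_group" "web" { vpc_id = var.vpc_id }
resource "aws_vpc_security_group_ingress_rule" "web_from_elb" {
  security_group_id            = aws_security_group.web.id
  referenced_security_group_id = aws_security_group.elb.id
  from_port                    = 80
  to_port                      = 80
  ip_protocol                  = "tcp"
}

# Terraform removes AWS's default allow-all egress; restore it for both groups.
resource "aws_vpc_security_group_egress_rule" "all_out" {
  for_each          = { elb = aws_security_group.elb.id, web = aws_security_group.web.id }
  security_group_id = each.value
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}
```

With this in place, administrative access goes through the bastion host in the public subnet rather than by giving the web instances public addresses, which removes the first of the "bad reasons" listed above.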