In this post, I will explain how to deploy Web Servers in private subnets. The pattern most newcomers follow is to deploy Web Servers in public subnets (the edge network) and put an Elastic Load Balancer in front of them. Deploying the servers in private subnets (the core network) instead keeps them off the Internet entirely, which is better for security and is often required by company network policy. So let us skip the fluff and get down to the nitty-gritty.
Assumptions
I assume the reader is modestly familiar with AWS services such as Elastic Compute Cloud (EC2) and Elastic Load Balancer (ELB), knows what a Virtual Private Cloud (VPC) is, and can spin up EC2 instances.
Objective
The objective is to present a highly available (within a single region) and secure deployment for a set of Web Servers.
Explanation
I shall use the diagram below to explain the deployment.
The solution has the following significant components:
- Availability Zones - The solution spans two AZs to provide high availability.
- Subnets - Each AZ has a pair of subnets, one private and one public:
  - Two private subnets (one per AZ) that house the Web Servers
  - Two public subnets (one per AZ) that house the ELB nodes, the NAT instance/s and the bastion host/s
- Internet Gateway
  - An Internet Gateway attached to the VPC
- Security Groups
  - A public security group (demo-public-secgrp) for the NAT instance and the ELB nodes in the public subnets, which allows HTTP and HTTPS traffic from any source (0.0.0.0/0)
  - An internal security group (demo-private-secgrp) for all Web Server instances in the private subnets, which allows HTTP and HTTPS traffic only from instances behind the public security group, and SSH traffic only from instances behind the bastion security group (demo-bastion-secgrp, described below). Referencing a security group as the source, rather than a CIDR, means the rule keeps working whatever addresses the ELB nodes and the bastion are given.
  - A bastion security group (demo-bastion-secgrp) for the bastion host deployed in the public subnet, which allows SSH access on port 22. Ideally, SSH/RDP access should be allowed from trusted networks only (such as home/office networks) and never from ALL (0.0.0.0/0). For the purpose of this example, however, I have left SSH access to the bastion host open to all.
- Route Tables
  - A route table for the public subnets with the VPC-local route plus a default route (0.0.0.0/0) to the Internet Gateway
  - A route table for the private subnets with the VPC-local route plus a default route (0.0.0.0/0) to the NAT instance in the public subnet. Instances in the private subnets have no route to the Internet Gateway and are not directly reachable from the Internet; their outbound Internet traffic has to go via the NAT instance.
- NAT Instance
  - A NAT instance deployed in one of the public subnets and placed behind the public security group (demo-public-secgrp), with its source/destination check disabled. The Web Servers in the private subnets use this NAT instance to reach the Internet (for package updates, for example). Note that the NAT instance only needs inbound HTTP/HTTPS from the private subnet CIDRs, so a dedicated security group scoped to those CIDRs is tighter than sharing demo-public-secgrp.
- Bastion Host
  - A bastion host deployed in one of the public subnets and placed behind the bastion security group (demo-bastion-secgrp). The bastion host is the only entry point for administering the Web Servers in the private subnets.
- EC2 Instances
  - One EC2 instance in each AZ, deployed in the private subnet behind the internal security group (demo-private-secgrp)
  - These instances house the Web Servers (Apache HTTP Server, for example)
- Elastic Load Balancer
  - An Application Load Balancer deployed across the public subnets in the two AZs and placed behind the public security group (demo-public-secgrp)
  - The target group of the Application Load Balancer has the two EC2 instances as its registered targets, so the ALB terminates client connections in the public subnets and forwards them to the private instances over HTTP/HTTPS
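As an added example that is not part of the original post, here is a small policy check over the security groups and route tables described above. It consumes records in the JSON shape that `aws ec2 describe-security-groups` and `aws ec2 describe-route-tables` return, so the same functions can be pointed at real output; the records in the block are constructed by hand to mirror this design, and all IDs (sg-public, sg-private, sg-bastion, rtb-public, rtb-private, igw-demo, i-nat), the VPC CIDR 10.0.0.0/16 and the trusted CIDR 203.0.113.0/24 are made up for the example. It verifies that nothing in the private group is reachable from a CIDR, only from the public and bastion groups; flags the one deliberate weakness (SSH on the bastion open to 0.0.0.0/0) and produces the hardened rule set beside it; and checks that the private route table sends 0.0.0.0/0 to a NAT instance or NAT gateway and never to the Internet Gateway.

```python
# Added example, not code from the original post: policy check over security groups and
# route tables in the JSON shape of describe-security-groups / describe-route-tables.
# Every ID and CIDR below is a made-up assumption for the example.
import copy

ANY = "0.0.0.0/0"
VPC_CIDR = "10.0.0.0/16"  # assumed VPC CIDR

def _tcp(port, cidrs=(), sgs=()):
    """Build one IpPermissions entry for a single TCP port (CIDR and/or SG sources)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in sgs]}

# Constructed sample: the three security groups from the post.
GROUPS = [
    {"GroupId": "sg-public", "GroupName": "demo-public-secgrp",
     "IpPermissions": [_tcp(80, [ANY]), _tcp(443, [ANY])]},
    {"GroupId": "sg-private", "GroupName": "demo-private-secgrp",
     "IpPermissions": [_tcp(80, sgs=["sg-public"]), _tcp(443, sgs=["sg-public"]),
                       _tcp(22, sgs=["sg-bastion"])]},
    {"GroupId": "sg-bastion", "GroupName": "demo-bastion-secgrp",
     "IpPermissions": [_tcp(22, [ANY])]},  # the weak setting the post admits to
]

# Constructed sample: public table egresses via the IGW, private table via the NAT instance.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Routes": [
        {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": ANY, "GatewayId": "igw-demo", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Routes": [
        {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": ANY, "InstanceId": "i-nat", "State": "active"}]},
]

def _ports(perm):
    """Ports covered by one IpPermissions entry; protocol "-1" means every port."""
    if perm["IpProtocol"] == "-1":
        return {"all"}
    return set(range(perm["FromPort"], perm["ToPort"] + 1))

def sources_for_port(group, port):
    """(CIDRs, security-group IDs) allowed to reach `port` on members of `group`."""
    cidrs, sgs = set(), set()
    for perm in group["IpPermissions"]:
        covered = _ports(perm)
        if "all" in covered or port in covered:
            cidrs |= {r["CidrIp"] for r in perm.get("IpRanges", [])}
            sgs |= {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
    return cidrs, sgs

def world_exposed_ports(group):
    """Ports that any Internet host may reach on members of `group`."""
    ports = set()
    for perm in group["IpPermissions"]:
        if any(r["CidrIp"] == ANY for r in perm.get("IpRanges", [])):
            ports |= _ports(perm)
    return ports

def audit_security_groups(groups, intended_world=None):
    """Flag every port open to 0.0.0.0/0 beyond what the design intends (ELB: 80/443)."""
    intended_world = intended_world or {"demo-public-secgrp": {80, 443}}
    findings = []
    for g in groups:
        extra = world_exposed_ports(g) - intended_world.get(g["GroupName"], set())
        findings += [f"{g['GroupName']}: port {p} open to {ANY}" for p in sorted(extra, key=str)]
    return findings

def harden_bastion(groups, trusted_cidr, name="demo-bastion-secgrp"):
    """Copy of `groups` with the bastion's 0.0.0.0/0 sources replaced by `trusted_cidr`."""
    hardened = copy.deepcopy(groups)
    for g in hardened:
        if g["GroupName"] == name:
            for perm in g["IpPermissions"]:
                for r in perm.get("IpRanges", []):
                    if r["CidrIp"] == ANY:
                        r["CidrIp"] = trusted_cidr
    return hardened

def default_route_target(rt):
    """ID that `rt` sends 0.0.0.0/0 to (igw-*, nat-* or i-*), or None without a default route."""
    for r in rt["Routes"]:
        if r.get("DestinationCidrBlock") == ANY and r.get("State") == "active":
            return r.get("GatewayId") or r.get("NatGatewayId") or r.get("InstanceId")
    return None

def audit_route_tables(tables, private_ids):
    """Private tables must egress via a NAT instance/gateway, public ones via the IGW."""
    findings = []
    for rt in tables:
        target = default_route_target(rt) or "nothing"
        want = ("i-", "nat-") if rt["RouteTableId"] in private_ids else ("igw-",)
        if not target.startswith(want):
            findings.append(f"{rt['RouteTableId']}: default route via {target}, expected {'/'.join(want)}*")
    return findings

if __name__ == "__main__":
    for line in audit_security_groups(GROUPS) + audit_route_tables(ROUTE_TABLES, {"rtb-private"}):
        print("FINDING:", line)
    print("after hardening:", audit_security_groups(harden_bastion(GROUPS, "203.0.113.0/24")))
```

Run as-is, the script reports exactly one finding (port 22 on demo-bastion-secgrp open to 0.0.0.0/0) and an empty list after `harden_bastion` narrows that rule to the trusted CIDR. To run it against a real account, replace GROUPS and ROUTE_TABLES with the `SecurityGroups` and `RouteTables` arrays from the two describe calls; a route through a NAT gateway shows up under `NatGatewayId` (nat-*), which the route check accepts alongside a NAT instance.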
Points to ponder
- A NAT gateway could be used in place of the NAT instance in the public subnet. In fact, NAT gateways are recommended: they are a managed service that needs no patching or administration, and they provide better availability and bandwidth than a NAT instance. Note that a NAT gateway is not associated with a security group, so demo-public-secgrp would then cover only the ELB nodes.
- The bastion host could be deployed in a subnet of its own to reduce the blast radius of any compromise, and should be hardened to reduce its attack surface.
- In production, do not store private SSH keys on the bastion host; a compromise of the bastion would then hand over the keys to every Web Server. Keep the keys on your local computer and use SSH agent forwarding to connect to the EC2 instances in the private subnets through the bastion host (see Mike Pope's post on setting up SSH agent forwarding). Bear in mind that agent forwarding still lets a compromised bastion use your agent for as long as you are connected, so ProxyJump (ssh -J) is the safer alternative where your SSH client supports it.
- NAT instance/s and bastion host/s could be deployed in a high availability mode (for example, one in each AZ).
- In the diagram above, I have chosen to distribute the ELB traffic across two manually created EC2 instances. An Auto Scaling group might be used instead, for elasticity and automatic replacement of failed instances.
- I have chosen to use the default NACL that comes with the custom VPC. This NACL allows all inbound and outbound traffic. Rules could be added to it purely as needed, for example to admit traffic into the private subnets only from the public subnet CIDRs; bear in mind that NACLs are stateless, so return traffic on ephemeral ports must be allowed explicitly.