0
votes

I am a bit confused by VPC. I have a web app I would like to install. I think using proxy it may be possible to have only small nginx running instance on public subnet and have the actual webserver[s] for the app on private subnet. Many things I have read have the webserver on public subnet and things like the database private. But it seems to my reading that the webserver could be in private subnet. Is this the case?

The next level of confusion is API Gateway vs CloudFront and CloudFront interaction with nginx. I want to use AWS free certs (ACM) with my web app.


2 Answers

2
votes

Using a proxy or load balancer in a public subnet and your web servers in a private subnet is a best practice. In general, you should be exposing as few servers/services as possible.

I'd recommend using an Application Load Balancer or a Network Load Balancer, unless you have some specific need for an Nginx front end. You'll need multiple Availability Zones for an ALB or NLB.

Also, ALB and NLB are AWS managed services, so you don't need to spend resources monitoring your reverse proxy (NGINX) for failure scenarios.

References

AWS Web Hosting Best Practices

AWS Reference Architecture

0
votes

Well, a little add-on to kenlukas' answer and the leftover part.

The next level of confusion is API Gateway vs CloudFront and CloudFront interaction with nginx. I want to use AWS free certs (ACM) with my web app.

  1. ALB and NLB are AWS managed services. So, you don't need to spend time monitoring your own reverse proxy (NGINX) for failure scenarios.
  2. One more good reason to use an AWS managed load balancer is that you can integrate a certificate easily. Here you go: getting-a-free-ssl-certificate-on-aws-a-how-to-guide
  3. For CloudFront and API Gateway I'm not sure about your detailed use case, but this thread might give you details about the caching aspect.
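The layout both answers describe (a managed load balancer in public subnets across two Availability Zones, the web servers in private subnets, and the ACM certificate attached to the ALB listener so no private key lives on an instance) as an added Terraform example; this is not code from either poster. It assumes the AWS provider is already configured, and the certificate ARN, AMI id, CIDR ranges and AZ names are placeholders you would replace.

```hcl
# Added example (not code from either answer): ALB in public subnets across two AZs, web servers
# in private subnets, TLS terminated on the ALB with an ACM cert. Placeholders: cert ARN, AMI id.

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

resource "aws_subnet" "public" {
  count             = 2 # an ALB needs subnets in at least two AZs
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.${count.index}.0/24"
  availability_zone = ["us-east-1a", "us-east-1b"][count.index]
}

# Private subnets have no route to the IGW; instances here are unreachable from the internet.
resource "aws_subnet" "private" {
  count             = 2
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.${10 + count.index}.0/24"
  availability_zone = ["us-east-1a", "us-east-1b"][count.index]
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  count          = 2
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}

# The only thing exposed to the internet is the ALB, and only on 443.
resource "aws_security_group" "alb" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Web servers accept port 80 only from the ALB's security group; SGs are stateful, so no egress rule is needed for replies.
resource "aws_security_group" "web" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
}

resource "aws_lb" "web" {
  load_balancer_type = "application"
  subnets            = aws_subnet.public[*].id
  security_groups    = [aws_security_group.alb.id]
}

resource "aws_lb_target_group" "web" {
  port     = 80
  protocol = "HTTP"
  vpc_id   = aws_vpc.main.id
}

# TLS terminates here with the ACM certificate; the instances never hold the private key.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.2+ only
  certificate_arn   = "arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER" # your ACM cert ARN
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

resource "aws_instance" "web" {
  count                       = 2
  ami                         = "ami-PLACEHOLDER" # replace with your web server AMI
  instance_type               = "t3.micro"
  subnet_id                   = aws_subnet.private[count.index].id
  vpc_security_group_ids      = [aws_security_group.web.id]
  associate_public_ip_address = false # reachable only through the ALB
}
```

Register the instances (or an Auto Scaling group) with the target group to complete the path; if the private instances need outbound access for package updates, add a NAT gateway in a public subnet and a route to it from the private route table, plus an egress rule on the web security group. Checking the result is straightforward: the instances should have no public IP, and a scan of the VPC's public addresses should show only the ALB on 443.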