I am a bit confused by VPC. I have a web app I would like to install. I think using proxy it may be possible to have only small nginx running instance on public subnet and have the actual webserver[s] for the app on private subnet. Many things I have read have the webserver on public subnet and things like the database private. But it seems to my reading that the webserver could be in private subnet. Is this the case?
The next level of confusion is API Gateway vs CloudFront and CloudFront interaction with nginx. I want to use AWS free certs (ACM) with my web app.