2
votes

I have resources like Kinesis and DynamoDB in my AWS account that I want to access from my ElasticBeanstalk App. The ElasticBeanstalk App doesn't serve any web-related traffic but just listens to a Kinesis Stream or some other resource and processes the records, writing them to a file or DynamoDB etc.

I had the following questions:

  1. What is the best environment for this, Web Server tier or Worker tier? My application is not serving any web traffic, but at the same time the Worker tier seems to be something for batch jobs and is tied to an SQS queue. I can scale my Beanstalk env automatically based on network traffic; I tried this out on a Web Server tier a couple of times and it worked well.

  2. Can I put all my EC2 instances in a private subnet in case I just want to access the DynamoDB and Kinesis resources in my AWS account alone?

  3. Why are most standard ElasticBeanstalk CloudFormation templates broken into public and private subnets, with instances in private subnets and the ELB and NAT Gateway in a public subnet? Is this more secure? If a hacker gets into the public subnet, wouldn't they also be able to get into the private subnets and therefore into your application?


2 Answers

0
votes

If your instances only need to connect to other AWS services then you should:

  1. Detach and delete the internet gateway from your VPC to eliminate any chance of your instances, services, or account being inappropriately accessed by an outsider,
  2. Put your instances in a private subnet,
  3. Add VPC endpoints to your VPC to internally connect to Kinesis and DynamoDB over the AWS network, and...
  4. Configure your VPC to make use of the endpoints.

Please do not connect your instances to a NAT Gateway. That is not best practice for an application that is only connecting to AWS services, both of which offer VPC endpoints.
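The layout this answer recommends (no internet gateway, no default route out, VPC endpoints for every AWS service the app talks to) can be audited offline. The following is an added example, not code from the answer or from AWS: it takes dicts shaped like the responses of boto3's ec2.describe_internet_gateways, describe_vpc_endpoints and describe_route_tables and returns a list of findings. The two sample VPCs at the bottom are constructed and their resource IDs are placeholders; the endpoint service names (com.amazonaws.<region>.kinesis-streams and .dynamodb) are the real ones.

```python
# Added example (not from the answer above): an offline audit of the layout it
# recommends, applied to dicts shaped like the responses of boto3's
# ec2.describe_internet_gateways / describe_vpc_endpoints /
# describe_route_tables. The sample data at the bottom is constructed.

REGION = "us-east-1"
# Endpoint service suffixes the app needs: Kinesis Data Streams and DynamoDB.
REQUIRED_SERVICES = ("kinesis-streams", "dynamodb")


def attached_igws(vpc_id, igw_response):
    """IDs of internet gateways attached to vpc_id (should be none)."""
    return [
        igw["InternetGatewayId"]
        for igw in igw_response["InternetGateways"]
        for att in igw.get("Attachments", [])
        if att.get("VpcId") == vpc_id
    ]


def available_endpoint_services(vpc_id, region, endpoint_response):
    """Service suffixes (e.g. 'dynamodb') with an available endpoint in vpc_id."""
    prefix = f"com.amazonaws.{region}."
    found = set()
    for ep in endpoint_response["VpcEndpoints"]:
        if ep.get("VpcId") != vpc_id or ep.get("State") != "available":
            continue
        if ep["ServiceName"].startswith(prefix):
            found.add(ep["ServiceName"][len(prefix):])
    return found


def internet_routes(vpc_id, route_table_response):
    """(route table id, target) for every 0.0.0.0/0 route to an IGW or NAT gateway."""
    hits = []
    for rt in route_table_response["RouteTables"]:
        if rt.get("VpcId") != vpc_id:
            continue
        for route in rt.get("Routes", []):
            if route.get("DestinationCidrBlock") != "0.0.0.0/0":
                continue
            # IGW routes carry GatewayId (igw-...), NAT routes carry NatGatewayId.
            target = route.get("GatewayId") or route.get("NatGatewayId")
            if target and target != "local":
                hits.append((rt["RouteTableId"], target))
    return hits


def audit_vpc(vpc_id, region, igws, endpoints, route_tables, required=REQUIRED_SERVICES):
    """Return a list of findings; an empty list means the VPC matches the layout."""
    findings = [f"internet gateway {igw} is attached" for igw in attached_igws(vpc_id, igws)]
    findings += [f"route table {rt} has 0.0.0.0/0 -> {target}"
                 for rt, target in internet_routes(vpc_id, route_tables)]
    present = available_endpoint_services(vpc_id, region, endpoints)
    findings += [f"no available VPC endpoint for {svc}" for svc in required if svc not in present]
    return findings


# Constructed sample API output; IDs are placeholders, not real resources.
GOOD = {  # no IGW, gateway endpoint route for DynamoDB, interface endpoint for Kinesis
    "vpc": "vpc-0aaa",
    "igws": {"InternetGateways": []},
    "endpoints": {"VpcEndpoints": [
        {"VpcEndpointId": "vpce-0d1", "VpcId": "vpc-0aaa", "State": "available",
         "VpcEndpointType": "Gateway", "ServiceName": "com.amazonaws.us-east-1.dynamodb"},
        {"VpcEndpointId": "vpce-0k1", "VpcId": "vpc-0aaa", "State": "available",
         "VpcEndpointType": "Interface", "ServiceName": "com.amazonaws.us-east-1.kinesis-streams"},
    ]},
    "route_tables": {"RouteTables": [
        {"RouteTableId": "rtb-0p1", "VpcId": "vpc-0aaa", "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationPrefixListId": "pl-0example", "GatewayId": "vpce-0d1"},
        ]},
    ]},
}
BAD = {  # IGW attached, default route via NAT, Kinesis endpoint missing
    "vpc": "vpc-0bbb",
    "igws": {"InternetGateways": [
        {"InternetGatewayId": "igw-0b1", "Attachments": [{"VpcId": "vpc-0bbb", "State": "available"}]},
    ]},
    "endpoints": {"VpcEndpoints": [
        {"VpcEndpointId": "vpce-0d2", "VpcId": "vpc-0bbb", "State": "available",
         "VpcEndpointType": "Gateway", "ServiceName": "com.amazonaws.us-east-1.dynamodb"},
    ]},
    "route_tables": {"RouteTables": [
        {"RouteTableId": "rtb-0p2", "VpcId": "vpc-0bbb", "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0n1"},
        ]},
    ]},
}


def audit_sample(sample):
    return audit_vpc(sample["vpc"], REGION, sample["igws"], sample["endpoints"], sample["route_tables"])


if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad", BAD)):
        print(name, audit_sample(sample) or ["compliant"])
```

Against a real account you would replace the constructed dicts with the boto3 responses for your VPC. Note that the DynamoDB endpoint is a gateway endpoint (it shows up as a prefix-list route in the route table), while the Kinesis Data Streams endpoint is an interface endpoint (an ENI in your subnet with its own security group), so a compliant route table has the local route and the endpoint prefix-list route and nothing pointing at an igw- or nat- target.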

0
votes

If your Beanstalk app doesn't need to be visible to the public internet, then it would be best to configure it within private subnets.

  1. Hard to answer this based on the information in the question but it sounds like your current environment is suitable.

  2. Yes, you can put your EC2 instances into a private subnet, and this would be recommended if they don't need public internet access. Your services should use PrivateLink if they need to communicate with other AWS services, but will need to use a NAT Gateway if this is not supported by the service.

    You would need an EC2 instance in a public subnet to connect to any private EC2 instances. You should apply security hardening to this public instance, and you can shut it down when you are not using it.

  3. Splitting private and public subnets is a standard security practice for the simple reason that you don't want critical services to be on the public internet. In theory a determined hacker could get to your private instances if they were in the public network; however, you can lock down public access as far as possible to prevent this (e.g. Web Application Firewall, Security Groups, ALB, etc.).
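The public/private split in this answer only holds if the security groups enforce it: the private tier should accept inbound traffic only from the public-tier groups (ALB, bastion) referenced by group ID, never from a CIDR range, and the bastion should accept only SSH from an admin allow-list, never from 0.0.0.0/0. The following is an added example, not code from the answer or from AWS, that checks both rules over dicts shaped like boto3's ec2.describe_security_groups response. The sample groups, their IDs and the admin network 203.0.113.0/24 are constructed for the example.

```python
# Added example (not from the answer above): an offline check that the
# public/private split the answer describes is enforced at the security-group
# level. Input has the shape of boto3's ec2.describe_security_groups; the
# sample groups below are constructed and their IDs are placeholders.
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")


def _permissions(groups, group_id):
    """Inbound rules of one security group."""
    for g in groups["SecurityGroups"]:
        if g["GroupId"] == group_id:
            return g.get("IpPermissions", [])
    raise KeyError(f"security group {group_id} not found")


def _port_label(perm):
    return f"{perm.get('IpProtocol')}/{perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')}"


def audit_private_group(groups, app_sg, allowed_source_sgs):
    """A private-tier group should only be reachable from public-tier groups
    (ALB, bastion) referenced by ID, never from a CIDR range."""
    findings = []
    for perm in _permissions(groups, app_sg):
        label = _port_label(perm)
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            findings.append(f"{app_sg} allows {label} from CIDR {cidr}; reference a source group instead")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in allowed_source_sgs:
                findings.append(f"{app_sg} allows {label} from unexpected group {pair['GroupId']}")
    return findings


def audit_bastion_group(groups, bastion_sg, admin_cidrs):
    """The bastion should accept only tcp/22, and only from admin networks."""
    admin = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings = []
    for perm in _permissions(groups, bastion_sg):
        if not (perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == 22 and perm.get("ToPort") == 22):
            findings.append(f"{bastion_sg} opens more than SSH: {_port_label(perm)}")
        for r in perm.get("IpRanges", []):
            net = ipaddress.ip_network(r["CidrIp"])
            if net == ANY_V4 or not any(net.subnet_of(a) for a in admin):
                findings.append(f"{bastion_sg} allows SSH from {net}, which is not an admin network")
    return findings


def _rule(proto, port, cidrs=(), groups=()):
    """Build a describe_security_groups-shaped inbound rule (for the sample data)."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


# Constructed sample: an ALB open to the world, a bastion limited to an admin
# network, a second bastion wrongly open to 0.0.0.0/0, a correctly locked-down
# app group and a leaky one.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-alb", "IpPermissions": [_rule("tcp", 443, cidrs=["0.0.0.0/0"])]},
    {"GroupId": "sg-bastion", "IpPermissions": [_rule("tcp", 22, cidrs=["203.0.113.0/24"])]},
    {"GroupId": "sg-bastion-open", "IpPermissions": [_rule("tcp", 22, cidrs=["0.0.0.0/0"])]},
    {"GroupId": "sg-app", "IpPermissions": [_rule("tcp", 8080, groups=["sg-alb"]),
                                            _rule("tcp", 22, groups=["sg-bastion"])]},
    {"GroupId": "sg-app-leaky", "IpPermissions": [_rule("tcp", 8080, cidrs=["10.0.0.0/16"]),
                                                  _rule("tcp", 22, groups=["sg-unknown"])]},
]}
PUBLIC_TIER = {"sg-alb", "sg-bastion"}
ADMIN_CIDRS = ["203.0.113.0/24"]

if __name__ == "__main__":
    for sg in ("sg-app", "sg-app-leaky"):
        print(sg, audit_private_group(SAMPLE, sg, PUBLIC_TIER) or ["ok"])
    for sg in ("sg-bastion", "sg-bastion-open"):
        print(sg, audit_bastion_group(SAMPLE, sg, ADMIN_CIDRS) or ["ok"])
```

Referencing the ALB and bastion groups by ID rather than by their subnet CIDR is what makes the split meaningful: an attacker who lands on some other host in the public subnet is not a member of those groups and still cannot reach the application port.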