I have resources like Kinesis and DynamoDB in my AWS account that I want to access from my ElasticBeanstalk App. The ElasticBeanstalk App doesn't serve any web-related traffic but just listens to a Kinesis Stream or some other resource and processes them, writing them to a file or DynamoDB, etc.
I had the following questions:

1. What is the best environment for this: Web Server tier or Worker tier? My application is not serving any web traffic, but at the same time the Worker tier seems to be something for batch jobs and is tied to an SQS queue. I can scale my Beanstalk env automatically based on network traffic, and I tried this out on a Web Server tier a couple of times and it worked well.
2. Can I put all my EC2 instances in a private subnet in case I just want to access the DynamoDB, Kinesis resources in my AWS account alone?
3. Why are most standard ElasticBeanstalk CloudFormation templates broken into public and private subnets, with instances being in private subnets and the ELB and NAT Gateway being in the public subnet? Is this more secure? If a hacker gets into the public subnet, wouldn't they also be able to get into the private subnets and therefore into your application?