
I know that one way is to use a load balancer in a public subnet, but for a development server we wouldn't need a load balancer. Is there an alternative option that would allow an application in a private subnet to be reachable from the internet?

If not, then would the best option be to just leave the development server in a public subnet? The database instances would still be in a private subnet.

1 Answer

10

An Amazon EC2 instance in a private subnet will never be directly reachable from the Internet, even if it has a public IP address. This is because a private subnet does not have a Route Table entry that connects the subnet to an Internet Gateway. This is intentional and desired.

So, your options are:

  • Put your instance in a Public Subnet instead of a Private Subnet, or
  • Create a VPN connection to the VPC so you can communicate with resources in the VPC, including the private subnet, or
  • Connect to an instance in the Public Subnet and use Port Forwarding to then obtain a connection with the private instance (see below), or
  • Use a Load Balancer or Proxy in the Public Subnet to forward traffic to the private subnet (one benefit is that it mimics the production setup)

Port Forwarding is a common technique to provide private connectivity to a resource that is not directly accessible. For example:

  • Public-Instance in the public subnet
  • Private-Instance in the private subnet
  • SSH into Public-Instance with port forwarding, which then establishes a connection to Private-Instance
  • Access resources on your local machine and it will actually forward the request to Private-Instance

A sample connection string would be:

ssh -i pemfile ec2-user@public-instance -L 8000:private-instance:80

Any request sent to your local computer's port 8000 would be forwarded to Public-Instance, which would then forward the request to private-instance:80. This will continue as long as the SSH session is in place.

John Rotenstein
  • Thank you for the detailed response! I think it might be a good idea to re-evaluate my thought that the application should be in a private subnet. Would having the EC2 instance in a public subnet with a security group that only allowed HTTP, HTTPS, and SSH (restricted to bastion host security group) be effectively different from having the EC2 instance in a private subnet with HTTP traffic routed through a proxy server in a public subnet? – awsarchitecturequestions Mar 07 '19 at 03:02
  • I had originally considered using a load balancer for the development server EC2 instance as well because it would do exactly what I need, but I thought I surely must be overlooking something if I'm setting up a load balancer that is directing traffic to a single target group with only a single instance in it. It seemed like more of a work around in my mind. Am I looking at that in the wrong way? Is it a fairly commonplace thing to do? – awsarchitecturequestions Mar 07 '19 at 03:08
  • You would be perfectly okay never using private subnets (with an exception for allowing Lambda to access VPC resources _and_ the Internet). This is an old-fashioned concept that relates to the way networking equipment used to enforce security at the subnet-level. You can instead use Security Groups to enforce security at the instance-level. However, some security folks still like to use private subnets as an additional layer of security. For your dev resources, you should also lock-down the security groups to only _your_ IP range, so nobody else can access them. – John Rotenstein Mar 07 '19 at 03:13
  • That makes perfect sense. I will go ahead and set it up in a public subnet and use the security group then (and also restrict the IP range for SSH). Thank you once more for all of your insight, it has been really helpful! – awsarchitecturequestions Mar 07 '19 at 13:11
  • @JohnRotenstein - What exactly restricts a request to a Private Subnet EC2 instance if it has a public IP. Because request may arrive at VPC, VPC has IGW, IGW can translate Public IP to Private IP, and can redirect request to ec2 in private subnet. Here, I am unable to understand the lookup in route table for an inbound request. – Ankush Jain Dec 30 '21 at 12:02
  • @Ankush By definition, a private subnet does not have a Route Table entry that points to an Internet Gateway. Therefore, the Internet Gateway cannot communicate with resources in the private subnet. – John Rotenstein Dec 31 '21 at 03:10
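The answer's point (a private subnet has no route to an Internet Gateway, so a public IP alone does not make an instance reachable) and the comment thread's follow-up (in a public subnet it is the security group, locked to your own IP range, that limits who gets in) can be checked in a small model. The following is an added example, not code from the answer or from AWS; it reproduces the VPC router's longest-prefix lookup and the three gates an inbound Internet connection must pass (public IP, IGW route, security group rule). All resource ids (`igw-EXAMPLE`, `nat-EXAMPLE`, `sg-bastion-EXAMPLE`) and the address ranges are constructed placeholders, and the model deliberately ignores network ACLs.

```python
"""Model of EC2 Internet reachability: route table + public IP + security group.
Added illustration; ids and addresses below are constructed, not real resources."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Route:
    destination: str  # CIDR block, e.g. "0.0.0.0/0"
    target: str       # "local", "igw-…", "nat-…" (placeholder ids)


@dataclass
class RouteTable:
    routes: List[Route]

    def lookup(self, dst_ip: str) -> Optional[Route]:
        """Longest-prefix match, the rule the VPC router applies."""
        addr = ip_address(dst_ip)
        hits = [r for r in self.routes if addr in ip_network(r.destination)]
        return max(hits, key=lambda r: ip_network(r.destination).prefixlen, default=None)

    def is_public(self) -> bool:
        """AWS's definition of a public subnet: some route targets an Internet Gateway."""
        return any(r.target.startswith("igw-") for r in self.routes)


@dataclass
class IngressRule:
    port: int
    source: str  # a CIDR ("203.0.113.0/24") or a security group id ("sg-…")


@dataclass
class Instance:
    subnet_rt: RouteTable
    public_ip: Optional[str]
    ingress: List[IngressRule]


def reachable_from_internet(inst: Instance, client_ip: str, port: int) -> Tuple[bool, str]:
    """Can a TCP connection from client_ip on the Internet reach inst:port?
    Returns (decision, reason) so the blocking gate is visible."""
    if inst.public_ip is None:
        return False, "no public IP, so the Internet Gateway has nothing to translate"
    if not inst.subnet_rt.is_public():
        return False, "subnet route table has no Internet Gateway route (private subnet)"
    client = ip_address(client_ip)
    for rule in inst.ingress:
        if rule.port != port:
            continue
        if rule.source.startswith("sg-"):
            # Group-to-group rules only match members of that group (e.g. a bastion),
            # never an arbitrary Internet client.
            continue
        if client in ip_network(rule.source):
            return True, f"security group allows {rule.source} on port {port}"
    return False, f"security group has no inbound rule for {client_ip} on port {port}"


# Constructed sample VPC (placeholder ids, documentation address ranges).
VPC_CIDR = "10.0.0.0/16"
PUBLIC_RT = RouteTable([Route(VPC_CIDR, "local"), Route("0.0.0.0/0", "igw-EXAMPLE")])
PRIVATE_RT = RouteTable([Route(VPC_CIDR, "local"), Route("0.0.0.0/0", "nat-EXAMPLE")])
MY_OFFICE = "203.0.113.0/24"  # the "only your IP range" advice from the comments

# Dev server in a public subnet: HTTP/HTTPS open, SSH only from the bastion's group.
dev_public = Instance(PUBLIC_RT, "198.51.100.10",
                      [IngressRule(80, "0.0.0.0/0"), IngressRule(443, "0.0.0.0/0"),
                       IngressRule(22, "sg-bastion-EXAMPLE")])
# Same server with the security group locked down to the office range.
dev_locked = Instance(PUBLIC_RT, "198.51.100.10", [IngressRule(80, MY_OFFICE)])
# Same server in a private subnet, even with a public IP and a wide-open group.
dev_private = Instance(PRIVATE_RT, "198.51.100.11", [IngressRule(80, "0.0.0.0/0")])

if __name__ == "__main__":
    for label, inst, ip, port in [("public/80", dev_public, "203.0.113.5", 80),
                                  ("public/22", dev_public, "203.0.113.5", 22),
                                  ("locked/80 from outside", dev_locked, "192.0.2.9", 80),
                                  ("private/80", dev_private, "203.0.113.5", 80)]:
        print(label, reachable_from_internet(inst, ip, port))
```

Running it shows the public-subnet server answering on 80 but refusing 22 to an Internet client (the SSH rule only matches the bastion's group), the locked-down server refusing an address outside the office range, and the private-subnet server refused before the security group is even consulted, which is the distinction the comments were asking about.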