AWS: Reverse Proxy to access private instance

amazon-web-services, dmz, reverse-proxy

I am looking for a best practice to set up a reverse proxy providing access to a private instance (for example a web server).

I thought it would be possible to do this:

  • create a VPC with one private subnet

  • launch the reverse proxy instance, give it two NICs, one in the private subnet, one with the auto assigned public IP

  • launch the web server instance in the private subnet

This is not possible because the auto assigned public IP can't be assigned to a NIC.

Then, I found an article outlining Amazon's recommended practice to do this.

  • Set up a VPC with one public and one private subnet, with according security groups and an elastic IP with a NAT gateway
  • Launch the instances, the reverse proxy in the public, the other server in the private subnet
  • The NAT gateway connects the public and private subnet

I do not understand what I need the NAT gateway and EIP for in this scenario.
With a machine with an auto assigned public IP and a NIC in the private subnet this should work as well, shouldn't it?

What is your best practice to do this in AWS?

Best Answer

A NAT instance is only useful for allowing a private instance to initiate outbound connections to the internet.

What you are looking for is an AWS Application Load Balancer or AWS Elastic Load Balancer that lives in your public subnet. It would have public IPs. Your webserver would be attached to the load balancer, and the load balancer would proxy the traffic back to your instance.
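The layout the answer describes, written out as a Terraform configuration: an Application Load Balancer in public subnets, the web server in a private subnet with no public IP, and the web server's security group admitting port 80 only from the load balancer's security group. This is an added example, not code from the question or the answer; the address plan, availability zones, instance type and the `ami-PLACEHOLDER` id are constructed placeholders, and the private subnet is deliberately left on the VPC's main route table (local route only).

```hcl
# Added example (not the original poster's or answerer's configuration).
# Address plan and AMI id are placeholders; the private subnet stays on the
# VPC's main route table (local route only), so it has no path to the internet.
data "aws_availability_zones" "available" {}
resource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" }
resource "aws_internet_gateway" "igw" { vpc_id = aws_vpc.main.id }

# Two public subnets (an ALB needs subnets in two AZs); only the ALB lives here.
resource "aws_subnet" "public" {
  count             = 2
  vpc_id            = aws_vpc.main.id
  cidr_block        = cidrsubnet(aws_vpc.main.cidr_block, 8, count.index)
  availability_zone = data.aws_availability_zones.available.names[count.index]
}
# Private subnet: the web server gets no public IP and no route to the internet gateway.
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = cidrsubnet(aws_vpc.main.cidr_block, 8, 10)
  availability_zone = data.aws_availability_zones.available.names[0]
}
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table_association" "public" {
  count          = 2
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}

# ALB security group: the only surface exposed to the internet; egress stays inside the VPC.
resource "aws_security_group" "alb" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}
# Web server security group: port 80 admits traffic only from the ALB's security
# group, never from a CIDR, so the instance stays unreachable even if a public IP
# were later attached to it by mistake.
resource "aws_security_group" "web" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [aws_vpc.main.cidr_block] # widen only if a NAT gateway is added
  }
}

resource "aws_instance" "web" {
  ami                    = "ami-PLACEHOLDER" # placeholder: supply a real AMI id
  instance_type          = "t3.micro"
  subnet_id              = aws_subnet.private.id
  vpc_security_group_ids = [aws_security_group.web.id]
}
resource "aws_lb" "front" {
  load_balancer_type = "application"
  internal           = false
  subnets            = aws_subnet.public[*].id
  security_groups    = [aws_security_group.alb.id]
}
resource "aws_lb_target_group" "web" {
  port     = 80
  protocol = "HTTP"
  vpc_id   = aws_vpc.main.id
}
resource "aws_lb_target_group_attachment" "web" {
  target_group_arn = aws_lb_target_group.web.arn
  target_id        = aws_instance.web.id
  port             = 80
}
# Production would terminate TLS here (protocol = "HTTPS" plus certificate_arn).
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.front.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}
```

The NAT gateway and elastic IP from the question are absent on purpose: they carry no inbound traffic and would only be added, as a `0.0.0.0/0` route in a private route table, if the web server itself needs to initiate outbound connections (package updates, for instance). Inbound reachability comes entirely from the listener on the ALB plus the security-group reference from `web` to `alb`.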