This diagram represents a production-level AWS VPC architecture, designed to be secure, scalable, and highly available across multiple availability zones. Here’s a breakdown of each component in the architecture:
Region: All resources are hosted within a single AWS region. Availability Zones (AZs): The setup spans across two Availability Zones (AZ-1 and AZ-2) for redundancy and high availability.
The VPC serves as an isolated network environment that includes both public and private subnets across the two availability zones.
Public subnets in each Availability Zone host resources that require internet access. These include: NAT Gateway: Allows instances in private subnets to access the internet for updates or other purposes while keeping them isolated from incoming internet traffic. Application Load Balancer (ALB): Distributes incoming traffic across servers located in the private subnets, improving load handling and enabling failover across multiple AZs.
Private subnets are used for internal resources that don’t need direct access to the internet. These subnets are more secure because they’re only accessible internally or through the load balancer. Servers (EC2 Instances): The application and database servers are hosted here. They handle backend processing and are protected from direct internet exposure by the security group. Auto Scaling Group: Automatically adds or removes EC2 instances in the private subnets based on traffic demand, ensuring high availability and cost-efficiency.
A Bastion Host is deployed in one of the public subnets (or optionally both for high availability). The Bastion Host is an EC2 instance with SSH access, which is used to securely connect to instances in the private subnets. This host provides a secure way to access private instances without exposing them to the internet. Only authorized IPs (like your office or home IP) should have SSH access to this Bastion Host.
The S3 gateway allows secure access to Amazon S3 for resources within the VPC. This is commonly used for instances in private subnets to access S3 buckets without requiring public internet access, often through VPC endpoints.
The ALB is responsible for routing incoming requests from the internet to instances in the private subnets. It’s set up in a public subnet but forwards requests only to internal instances in the private subnets.