I would appreciate any help on the following scenario in AWS:
Instance 1 : I have a public subnet which has an internet facing web server. So basically an ec2 instance with a public ipv4 address and port 443 open to all. Instance 2 : I want to spin up an ec2 instance with a private ipv4 address in the same subnet and be able to communicate with the ec2 instance of the web sever.
Question: Is this communication possible?
What I have tried so far: I noticed that Instance 2 with a private ipv4 cannot communicate with Instance 1. But it can if it is has a public ipv4 address. As far as I know this is happening via the internet.
My original design: Instance 2 was spun up in its own private subnet and had its own security group to communicate with Instance 1 in its public subnet. Which is a better design in this scenario? Having them in the same public subnet or separate them out in public and private subnets?
Background: Instance 1 hosts a web server and Instance 2 is a worker. Workers are added on demand by the server.
CodePudding user response:
Instance 2 should be able to communicate with instance 1 in the same subnet without needing to have a public IP. Instance 1, even though a public EC2, should also have a private IP.
You should be able to communicate from instance 2 using that IP and it will not use the internet to communicate rather the private VPC network. Just make sure you open the port you are using to communicate in the security group of instance 2.
CodePudding user response:
All Amazon EC2 instances are assigned a private IP address and can communicate with other instances in the same VPC.
If you want the two instances to communicate, you will need to configure the security groups to allow communication. I would recommend:
- A security group on the web server (
Web-SG
) that permits Inbound access on port 80 from the anywhere (0.0.0.0/0
) and allows all Outbound access - A security group on the private instance (
Private-SG
) that allows all Outbound access - The private instance should communicate with the web server via its private IP address
Please note that if the private instance does not have a public IP address then you will not be able to connect to that instance (SSH/RDP). You could use AWS Systems Manager Session Manager to login, but that would also require either a public IP address or the use of a NAT Gateway (with the private instance launched in a private subnet).
Correct use of Security Groups can be just as secure as using a private subnets. You do not need to use private subnets to maintain security.