A Subtle Soliloquy on a Basic Diagram for a Fairly Secure Service

[Image: the VPC design diagram described in the post]


In a hands-on session, I completed a basic design that illustrates an AWS Cloud whose second (inner) layer is a Virtual Private Cloud, which houses an organization's private network environment.

The organization is big on availability and has replicated its services across two Availability Zones, each of which has a public and a private subnet.

The public subnet holds the company's web server(s), which sit behind a load balancer and are reachable from the internet. The private subnet mirrors it in layout but is more restrictive: it holds the company's internal servers (which may run its database) and is designed for resilience. The internal server instances are further protected by a Security Group whose inbound rules allow only the traffic the web tier actually needs, for example the database port from the web servers' Security Group rather than from any source address.

While the resources in the public subnet communicate directly with the internet through the Internet Gateway, the private subnet can only reach the internet outbound through a NAT gateway, which itself resides in the public subnet. The NAT gateway forwards connections initiated from the private subnet (for package updates, for instance) and does not accept connections initiated from the internet. One caveat for a two-zone design: a NAT gateway lives in a single Availability Zone, so each public subnet should get its own NAT gateway and each private subnet's route table should point at the NAT gateway in its own zone; otherwise the loss of one zone also takes away the other zone's outbound path.

In general, every resource in a VPC can communicate with every other resource in it, because every route table carries a "local" route for the VPC CIDR that cannot be removed. The route tables therefore do not separate the subnets from each other; what they decide is where traffic bound for destinations outside the VPC goes, which is how one table sends 0.0.0.0/0 to the Internet Gateway (public) while another sends it to the NAT gateway (private). Isolation between the two tiers comes from Security Groups and network ACLs, not from routing.

In all of these, should the company need to use the S3 bucket service, the default path is out to the internet (and through the NAT gateway if the traffic originates from a private subnet), because S3 is an AWS service with publicly reachable endpoints. It does not have to be that way, though: a gateway VPC endpoint for S3 adds a route for the S3 prefix list to each chosen route table, so S3 traffic stays on the AWS network, never crosses the Internet Gateway or NAT gateway (and avoids NAT data-processing charges), and can be restricted further with an endpoint policy and with bucket policies that check aws:SourceVpce.
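As an added check for the routing described above (this is example code written for this page, not the author's diagram or anything from AWS), here is a Python audit that reads the JSON shape returned by `aws ec2 describe-route-tables` and flags three of the points just discussed: a private-tier table whose default route points at an Internet Gateway, a private subnet whose NAT gateway sits in a different Availability Zone, and a table with no S3 gateway-endpoint route. The Tier tag on the route tables, the subnet and NAT gateway AZ maps, and every ID (including the S3 prefix-list ID) are assumptions constructed for the example; the third route table in the sample is deliberately misconfigured so the audit has something to report.

```python
"""Route-table audit for a two-AZ public/private VPC design.

Consumes the "RouteTables" list from `aws ec2 describe-route-tables --output json`:
each table has Routes (DestinationCidrBlock or DestinationPrefixListId plus a
GatewayId such as "local", "igw-*", "vpce-*", or a NatGatewayId "nat-*"),
Associations (SubnetId) and Tags. Assumed conventions, not AWS ones: route
tables carry a Tier=public|private tag, and the caller supplies subnet -> AZ and
NAT gateway -> AZ maps (obtainable from describe-subnets / describe-nat-gateways).
"""

# Constructed placeholder. The real S3 prefix-list ID is region-specific; look it
# up with: aws ec2 describe-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.<region>.s3
S3_PREFIX_LIST = "pl-0000s3aa"


def route_target(route):
    """Target ID as the API reports it (GatewayId or NatGatewayId), else None."""
    return route.get("GatewayId") or route.get("NatGatewayId")


def default_target(routes):
    """Target of the active 0.0.0.0/0 route, or None if the table has none."""
    for r in routes:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State", "active") == "active":
            return route_target(r)
    return None


def tag(obj, key):
    """Value of a tag in the API's [{"Key":..., "Value":...}] list, or None."""
    return next((t["Value"] for t in obj.get("Tags", []) if t["Key"] == key), None)


def audit(route_tables, subnet_az, nat_az, s3_prefix_list=S3_PREFIX_LIST):
    """Return a list of finding strings; an empty list means the design checks out."""
    findings = []
    for rt in route_tables:
        rt_id = rt["RouteTableId"]
        tier = tag(rt, "Tier")
        default = default_target(rt["Routes"]) or ""
        subnets = [a["SubnetId"] for a in rt.get("Associations", []) if a.get("SubnetId")]
        s3_via_endpoint = any(
            r.get("DestinationPrefixListId") == s3_prefix_list
            and str(route_target(r)).startswith("vpce-")
            for r in rt["Routes"]
        )
        if tier == "public" and not default.startswith("igw-"):
            findings.append(f"{rt_id}: public tier but default route is {default or 'missing'}, not an Internet Gateway")
        if tier == "private":
            if default.startswith("igw-"):
                findings.append(f"{rt_id}: private tier routes 0.0.0.0/0 to {default}; internal servers are internet-exposed")
            elif not default.startswith("nat-"):
                findings.append(f"{rt_id}: private tier has no NAT route; outbound internet access is blocked")
            else:
                # A NAT gateway is zonal: a private subnet should use the one in its own AZ.
                for s in subnets:
                    if subnet_az.get(s) != nat_az.get(default):
                        findings.append(
                            f"{rt_id}: subnet {s} in {subnet_az.get(s)} uses {default} in "
                            f"{nat_az.get(default)}; loses egress if that AZ fails"
                        )
        if not s3_via_endpoint:
            findings.append(f"{rt_id}: no S3 gateway-endpoint route; S3 traffic will exit via the IGW/NAT path")
    return findings


# Constructed sample in the describe-route-tables shape; all IDs are made up.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
S3_ROUTE = {"DestinationPrefixListId": S3_PREFIX_LIST, "GatewayId": "vpce-0s3example", "State": "active"}
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Tags": [{"Key": "Tier", "Value": "public"}],
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}, S3_ROUTE]},
    {"RouteTableId": "rtb-private-a", "Tags": [{"Key": "Tier", "Value": "private"}],
     "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a", "State": "active"}, S3_ROUTE]},
    # Deliberately wrong: points at the other zone's NAT gateway and has no S3 endpoint route.
    {"RouteTableId": "rtb-private-b", "Tags": [{"Key": "Tier", "Value": "private"}],
     "Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a", "State": "active"}]},
]
SUBNET_AZ = {"subnet-pub-a": "eu-west-1a", "subnet-pub-b": "eu-west-1b",
             "subnet-priv-a": "eu-west-1a", "subnet-priv-b": "eu-west-1b"}
NAT_AZ = {"nat-a": "eu-west-1a", "nat-b": "eu-west-1b"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROUTE_TABLES, SUBNET_AZ, NAT_AZ):
        print(finding)
```

Against the sample, only rtb-private-b is reported, once for the cross-zone NAT gateway and once for the missing S3 endpoint route; against real output, feed the audit the `RouteTables` list from the CLI together with the two AZ maps. Note that the audit only checks routing; it says nothing about whether the Security Groups on the private instances are as tight as the design intends.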

Mumbles his way to sleep: “Infrastructure diagrams are generic and not constrained to a particular provider.”

Ifeanyi Ibem

Solutions & Automation Engineer | Engineering and automating chaos for businesses through cloud, data, SaaS, infrastructure and platforms

2y

Quite insightful
