Best practice put nginx + django in AWS subnet private?public?

  • I want to put the fargate container which contains django + nginx

    However what subnet should be used for?

    At first I put this in public subnet, of course it works well.

    However, is it possible to put this in private subnet with NAT gateway?

    If so, How can users access to the private subnet from outside?

    A few users(admin) need to access to this django, it doesn't need to get access from other users.

  • You would put it ideally into a private subnet behind an AWS Load balancer of some sort. The benefit of this is that any security issues in your nginx installation are offloaded to AWS, therefore are no longer your concern.

    Some detractions:

    • slightly more complex setup
    • minimum cost of ~25USD per month for load balancer (minimum cost of around 25USD per 25 client certificates if you terminate them on Application Load Balancer)

    People would access the nginx servers via a jump/ bastion hosts. Access to this host would probably be limited by IP address and/or VPN.

    The AWS provided NAT gateway does not allow inbound traffic, unless it was initiated by outbound traffic.

Suggested Topics