# AWS VPC Architecture for Production EC2 App with CloudFront, WAF, and ALB
This document outlines a production-ready AWS VPC network design for deploying a secure, scalable application backend on EC2 in the ap-south-1 (Mumbai) region. The stack includes:
- EC2 (Go Application)
- ALB (Application Load Balancer)
- WAF (Web Application Firewall)
- CloudFront (Edge CDN)
- NAT Gateways (1 per AZ)
- Public & Private Subnet Segmentation
## Key Architecture Objectives
- Multi-AZ fault tolerance
- Edge security with AWS WAF (via CloudFront)
- Secure, private EC2 backend
- Scalable, high-availability NAT
- Future-ready for RDS/ElastiCache deployments
## VPC Design Summary
Component | Count | Description |
---|---|---|
VPC | 1 | 10.0.0.0/16 |
Subnets | 9 | 3 AZs × (Public + Private App + Private Data) |
NAT Gateways | 3 | 1 per AZ for AZ-local egress routing |
Route Tables | 5–6 | Split per subnet type and AZ |
Internet Gateway | 1 | For public subnet internet access |
EC2 | N | Go app, deployed in private app subnets |
ALB | 1 | Public subnets, exposed via CloudFront |
CloudFront | 1 | Global CDN + TLS offload |
WAF | 1 | Attached to CloudFront |
## Subnet Layout
Subnet Type | ap-south-1a | ap-south-1b | ap-south-1c |
---|---|---|---|
Public Subnet | 10.0.1.0/24 | 10.0.2.0/24 | 10.0.3.0/24 |
Private App | 10.0.11.0/24 | 10.0.12.0/24 | 10.0.13.0/24 |
Private Data | 10.0.21.0/24 | 10.0.22.0/24 | 10.0.23.0/24 |
## Topology Diagram (Simplified)

```
+------------------+
|     Internet     |
+--------+---------+
         |
+--------v---------+
| Internet Gateway |
+--------+---------+
         |
  [ Clients / Browsers ]
         |
  +------v------+
  | CloudFront  |
  |   + WAF     |
  +------+------+
         |
  +------v------+
  |     ALB     |
  +------+------+
         |
  +------+---------------+----------------+
  |                      |                |
+-v-----------+  +-------v-----+  +-------v-----+
| Private App |  | Private App |  | Private App |
|  Subnet 1a  |  |  Subnet 1b  |  |  Subnet 1c  |
+------+------+  +------+------+  +------+------+
       |                |                |
+------v------+  +------v------+  +------v------+
| NAT Gateway |  | NAT Gateway |  | NAT Gateway |
| (Public 1a) |  | (Public 1b) |  | (Public 1c) |
+-------------+  +-------------+  +-------------+
```
## Security Considerations
- WAF: Deployed on CloudFront for global edge protection
- SGs: EC2 only accepts traffic from ALB SG
- Public subnets: Only ALB and NAT Gateways reside here
- Private subnets: EC2 and future data services (e.g., RDS)
- No inbound internet access to EC2; outbound traffic leaves only via the NAT Gateway
## Route Tables
Route Table | Routes |
---|---|
Public RT | 0.0.0.0/0 → Internet Gateway |
Private App RT (x3) | 0.0.0.0/0 → NAT Gateway (local AZ) |
Private Data RT (x3) | Local only (no internet) |
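As an added example (not part of the original design doc), the subnet layout and route-table plan above encoded as data and checked for the invariants the design relies on: every CIDR inside the VPC and non-overlapping, one subnet per tier in each AZ, public subnets defaulting to the IGW, app subnets egressing through the NAT Gateway in their own AZ (which must sit in that AZ's public subnet), and data subnets with no default route. Subnet names such as `app-1a` are my own labels, not AWS identifiers.

```python
# Constructed example, not the page's own code: encode the subnet layout and route-table
# plan from the tables above and check the invariants the design depends on.
import ipaddress

VPC_CIDR = "10.0.0.0/16"
AZS = ["ap-south-1a", "ap-south-1b", "ap-south-1c"]

# subnet label -> (tier, AZ, CIDR), straight from the Subnet Layout table.
SUBNETS = {
    "public-1a": ("public", "ap-south-1a", "10.0.1.0/24"),
    "public-1b": ("public", "ap-south-1b", "10.0.2.0/24"),
    "public-1c": ("public", "ap-south-1c", "10.0.3.0/24"),
    "app-1a": ("app", "ap-south-1a", "10.0.11.0/24"),
    "app-1b": ("app", "ap-south-1b", "10.0.12.0/24"),
    "app-1c": ("app", "ap-south-1c", "10.0.13.0/24"),
    "data-1a": ("data", "ap-south-1a", "10.0.21.0/24"),
    "data-1b": ("data", "ap-south-1b", "10.0.22.0/24"),
    "data-1c": ("data", "ap-south-1c", "10.0.23.0/24"),
}
# subnet label -> target of its 0.0.0.0/0 route: "igw", "nat:<az>" or None (local only).
DEFAULT_ROUTE = {
    "public-1a": "igw", "public-1b": "igw", "public-1c": "igw",
    "app-1a": "nat:ap-south-1a", "app-1b": "nat:ap-south-1b", "app-1c": "nat:ap-south-1c",
    "data-1a": None, "data-1b": None, "data-1c": None,
}
# AZ -> public subnet hosting that AZ's NAT Gateway.
NAT_SUBNET = {"ap-south-1a": "public-1a", "ap-south-1b": "public-1b", "ap-south-1c": "public-1c"}
EXPECTED = {"public": "igw", "app": "nat", "data": None}  # tier -> required default-route kind

def check_plan(subnets, default_route, nat_subnet, vpc_cidr=VPC_CIDR, azs=AZS):
    """Return a list of findings; an empty list means the plan matches the design."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, (_, _, cidr) in subnets.items()}
    findings = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            findings.append(f"{name}: {net} lies outside {vpc}")
        for other, onet in nets.items():  # each pair checked once via name ordering
            if other > name and net.overlaps(onet):
                findings.append(f"{name} overlaps {other}")
    for az in azs:  # every AZ must carry exactly one subnet of each tier
        tiers = sorted(t for t, a, _ in subnets.values() if a == az)
        if tiers != ["app", "data", "public"]:
            findings.append(f"{az}: tiers present {tiers}, expected app/data/public")
    for name, (tier, az, _) in subnets.items():
        target = default_route.get(name)
        kind = target.split(":")[0] if target else None
        if kind != EXPECTED[tier]:
            findings.append(f"{name}: default route -> {target}, expected {EXPECTED[tier]}")
        elif kind == "nat":
            nat_az = target.split(":")[1]
            if nat_az != az:  # cross-AZ egress couples the AZ's uptime to another AZ's NAT
                findings.append(f"{name}: egress via NAT in {nat_az}, not its own AZ {az}")
            if subnets[nat_subnet[nat_az]][:2] != ("public", nat_az):
                findings.append(f"NAT for {nat_az} is not in that AZ's public subnet")
    return findings
```

Run `check_plan(SUBNETS, DEFAULT_ROUTE, NAT_SUBNET)` as a pre-apply review step; the same checks can be fed from `aws ec2 describe-subnets` / `describe-route-tables` output once the VPC exists.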
## DNS + TLS
- Route53 record `app.example.com` → CloudFront distribution
- ACM certificate in `us-east-1` for CloudFront (required)
- Optional TLS certificate on the ALB (for origin verification)
## Optional Modules for Extension
- Bastion Host in Public Subnet for SSH (restricted by SG)
- NACLs for enhanced subnet-level filtering
- Flow Logs for auditing and compliance
- CloudWatch + VPC Flow Logs for visibility
## Deployment Notes
- Terraform modules are highly recommended for reproducibility
- Place EC2 instances in private subnets across all 3 AZs
- Disable caching in CloudFront if the backend is fully dynamic
## References
- AWS VPC Best Practices
- CloudFront and WAF Integration
- NAT Gateway Docs