Private Service, Private Network

A private service is generally used for important internal business services that need to be protected from direct access by the public:

  • Cache service such as Redis
  • Internal API that provides a thin wrapper around a database
  • Billing, password and authentication, or other similar service that has personally identifying information.

A private service’s architecture looks like this:

[Figure: private subnet with a private load balancer in front of the private service]

Just as in the previous architecture, this design has an Amazon Virtual Private Cloud (VPC) with two subnets:

  • Public subnet: Has an attached internet gateway to allow resources launched in that subnet to accept connections from the internet and initiate connections to the internet. Resources in this subnet have public IP addresses. In this design there is a public-facing service, perhaps an API gateway. End users are able to initiate a connection (blue in the diagram) through the internet gateway and public-facing load balancer to the API gateway container.
  • Private subnet: For internal resources. Instances in this subnet have no direct internet access and only have private IP addresses that are internal to the VPC, not directly accessible by the public. This is where the private service is running. The private tier of the application stack has its own private load balancer which is not accessible to the public. The API gateway service is able to initiate a connection (green in the diagram) to the private load balancer in order to reach the private service, but the public cannot.
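The three properties that keep this tier private are easy to get wrong in a template: the load balancer scheme, the security group ingress on that load balancer, and whether the task itself is handed a public IP. The following added example (not code from this page or from the linked AWS templates) audits a CloudFormation template, loaded as a Python dict, for exactly those three settings. The two embedded templates and all resource names in them (`PrivateLoadBalancer`, `LoadBalancerSG`, `ApiGatewaySecurityGroup`, `Service`) are constructed for illustration; the resource types and property names are standard CloudFormation.

```python
"""Audit a CloudFormation template for the private-service pattern.

Constructed example; not part of the AWS templates this page links to.
Checks: the ALB is internal, its security group only admits traffic from
another security group (the public-facing caller), and the ECS tasks do
not get a public IP.
"""
from typing import Dict, List

# CIDRs that mean "the whole internet".
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def audit_private_service(template: Dict) -> List[str]:
    """Return a list of findings; an empty list means the tier stays private."""
    findings: List[str] = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type")
        props = res.get("Properties", {})

        # 1. The private load balancer must not be internet-facing.
        if rtype == "AWS::ElasticLoadBalancingV2::LoadBalancer":
            if props.get("Scheme") != "internal":
                findings.append(f"{name}: load balancer Scheme must be 'internal'")

        # 2. Ingress should name the caller's security group, never a world CIDR.
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr in WORLD_CIDRS:
                    findings.append(
                        f"{name}: ingress on port {rule.get('FromPort')} is open to {cidr}"
                    )

        # 3. Tasks in the private subnet should not be assigned a public IP.
        if rtype == "AWS::ECS::Service":
            awsvpc = props.get("NetworkConfiguration", {}).get("AwsvpcConfiguration", {})
            if awsvpc.get("AssignPublicIp") == "ENABLED":
                findings.append(f"{name}: AssignPublicIp must be DISABLED")
    return findings


# Constructed template: a "private" service that is actually exposed.
EXPOSED_TEMPLATE = {
    "Resources": {
        "PrivateLoadBalancer": {
            "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
            "Properties": {"Scheme": "internet-facing", "Subnets": [{"Ref": "PrivateSubnetOne"}]},
        },
        "LoadBalancerSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Access to the private load balancer",
                "VpcId": {"Ref": "VPC"},
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}
                ],
            },
        },
        "Service": {
            "Type": "AWS::ECS::Service",
            "Properties": {
                "LaunchType": "FARGATE",
                "NetworkConfiguration": {
                    "AwsvpcConfiguration": {
                        "AssignPublicIp": "ENABLED",
                        "Subnets": [{"Ref": "PrivateSubnetOne"}],
                    }
                },
            },
        },
    }
}

# Constructed template: the same resources configured as the diagram intends.
PRIVATE_TEMPLATE = {
    "Resources": {
        "PrivateLoadBalancer": {
            "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
            "Properties": {"Scheme": "internal", "Subnets": [{"Ref": "PrivateSubnetOne"}]},
        },
        "LoadBalancerSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Access to the private load balancer",
                "VpcId": {"Ref": "VPC"},
                "SecurityGroupIngress": [
                    {
                        "IpProtocol": "tcp",
                        "FromPort": 80,
                        "ToPort": 80,
                        # Only the public-facing API gateway tier may connect.
                        "SourceSecurityGroupId": {"Ref": "ApiGatewaySecurityGroup"},
                    }
                ],
            },
        },
        "Service": {
            "Type": "AWS::ECS::Service",
            "Properties": {
                "LaunchType": "FARGATE",
                "NetworkConfiguration": {
                    "AwsvpcConfiguration": {
                        "AssignPublicIp": "DISABLED",
                        "Subnets": [{"Ref": "PrivateSubnetOne"}],
                    }
                },
            },
        },
    }
}

if __name__ == "__main__":
    for label, tpl in (("exposed", EXPOSED_TEMPLATE), ("private", PRIVATE_TEMPLATE)):
        print(label, audit_private_service(tpl) or "OK")
```

The check is deliberately narrow: it reads the rendered template, so it catches a misconfigured parameter value but not a rule added later through the console. Run it against the template as a pre-deploy gate, and pair it with a post-deploy check of the live load balancer and security group.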

Deploy in a self-managed EC2 cluster

Use these templates:

  • Launch a custom EC2 cluster in a private VPC with a NAT gateway
  • Add a private, internal ALB ingress
  • Deploy a private EC2 service

Deploy in AWS Fargate

Use these templates:

  • Launch an AWS Fargate cluster in a private VPC with a NAT gateway
  • Add a private, internal ALB ingress
  • Deploy a private Fargate service

The CloudFormation outputs for the ALB ingress template give you a URL for the private service. This URL will only be accessible from another instance in the cluster. You can test it by using AWS Cloud9 to launch a development instance in the VPC and making a curl request to the URL from that instance.