Am I wrong to think that a webserver's webpage is accessible through a corporate network's public IP?

0

I have two EC2 machines in a VPC. I have the VPC connected to my corporate network over a site-to-site VPN. The web page that is hosted in EC2 is working as expected and is accessible as long as I am on campus in the office. I was told they want the webpage available. I have it in my head to route it all through the corporate firewall and use the public IP addresses available from the corporate network. Is my thinking incomplete in doing it this way, and should I instead have the webpage accessible through AWS to the public? If I have the correct thinking, then I am having some trouble trying to get it to route through. I feel like I am missing some steps along the way. The webserver is in a private subnet, and in between it and the internet gateway there is a NAT gateway.

4 Answers
1

Hello.

In order to publish a website via the corporate network, I think it is necessary to set up a proxy etc. within the corporate network so that it can access EC2.
I think the easiest way is to deploy ALB on AWS and target EC2 without going through the corporate network.
However, in this case, EC2 will publish the website through communication that does not go through the corporate network firewall.

EXPERT
answered 3 months ago
1

To expose your website to the public, you need to place a load balancer in a public subnet.
We will specify EC2 as the ALB target.

EXPERT
answered 3 months ago
0

So direct the load balancer to the private subnet where the webserver lives, or load balance to the NAT gateway that is in the public subnet?

answered 3 months ago
0

Hello, I'd recommend that you take some considerations on the architecture and possible points of failure that you might create using the solution you mentioned. Correct me if I understood it wrong, but the architecture that you are proposing is something like this:

Website accessible through Internet <> On-Premises <> S2S VPN <> AWS EC2 (private IP - Website hosting)

In this architecture, if the VPN fails or your campus internet goes down, your website will be inaccessible too. You have to consider some limitations too, like S2S VPN throughput of 1.25GB and the link consumption of your on-premises internet.

On the cost-optimization side, the mentioned architecture will incur costs of Data Transfer Out (DTO) from the EC2 VPC to your on-premises site. If your network provider also charges you on DTO, you will be paying this twice.

If you publish the website using an architecture like this:

IGW <> ALB (Public subnet) <> EC2 (Private subnet)

You will have resources that can scale and handle traffic surges, without the bandwidth limitation of the S2S VPN.

Another detail, if it is a simple, static website, you can consider using S3 to host and publish it.

AWS
answered 3 months ago
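
The layout the answers above recommend (internet gateway, ALB in public subnets, EC2 in the private subnet), sketched as a CloudFormation template; this is an added example, not code from any poster. The VPC, subnet, instance and certificate parameters, HTTPS on 443 at the ALB, and the web server listening on port 80 are assumptions. The ALB forwards to the instance itself, since a NAT gateway only carries outbound traffic from the private subnet, and WebSg lets the instance accept web traffic from the ALB's security group alone.

```yaml
# Added example: every ID below is a parameter supplied at deploy time (assumptions).
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId: {Type: "AWS::EC2::VPC::Id"}
  PublicSubnets: {Type: "List<AWS::EC2::Subnet::Id>"}  # two AZs, routed to the IGW
  WebInstanceId: {Type: "AWS::EC2::Instance::Id"}      # existing private-subnet EC2
  CertArn: {Type: String}                              # ACM certificate for the site
Resources:
  AlbSg:                      # the only group open to the internet
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internet to ALB on 443
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: "0.0.0.0/0"}
  WebSg:                      # attach to the web instance; admits the ALB only
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ALB to web server on 80
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 80, ToPort: 80, SourceSecurityGroupId: !GetAtt AlbSg.GroupId}
  Alb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets: !Ref PublicSubnets
      SecurityGroups: [!GetAtt AlbSg.GroupId]
  WebTg:                      # target is the instance itself, not the NAT gateway
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTP
      Port: 80
      TargetType: instance
      Targets:
        - Id: !Ref WebInstanceId
  Listener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Alb
      Protocol: HTTPS
      Port: 443
      Certificates:
        - CertificateArn: !Ref CertArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref WebTg
```

WebSg is created but not attached by this template; add it to the existing instance and remove any broader inbound rule on port 80 so the ALB is the only public path in.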
