Security Hub questions about EC2 instance

0

What is the best solution to address the security vulnerability report regarding an EC2 instance with the error message 'EC2 instances should not have a public IPv4 address'?

Asked 6 months ago, 187 views
3 answers
1
Accepted answer

Hi,

The best practice is to have your EC2 in the private subnets (not having a public IP address). Depending on your case, you should:

  • Have an ELB in front of it (ALB or NLB). It will help to expose only specific ports and increases your HA if you have more than one EC2 instance.
  • Have CloudFront in front of it. It will help with caching, and your instances are not accessible directly by the clients.
  • Have access to it via VPN. If this instance serves only internal users, you can put it behind the VPN to increase security.

Of course, it's just a recommendation, and you can show what controls you set to mitigate different risks and acknowledge others.

Expert, answered 6 months ago. Reviewed by an Expert 2 months ago and by an AWS Expert 6 months ago.
  • But the problem is I already have this EC2 instance running in a public subnet with a public IP address. How is it possible to apply this solution to an already running instance, running in a public subnet with a public IP address?

  • Agreed with Dmytro. On your additional question: is the EC2 reached publicly via its IP address directly or via a DNS name? If you use DNS, you can create the new implementation with the balancer while keeping the existing IP up & running. This address will receive requests for a few days after you switch the DNS record to the balancer IP. After this traffic to the existing IP disappears, you can remove this initial IP.

  • As Didier said, if you are reaching your service by DNS name it's straightforward for a zero-downtime migration. If you are using the IP address directly, the only solution is if you are using an EIP for your public IP. In that case you can move it to the ELB.

1

Hi emman, any reason why you are using an EC2 instance in the public subnet? What is your business scenario? According to best practice, as also stated above by Dmytro, you should have the EC2 instance in the private subnet and have it accessed through an ALB etc.

If you do not want any downtime, then you could create an AMI of your running EC2 instance, start a new EC2 instance using this AMI in the private zone, and then shift from public to private.

Answered 6 months ago
1

You have to create a snapshot of the EC2 and restore snapshot in a private subnet.

There is no way to remove the public IP or move subnets with existing EC2s.

Expert, answered 6 months ago
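The check behind this finding and the AMI-then-relaunch migration from the answers above, as an added example that is not from this thread or from AWS. It runs the EC2.9 logic over a constructed `aws ec2 describe-instances` response and prints the CLI steps; the subnet, security group and instance IDs are placeholders.

```python
# Added example (not from the re:Post thread or AWS): mirrors the Security Hub
# EC2.9 check over a constructed describe-instances response and emits the
# AMI -> private-subnet relaunch plan the answers describe.
import json

# Constructed sample, shaped like `aws ec2 describe-instances` output.
SAMPLE_DESCRIBE = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "InstanceType": "t3.micro", "SubnetId": "subnet-pub1",
     "PublicIpAddress": "203.0.113.10",
     "NetworkInterfaces": [{"Association": {"PublicIp": "203.0.113.10",
                            "IpOwnerId": "123456789012", "AssociationId": "eipassoc-1"}}]},
    {"InstanceId": "i-0bbb", "InstanceType": "t3.small", "SubnetId": "subnet-pub1",
     "PublicIpAddress": "203.0.113.11",
     "NetworkInterfaces": [{"Association": {"PublicIp": "203.0.113.11", "IpOwnerId": "amazon"}}]},
    {"InstanceId": "i-0ccc", "InstanceType": "t3.micro", "SubnetId": "subnet-priv1",
     "NetworkInterfaces": [{}]},
]}]})


def find_public_instances(describe_json: str) -> list[dict]:
    """Return each instance holding a public IPv4 address (what EC2.9 flags).
    Auto-assigned addresses are owned by 'amazon'; an Elastic IP is owned by
    the account, so it can be kept and re-pointed during the migration."""
    hits = []
    for res in json.loads(describe_json)["Reservations"]:
        for inst in res["Instances"]:
            ip = inst.get("PublicIpAddress")
            if not ip:
                continue
            assoc = next((e.get("Association", {}) for e in inst.get("NetworkInterfaces", [])
                          if e.get("Association", {}).get("PublicIp") == ip), {})
            hits.append({"InstanceId": inst["InstanceId"], "PublicIp": ip,
                         "SubnetId": inst["SubnetId"], "InstanceType": inst["InstanceType"],
                         "IsElasticIp": assoc.get("IpOwnerId") not in (None, "amazon"),
                         "AssociationId": assoc.get("AssociationId")})
    return hits


def migration_plan(inst: dict, private_subnet_id: str, sg_id: str) -> list[str]:
    """AWS CLI steps: image the running instance, relaunch it in the private
    subnet with no public IP, retire the public address once traffic drains."""
    steps = [
        f"aws ec2 create-image --instance-id {inst['InstanceId']} --name {inst['InstanceId']}-migrate --no-reboot",
        f"aws ec2 run-instances --image-id <AMI_ID_FROM_STEP_1> --instance-type {inst['InstanceType']} "
        f"--subnet-id {private_subnet_id} --security-group-ids {sg_id} --no-associate-public-ip-address",
    ]
    if inst["IsElasticIp"]:  # EIP survives the instance; re-point it (e.g. to an NLB) for clients that pinned it
        steps.append(f"aws ec2 disassociate-address --association-id {inst['AssociationId']}")
    else:  # auto-assigned IP cannot be moved: switch DNS to the load balancer and let traffic drain
        steps.append("# switch DNS record to the load balancer, wait for traffic to the old IP to stop")
    steps.append(f"aws ec2 terminate-instances --instance-ids {inst['InstanceId']}  # after traffic has drained")
    return steps


if __name__ == "__main__":
    for hit in find_public_instances(SAMPLE_DESCRIBE):
        print(hit["InstanceId"], hit["PublicIp"], "EIP" if hit["IsElasticIp"] else "auto-assigned")
        print("\n".join("  " + s for s in migration_plan(hit, "subnet-priv1", "sg-0123")))
```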
