Tuesday, June 30, 2015

Best Practice: NAT vs ElasticIP

I have two basic setups for a web application that resides behind an ELB on Amazon Web Services.

Layout A:

        +-----+                                        
    +---+ ELB +----+                                   
    |   +-----+    |                                   
    |              |                                   
    |              |                                   
+---v-----+  +-----v---+           +---------------+   
| EC2/EIP |  | EC2/EIP +----+----> | HTTP RESPONSE |   
+---------+  +---------+    |      +---------------+   
                            |                          
                            |      +------------------+
                            +----> | EXTERNAL WEBSITE |
                            |      +------------------+
                            |                          
                            |      +-----+             
                            +----> | API |             
                                   +-----+             

Layout B:

       +-----+                                              
   +---+ ELB +----+                                         
   |   +-----+    |                                         
   |              |                                         
   |              |                                         
+--v--+        +--v--+  +-----+         +---------------+   
| EC2 |        | EC2 +--+ NAT +--+----> | HTTP RESPONSE |   
+-----+        +-----+  +-----+  |      +---------------+   
                                 |                          
                                 |      +------------------+
                                 +----> | EXTERNAL WEBSITE |
                                 |      +------------------+
                                 |                          
                                 |      +-----+             
                                 +----> | API |             
                                        +-----+             

I believe both architectures have pros and cons:

Layout A:

  • Does the web server send the HTTP response back to the ELB? If it goes directly to the user, will it gain in response performance?
  • If I limit outgoing traffic to the HTTP port only on the security group, is there still any security threat?

Layout B:

  • Is this design creating another point of failure (the NAT)?
  • Will it work for OAuth communication?
  • Can it work with third-party CI and orchestration tools (Jenkins, Chef)?

Both designs are working well, but which design is the best practice for infrastructure, considering performance and security?

thanks
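As an added example (not part of the original post, and not AWS's own tooling), here is a small Python audit of the security-group question in Layout A: "outgoing traffic limited to the HTTP port only". It runs over constructed sample groups in the shape that boto3's `describe_security_groups()` returns, so it needs no AWS credentials; the group ids (`sg-layout-a-web`, `sg-default`, `sg-tools`, `sg-elb`) and the `203.0.113.0/24` range are invented for the example. The point it makes visible is that a port-only egress rule still allows `0.0.0.0/0` as the destination, which is the part a NAT (single egress address, one place to log) changes in Layout B.

```python
"""Audit EC2 security-group egress/ingress posture for a web tier behind an ELB.

The SAMPLE_GROUPS below are constructed in the shape of
ec2.describe_security_groups()["SecurityGroups"] (only the fields used here).
"""
from typing import Dict, List

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
WEB_PORTS = {80, 443}

# Constructed sample data; ids and CIDRs are hypothetical.
SAMPLE_GROUPS = [
    {
        # Layout A web group: ingress only from the ELB's group, egress HTTP/HTTPS
        "GroupId": "sg-layout-a-web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "UserIdGroupPairs": [{"GroupId": "sg-elb"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": ANY_V4}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_V4}]},
        ],
    },
    {
        # The AWS default group: all protocols, all ports, any destination
        "GroupId": "sg-default",
        "IpPermissions": [{"IpProtocol": "-1",
                           "UserIdGroupPairs": [{"GroupId": "sg-default"}]}],
        "IpPermissionsEgress": [{"IpProtocol": "-1",
                                 "IpRanges": [{"CidrIp": ANY_V4}]}],
    },
    {
        # A tooling group: SSH egress scoped to one constructed CIDR
        "GroupId": "sg-tools",
        "IpPermissions": [],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        ],
    },
]


def rule_findings(rule: Dict) -> List[str]:
    """Return the weaknesses of one IpPermissions(Egress) entry; empty means scoped."""
    findings: List[str] = []
    proto = rule.get("IpProtocol")
    if proto == "-1":
        findings.append("all-protocols")
    elif proto in ("tcp", "udp"):
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        if lo is None or hi is None or (lo, hi) == (0, 65535):
            findings.append("all-ports")
        elif not set(range(lo, hi + 1)) <= WEB_PORTS:
            findings.append(f"non-web-ports:{lo}-{hi}")
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    if any(c in (ANY_V4, ANY_V6) for c in cidrs):
        findings.append("any-destination")
    return findings


def audit_group(group: Dict) -> Dict:
    """Summarise one group's egress (ports/destinations) and ingress (CIDR vs group)."""
    egress_findings = [f for r in group.get("IpPermissionsEgress", [])
                       for f in rule_findings(r)]
    # A web tier behind an ELB should accept traffic from the ELB's group,
    # not from raw CIDR ranges.
    ingress_from_cidr = any(r.get("IpRanges") or r.get("Ipv6Ranges")
                            for r in group.get("IpPermissions", []))
    return {
        "group": group["GroupId"],
        "egress_findings": egress_findings,
        "egress_unrestricted": any(f in ("all-protocols", "all-ports")
                                   for f in egress_findings),
        "egress_any_destination": "any-destination" in egress_findings,
        "ingress_from_cidr": ingress_from_cidr,
    }


def audit_all(groups: List[Dict]) -> Dict[str, Dict]:
    """Audit every group and key the results by GroupId."""
    return {g["GroupId"]: audit_group(g) for g in groups}


if __name__ == "__main__":
    for gid, result in audit_all(SAMPLE_GROUPS).items():
        print(gid, result)
```

To run it against a real account, replace `SAMPLE_GROUPS` with `boto3.client("ec2").describe_security_groups()["SecurityGroups"]`. Note what the audit can and cannot tell you: `sg-layout-a-web` passes the port check but is still flagged `any-destination`, because a security group limits where a connection may go only by CIDR; it cannot express "only through the NAT", which in Layout B is a routing decision (no public address on the instance) rather than a security-group rule.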
