Current architecture places EC2 in a public subnet with direct internet exposure. Production workloads should follow a split-tier pattern.
Proposed changes:
- Add an Application Load Balancer (ALB) as the public ingress point
- Move EC2 instance(s) to private subnets (no public IP; outbound traffic such as package updates goes through a NAT gateway or VPC endpoints)
- ALB terminates TLS with an ACM-managed certificate (replacing certbot on the instance)
- Security groups updated: the instance security group accepts the application port only from the ALB's security group (referenced by ID, not by CIDR), and nothing from the internet
- Implement in both Terraform and CDK
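The following Terraform is an added example of the split-tier layout described above, not the project's own Terraform or CDK code. VPC and subnet IDs, the domain name, the AMI and the application port 8080 are placeholder assumptions; the ACM certificate is assumed to have completed DNS validation before the listener is created (in a real module that is an `aws_acm_certificate_validation` resource plus the Route 53 records).

```hcl
# Added example (not the project's code). Placeholders: vpc_id, subnets,
# domain_name, ami_id and the app port 8080 are assumptions.
variable "vpc_id"          { type = string }
variable "public_subnets"  { type = list(string) } # ALB, at least two AZs
variable "private_subnets" { type = list(string) } # EC2 targets
variable "domain_name"     { type = string }       # e.g. app.example.com (placeholder)
variable "ami_id"          { type = string }

# The ALB is the only internet-facing listener.
resource "aws_security_group" "alb" {
  name   = "alb-ingress"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "alb_https" {
  security_group_id = aws_security_group.alb.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}

# Port 80 is open only so the HTTP listener below can redirect to HTTPS.
resource "aws_vpc_security_group_ingress_rule" "alb_http" {
  security_group_id = aws_security_group.alb.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 80
  to_port           = 80
  ip_protocol       = "tcp"
}

# ALB may only talk to the app tier, and only on the app port.
resource "aws_vpc_security_group_egress_rule" "alb_to_app" {
  security_group_id            = aws_security_group.alb.id
  referenced_security_group_id = aws_security_group.app.id
  from_port                    = 8080
  to_port                      = 8080
  ip_protocol                  = "tcp"
}

# Instances accept the app port only from the ALB's security group.
# Referencing the SG (not a CIDR) keeps the rule correct when ALB node IPs change.
resource "aws_security_group" "app" {
  name   = "app-private"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "app_from_alb" {
  security_group_id            = aws_security_group.app.id
  referenced_security_group_id = aws_security_group.alb.id
  from_port                    = 8080
  to_port                      = 8080
  ip_protocol                  = "tcp"
}

# Outbound for updates/agents; reaches the internet via NAT, never inbound.
resource "aws_vpc_security_group_egress_rule" "app_egress" {
  security_group_id = aws_security_group.app.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}

resource "aws_acm_certificate" "app" {
  domain_name       = var.domain_name
  validation_method = "DNS"
  lifecycle { create_before_destroy = true }
}

resource "aws_lb" "app" {
  name                       = "app-alb"
  load_balancer_type         = "application"
  internal                   = false
  security_groups            = [aws_security_group.alb.id]
  subnets                    = var.public_subnets
  drop_invalid_header_fields = true
}

resource "aws_lb_target_group" "app" {
  name     = "app-tg"
  port     = 8080
  protocol = "HTTP" # plaintext inside the VPC; switch to HTTPS to re-encrypt to the instance
  vpc_id   = var.vpc_id
  health_check { path = "/healthz" }
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.app.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}

resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.app.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_instance" "app" {
  ami                         = var.ami_id
  instance_type               = "t3.small"
  subnet_id                   = var.private_subnets[0]
  vpc_security_group_ids      = [aws_security_group.app.id]
  associate_public_ip_address = false
}

resource "aws_lb_target_group_attachment" "app" {
  target_group_arn = aws_lb_target_group.app.arn
  target_id        = aws_instance.app.id
  port             = 8080
}
```

Two things to check after apply: the instance has no public IP and its security group has no rule with a CIDR source, and the ALB's egress rule is scoped to the app security group rather than 0.0.0.0/0, so a compromised ALB-tier rule cannot be widened silently. The ALB-to-instance hop is plain HTTP here because it stays inside the VPC; if the threat model requires encryption in transit on that hop, change the target group protocol to HTTPS and keep a certificate on the instance for that purpose only.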
Benefits:
- EC2 instances no longer directly reachable from the internet
- ALB enables future horizontal scaling (multiple EC2 targets)
- ACM-managed certs eliminate certbot renewal complexity on the instance
- Cleaner separation of concerns (networking vs. compute)