If you have a web-facing application, how do you make it visible internally, and ensure that traffic doesn't go over the Internet? This is sometimes a requirement for large companies that want to ensure that internal traffic is kept internal.
This is typically done with a load balancer in public subnets and your application instances in private subnets. That restricts direct access to those instances, but you might also want to remove access to the Internet from your application instances by not having a NAT Gateway. You can then choose to reroute traffic initiated from the instances to the Internet via a central egress account.
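One way to verify that layout is to audit the route tables of the application subnets. This is an added example, not code from the original post. It assumes a single VPC, IPv4 only, input shaped like EC2 `DescribeRouteTables` output, and that a Transit Gateway default route is what leads to the central egress account; all IDs are constructed.

```python
# Constructed sample in the shape of EC2 DescribeRouteTables output (one VPC).
SAMPLE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-lb-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-app", "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-egress", "Associations": [{"SubnetId": "subnet-app-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-example"}]},
    # Main table: applies to any subnet with no explicit association.
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
]


def default_route(table):
    """Classify the target of the table's IPv4 default route, if it has one."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("NatGatewayId"):
            return "local-nat"
        if (route.get("GatewayId") or "").startswith("igw-"):
            return "internet-gateway"
        if route.get("TransitGatewayId"):
            return "central-egress"  # assumption: the TGW leads to the egress account
        return "other"
    return "isolated"


def audit_subnets(route_tables, app_subnets):
    """Return {subnet_id: (route_table_id, classification)} for each subnet."""
    explicit, main = {}, None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("Main"):
                main = table
            if assoc.get("SubnetId"):
                explicit[assoc["SubnetId"]] = table
    results = {}
    for subnet in app_subnets:
        table = explicit.get(subnet, main)  # implicit association uses the main table
        results[subnet] = (table["RouteTableId"], default_route(table)) if table else (None, "unknown")
    return results


if __name__ == "__main__":
    for subnet, (rtb, kind) in audit_subnets(
            SAMPLE_TABLES, ["subnet-app-a", "subnet-app-b", "subnet-app-c"]).items():
        print(f"{subnet}: {rtb} -> {kind}")
```

In the sample, `subnet-app-c` has no explicit association and silently inherits the main table's NAT route, which is the case most likely to be missed in a manual review.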