Secure AWS VPC Architecture with Private MongoDB, Edge Protection, and Bastion-Only Access
TL;DR
- Edge protection using AWS WAF and AWS Shield.
- Request path: Amazon Route 53 → Amazon CloudFront → Application Load Balancer → Amazon EC2
- MongoDB on private EC2, no public exposure
- Bastion-only admin access.
- Backups to Amazon S3 via VPC Endpoint.
- Encryption at rest with AWS Key Management Service.
Project Overview
This architecture was designed for a production web application requiring strong security, controlled access, and reliable performance on AWS. The primary focus was isolating critical components, eliminating public exposure of the database, and enforcing a zero-trust access model while keeping the system highly available and globally performant.
Goals of the Architecture
- Isolate the database and internal services from the internet.
- Provide fast global content delivery.
- Enforce strict access control for administrators.
- Protect the application from common web threats.
- Enable safe backups, restores, and data migration.
- Maintain high availability with simple, manageable infrastructure.
High-Level Architecture
The system is deployed inside an Amazon VPC with public and private subnets. The application server resides in the public subnet behind an ALB, while the database server resides in a private subnet accessible only from the application layer and bastion host. Edge services handle DNS, CDN, and threat protection before traffic reaches the VPC.
Traffic Flow
User request flow
User → Route 53 → WAF/Shield → CloudFront → ALB → EC2 (App) → EC2 (MongoDB private)
Static content
CloudFront ↔ S3
Core Components
- DNS & CDN: Route 53, CloudFront
- Edge Security: AWS WAF, AWS Shield
- Compute: EC2 (Application), EC2 (MongoDB)
- Load Balancing: Application Load Balancer
- Storage & Backup: S3 with VPC Endpoint
- Encryption: AWS KMS
- Administrative Access: Bastion Host
Networking & Traffic Flow
The architecture uses a secure VPC design with public and private subnets:
- Public Subnet:
- Load Balancer
- Bastion Host
- Private Subnet:
- EKS Cluster
- Database
Data Layer & Persistence Design
MongoDB is hosted on a private EC2 instance with only private IP access. Security groups allow connections strictly from the application server and bastion host. Backups are stored in S3 through a VPC endpoint, ensuring backup traffic never traverses the public internet. Encryption at rest is enforced using KMS
Security Design
- Database in private subnet (no public IP).
- Bastion host for controlled SSH access.
- WAF rules for DDoS, SQLi, and XSS protection.
- Shield for additional edge DDoS resilience.
- Tight security groups between tiers.
- Encrypted storage and backup workflows.
- Zero-trust network access principles.
CI/CD & Deployment Strategy
Application updates are deployed to EC2 instances behind the ALB with controlled restarts to avoid downtime. Administrative access for deployments and database maintenance is performed via the bastion host. Backup and restore procedures are scripted and validated to ensure data integrity during releases and migrations.
Key Learnings
- Proper subnet design drastically improves security posture.
- CDN can accelerate even dynamic workloads when configured correctly.
- Bastion-based access is simple yet highly effective for sensitive environments
- VPC endpoints are critical for secure internal data movement.
- Layered security (Edge → Network → Host → Data) creates a resilient production system