I am planning to create a CI/CD configuration inside a VPC which involves AWS Elastic Beanstalk (host environment), GitHub (code repository), CodePipeline, and Jenkins (code build). The application located in the GitHub repository is supposed to run inside the Beanstalk environment, and any change to the GitHub repo should be reflected on the frontend.
I created a VPC with two public and two private subnets, and I have provisioned a Beanstalk environment with the Node.js platform (the application is Node.js). Then I started configuring the CodePipeline, and in its Add Source stage I have successfully managed to connect to the GitHub repo. Now I am at the Code Build stage, to which I want to add Jenkins running on an EC2 instance. Therefore I am provisioning an EC2 instance on which I plan to install Jenkins and then reference it in the Code Build stage.
However, I am not sure which subnet the Jenkins EC2 instance should be. Public or private?
For a more secure architecture, host Jenkins in a private subnet and set up AWS CodePipeline to use VPC endpoints. With VPC endpoints, no public IP addresses are required and traffic between the VPC and CodePipeline does not leave the Amazon network.
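As an added illustration of that answer (example code, not part of the original answer or of any AWS documentation), the following Terraform fragment creates the endpoints a Jenkins agent in a private subnet needs. The Jenkins CodePipeline plugin polls the CodePipeline API and moves build artifacts through the pipeline's S3 artifact bucket, so it needs an interface endpoint for CodePipeline and a gateway endpoint for S3. The variable names, the existing VPC, subnets, route table and the Jenkins instance's security group are assumptions; the region defaults to us-east-1 for the example.

```hcl
# Added example (not from the original answer): VPC endpoints so a Jenkins
# build agent in a private subnet can reach CodePipeline and the S3 artifact
# bucket without a public IP or a route to the internet.
# Assumed inputs: an existing VPC, its private subnets, their route table
# and the security group attached to the Jenkins EC2 instance.
variable "region"                 { default = "us-east-1" }
variable "vpc_id"                 { type = string }
variable "private_subnet_ids"     { type = list(string) }
variable "private_route_table_id" { type = string }
variable "jenkins_sg_id"          { type = string }

# Only the Jenkins instance may talk to the endpoint network interfaces,
# and only over HTTPS; nothing else in the VPC gets a path to the API.
resource "aws_security_group" "codepipeline_endpoint" {
  name   = "codepipeline-endpoint"
  vpc_id = var.vpc_id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [var.jenkins_sg_id]
  }
}

# Interface endpoint: the CodePipeline API resolves to private IPs inside
# the VPC. private_dns_enabled keeps the default
# codepipeline.<region>.amazonaws.com hostname working, so the Jenkins
# plugin needs no custom endpoint URL.
resource "aws_vpc_endpoint" "codepipeline" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.codepipeline"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.codepipeline_endpoint.id]
  private_dns_enabled = true
}

# Gateway endpoint: CodePipeline hands Jenkins its input artifacts (and
# receives output artifacts) through the pipeline's S3 artifact bucket,
# so S3 must be reachable from the private route table as well.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [var.private_route_table_id]
}
```

Two things the endpoints alone do not cover: the Jenkins instance still needs an IAM role allowing it to poll CodePipeline jobs and read/write the artifact bucket, and a Node.js build that runs `npm install` still needs a path to the npm registry (a NAT gateway or an egress proxy in the public subnet), because VPC endpoints only carry traffic to AWS services. A "private subnet" here means one whose route table has no `0.0.0.0/0` route to an internet gateway; check that before placing the instance.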