I'm reading up on AWS VPCs and subnets and I have a few related scenarios I'm unsure about.
Say my app backend consists of:
- public-service
- public-service; we'll call these the private-services; I assume these would go in a private subnet since nothing from the outside world is communicating directly to them

It sounds like I need to create a public subnet that contains:
- the load balanced EC2 instances for the public-service and all the respective "stuff" that goes along with that (balancer listeners, balancer target groups, security groups, etc.); and
- a NAT gateway so that when the public-service makes a call to a private-service, the response coming back from it can maintain a connection to the public-service

Is my understanding here correct? Either way, what types of AWS resources are needed to allow public-service in a public subnet to talk to private-services in a private subnet? I've heard of "network ACLs" and wonder if they come into play here at all, or would it be accomplished via routes on a routing table?
the load balanced EC2 instances for the public-service and all the respective "stuff" that goes along with that (balancer listeners, balancer target groups, security groups, etc.);
Not really. Only the load balancer absolutely needs to be in the public subnet. Traffic between public and private subnets within the same VPC is entirely open by default. It's traffic between your VPC and the Internet that you need to be thinking about here, and that only happens at your load balancer.
a NAT gateway so that when the public-service makes a call to a private-service, the response coming back from it can maintain a connection to the public-service
No, that is not at all what a NAT gateway is used for. A NAT Gateway is not used at all for communication between public and private subnets. A NAT Gateway is only needed to allow things in private subnets to access the Internet. For example if your EC2 instance in a private subnet needed to download a file from the Internet, then that subnet would need a route to a NAT Gateway in order for that to work.