chrismalan (38)
If one wants a database in one subnet and the application in the other, one has to have the two subnets in different availability zones. One should not accept the default choice of 'any availability zone' or words to that effect. They will be created in the same availability zone. That will prevent a database being created in one and the application in the other. Explicitly choose different availability zones.

Also, before starting with the wizard one should be sure to have an Elastic IP Address. You will be asked for this during creation.
David Clinton (73)
You have a very good point. Still, I may be wrong, but I believe there isn't much of a design weakness with having a single DB instance in the same availability zone as a single compute instance - as long as they're in separate (public and private) subnets. Access will be controlled and, since there is only one instance of each, you don't get high availability in any case. Where multiple subnets are critical is where you've got resource replication...which I discuss a bit later in the chapter.

Good catch on the Elastic IP.
chrismalan (38)
Hi David, Amazon won't let you create the database from the console if your two subnets are in the same availability zone. In their documentation, they tell you to create a third subnet in a different zone. I don't know about the CLI.

A NAT gateway created from an elastic IP address is very expensive. 4.5c US/hr. I'm going to create a T2Micro NAT instance. It's not good for big downloads from a site, but I don't have that. It's about 1/3 of the price. Here are two links showing how to do it: and
David Clinton (73)
Are you sure you need a NAT gateway? In the old days (i.e., a year or so back, before NAT instances existed), you could usually connect to resources within private availability zones through clever use of security group policies, bastion hosts, or VPNs. What are you trying to do?
chrismalan (38)
Hi David, No, you don't need a NAT gateway. However, the wizard automatically creates it for you. I've deleted mine and removed it from the relevant routing table and everything works fine. To mysql into the database from a terminal window, I have to ssh into the EC2 instance running in the public subnet and from there mysql into the database. It doesn't work from my computer even though RDS is set to be publicly accessible. I might as well set it to not publicly accessible.

What I'm trying to do, and have done by now, is the web application in the EC2 instance in the public subnet and the database in the RDS instance in the private subnet. Works fine. You can look at it at So far, it's empty. Just the main images get picked randomly from the database - about 32 of them. The redirecting from http to https was a bit of a hassle. I'm sure it won't persist in newly created instances created to cater for heavier usage. The file is newly created with every restart. Even an AMI from the changed EC2 instance didn't do it. But for now, it works fine.

I don't know what to call this automatic creation of an expensive NAT gateway in the wizard. 'Honest' is definitely not a candidate. However, it can be deleted, as I've done.
David Clinton (73)
Yikes. I think this business of automatically creating a NAT instance (and m1.small, no less) is relatively new. They do mention it on the Wizard page, but it's strange...why funnel all users into such an expensive option? I'll have to add a note to the chapter.
Your site looks good and you're obviously working steadily through the technical issues you're facing. Are you using Apache to handle your certificates? Perhaps you could load updated cert and config files from an S3 bucket...
chrismalan (38)
Hi David, Amazon gouges one with the NAT gateway, but then they give certificates away free. One attaches the certificate to the load balancer. It's really easy. My site is a Grails (don't know if you've ever heard of it) site. It's really Java. So, it's Apache -> Tomcat -> the application. Sounds slow, but the site is really quite fast. Once there's data in it, the Ajax queries return results very fast. Elastic Beanstalk recreates a file, /etc/httpd/conf.d/elasticbeanstalk/00_application.conf every time the app server is restarted. It's an Apache file. One adds only four lines to it. But they are lost with restarts. These are the first few lines containing all the additional lines:
# Elastic Beanstalk Managed
LoadModule rewrite_module modules/
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule . https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]

Sooner or later I'll find out what's needed to make the changes persistent.
David Clinton (73)
It may be possible to script the changes you need through Beanstalk using ebextensions. Or perhaps through a plain old Bash script (invoking sed and/or awk).
Looks like an excellent project - if only for the tremendous skills you're learning!
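The "plain old Bash script" route mentioned above, sketched as an added example that is not part of either poster's messages: it re-inserts the three rewrite lines quoted earlier into a regenerated vhost file, and running it again changes nothing. The function name `ensure_https_redirect` is hypothetical; it assumes mod_rewrite is already loaded and that the file contains a `<VirtualHost *:80>` line as in the excerpt posted above.

```shell
#!/bin/sh
# Added example: idempotently restore the HTTP->HTTPS redirect in an Apache
# vhost file that gets regenerated. Directives are the ones quoted in the thread.

MARKER='RewriteCond %{HTTP:X-Forwarded-Proto} =http'

# ensure_https_redirect FILE
# returns 0 = redirect present (already there or just inserted)
#         2 = FILE missing, 3 = no <VirtualHost *:80> block, 1 = write failure
ensure_https_redirect() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }

    # Already patched: leave the file untouched so repeated runs are harmless.
    if grep -qF "$MARKER" "$conf"; then
        return 0
    fi

    # Refuse to guess where the rules belong if there is no port-80 vhost.
    grep -q '^[[:space:]]*<VirtualHost \*:80>' "$conf" || {
        echo "no <VirtualHost *:80> in $conf" >&2
        return 3
    }

    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    # Copy every line; right after the first port-80 vhost opener, add the rules.
    awk '
        { print }
        /^[ \t]*<VirtualHost \*:80>/ && !ins {
            print "  RewriteEngine On"
            print "  RewriteCond %{HTTP:X-Forwarded-Proto} =http"
            print "  RewriteRule . https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]"
            ins = 1
        }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Write back through the original path so owner and mode are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Optional stand-alone use: sh script.sh /path/to/vhost.conf
if [ $# -gt 0 ]; then
    ensure_https_redirect "$1"
fi
```

Because the condition matches only when `X-Forwarded-Proto` is `http`, requests the load balancer received over HTTPS pass through without a redirect loop.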
chrismalan (38)
Hi David, Thanks for this. The .ebextensions was the way to go. Now it works.
chrismalan (38)
Hi David,
This http to https redirection is really easy once one knows how to do it. The right information spans many pages. Finding that is not so easy. I created a small 'how-to' at
David Clinton (73)
I'll bookmark that how-to.