{"id":27440,"date":"2025-02-27T22:17:46","date_gmt":"2025-02-27T21:17:46","guid":{"rendered":"https:\/\/blog.mi.hdm-stuttgart.de\/?p=27440"},"modified":"2025-02-27T22:18:33","modified_gmt":"2025-02-27T21:18:33","slug":"how-i-improved-the-network-security-of-my-live-chat-application-architecture-on-aws","status":"publish","type":"post","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2025\/02\/27\/how-i-improved-the-network-security-of-my-live-chat-application-architecture-on-aws\/","title":{"rendered":"How I Improved the Network Security of My Live Chat Application Architecture on AWS"},"content":{"rendered":"\n<p>In an increasingly connected world, the need for robust security measures for cloud infrastructures is constantly growing. Applications that are accessible over the internet must be secured in a way that prevents unnecessary exposure of sensitive backend components. A fully public Virtual Private Cloud (VPC) architecture may be sufficient for a quick start, but it comes with a significant risk: every service is potentially reachable from the outside, which needlessly enlarges the attack surface.<\/p>\n\n\n\n<p>AWS provides best practices to mitigate these risks, including dividing the VPC into public and private subnets [1]:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Public Subnets<\/strong>: For resources that need direct internet access, such as load balancers or bastion hosts. These subnets have a route to an Internet Gateway (IGW) and are secured using Security Groups and Network ACLs (NACLs).<\/li>\n\n\n\n<li><strong>Private Subnets<\/strong>: For internal components such as ECS tasks, databases, or backend services. These have no route to the Internet Gateway; outbound access, for example to pull container images or call external APIs, goes through a NAT Gateway or NAT instance, which does not accept connections initiated from the internet. 
Access is controlled with explicit allow rules in Security Groups and NACLs.<\/li>\n<\/ul>\n\n\n\n<p>In this blog post, I will explain how I gradually restructured my existing, fully public AWS network architecture. The goal was to create a secure setup that combines public and private subnets to better protect internal systems from unwanted access. I will discuss the motivation behind this change, describe the initial state of the architecture, and explain the specific modifications I implemented to make my live chat application more secure and future-proof.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Current State<\/h2>\n\n\n\n<p>Currently, my live chat application is based on a simple but poorly secured network architecture (Figure 1): All resources are within a Virtual Private Cloud (VPC) and operate exclusively in a public subnet. The Application Load Balancer (ALB) is directly connected to the internet and routes incoming requests to my ECS Fargate service, which also runs in this public subnet.<\/p>\n\n\n\n<p>This setup enables a quick and easy deployment but presents several security risks. Since the entire application runs in a public subnet, every component has a route to the Internet Gateway and, with the public IP address that Fargate tasks in a public subnet need for their own outbound traffic, is itself addressable from the internet. While this simplifies access and communication, it also creates a major weakness: the backend tasks are exposed directly, not only through the load balancer.<\/p>\n\n\n\n<p>To regulate incoming traffic, I currently use a security group that allows only the necessary ports: port 3000 for the live chat service and port 80 for the ALB. However, both ports are open to all public traffic (0.0.0.0\/0), so a client that knows a task's public IP can talk to the chat service on port 3000 without going through the ALB, and the ALB itself listens only on port 80, i.e. unencrypted HTTP. In addition, IAM roles and policies ensure that ECS tasks run correctly and that CloudFront can access S3 content to serve static files. IAM does not restrict network reachability, though, so despite these measures the backend remains unnecessarily exposed.<\/p>\n\n\n\n<p>With the upcoming transition to a new architecture, I aim to address this weakness. 
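<\/p>\n\n\n\n<p>A quick offline check makes this exposure measurable, and the same check verifies the target design in which only the ALB is reachable from the internet and only the ALB's Security Group may reach the tasks. The script below is an added example and not code from the original post. It evaluates dictionaries in the shape boto3 returns from ec2.describe_security_groups()[\"SecurityGroups\"] and ec2.describe_route_tables()[\"RouteTables\"], so it can be pointed at a live account; the group, subnet and gateway IDs it ships with are constructed stand-ins for the old single-group setup and for the intended ALB-to-tasks layout, not values from the author's account.<\/p>\n\n\n\n

```python
"""Offline audit of the security groups and route tables behind an ALB -> ECS design.

Added example for this post, not the author's code. Inputs follow the shape boto3
returns from ec2.describe_security_groups()["SecurityGroups"] and
ec2.describe_route_tables()["RouteTables"]; every ID and CIDR below is constructed
for illustration and does not come from the author's account.
"""
from typing import Dict, Iterable, List

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def _world_sources(rule: Dict) -> List[str]:
    """CIDR sources in an ingress rule that mean 'the whole internet'."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in (ANY_V4, ANY_V6)]


def _is_tcp_port(rule: Dict, port: int) -> bool:
    return rule.get("IpProtocol") == "tcp" and rule.get("FromPort") == port == rule.get("ToPort")


def check_edge_group(group: Dict, edge_ports: Iterable[int] = (80, 443)) -> List[str]:
    """The ALB group may be world-reachable, but only on its listener ports."""
    findings = []
    for rule in group.get("IpPermissions", []):
        world = _world_sources(rule)
        if world and not any(_is_tcp_port(rule, p) for p in edge_ports):
            findings.append(f"{group['GroupId']}: {rule.get('IpProtocol')}/{rule.get('FromPort')}"
                            f"-{rule.get('ToPort')} open to {world}; only {tuple(edge_ports)} belong on the ALB")
    return findings


def check_app_group(group: Dict, alb_sg: str, app_port: int) -> List[str]:
    """The task group must admit app_port from the ALB's group ID and nothing else."""
    findings, alb_rule_present = [], False
    for rule in group.get("IpPermissions", []):
        world = _world_sources(rule)
        if world:
            findings.append(f"{group['GroupId']}: port {rule.get('FromPort')} reachable from {world}; "
                            "clients can bypass the ALB")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] == alb_sg and _is_tcp_port(rule, app_port):
                alb_rule_present = True
            else:
                findings.append(f"{group['GroupId']}: unexpected source {pair['GroupId']} "
                                f"on port {rule.get('FromPort')}")
    if not alb_rule_present:
        findings.append(f"{group['GroupId']}: no rule 'tcp/{app_port} from {alb_sg}'; "
                        "the ALB-only path is not configured")
    return findings


def audit_security_groups(groups: List[Dict], alb_sg: str, app_sg: str, app_port: int) -> List[str]:
    """Empty result means: the internet reaches the ALB only, and the ALB alone reaches the tasks."""
    by_id = {g["GroupId"]: g for g in groups}
    findings = check_edge_group(by_id[alb_sg]) + check_app_group(by_id[app_sg], alb_sg, app_port)
    if alb_sg == app_sg:
        findings.append(f"{alb_sg}: ALB and tasks share one group, so every listener port is open on the tasks too")
    return findings


def audit_route_tables(route_tables: List[Dict], private_subnets: Iterable[str]) -> List[str]:
    """A private subnet's default route must point at a NAT gateway, never at an IGW."""
    findings, private, covered = [], set(private_subnets), set()
    for table in route_tables:
        subnets = {a["SubnetId"] for a in table.get("Associations", []) if "SubnetId" in a} & private
        covered |= subnets
        defaults = [r for r in table.get("Routes", []) if r.get("DestinationCidrBlock") == ANY_V4]
        for subnet in sorted(subnets):
            if not defaults:
                findings.append(f"{subnet}: no default route; tasks cannot reach ECR or external APIs")
            for route in defaults:
                target = route.get("GatewayId") or route.get("NatGatewayId") or "?"
                if target.startswith("igw-"):
                    findings.append(f"{subnet}: default route via {target}; a private subnet must use a NAT gateway")
    for subnet in sorted(private - covered):
        findings.append(f"{subnet}: no explicit route table association; it inherits the VPC's main table")
    return findings


# Constructed sample data (illustrative IDs, not the author's account).
_OPEN = {"IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}
OLD_GROUPS = [{"GroupId": "sg-old", "IpPermissions": [       # one group shared by ALB and tasks
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, **_OPEN},
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000, **_OPEN},
]}]
NEW_GROUPS = [
    {"GroupId": "sg-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, **_OPEN},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, **_OPEN},
    ]},
    {"GroupId": "sg-ecs", "IpPermissions": [                 # 3000 from the ALB group ID only
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
    ]},
]
NEW_ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": ANY_V4, "GatewayId": "igw-0example"}]},
    {"Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": ANY_V4, "NatGatewayId": "nat-0example"}]},
]
PRIVATE_SUBNETS = ("subnet-priv-a", "subnet-priv-b")

if __name__ == "__main__":
    for label, groups, alb, app in (("old", OLD_GROUPS, "sg-old", "sg-old"),
                                    ("new", NEW_GROUPS, "sg-alb", "sg-ecs")):
        for line in audit_security_groups(groups, alb, app, 3000) or ["no findings"]:
            print(f"[{label} groups] {line}")
    for line in audit_route_tables(NEW_ROUTE_TABLES, PRIVATE_SUBNETS) or ["no findings"]:
        print(f"[new routes] {line}")
```

\n\n\n\n<p>Run as a script, the old single-group layout produces five findings (port 3000 open to the world, the ALB-only path missing, and the shared group), while the new group pair and the new route tables produce none. The check keys on the ALB's group ID as the source rather than on the ALB's addresses, because load balancer nodes change IPs and a CIDR rule would either break or have to be far too wide.<\/p>\n\n\n\n<p>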
By separating public and private subnets, internal services can be shielded from direct external access, and only the necessary traffic is admitted through the public entry point. This will significantly improve the security architecture of my live chat application and create a clearer structure: a public frontend remains accessible, while backend components such as the Fargate tasks reside in private subnets.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdjw5PZgWGBeSo5NsdtuIoBS6jatOkErIRqv2Y8bS0eDz8g0P_0f-JZEm6pHQ0HI-rHoOBk_uO-sfmdEZoVdwvwqs5Qe1DuO6B2nvN2S8oA4TAmbECetTTCt0hVozIlGRLX7Vb9?key=qc56uw1jVzgYexseKjzgGIxX\" alt=\"\" \/><figcaption class=\"wp-element-caption\">Figure 1: Old Architecture<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">New Architecture<\/h2>\n\n\n\n<p>To close these security gaps, I implemented a new structure that separates public and private subnets (Figure 2):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Load Balancer in Public Subnets<\/strong>: The ALB remains in the public subnets and continues to be reachable through the Internet Gateway. These subnets are configured to automatically assign public IP addresses to resources launched in them.<\/li>\n\n\n\n<li><strong>Backend Services in Private Subnets<\/strong>: The ECS tasks running my backend now operate in private subnets, which have no route to the Internet Gateway. They can only initiate outbound traffic via a NAT Gateway, for example to pull container images or call external APIs. Inbound traffic reaches the backend only through the ALB, and the tasks no longer need a public IP address.<\/li>\n\n\n\n<li><strong>Targeted Access Control with Security Groups<\/strong>: A Security Group for the ALB allows inbound traffic from the internet on ports 80 and 443 only. 
The Security Group for the ECS tasks allows the application port (3000) only from the ALB's Security Group, referenced by its group ID rather than by a CIDR range, so direct access from the internet is blocked and the tasks cannot be reached by bypassing the load balancer.<\/li>\n\n\n\n<li><strong>Routing and NAT Gateway<\/strong>: Public subnets route their internet traffic through the Internet Gateway, while private subnets send outbound traffic through a NAT Gateway located in a public subnet. This setup allows private services to access the internet without being directly reachable themselves. The NAT Gateway only removes inbound reachability, though: what the tasks may connect to outbound is still governed by the egress rules of their Security Group, which AWS leaves fully open by default.<\/li>\n<\/ul>\n\n\n\n<p>An additional optional step to enhance security is placing AWS WAF in front of the load balancer. A web ACL attached to the ALB can block common Layer-7 attack patterns, enforce IP allow- or deny-lists, and rate-limit requests per client IP.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXe7C1yGuo2en4pr4QagtYY28cgJmUsruvzjp-ps9CH5mD7-4k1lv3AkYB_atXpQ0y5LBJ6VYyu4AuvgjKzWzV6kkEecEbnk--9kQYFrdeCxR7Podra-XunG52A-8AZZStcZVRV3?key=qc56uw1jVzgYexseKjzgGIxX\" alt=\"\" \/><figcaption class=\"wp-element-caption\">Figure 2: New Architecture<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>By transitioning to a combination of public and private subnets, I have significantly increased the security of my live chat application:<\/p>\n\n\n\n<p>\u2705 Backend services are no longer directly accessible from the internet<br>\u2705 Reduced attack surface<br>\u2705 Clear separation between public and internal components<br>\u2705 Targeted control over network traffic<\/p>\n\n\n\n<p>With these adjustments, my infrastructure is now far more resilient to potential attacks and better prepared for the future.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">References<\/h2>\n\n\n\n<p>[1] <a 
href=\"https:\/\/docs.aws.amazon.com\/vpc\/latest\/userguide\/vpc-security-best-practices.html\">https:\/\/docs.aws.amazon.com\/vpc\/latest\/userguide\/vpc-security-best-practices.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In an increasingly connected world, the need for robust security measures for cloud infrastructures is constantly growing. Applications that are accessible over the internet must be secured in a way that prevents unnecessary exposure of sensitive backend components. A fully public Virtual Private Cloud (VPC) architecture may be sufficient for a quick start, but it [&hellip;]<\/p>\n","protected":false},"author":1254,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[120,2],"tags":[84,7,419,424,575],"ppma_author":[1090],"class_list":["post-27440","post","type-post","status-publish","format-standard","hentry","category-cloud-technologies","category-system-engineering","tag-aws","tag-cloud","tag-load-testing","tag-system-engineering-and-management","tag-websocket"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":22151,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2022\/02\/22\/designing-and-implementing-a-scalable-web-application\/","url_meta":{"origin":27440,"position":0},"title":"Designing the framework for a scalable CI\/CD supported web application","author":"Danial Eshete","date":"22. February 2022","format":false,"excerpt":"Documentation of our approaches to the project, our experiences and finally the lessons we learned. The development team approaches the project with little knowledge of cloud services and infrastructure. Furthermore, no one has significant experience with containers and\/or containerized applications. 
However, the team is well experienced in web development and\u2026","rel":"","context":"In &quot;Allgemein&quot;","block_context":{"text":"Allgemein","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/allgemein\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2022\/02\/Design_Desktop_Logged_In-3-150x150.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2022\/02\/Design_Desktop_Logged_In-3-150x150.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2022\/02\/Design_Desktop_Logged_In-3-150x150.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2022\/02\/Design_Desktop_Logged_In-3-150x150.jpg?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2022\/02\/Design_Desktop_Logged_In-3-150x150.jpg?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2022\/02\/Design_Desktop_Logged_In-3-150x150.jpg?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":24051,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2023\/02\/27\/fog-computing-solving-the-limitations-of-cloud-and-edge-computing\/","url_meta":{"origin":27440,"position":1},"title":"Fog Computing: Solving the limitations of Cloud and Edge Computing","author":"Andreas Nicklaus","date":"27. February 2023","format":false,"excerpt":"Fog computing offers a compromise between cloud and edge computing for real-time, scalable data analysis. Ideal for regional applications and IoT. 
However, authentication and privacy issues must be addressed.","rel":"","context":"In &quot;Allgemein&quot;","block_context":{"text":"Allgemein","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/allgemein\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2023\/08\/edge-computing-diagram-1024x512.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2023\/08\/edge-computing-diagram-1024x512.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2023\/08\/edge-computing-diagram-1024x512.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2023\/08\/edge-computing-diagram-1024x512.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":28282,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2026\/02\/22\/building-a-cloud-native-web-application-for-case-based-file-sharing-on-aws\/","url_meta":{"origin":27440,"position":2},"title":"Developing a cloud-native web application for case-based file sharing on AWS","author":"Philipp Treupel","date":"22. February 2026","format":false,"excerpt":"Motivation Professional file sharing is a significant challenge in sectors such as healthcare, insurance, and consulting. Practitioners routinely need to exchange sensitive documents with clients, yet existing solutions such as Google Drive and OneDrive can quickly become disorganized when managing multiple cases. 
Users struggle with scattered links, having to manually\u2026","rel":"","context":"In &quot;Cloud Technologies&quot;","block_context":{"text":"Cloud Technologies","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/scalable-systems\/cloud-technologies\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2026\/02\/user-journey-essencis-en.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2026\/02\/user-journey-essencis-en.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2026\/02\/user-journey-essencis-en.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2026\/02\/user-journey-essencis-en.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2026\/02\/user-journey-essencis-en.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2026\/02\/user-journey-essencis-en.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":27618,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2025\/02\/28\/crowdconnect-developing-a-scalable-live-chat-application-with-aws-cloud-services\/","url_meta":{"origin":27440,"position":3},"title":"CrowdConnect &#8211; Developing a Scalable Live Chat Application with AWS Cloud Services","author":"Jannik Scheider","date":"28. February 2025","format":false,"excerpt":"Imagine you're developing a live chat application in the cloud that needs to serve a growing number of users simultaneously and in real time across multiple chat rooms. Sounds like a challenge? It is. 
But with proven approaches and valuable insights from real-world experience, this task can be successfully and\u2026","rel":"","context":"In &quot;Cloud Technologies&quot;","block_context":{"text":"Cloud Technologies","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/scalable-systems\/cloud-technologies\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2025\/02\/image-14.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2025\/02\/image-14.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2025\/02\/image-14.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":12032,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2020\/09\/30\/admin-panel-web-app-in-der-aws-cloud\/","url_meta":{"origin":27440,"position":4},"title":"Admin Panel (Web App) in der AWS Cloud","author":"ss447","date":"30. September 2020","format":false,"excerpt":"1. Introduction As part of the lecture \u201cSoftware Development for Cloud Computing\u201d, we as a group decided to continue working on a startup project, building on a partially existing code base. 
Our main focus was on expanding the DevOps aspects and on building a stable and secure system which also in the\u2026","rel":"","context":"In &quot;Cloud Technologies&quot;","block_context":{"text":"Cloud Technologies","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/scalable-systems\/cloud-technologies\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/qw9ZkWnvR4M\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":27142,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2025\/02\/27\/entwicklung-eines-skalierbaren-file-share-services-mit-aws\/","url_meta":{"origin":27440,"position":5},"title":"Entwicklung eines skalierbaren File-Share-Services mit AWS","author":"Max Tyrchan","date":"27. February 2025","format":false,"excerpt":"tl;dr: Our semester project consisted of building a scalable file-share solution on AWS based on NextCloud. Our motivation was to gain full control over our own data, allow individual customization and achieve cost efficiency. 
Clear goals were defined in the areas of availability, performance, security and scalability,\u2026","rel":"","context":"In &quot;System Engineering&quot;","block_context":{"text":"System Engineering","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/system-designs\/system-engineering\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2025\/02\/logo_nextcloud_blue-2.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2025\/02\/logo_nextcloud_blue-2.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2025\/02\/logo_nextcloud_blue-2.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2025\/02\/logo_nextcloud_blue-2.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2025\/02\/logo_nextcloud_blue-2.png?resize=1050%2C600&ssl=1 3x"},"classes":[]}],"jetpack_sharing_enabled":true,"authors":[{"term_id":1090,"user_id":1254,"is_guest":0,"slug":"jannik_scheider","display_name":"Jannik 
Scheider","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/2299342013a9b19a47913cf7ea2b0b47ac6572b985f9e7397c5e9f7b3779080a?s=96&d=mm&r=g","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts\/27440","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/users\/1254"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/comments?post=27440"}],"version-history":[{"count":2,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts\/27440\/revisions"}],"predecessor-version":[{"id":27445,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts\/27440\/revisions\/27445"}],"wp:attachment":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/media?parent=27440"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/categories?post=27440"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/tags?post=27440"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/ppma_author?post=27440"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}