The answer is Bastion Host.

1. Create a VPC.
2. Create two subnets (they can be in the same AZ or different). Name them public-subnet and private-subnet. Technically, both are private now. Linking them with an Internet Gateway via a Route table makes them public.
3. Associate a Route table with public-subnet with the following routes:
   That means, if a request is made from an instance in this subnet to an IP in the CIDR range of 172.31.0.0/16, the traffic should be redirected to the VPC's default route, i.e., it is a completely local communication within the VPC. If the request destination is Anywhere (0.0.0.0/0), the traffic should be redirected to the Internet Gateway. Now, the public-subnet is PUBLIC in all senses (as it is connected to the Internet Gateway).
4. Add Web servers (EC2 instances) in this public-subnet (recommended).
5. Add a NAT Gateway in this public-subnet.
6. Associate a Route table with private-subnet with the following routes:
   That means, if a request is made from an instance in this subnet to an IP in t...
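The route-table logic described in the answer above, as an added example that is not part of the original post: a small model of AWS route evaluation (longest-prefix match) over the three route tables the design implies (public subnet with a default route to an Internet Gateway, private subnet with a default route to a NAT Gateway, and an isolated subnet with only the local route). The VPC CIDR 172.31.0.0/16 comes from the answer; the gateway IDs, the private-subnet range and the test addresses are constructed placeholders. It shows why 172.31.x.x traffic stays local even though 0.0.0.0/0 also matches, and why a bastion in the public subnet can reach private instances while those instances get outbound-only internet access through the NAT.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR block, e.g. "172.31.0.0/16"
    target: str       # "local", an igw-* id or a nat-* id


VPC_CIDR = "172.31.0.0/16"  # from the answer

# Hypothetical gateway IDs (placeholders, not real resources).
IGW_ID = "igw-PLACEHOLDER"
NAT_ID = "nat-PLACEHOLDER"

# Route tables as the answer describes them.
PUBLIC_ROUTES = [Route(VPC_CIDR, "local"), Route("0.0.0.0/0", IGW_ID)]
PRIVATE_ROUTES = [Route(VPC_CIDR, "local"), Route("0.0.0.0/0", NAT_ID)]
ISOLATED_ROUTES = [Route(VPC_CIDR, "local")]  # no default route at all


def resolve(routes: List[Route], dst_ip: str) -> Optional[str]:
    """Return the target AWS would pick for dst_ip: the most specific
    (longest-prefix) matching route wins, so the /16 local route beats
    0.0.0.0/0 for in-VPC destinations. None means no route (dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    best: Optional[Route] = None
    best_len = -1
    for r in routes:
        net = ipaddress.ip_network(r.destination)
        if ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best.target if best else None


def classify_subnet(routes: List[Route]) -> str:
    """Public only if the default route points at an Internet Gateway;
    private if it points at a NAT (outbound only); isolated otherwise."""
    default = resolve(routes, "203.0.113.1")  # any non-VPC address (TEST-NET)
    if default is None:
        return "isolated"
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private"
    return "other"


def reachable_from_internet(routes: List[Route]) -> bool:
    """Unsolicited inbound connections need a return path via an IGW;
    a NAT Gateway only relays connections the instance started."""
    return classify_subnet(routes) == "public"


if __name__ == "__main__":
    # Constructed addresses: a private-subnet instance and an external host.
    private_host = "172.31.128.5"
    external_host = "203.0.113.10"
    print("bastion -> private instance:", resolve(PUBLIC_ROUTES, private_host))
    print("private instance -> internet:", resolve(PRIVATE_ROUTES, external_host))
    for name, tbl in [("public", PUBLIC_ROUTES), ("private", PRIVATE_ROUTES),
                      ("isolated", ISOLATED_ROUTES)]:
        print(f"{name}: {classify_subnet(tbl)}, "
              f"inbound from internet: {reachable_from_internet(tbl)}")
```

The practical check this encodes: an instance that should only be reached through the bastion must sit in a subnet whose route table has no igw-* default route, otherwise it is public regardless of what the subnet is named.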