AWS Single-AZ Web Architecture with Bastion

aws · architecture diagram.

About This Architecture

This single-AZ web architecture combines CloudFront CDN, WAF protection, and a bastion host access pattern for secure AWS deployments. Users connect through CloudFront for static content delivery via S3, while WAF filters traffic before it reaches the Internet Gateway. The bastion host in the public subnet provides secure SSH access to application servers in the private subnet, which communicate with RDS databases in an isolated data layer. This design demonstrates defense-in-depth with network segmentation across three subnets within a single availability zone. Fork and customize this diagram on Diagrams.so to adapt subnet sizing, instance types, or add multi-AZ redundancy for production workloads.

People also ask

How do I design a secure AWS web application with a bastion host and private database in a single availability zone?

This diagram shows a single-AZ AWS architecture where CloudFront and WAF protect inbound traffic, a bastion host in the public subnet provides secure administrative access, and application servers in a private subnet communicate with RDS databases in an isolated data subnet. This layered approach implements defense-in-depth and least-privilege access patterns.
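The segmentation described above can be checked mechanically. The following is an added example, not part of the original diagram page: it audits a set of ingress rules against the bastion, app and data tiers. The security group names, the PostgreSQL port, the admin CIDR, and the policy that private tiers accept only group-to-group references are all assumptions, and the rule set is constructed sample data.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    group: str   # security group receiving the traffic
    port: int
    source: str  # CIDR block or the name of another security group

BASTION, APP, DB = "bastion-sg", "app-sg", "db-sg"  # hypothetical group names
SSH_PORT, DB_PORT = 22, 5432                         # DB port assumes PostgreSQL

def is_cidr(source):
    """True when the source is an IP network rather than a group reference."""
    try:
        ipaddress.ip_network(source)
        return True
    except ValueError:
        return False

def audit(rules):
    """Return (rule, reason) pairs for rules that break the three-tier pattern."""
    findings = []
    for r in rules:
        if r.group == BASTION:
            if r.port != SSH_PORT:
                findings.append((r, "bastion should expose only SSH"))
            elif is_cidr(r.source) and ipaddress.ip_network(r.source).prefixlen == 0:
                findings.append((r, "bastion SSH open to the whole internet"))
        elif r.group == APP:
            if is_cidr(r.source):
                findings.append((r, "private app tier admits a raw CIDR"))
            elif r.port == SSH_PORT and r.source != BASTION:
                findings.append((r, "app SSH must come only from the bastion"))
        elif r.group == DB:
            if r.source != APP or r.port != DB_PORT:
                findings.append((r, "data tier must admit only the app tier on the DB port"))
    return findings

# Constructed sample rules: three follow the design, three violate it.
RULES = [
    Rule(BASTION, 22, "203.0.113.0/24"),  # admin CIDR (documentation range)
    Rule(APP, 22, BASTION),
    Rule(DB, 5432, APP),
    Rule(BASTION, 22, "0.0.0.0/0"),
    Rule(APP, 22, "0.0.0.0/0"),
    Rule(DB, 5432, BASTION),
]

if __name__ == "__main__":
    for rule, reason in audit(RULES):
        print(f"{rule.group}:{rule.port} <- {rule.source}: {reason}")
```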

Tags: AWS, intermediate, VPC, bastion-host, CloudFront, WAF, RDS
Domain: Cloud Aws
Audience: AWS solutions architects designing secure, single-AZ web applications

Created: April 6, 2026
Updated: April 6, 2026 at 8:18 PM
Type: architecture
