AWS Apache in Public and Tomcat in Private Subnets

1

I am going for a typical web application deployment in AWS using public and private subnets in my custom VPC. I have the below setup done already...

1) Public subnet with an ec2 instance running apache web server.

2) Private subnet with an ec2 instance running tomcat app server.

3) AWS RDS MySQL instance is created with its publicly accessible flag set to NO and is available only within our VPC.

4) NAT instance which also doubles up as bastion host for private ec2 instances.

5) With all my NACL and Security Group settings the below is working fine.

  • I am able to ssh to the private ec2 instance from my public NAT ec2 instance.

  • Private ec2 instances are also able to connect to the internet for updates.

  • Private Tomcat server is able to access the AWS RDS MySQL database.

  • From my public web server I am able to send a curl HTTP POST request to the private Tomcat server and data is returned back.

Issue: We have our presentation layer deployed in the public server within Apache, and from the application, when the same request is sent, I am getting an error in Chrome -- net::ERR_CONNECTION_TIMED_OUT. In IE 11 I am getting -- XMLHttpRequest: Network Error 0x80070005, Access is denied.

Things I have tried so far: enabled access origin headers and allowed the necessary headers, have set loglevel to debug in Apache but I don't see anything there. It looks like the request itself is not reaching the app server. It's confusing: when the curl POST request is going through, how come the Apache request is not going through?

Please provide inputs to move forward. Thanks

Public Route
Destination    Target    Status   Propagated
45.0.0.0/16    local     Active   No
0.0.0.0/0      IGW       Active   No

Private Route
Destination    Target    Status   Propagated
45.0.0.0/16    local     Active   No
0.0.0.0/0      NAT ENI   Active   No

Public NACL Inbound
Rule#   Type           Protocol   Port Range   Source      Allow/Deny
100     ALL            ALL        ALL          0.0.0.0/0   ALLOW
110     HTTP* (8080)   TCP (6)    8080         0.0.0.0/0   ALLOW

Public NACL Outbound
Rule#   Type           Protocol   Port Range   Destination   Allow/Deny
100     ALL            ALL        ALL          0.0.0.0/0     ALLOW
110     HTTP* (8080)   TCP (6)    8080         0.0.0.0/0     ALLOW

Private NACL Inbound
Rule#   Type           Protocol   Port Range   Source      Allow/Deny
100     ALL            ALL        ALL          0.0.0.0/0   ALLOW
110     HTTP* (8080)   TCP (6)    8080         0.0.0.0/0   ALLOW

Private NACL Outbound
Rule#   Type           Protocol   Port Range   Destination   Allow/Deny
100     ALL            ALL        ALL          0.0.0.0/0     ALLOW
110     HTTP* (8080)   TCP (6)    8080         0.0.0.0/0     ALLOW

App Server SG-Inbound
Type           Protocol   Port Range   Source
HTTP* (8080)   TCP (6)    8080         Web Server SG
HTTP* (8080)   TCP (6)    8080         NAT Server SG
SSH (22)       TCP (6)    22           NAT Server SG

App Server SG-Outbound
Type   Protocol   Port Range   Destination
ALL    ALL        ALL          0.0.0.0/0

Web Server SG-Inbound
Type        Protocol   Port Range   Source
HTTP (80)   TCP (6)    80           0.0.0.0/0
SSH (22)    TCP (6)    22           My laptop IP

Web Server SG-Outbound
Type           Protocol   Port Range   Destination
HTTP* (8080)   TCP (6)    80           App Server SG
ALL            ALL        ALL          0.0.0.0/0

Tags: java, apache, amazon-web-services, tomcat, amazon-ec2
asked on Stack Overflow May 8, 2017 by Ramesh Kumar R • edited May 9, 2017 by Ramesh Kumar R
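The symptoms in the question point at where the request originates rather than at the NACLs: curl from the web server succeeds because that instance sits inside the VPC, while the XMLHttpRequest is issued by the visitor's browser, which has no route to a private-subnet address, so Chrome waits until it times out. The usual fix in this public/private layout is to have the browser talk only to Apache and let Apache forward the application calls to Tomcat over the VPC. The following Apache 2.4 virtual host is an added example written for this page, not configuration from the question or the answer; the Tomcat private address 10.0.1.20, the path prefix /api/ and the ServerName are assumptions to replace with your own values. Because the browser then only ever sees one origin, the CORS headers the questioner enabled are no longer needed, and Tomcat stays reachable only from the Web Server and NAT security groups, exactly as the App Server SG inbound table already restricts it.

```apache
# Added example: reverse-proxy the application path from the public Apache
# instance to the Tomcat instance in the private subnet.
# Assumed values: Tomcat private IP 10.0.1.20, application context /api/.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
    ServerName   www.example.com          # assumed public hostname
    DocumentRoot /var/www/html            # static presentation layer lives here

    # Never act as an open forward proxy; only the explicit ProxyPass rules apply.
    ProxyRequests Off

    # Pass the original Host header through so Tomcat builds correct redirects.
    ProxyPreserveHost On

    # Only /api/ is forwarded to Tomcat; everything else is served locally.
    # Short connect timeout surfaces a blocked SG/NACL quickly in the logs
    # instead of leaving the browser hanging.
    ProxyPass        /api/ http://10.0.1.20:8080/api/ connectiontimeout=5 timeout=30
    ProxyPassReverse /api/ http://10.0.1.20:8080/api/

    <Location /api/>
        Require all granted
    </Location>

    # Proxy-specific logging: failures to reach Tomcat (connection refused,
    # timeout) show up here with the upstream address, which is the first
    # place to look when a security-group or NACL rule is wrong.
    ErrorLog logs/proxy_error.log
    LogLevel warn proxy:info proxy_http:info
</VirtualHost>
```

mod_proxy_http adds X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server on the forwarded request, so Tomcat can still log the real client address (with its RemoteIpValve configured to trust the web server's address). Two things in the posted tables are worth checking against this setup: the Web Server SG outbound row labelled HTTP* (8080) lists port range 80, not 8080 (the ALL/0.0.0.0/0 row currently masks that), and Tomcat's connector should listen only on the private interface, since nothing outside the VPC needs to reach port 8080 directly.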

1 Answer

0

First you need to check your Security Group rules where HTTP and HTTPS are added. After that, check the NACL inbound and outbound rules. Next, the route table, because you have private and public subnets in your VPC.

ERR_CONNECTION_TIMED_OUT occurs when the HTTP or HTTPS protocol is turned off in the Security Group or NACL.


User contributions licensed under CC BY-SA 3.0