Network architecture
The following figure shows the network architecture for a two-layer Dell APEX Block Storage for AWS deployed across multiple AZs in a single AWS region:
The figure shows how the Amazon EC2 instance network is logically separated to enable access to private and public subnets. An Amazon VPC is created in a region across three AZs. In each AZ, private and public subnets are created. A security group is also created to enable or customize inbound and outbound traffic rules. For Internet access, a NAT gateway is configured to allow and route traffic from the EC2 instances through the router that is created in the VPC.
Use public subnets for external-facing resources and private subnets for internal resources. The bastion host has access to both private and public subnets. The entire cluster is accessed through the bastion host, while the instances running the database workload stay entirely in the private subnets.
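One way to check a deployment against the layout described above, as an added example that is not part of the white paper: it classifies subnets by their default route and flags database instances that are not confined to private subnets. The sample data is constructed; the IDs, AZ names and the `Role` key are assumptions, and every subnet is assumed to have an explicit route table association.

```python
# Constructed sample data shaped like EC2 DescribeRouteTables/DescribeInstances
# output. All IDs, AZ names and the "Role" key are made up for illustration.
def route_table(rtb, target_key, target, subnets):
    return {"RouteTableId": rtb,
            "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", target_key: target}],
            "Associations": [{"SubnetId": s} for s in subnets]}

ROUTE_TABLES = [
    route_table("rtb-public", "GatewayId", "igw-example",
                ["subnet-pub-1", "subnet-pub-2", "subnet-pub-3"]),
    route_table("rtb-private", "NatGatewayId", "nat-example",
                ["subnet-priv-1", "subnet-priv-2", "subnet-priv-3"]),
]
SUBNET_AZ = {f"subnet-{kind}-{n}": f"az-{n}" for kind in ("pub", "priv") for n in (1, 2, 3)}
INSTANCES = [
    {"InstanceId": "i-bastion", "Role": "bastion", "SubnetId": "subnet-pub-1",
     "PublicIpAddress": "203.0.113.10"},
] + [{"InstanceId": f"i-db-{n}", "Role": "database", "SubnetId": f"subnet-priv-{n}"}
     for n in (1, 2, 3)]

def classify_subnets(route_tables):
    """Map SubnetId -> 'public' if its default route targets an internet gateway."""
    kinds = {}
    for rt in route_tables:
        public = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                     and r.get("GatewayId", "").startswith("igw-")
                     for r in rt["Routes"])
        for assoc in rt["Associations"]:
            if "SubnetId" in assoc:
                kinds[assoc["SubnetId"]] = "public" if public else "private"
    return kinds

def audit(route_tables, subnet_az, instances):
    """Return a list of findings; an empty list means the layout matches."""
    kinds = classify_subnets(route_tables)
    findings = []
    for az in sorted(set(subnet_az.values())):  # each AZ needs both subnet kinds
        present = {kinds.get(s) for s, a in subnet_az.items() if a == az}
        findings += [f"{az}: no {k} subnet" for k in ("public", "private") if k not in present]
    for inst in (i for i in instances if i["Role"] == "database"):
        if kinds.get(inst["SubnetId"]) != "private":
            findings.append(f"{inst['InstanceId']}: database instance outside a private subnet")
        if inst.get("PublicIpAddress"):
            findings.append(f"{inst['InstanceId']}: database instance has a public IP")
    return findings

if __name__ == "__main__":
    print(audit(ROUTE_TABLES, SUBNET_AZ, INSTANCES) or "layout matches")
```

In a real account the instance role would come from tags rather than a `Role` key, and subnets without an explicit association inherit the VPC's main route table.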