
[infra] Migrate EC2 instances to private subnets (security hardening) #222

@garciadias

Description

Overview

Rearchitect FLIP's VPC to place all application EC2 instances (Central Hub, Trust) in private subnets, with public load balancers (ALB/NLB) as the only internet-facing resources. This improves security posture by eliminating direct internet routes to application servers.

Tasks

  • Design private subnet layout (10.0.101/24, 10.0.102/24 across AZs)
  • Create/update route tables for private subnets (0.0.0.0/0 → NAT)
  • Evaluate NAT Gateway HA: single vs. multi-AZ deployment
  • Migrate Central Hub EC2 to private subnet
  • Migrate Trust EC2 to private subnet
  • Update security groups (ALB → EC2, ensure no direct IGW access)
  • Verify RDS connectivity from private subnets
  • Test health checks (ALB → EC2 still works)
  • Update Terraform code and infrastructure docs

Acceptance Criteria

  • Central Hub EC2 successfully moved to private subnet with correct security group rules
  • Trust EC2 successfully moved to private subnet with correct security group rules
  • All internet-bound outbound traffic from EC2 flows via NAT Gateway
  • Security groups verified: no inbound from 0.0.0.0/0 to EC2 ports
  • ALB health checks passing (target instances in private subnets)
  • RDS connectivity verified from private subnets (5432 open)
  • Terraform plan reviewed: no unintended resource deletions
  • NAT Gateway(s) created/updated (single or multi-AZ per decision)
  • Documentation updated with new VPC topology
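As an added illustration that is not part of this issue or of FLIP's Terraform, the following Python turns the verification items in the acceptance criteria above (default route via NAT, no inbound from 0.0.0.0/0, ALB → EC2 reachable, EC2 → RDS on 5432) into offline checks over records shaped like boto3's describe_route_tables / describe_security_groups output. The route tables, security groups, the sg-/nat-/igw- ids and the application port 8080 are constructed assumptions for the example; in practice the same functions would be fed the live responses.

```python
"""Offline checks for the private-subnet migration acceptance criteria.

Inputs are dicts shaped like boto3 EC2 describe_route_tables / describe_security_groups
records. All sample data below is constructed for illustration, not from a real account.
"""

# Constructed sample: route table associated with the private subnets after migration
PRIVATE_ROUTE_TABLE = {
    "RouteTableId": "rtb-private-example",
    "Associations": [{"SubnetId": "subnet-private-a"}, {"SubnetId": "subnet-private-b"}],
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
    ],
}

# Constructed sample: pre-migration table whose default route still hits the IGW
LEGACY_ROUTE_TABLE = {
    "RouteTableId": "rtb-legacy-example",
    "Associations": [{"SubnetId": "subnet-legacy-a"}],
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
    ],
}

ALB_SG, APP_SG, RDS_SG = "sg-alb-example", "sg-app-example", "sg-rds-example"
APP_PORT = 8080  # assumed application listener port

# Constructed sample: hardened groups (app reachable only from the ALB, RDS only from app)
SECURITY_GROUPS = [
    {"GroupId": APP_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": APP_PORT, "ToPort": APP_PORT,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]}]},
    {"GroupId": RDS_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": APP_SG}]}]},
]

# Constructed sample: a legacy app group that still exposes SSH to the world
LEGACY_APP_SG = {"GroupId": "sg-legacy-app-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}


def default_route_target(route_table):
    """Return the target id of the 0.0.0.0/0 route, or None if there is no default route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("NatGatewayId") or route.get("GatewayId")
    return None


def egress_via_nat(route_table):
    """True only when internet-bound traffic leaves through a NAT gateway (nat-*), not an IGW."""
    target = default_route_target(route_table)
    return target is not None and target.startswith("nat-")


def world_open_ingress(sg):
    """List (protocol, from_port, to_port) of rules reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            findings.append((perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")))
    return findings


def ingress_allowed_from(sg, source_sg_id, port):
    """True if `sg` accepts TCP `port` from members of security group `source_sg_id`."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        # "-1" means all protocols and carries no port range
        lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        if lo <= port <= hi and any(
            p.get("GroupId") == source_sg_id for p in perm.get("UserIdGroupPairs", [])
        ):
            return True
    return False


def check_migration(route_table, security_groups, alb_sg, app_sg, rds_sg, app_port):
    """Map each covered acceptance criterion to a pass/fail boolean."""
    by_id = {sg["GroupId"]: sg for sg in security_groups}
    return {
        "egress_via_nat": egress_via_nat(route_table),
        "no_world_open_ingress": all(not world_open_ingress(sg) for sg in security_groups),
        "alb_to_app": ingress_allowed_from(by_id[app_sg], alb_sg, app_port),
        "app_to_rds_5432": ingress_allowed_from(by_id[rds_sg], app_sg, 5432),
    }


if __name__ == "__main__":
    for name, ok in check_migration(PRIVATE_ROUTE_TABLE, SECURITY_GROUPS,
                                    ALB_SG, APP_SG, RDS_SG, APP_PORT).items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
    print("legacy route table egress via NAT:", egress_via_nat(LEGACY_ROUTE_TABLE))
    print("legacy app SG world-open rules:", world_open_ingress(LEGACY_APP_SG))
```

Each function is pure over the record dicts, so the same checks can run in CI against `terraform show -json` output translated into this shape, or against live `describe_*` responses after the migration, before the Terraform plan is approved.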

Notes

Metadata

Labels

  • aws: This feature will or is likely to be moved to AWS
  • infrastructure: Related to servers, networking, etc.
