These days if you have low traffic you can run everything on one box, but separating them is more "best practice," so if you've already done that, congratulations!
The database should not be on a public network or have a public IP address, so that only the REST app can reach it. (In fact if it were all on a single box, you'd want the db to bind only to 127.0.0.1.)
Assuming the web pages will contact the REST app via Ajax, the REST app will need a public IP and should accept connections from anywhere. But if it's the web server that hits the REST service, then as you say the REST service can be private like the database.
I think maybe you are saying "VPN" to mean what DO calls "Shared Private Networking" and AWS calls "VPC". Is that right? To most people "VPN" means an encrypted tunnel that lets you pretend to be on a LAN even if you are remote, so that is maybe why some other replies are asking questions about that.
It sounds like you are doing great so far. Good luck with the rest! :-)
The database should not be on a public network or have a public IP address, so that only the REST app can reach it. (In fact if it were all on a single box, you'd want the db to bind only to 127.0.0.1.)
Assuming the web pages will contact the REST app via Ajax, the REST app will need a public IP and should accept connections from anywhere. But if it's the web server that hits the REST service, then as you say the REST service can be private like the database.
I think maybe you are saying "VPN" to mean what DO calls "Shared Private Networking" and AWS calls "VPC". Is that right? To most people "VPN" means an encrypted tunnel that lets you pretend to be on a LAN even if you are remote, so that is maybe why some other replies are asking questions about that.
It sounds like you are doing great so far. Good luck with the rest! :-)