> I am looking at running two instances to separate the db and the web server. Is it critical to set up some kind of VPN/tunnel for them to talk, or just set the security settings based on IP address?

From my experience, you don't need a VPN. Something like what this article mentions should work just fine: http://www.cyberciti.biz/tips/how-do-i-enable-remote-access-...

For backups, you should set up your database on an EBS volume and you can then run a cron script to take snapshots on a regular basis. Could be hourly even, because it freezes the database instantly and allows it to continue operating with minimal delay. I have a 2 GB database that I snapshot in under a second. This is the ultimate article on using MySQL on EC2: http://developer.amazonwebservices.com/connect/entry.jspa?ex...

I did a two server setup on Amazon, and it was nice because you can scale up the web and db servers separately, depending on where the load is. It's also a lot easier to debug system related issues because you've already narrowed down half the possible search space. Make sure CloudWatch is enabled, because that's invaluable. I scaled up to an extra large web server and extra large high-cpu database server, and that handled up to roughly 600 req/sec for my PHP app.

For security, I'm not an expert so I can't give much advice here, but EC2 at least does a good job of restricting access on all ports by default. When you set up your servers, make sure to punch a hole in your security group for port 3306 so that MySQL can connect between the two.

I'd recommend you don't start with EC2, it's too expensive for what you get. Go to Linode or even a VPS provider. Look for the least expensive thing you can use while still operating.

Second, use something like Chef to define your operational environments so that later if you do need to move to something else you've already got the automation to do it with as little effort as possible.

I can see EC2 gets expensive for larger instances, but the micro instances make the economics more favourable. FWIW this is a low bandwidth app as well.

For testing I can spin the server up and down as I need and literally pay per-hour (+ the storage cost). As far as I can tell providers like Linode don't provide that level of flexibility.

Thanks for the suggestions about Chef (http://wiki.opscode.com/display/chef/Home) I hadn't come across it before.

If you are using EC2, expect your instances to randomly disappear and possibly not come back. I'd have a warm standby for your database and definitely have backups using either s3 or EBS. As someone else mentioned, you may be better off starting with linode or <insert favorite VPS company> and as you grow start planning on moving to ec2 if needed

I run a similar setup on the Rackspace Cloud (1 DB + 1 Web) for multiple sites. I use iptables to lock down all non-essential ports, I setup MySQL to accept connections over the private IP and, frankly, that's it. (FWIW, I use Moonshine on my Rails app to keep the config easy/repeatable.)