by jtchang 4178 days ago
Do you mean firewall and not VPN? VPN means something pretty specific.

Separate servers isn't necessarily bad. In fact it is a "best practice".

To get started if you wanted everything on one server:

  Web server with port 80 and 443 open (apache or nginx).
  Web server proxies to app server (unless you are on PHP)
  App server connects to database on specific port. Port is not exposed to outside world.

Thank you for the tip; still a bit confused (and maybe mixing up terms). If I wanted to keep the DB and App server on separate servers, would I leave them out in the open or house them in a private network?
Remove the public IP for the DB server. Keep them in one private network. You don't need a VPN. Servers in any data center are already connected into one network. You can use iptables to prevent external connections to your DB.
Generally use a private network for having your servers communicate with each other. It also makes setting up iptables to lock down access to your DB server much easier/more intuitive.
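
The DB-host lockdown the last two replies describe, as an added example that is not part of the thread: a shell function that emits an `iptables-restore` rule set admitting the database port only from the app server's private address, plus a check that flags any ACCEPT rule for that port with no source restriction. The addresses, the interface name `eth1`, port 5432 and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example. All addresses, the interface and the port are constructed.

# db_ruleset APP_IP DB_PORT PRIV_IF ADMIN_CIDR
# Print an iptables-restore rule set for the database host:
# default-deny inbound, DB port reachable only from the app server.
db_ruleset() {
    app_ip=$1 db_port=$2 priv_if=$3 admin_cidr=$4
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $priv_if -p tcp -s $app_ip --dport $db_port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $priv_if -p tcp -s $admin_cidr --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# exposed_rules PORT
# Read a rule set on stdin and print every INPUT ACCEPT rule for PORT that
# has no source restriction (or names 0.0.0.0/0). Exit status 1 if any found.
exposed_rules() {
    awk -v port="$1" '
        /^-A INPUT/ && /-j ACCEPT/ && $0 ~ ("--dport " port "( |$)") {
            if ($0 !~ / -s [0-9]/ || $0 ~ / -s 0\.0\.0\.0\/0 /) { print; bad = 1 }
        }
        END { exit bad + 0 }'
}

# Print the rule set for a constructed layout: app server 10.0.0.11,
# private interface eth1, admin SSH allowed from 10.0.0.0/24.
db_ruleset 10.0.0.11 5432 eth1 10.0.0.0/24
```

On the DB host the output can be piped to `iptables-restore --test` as root to parse it without committing, and `iptables-save | exposed_rules 5432` audits the rules currently loaded.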