internet -- openvpn linux server  (pub IP && pri IP) -- windows 2008 web server (pri IP)
external -- firewall -- internal

obj: you want to use web, you need to connect to openvpn 1st and openvpn only provide certain service 
     (ex vpn only) and  it allow only certain IP ssh to it.

Q: real example is  working on 2 ec2 
A: 
  1. create 1 private IP pri-ec2 windows 2008 server  172.31.46.210 (no public IP)
  2. create 1 public  IP pub-ec2 windows 2008 server  54.249.25.250 172.31.33.9

  @pub-ec2 i can mstsc to pri-ec2, since 172.31.0.0/16 networking is OK