I'm getting out on a limb as far as my networking knowledge goes, but I believe you can put your enterprise geodatabase in a private subnet, and it should be able to talk with the all-in-one EC2 instance in the public subnet. Regarding costs, agree it would be great if esri could provide cost estimates per hour for typical cloudformation template configurations.