Security
The database should not be reachable from the internet. It should only ever be accessed through the API. This is the default configuration with Aurora, but the same rule applies to any production database you will run in the future.
To achieve this, we will use Subnets within our VPC.
The VPC is the main container that contains everything for our app. If we had another app, it would be in another VPC.
Subnets are used to separate resources within a VPC. You can have subnets that are reachable from the internet (public) and subnets that are only reachable from inside the VPC, subject to access rules (private).
The database will live in a private subnet. Traffic from the internet arrives in a public subnet and is forwarded from there to our API, which is the only thing allowed to talk to the database.
When building a scalable infrastructure, you need to be able to add and remove instances when needed. But this also means the IP addresses of the instances are random and can change at any time.
When using Lambda, we simply don't have any IP address we control at all.
The rules are set using security groups, which reference other resources rather than IP addresses. E.g. "Resource A can access Resource B on port 5432".
When integrating with a 3rd party, they should always whitelist the IP addresses you call from. This way, only the intended resources can access it.
How do we know which IP address to whitelist then? We could whitelist the whole range of addresses AWS hands out in our region. It's a start, but it's far too broad: every other AWS customer sits in the same ranges.
The solution is to allocate an Elastic IP and attach it to a NAT Gateway placed in the public subnet. Route the private subnet's outbound traffic (such as requests to 3rd parties) through that NAT Gateway. The traffic then leaves the VPC via the Internet Gateway with the Elastic IP as its source address, so that single, stable address is the one the 3rd party whitelists. The Internet Gateway itself has no address of its own; the Elastic IP on the NAT Gateway is what the outside world sees.