# Security

The database shouldn't be available on the internet. It should always be accessed via the API.\
This is the default configuration with Aurora, but this applies to any production database you'll run in the future.

To achieve this, we will use Subnets within our VPC.

### VPC

The VPC is the main container that contains everything for our app. If we had another app, it would be in another VPC.

![Always run different apps in their own VPCs to improve security.](/files/-LrJAWBcvy72okR_GOfA)

### Subnets

Subnets are used to separate resources within a VPC. You can have subnets accessible from the internet (public) and subnets only reachable internally, according to rules you define (private).

The rules are set using [Security Groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html), e.g. `Resource A` can access `Resource B` on port `5432`.

The database will be in a private subnet.\
We are going to accept traffic from the internet via a public subnet and forward it to our API.
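The "only the API may reach the database on 5432" rule above is exactly what a security-group audit should verify. The following is an added example, not the tutorial's own code: it checks a database security group against documents shaped like the EC2 `DescribeSecurityGroups` response (the sample below is constructed; the group ids are hypothetical). For a real account you would pass boto3's `ec2.describe_security_groups()["SecurityGroups"]` instead.

```python
# Added example: audit the database security group so port 5432 is reachable
# only from the API's security group, never from a CIDR range.
# Input mimics EC2 DescribeSecurityGroups output and is constructed here so
# the check runs offline.

DB_PORT = 5432
API_SG = "sg-0aaaaaaaaaaaaaaa1"  # hypothetical group id for the API tier
DB_SG = "sg-0bbbbbbbbbbbbbbb2"   # hypothetical group id for the Aurora cluster

# Constructed sample: one rule sourced from the API group (correct) and one
# rule open to the whole internet (the misconfiguration the tutorial warns against).
SAMPLE_GROUPS = [
    {"GroupId": API_SG, "GroupName": "api-sg", "IpPermissions": []},
    {"GroupId": DB_SG, "GroupName": "db-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": API_SG}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
]


def rule_covers_port(perm, port):
    """True if an IpPermissions entry includes `port` (protocol -1 means all)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_db_group(groups, db_group_id, api_group_id, port=DB_PORT):
    """Return findings for the database group; an empty list means it is clean."""
    db = next((g for g in groups if g["GroupId"] == db_group_id), None)
    if db is None:
        return [f"security group {db_group_id} not found"]
    findings = []
    for perm in db["IpPermissions"]:
        if not rule_covers_port(perm, port):
            continue
        # Any CIDR source on the DB port exposes it beyond the API tier.
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            findings.append(f"port {port} open to CIDR {cidr}")
        # Only the API's security group should be an allowed source.
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != api_group_id:
                findings.append(f"port {port} open to group {pair.get('GroupId')}")
    return findings
```

Running `audit_db_group(SAMPLE_GROUPS, DB_SG, API_SG)` on the sample reports the `0.0.0.0/0` rule and nothing else.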

### IP address whitelisting

When using a 3rd party, you should always have a [whitelist](https://en.wikipedia.org/wiki/Whitelisting) of IP addresses. This way, only the intended resources can access it.

When building a scalable infrastructure, you need to be able to add and remove instances when needed. But this also means that the IP addresses of the instances are random and can change at any time.

When using Lambda, we simply don't have any IP address.

How do we know which IP address to whitelist then? We could whitelist all the [AWS IP addresses](https://ip-ranges.amazonaws.com/ip-ranges.json). It's a start but that's not enough.

The solution is to buy an [Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html) attached to an [Internet Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html). Set the outbound traffic (such as requests to 3rd parties) to go through the Internet Gateway and use its IP address.

### Network architecture

![](/files/-LrJJE-33BjvBEIQDpvC)

{% hint style="info" %}
More info:

* [Internet Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html)
* [How do I give internet access to my Lambda function in a VPC?](https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/)
* [VPC and subnets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#vpc-subnet-basics)
{% endhint %}
