Security

The database shouldn't be reachable from the internet. It should only ever be accessed through the API. This is the default configuration with Aurora, but it applies to any production database you'll run in the future.

To achieve this, we will use Subnets within our VPC.

VPC

The VPC is the top-level container that holds everything for our app. If we had another app, it would live in its own VPC.

Always run different apps in their own VPCs to improve security.

Subnets

Subnets are used to separate resources within a VPC. You can have subnets accessible from the internet (public) and subnets only accessible internally with rules (private).

These rules are set using Security Groups, e.g. Resource A can access Resource B on port 5432.

The database will be in a private subnet. We are going to accept traffic from the internet via a public subnet and forward it to our API.
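A defender-side check for the rule just described, added here as an example (not code from the original page): it walks security groups in the shape returned by boto3's `ec2.describe_security_groups()` and flags any inbound rule that lets something other than the API's security group reach the database port. The group ids, names and CIDRs are constructed sample data.

```python
# Added example: audit security-group rules for exposure of the database port.
# Input mirrors the IpPermissions structure of ec2.describe_security_groups();
# all ids and CIDRs below are constructed placeholders, not real resources.
DB_PORT = 5432
API_SG = "sg-api-placeholder"   # the only group allowed to reach the DB
DB_SG = "sg-db-placeholder"

SAMPLE_GROUPS = [
    {   # intended: only the API security group may reach the DB on 5432
        "GroupId": DB_SG, "GroupName": "aurora-db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": API_SG}]},
        ],
    },
    {   # misconfigured: a second group opens 5432 to the whole internet
        "GroupId": "sg-legacy-placeholder", "GroupName": "legacy-db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
]

def covers_db_port(perm):
    """True if the rule's port range (or an 'all traffic' rule) includes DB_PORT."""
    if perm.get("IpProtocol") == "-1":          # -1 means all protocols/ports
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= DB_PORT <= perm.get("ToPort", 65535)

def find_db_exposures(groups, allowed_sg=API_SG):
    """Return (group_id, source) for every inbound rule that reaches DB_PORT from
    anything other than allowed_sg: any CIDR range, or any other security group."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if not covers_db_port(perm):
                continue
            for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                findings.append((g["GroupId"], r.get("CidrIp") or r.get("CidrIpv6")))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") != allowed_sg:
                    findings.append((g["GroupId"], pair.get("GroupId")))
    return findings

if __name__ == "__main__":
    for gid, src in find_db_exposures(SAMPLE_GROUPS):
        print(f"{gid}: port {DB_PORT} reachable from {src}")
```

Against live data, replace `SAMPLE_GROUPS` with the `SecurityGroups` list from `describe_security_groups()`; an empty result means every path to port 5432 goes through the API's security group.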

IP address whitelisting

When using a 3rd party, you should always have a whitelist of IP addresses in place. That way, only the intended resources can access it.

When building a scalable infrastructure, you need to be able to add and remove instances as needed. But this also means the instances' IP addresses are effectively random and can change at any time.

When using Lambda, we simply don't have any IP address to whitelist.

How do we know which IP address to whitelist, then? We could whitelist all the AWS IP address ranges. It's a start, but that's not enough.

The solution is to allocate an Elastic IP address attached to an Internet Gateway, and route outbound traffic (such as requests to 3rd parties) through that gateway so it leaves with the gateway's IP address.

Network architecture
