Best way to expose your services

I have a client-server architecture where each client and the server is associated with an AWS account. What is the best way I can expose services from the Server account to the clients? Now each client connects to the server from lambda to lambda connections. Is exposing all the services through an AppSync is better? Are there any other ways more suitable?

Themen

Serverlos Frontend-Web & Mobile Anwendungsintegration Kalkulation Vernetzung & Bereitstellung von Inhalten AWS Framework mit guter Struktur

Tags

AWS AppSync AWS Lambda Vernetzung & Bereitstellung von Inhalten Sicherheit

Sprache

English

Jehan

gefragt vor 3 Monaten128 Aufrufe

1 Antwort

Neueste
Die meisten Stimmen
Die meisten Kommentare

There are a couple of ways to achieve this architecture. Depending on the level of access (security) required - in addition to your method.

You can peer the VPCs, but the security issue is, this will open up the entire VPC in the shared services (server) account. https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html

The second method, much easier and secure is using AWS Private-Link: https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-share-your-services.html

This method uses a NLB to front the application (Lambda in your case), and a VPC-Endpoint to route traffic privately from the consumer (client) account. '

I'd recommend setting up a POC for this, initially, then duplicating into a staging account.

KAS

beantwortet vor 3 Monaten

Jehan
vor 3 Monaten
Thank you very much for your answer. Can I know whether I can impose a subscription (Pro or Standard) mechanism in the server account? Clients should not be able to give any other client access to the services exposed in the server account by sharing any information other than a user account itself.
KAS
vor 3 Monaten
@Jehan, I may have not fully contextualized your request - for that I apologize. It sounds like, you're exposing a single "server" account, to many "client" accounts? The solution provided will work, your customer will have to secure the VPC-Endpoints through tight resource policies (vpc-e access policies, so only traffic from that account that cross that vpc-e). If you're looking for a subscription based approach, introducing the API G/W will be a much cleaner way to provide this (usage plans & API keys).

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html

Using with Private-Link / VPC-Es: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html
KAS
vor 3 Monaten
Good developer documentation on implementing usage plans & API keys: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-usage-plans-with-console.html

Relevanter Inhalt

Wie kann ich den Fehler „You have exceeded the allowed number of AWS accounts.“ (Sie haben die zulässige Anzahl von AWS-Konten überschritten.) für AWS-Organisationen beheben?
AWS OFFICIALAktualisiert vor einem Jahr
Wie kann ich den Fehler „The security token included in the request is expired“ bei der Ausführung von Java-Anwendungen auf Amazon EC2 beheben?
AWS OFFICIALAktualisiert vor 2 Jahren
Warum erhalte ich die Fehlermeldung „You can only join an organization whose Seller of Record is same as your account", wenn ich versuche, einer Organisation beizutreten?
AWS OFFICIALAktualisiert vor 2 Jahren
Wie behebe ich den Fehler „The specified queue does not exist or you do not have access to it.“, wenn ich einen AWS Glue Job ausführe, um Nachrichten an Amazon SQS in einer anderen Region zu senden?
AWS OFFICIALAktualisiert vor 3 Jahren