multi vPC north-south API traffic

Question

Hi all

For design perspective,

Say i got vPC ABC and vPC XYZ in the same region, these 2 consider each other are external party to them.

Both vPC having their own micro services, services mesh for east-west traffic.  example vPC ABC doing the payment gateway, vPC XYZ doing accounting.

How to design vpc design, to handle these north-south API traffic? Native API gateway or third party API gateway both option considerable.  More on other design aspect like networking and LB also need to be include in the design factor.

Thanks

Noel

Antonio Lagrotteria · Answer

Answer is it depends :)

It depends on compliance, regulatory and company-specific requirements.

There are typical two models I have seen in my experience:
* A centralized approach, where another ingress VPC contains an API Gateway (AWS or 3th party as Kong, Axway, etc..) or Application Load Balancer. This is the central place for governance and controlling all internal APIs who want to become public and should handle DooS, WAF, etc.. Inspection may be needed: https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/. This entails a potential bottleneckness as central "governer" is responsible.
* A distributed approach where individual "Spoke" VPCs are allowed to expose APIs publicly. This may be a bit more complex but will probably ensure more team independence.

In both cases IaC and clear responsibilities are key.

Didier Durand · Answer

Hi, to get a broad perspective on all what is possible, I'd suggest you to read this very comprehensive wp detailling all what's possible:

https://d1.awsstatic.com/whitepapers/building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf

Hope it helps!

Didier

multi vPC north-south API traffic

Add your answer

Relevant content