CDK design Encapsulation and Dependencies


This is more of a design guideline question on CDK:

I have 2 separate Stacks for 2 different VPCs. I need these VPCs to talk to each other: a Lambda attached to VPC1 needs to call a resource in VPC2.

In VPC1-Stack I have a peering connection to VPC2. In VPC2-Stack I have a SecurityGroup to allow incoming connections from the Lambda attached to VPC1.

It's a headache when I have to make changes to either of the stacks. This is a kind of circular dependency. At times I have had to destroy everything and redeploy.

VPC2 has my "Server / Service" and VPC1 has my "Client", so it seems counter-intuitive that the Server has a dependency on the Client - or is that not the right way to think about this?

Am I condemned to suffer this circular dependency, or can the design Gods offer some redemption with a better design?

  • Can you break the cycle by moving the Security Group to the same stack as the Lambda function?

  • Yes, I can do that. I can add an ingress rule for the Lambda SG to the VPC2 SG. That would mean I change the SG of VPC2 from outside of the VPC2 Stack - does that not break encapsulation, or is it not the right way to think about this?

asked 3 years ago, 393 views
1 Answer

My understanding is that the reference to VPC1's security group in VPC2 caused the dependency.

One way you can consider, to create encapsulation, is to utilize a VPC endpoint / AWS PrivateLink. You can expose the VPC2 services through PrivateLink and access them from VPC1 and other VPCs through an interface endpoint.

That way VPC1 and VPC2 would be completely independent, and VPC2 has no reference to constructs in VPC1.

Jason_S
answered 3 years ago
  • Hi Jason_S

    Thanks for the answer

    Is it better design (and even possible) that in the VPC1 stack I change VPC2's security group to allow connections from VPC1's Lambda? That way I break the circular dependency.

    My VPC2 has an MSK cluster and my client is in VPC1.

    One way to think about this is: it makes sense that clients (the VPC1 Lambda) make the changes to the SG that they need to connect to the service. The service should not know about its clients, but the clients should know about the service they need to consume - in terms of responsibility.

    Another way to think about this is that if we allow clients to amend the SG of the MSK cluster, it probably breaks security? And what if the VPC2 stack is rerun, would it remove the ingress rule? Perhaps not.

    Would love to hear your thoughts
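As an added check (this script is not part of the question, Jason_S's answer, or any AWS tooling), the Python below rebuilds the stack dependency graph that the question's circular dependency lives in. CDK implements a cross-stack reference, such as handing VPC1's Lambda security group id to a rule in VPC2-Stack, as an exported Output in the producing stack plus an Fn::ImportValue in the consuming stack; walking those pairs in the synthesized templates under cdk.out gives the edges CloudFormation enforces, and a depth-first search reports any cycle. Two constructed template sets stand in for the designs discussed: the peering design from the question, where Vpc1Stack imports VPC2's id and Vpc2Stack imports the Lambda security group id, and the PrivateLink design from the answer, where only Vpc1Stack imports an endpoint service name. The stack names, export names and logical ids in those samples are made up to follow CDK's naming pattern.

```python
"""Rebuild a CDK app's stack dependency graph from synthesized templates and flag cycles.
CDK implements a cross-stack reference as an exported Output in the producing stack plus an
Fn::ImportValue in the consuming stack, so those pairs are the edges CloudFormation enforces."""
import json
import sys
from pathlib import Path

def load_templates(cdk_out):
    """Read every *.template.json in a cdk.out directory, keyed by stack name."""
    return {p.name[:-len(".template.json")]: json.loads(p.read_text())
            for p in Path(cdk_out).glob("*.template.json")}

def exports_of(template):
    """Export names declared in the template's Outputs section."""
    return {o["Export"]["Name"] for o in template.get("Outputs", {}).values()
            if isinstance(o.get("Export", {}).get("Name"), str)}

def imports_of(node):
    """Export names consumed anywhere in the template through Fn::ImportValue."""
    if isinstance(node, dict):
        if isinstance(node.get("Fn::ImportValue"), str):
            return {node["Fn::ImportValue"]}
        return set().union(*(imports_of(v) for v in node.values()))
    if isinstance(node, list):
        return set().union(*(imports_of(v) for v in node))
    return set()

def dependency_graph(templates):
    """Map each stack to the set of stacks whose exports it imports."""
    owner = {n: s for s, t in templates.items() for n in exports_of(t)}
    return {s: {owner[n] for n in imports_of(t) if n in owner and owner[n] != s}
            for s, t in templates.items()}

def find_cycles(graph):
    """Depth-first search; each cycle is returned as the path that closes it."""
    state, path, cycles = {}, [], []
    def visit(node):
        state[node] = "active"
        path.append(node)
        for nxt in sorted(graph[node]):
            if state.get(nxt) == "active":          # back edge: a stack on the current path
                cycles.append(path[path.index(nxt):] + [nxt])
            elif nxt not in state:
                visit(nxt)
        path.pop()
        state[node] = "done"
    for node in sorted(graph):
        if node not in state:
            visit(node)
    return cycles

# Constructed sample of the question's design (names made up, following CDK's export pattern):
# Vpc1Stack's peering connection imports VPC2's id; Vpc2Stack's ingress rule imports the Lambda SG id.
LAMBDA_SG = "Vpc1Stack:ExportsOutputFnGetAttLambdaSgGroupId"
VPC2_ID = "Vpc2Stack:ExportsOutputRefVpc2"
COUPLED = {
    "Vpc1Stack": {
        "Resources": {"Peering": {"Type": "AWS::EC2::VPCPeeringConnection", "Properties": {
            "VpcId": {"Ref": "Vpc1"}, "PeerVpcId": {"Fn::ImportValue": VPC2_ID}}}},
        "Outputs": {"LambdaSgOut": {"Value": {"Fn::GetAtt": ["LambdaSg", "GroupId"]},
                                    "Export": {"Name": LAMBDA_SG}}}},
    "Vpc2Stack": {
        "Resources": {"MskIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
            "GroupId": {"Ref": "MskSg"}, "IpProtocol": "tcp", "FromPort": 9094, "ToPort": 9094,
            "SourceSecurityGroupId": {"Fn::ImportValue": LAMBDA_SG}}}},
        "Outputs": {"Vpc2Out": {"Value": {"Ref": "Vpc2"}, "Export": {"Name": VPC2_ID}}}}}

# Constructed sample of the answer's design: Vpc2Stack fronts the service with an endpoint
# service and exports only its name; Vpc1Stack consumes it through an interface endpoint
# guarded by its own security group, so Vpc2Stack references nothing in Vpc1Stack.
SERVICE_NAME = "Vpc2Stack:ExportsOutputMskServiceName"
DECOUPLED = {
    "Vpc1Stack": {"Resources": {"MskEndpoint": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
        "VpcId": {"Ref": "Vpc1"}, "VpcEndpointType": "Interface",
        "SecurityGroupIds": [{"Ref": "EndpointSg"}],
        "ServiceName": {"Fn::ImportValue": SERVICE_NAME}}}}},
    "Vpc2Stack": {
        "Resources": {"MskService": {"Type": "AWS::EC2::VPCEndpointService", "Properties": {
            "NetworkLoadBalancerArns": [{"Ref": "MskNlb"}]}}},
        "Outputs": {"ServiceNameOut": {
            "Value": {"Fn::Sub": "com.amazonaws.vpce.${AWS::Region}.${MskService}"},
            "Export": {"Name": SERVICE_NAME}}}}}

def report(templates):
    """Print each stack's upstream stacks and any cycles; return the cycles found."""
    graph = dependency_graph(templates)
    for stack in sorted(graph):
        print(f"  {stack} depends on {sorted(graph[stack]) or 'nothing'}")
    cycles = find_cycles(graph)
    for cycle in cycles:
        print("  CYCLE: " + " -> ".join(cycle))
    return cycles

if __name__ == "__main__":
    # Pass a cdk.out path to analyse a real app; otherwise run the two constructed samples.
    if len(sys.argv) > 1:
        report(load_templates(sys.argv[1]))
    else:
        for label, sample in (("peering design", COUPLED), ("PrivateLink design", DECOUPLED)):
            print(f"== {label} ==")
            report(sample)
```

Run it as `python check_cycles.py cdk.out` after `cdk synth`. Within a single CDK app, synthesis already refuses to add a cross-stack reference that would create a cycle, so the check matters when the two VPC stacks live in separate apps or exchange values through Fn.importValue or SSM parameters: there the cycle only surfaces at deploy time, as an export that CloudFormation will not let you change or remove while another stack still imports it, which is the destroy-and-redeploy pain described in the question. The script reads only Export/Fn::ImportValue edges; explicit addDependency edges recorded in cdk.out/manifest.json are not considered.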
