Best way to expose your services

I have a client-server architecture where each client and the server is associated with an AWS account. What is the best way I can expose services from the Server account to the clients? Now each client connects to the server from lambda to lambda connections. Is exposing all the services through an AppSync is better? Are there any other ways more suitable?

Topics

Serverless Front-End Web & Mobile Application Integration Compute Networking & Content Delivery AWS Well-Architected Framework

Tags

AWS AppSync AWS Lambda Networking & Content Delivery Security

Language

English

Jehan

asked 2 months ago120 views

1 Answer

Newest
Most votes
Most comments

There are a couple of ways to achieve this architecture. Depending on the level of access (security) required - in addition to your method.

You can peer the VPCs, but the security issue is, this will open up the entire VPC in the shared services (server) account. https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html

The second method, much easier and secure is using AWS Private-Link: https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-share-your-services.html

This method uses a NLB to front the application (Lambda in your case), and a VPC-Endpoint to route traffic privately from the consumer (client) account. '

I'd recommend setting up a POC for this, initially, then duplicating into a staging account.

KAS

answered 2 months ago

Jehan
2 months ago
Thank you very much for your answer. Can I know whether I can impose a subscription (Pro or Standard) mechanism in the server account? Clients should not be able to give any other client access to the services exposed in the server account by sharing any information other than a user account itself.
KAS
2 months ago
@Jehan, I may have not fully contextualized your request - for that I apologize. It sounds like, you're exposing a single "server" account, to many "client" accounts? The solution provided will work, your customer will have to secure the VPC-Endpoints through tight resource policies (vpc-e access policies, so only traffic from that account that cross that vpc-e). If you're looking for a subscription based approach, introducing the API G/W will be a much cleaner way to provide this (usage plans & API keys).

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html

Using with Private-Link / VPC-Es: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html
KAS
2 months ago
Good developer documentation on implementing usage plans & API keys: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-usage-plans-with-console.html

Relevant content

What is the best way to transfer the elastic disaster recovery replication servers/setup to a different region?
Pir
asked 3 months ago
Best way to expose files from EFS over HTTP(S)?
Pascal MARTIN
asked 2 years ago
What is the best way to solve this?
Mustafa Ahmed
asked a month ago
What is the best way to delete large data from S3 ?
Aditya
asked a month ago
What do I do if I receive the error "Your account is in an invalid state" when I try to access services through my AWS account?
AWS OFFICIALUpdated 4 years ago
What are the best practices to set up an email server on my EC2 Linux instance?
AWS OFFICIALUpdated 9 months ago
What are the best practices for using multiple Network Load Balancers with an endpoint service?
AWS OFFICIALUpdated a year ago
How do I expose the Kubernetes services running on my Amazon EKS cluster?
AWS OFFICIALUpdated 2 years ago
Reduce your security risk with AWS Trusted Advisor exposed access keys recommendation
EXPERT
AWS_Manas_S
published a year ago
Migrate Virtual Machines from VMware Cloud on AWS to EC2 with AWS Application Migration Service and the Agentless vCenter Client
EXPERT
Greg Vinton
published 3 days ago