AWS Architecture ‐ Single Region VPC Drill Down
Our application is hosted in 2 regions to make sure it's fail safe in case of any disasters. Primary region for handling our business is North Virginia (us-east-1) and the backup region for disaster recovery will be Ireand(eu-west-1). Both regions have a similar internal architecture. Let's drill down.
We have an API gateway created in each region to redirect incoming API calls to respective services.
- We created a custom VPC(CIDR range TBD) within the region.
- The VPC is spread over 2 availability zones.
- Each Availability Zone has 1 Public Subnet, 2 private subnets.
- The VPC has Internet Gateway to facilitate internet connectivity for public subnets. (Private Subnets can use this via NAT gateway)
- The VPC has a s3 Gateway VPC endpoint. As per AWS documentation - Endpoints can help reduce NAT gateway charges and improve security by accessing S3 directly from the VPC.
-
- Consists of our Web Layer which is accessible to Public.
- Associate an elastic public IP address with this subnet.(Note: elastic IPs are charged. So use only in production. Use auto-assigned for testing within free-tier)
- We have a NAT Gateway so that our private subnets can utilize this to communicate to internet.
-
- Consists of Application Layer. Our EKS cluster runs within this subnet.
-
- Consists of the Database Layer. Our RDS-Aurora Postgres cluster runs within this subnet.
Note: For Private subnets to successfully connect with s3 or internet, make sure to set up proper routing in route tables associated with the subnet.
- Set up Security Groups at instance level.
- Set up Network ACLs at subnet level.
- Set up IAM roles to access AWS services so that it prevents any unauthorized/unintended access.
- TODO: More security measures to be added here.
