
Secure external database access from AWS application


Today we have a solution whose infrastructure is entirely hosted on AWS. Among other things, there is an API (API Gateway + Lambda) which communicates with a database through a VPC-to-VPC connection secured with security groups and database authentication. The database is exposed to the Internet only to a small set of well-known IP addresses for administration purposes (also using security groups). I think this setup is relatively secure because the database can only be reached from well-known IP addresses and from our Lambdas.

In another environment (for one of our clients), we are planning to externalize the database to another cloud hosting provider (OVH), so that the data is stored in a French-based company rather than Amazon.

How should we set up the network infrastructure to maintain the same level of security in this environment? Using only IP address filtering + database authentication + encryption seems insufficient because the Lambdas' outbound IP addresses are shared with other AWS customers.

Run the Lambdas in a VPC's private subnet, so all traffic goes through a NAT gateway. Whitelist just that gateway. https://repost.aws/knowledge-center/internet-access-lambda-function