
Today we have a solution whose infrastructure is entirely hosted on AWS. Among other things, there is an API (API Gateway + lambda) which communicates with a database through a VPC to VPC connection secured with Security Groups and database authentication. The database is exposed to the Internet only to a small set of well-known IP addresses for administration purposes (also using security groups). I think this setup is relatively secure because the database can only be reached from well known IP addresses and from our lambdas.

In another environment (for one of our clients), we are planning to externalize the database to another cloud hosting provider (OVH), so that the data is stored in a French-based company rather than Amazon.

How should we set up the network infrastructure to maintain the same level of security in this environment? Using only IP address filtering + database authentication + encryption seems insufficient because the Lambdas' outbound IP addresses are shared with other AWS customers.

Run the Lambdas in a VPC's private subnet, so all traffic goes through a NAT gateway. Whitelist just that gateway. https://repost.aws/knowledge-center/internet-access-lambda-function – ceejayoz Aug 18 '23 at 13:42

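As an added example (not part of the question or the comment above), a small Python check of the setup the comment describes: for each subnet a Lambda is attached to, find the route table's default route and confirm it points at a NAT gateway, yielding the fixed Elastic IP that the database host's firewall can allow. The sample data is constructed in the shape of the EC2 DescribeRouteTables and Lambda GetFunctionConfiguration responses; function names, subnet/gateway ids and the IP are placeholders, and no AWS call is made.

```python
"""Verify Lambda VPC subnets egress through a NAT gateway (fixed IP)."""

# Constructed sample data in the shape of the AWS API responses; not live output.
LAMBDA_CONFIG = {
    "FunctionName": "api-handler",
    "VpcConfig": {"SubnetIds": ["subnet-priv-a", "subnet-pub-b", "subnet-main-c"]},
}

ROUTE_TABLES = [
    {   # private subnet: default route to a NAT gateway -> stable egress IP
        "Associations": [{"SubnetId": "subnet-priv-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"},
        ],
    },
    {   # public subnet: default route to an internet gateway -> Lambda has no usable egress
        "Associations": [{"SubnetId": "subnet-pub-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0def"},
        ],
    },
    {   # main route table: used by subnets with no explicit association, no default route
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
]

NAT_GATEWAYS = {"nat-0abc": "203.0.113.10"}  # NAT gateway id -> Elastic IP (constructed)


def route_table_for(subnet_id, route_tables):
    """Explicit subnet association wins; otherwise fall back to the VPC's main table."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def egress_ip_for_subnet(subnet_id, route_tables, nat_gateways):
    """Return the NAT gateway's Elastic IP for the subnet's 0.0.0.0/0 route, else None."""
    rt = route_table_for(subnet_id, route_tables)
    for route in (rt or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return nat_gateways.get(route.get("NatGatewayId"))
    return None


def allowlist_for_lambda(config, route_tables, nat_gateways):
    """Map each Lambda subnet to its fixed egress IP; a None value is a misconfiguration."""
    return {s: egress_ip_for_subnet(s, route_tables, nat_gateways)
            for s in config["VpcConfig"]["SubnetIds"]}
```

Only the addresses returned here belong on the remote database's allow list; a subnet that maps to None either has no internet route or routes via an internet gateway, which gives a VPC-attached Lambda no egress at all.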
0 Answers