
Please, consider a system (composed of many microservices and BFFs) that:

  • Each Platform (many microservices) and Customer Journey (BFF) has its own AWS Account (as part of an organization - Control Tower). We might have 20 - 30 AWS Accounts.
  • AWS Services used are: Lambda, SNS, SQS, Step Functions, EventBridge, Cognito, S3, CloudFront, CloudWatch, DynamoDB, Aurora Serverless (V2) + RDS Proxy, API GW (REST)
  • External Services: Lumigo for Monitoring, GitLab CI/CD (SaaS), Salesforce, Stripe, Twilio, Some Banks (API based)
  • Multi-region deployment (For DR only). So DynamoDB and Aurora Serverless (V2) are synched to another region, and the application is always deployed in both regions (Queues and other temporary states/data are not synched).

and knowing that it's now 2022 (Lambda will turn 10 in a couple of years), would we need a VPC (VPCes?) for this solution for maximum security (regarding Infrastructure alone)? It always looked to me that good governance, automatic rotation of IAM credentials, a strong CI/CD pipeline, and continuous and external security checks would be enough for a Serverless Architecture, so that developers or DevOps wouldn't need to invest a lot of energy setting up and maintaining Network and VPC.

Any help would be appreciated.

Cheers

– jfbaro

1 Answer

So it is not a must. You can also keep your service secure without a VPC. However, it may be more cost-effective to use a VPC. For example, if you move data from S3 to Lambda you pay a fee for network traffic. If both have endpoints in the same VPC there are no fees.

Furthermore, the two accounts per microservice approach seems a bit complex. I would rather have one CDK construct/Terraform/CloudFormation template per microservice and then two instances of them for test and prod. The default quota for AWS Organizations is 10 accounts, so it would limit you to 5 microservices.

– Lau
  • Thanks for the comments. They are insightful. Regarding the limit of Accounts per Organization, I believe this number can be increased. But let me correct something here: where I say "one account per microservice" I meant one Account per Platform. Each Platform might have tens or hundreds of microservices. Same thing for BFFs (Customer Journeys). I would say we would have 30 accounts, max, between Platforms and Journeys. Sorry, I see now how my question was misleading. – jfbaro Apr 22 '22 at 07:29
  • Oh okay. Yes, the number can be increased and if the application is this large, it is reasonable to have several accounts for this abstraction level. – Lau Apr 22 '22 at 07:54
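The "both have endpoints in the same VPC" point in the answer is worth seeing concretely, because the endpoint is not only a cost saving: it is also a control point. The CloudFormation template below is an added example and is not code from the question, the answer, or any of the projects mentioned. All names (`AppVpc`, `DataBucket`, `ReaderFunction`, the `AdminRoleArn` parameter) and the `10.42.0.0/16` CIDR are constructed for the example. It places a Lambda function in a private subnet with no internet gateway and no NAT, routes S3 through a gateway endpoint, restricts what that endpoint can reach with an endpoint policy, and, on the bucket side, denies any request that did not arrive through that endpoint (with the deploying role exempted so stack updates keep working).

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example (not from the answer). Lambda reads S3 via a VPC gateway endpoint; the bucket only accepts requests from that endpoint.
Parameters:
  AdminRoleArn: {Type: String}  # role that deploys this stack; exempt from the endpoint-only rule
Resources:
  # Private network with no internet gateway and no NAT: the S3 endpoint is the only way out.
  AppVpc:
    Type: AWS::EC2::VPC
    Properties: {CidrBlock: 10.42.0.0/16, EnableDnsSupport: true, EnableDnsHostnames: true}  # constructed CIDR
  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref AppVpc
      CidrBlock: 10.42.1.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties: {VpcId: !Ref AppVpc}
  PrivateSubnetRoute:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: {SubnetId: !Ref PrivateSubnet, RouteTableId: !Ref PrivateRouteTable}
  FunctionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS egress only, for the S3 reader function
      VpcId: !Ref AppVpc
      SecurityGroupEgress:
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0}
  # Gateway endpoint: S3 traffic stays on the AWS network (no NAT or data transfer charge),
  # and the endpoint policy limits what this VPC can reach to the one bucket.
  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref AppVpc
      VpcEndpointType: Gateway
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      RouteTableIds: [!Ref PrivateRouteTable]
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: [s3:GetObject, s3:ListBucket]
            Resource: [!GetAtt DataBucket.Arn, !Sub '${DataBucket.Arn}/*']
  DataBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        {BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true}
  # Bucket side of the same control: deny anything that did not come through the endpoint,
  # except the deployment/admin role named in AdminRoleArn.
  DataBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref DataBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyUnlessViaEndpoint
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Resource: [!GetAtt DataBucket.Arn, !Sub '${DataBucket.Arn}/*']
            Condition:
              StringNotEquals: {aws:SourceVpce: !Ref S3Endpoint}
              ArnNotEquals: {aws:PrincipalArn: !Ref AdminRoleArn}
  FunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - {Effect: Allow, Principal: {Service: lambda.amazonaws.com}, Action: sts:AssumeRole}
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole  # ENI management + log delivery
      Policies:
        - PolicyName: ReadDataBucket
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - {Effect: Allow, Action: s3:GetObject, Resource: !Sub '${DataBucket.Arn}/*'}
  ReaderFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.9
      Handler: index.handler
      Role: !GetAtt FunctionRole.Arn
      VpcConfig: {SubnetIds: [!Ref PrivateSubnet], SecurityGroupIds: [!Ref FunctionSecurityGroup]}
      Environment: {Variables: {BUCKET: !Ref DataBucket}}
      Code:
        ZipFile: |
          import os, boto3
          s3 = boto3.client("s3")
          def handler(event, context):
              # Reaches S3 only through the gateway endpoint; there is no NAT in this VPC.
              obj = s3.get_object(Bucket=os.environ["BUCKET"], Key=event["key"])
              return obj["Body"].read().decode()
```

Two practical caveats when weighing this against the "no VPC" option from the question. Gateway endpoints exist only for S3 and DynamoDB; SQS, SNS, Secrets Manager, RDS Proxy and the like need interface endpoints (PrivateLink), which carry an hourly charge per endpoint per AZ on top of per-GB pricing, so the cost argument has to be made per service. And a function in this VPC has no path to Stripe, Twilio, Salesforce or the banks' APIs: reaching them requires a NAT gateway (or keeping the functions that call external services outside the VPC). CloudWatch log delivery is unaffected, since Lambda sends logs on the function's behalf rather than through the VPC. Set `AdminRoleArn` to the role CloudFormation deploys with; otherwise the `Deny` locks the stack out of its own bucket policy on the next update.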