Production

Diagram

Description

Unlike in the development setup, where your project is deployed into the default VPC, in the production setup, your project is deployed into a custom Virtual Private Cloud (VPC), which we cover in this section.

Note that the VPC setup presented here is a good foundation, but is not an ultimate solution. There is a chance that the setup might need additional cloud infrastructure resources or different configurations on your or your organization’s behalf.

Key Differences

When compared to the development mode, essentially, resources still work and communicate with each other in the same way, except this time, there are a couple of additional network-level resources and rules in place. This helps in improving your project’s availability and overall security posture.

Public and Private Subnets

The most prominent change, when compared to the development mode, is the inclusion of a VPC that consists of three subnets - one public C and two private D e, deployed across multiple availability zones (AZs).

With this network structure, you are given the opportunity to place mission-critical cloud infrastructure resources into the private subnets D E, which makes these resources more secure, because they are not directly exposed to the public internet. This is especially important when talking about hosting databases, for example the Amazon OpenSearch Service H.

Multiple Availability Zones

As mentioned, the public and private subnets are deployed across multiple availability zones (AZs). This helps in making your application more highly available, fault tolerant and scalable. For example, if in a single region, one of the AZs goes offline, all of the network traffic is essentially routed to other AZs that are online. This means your application still works.

Note that the number of distinct AZs depends on the region you’re deploying to as some only have 2 AZs.

External Internet-Facing Cloud Infrastructure Resources

The only way resources located in the private subnets D e can talk to the public internet is via the public subnet C, which includes a NAT gateway F. The NAT (network address translation) gateway is the middleman that forwards all internet-routable network traffic, received from private subnets, to the Internet Gateway g.This makes it possible for AWS Lambda functions that are located in private subnets D E to talk to AWS resources that operate in an internet facing environment, like Amazon DynamoDB i, Amazon S3 j, and Amazon Cognito k.

FAQ

Is Amazon OpenSearch Service<diagram-letter>H</diagram-letter>Deployed Into Multiple AZs?

For the production setup, that is true. For development setup, it is deployed into a single AZ, just for cost reasons.

Check out the Amazon OpenSearch Service’s FAQ page for more information.

How Is API Gateway Communicating With AWS Lambda Functions if It's Outside of the VPC?

To our knowledge, there is no official evidence on how this actually works. But, since no additional configuration was needed in order to establish the API Gateway B - Lambda Functions connection, it means that this is automatically handled for you by AWS’s internal structure and mechanisms. This Stack Overflow question briefly discusses this, but again, no concrete evidence and answers are provided.