System design with need for static IP addresses for egress traffic


Hi,

I've created a backend with the Serverless framework, which uses API Gateway and Lambdas. After building it I found that a vendor my Lambdas send requests to needs those requests to come from a static IP address for security. I also need to proxy, maybe with a VPN, so that I can access the vendor's developer portal, which needs requests to come from static IPs as well.

Since the vendor only needed static IPs for egress traffic from my Lambdas, I followed a guide to set up the Lambdas in a VPC and use a NAT Gateway with an assigned Elastic IP. This has gotten very complicated, and a lot of the functionality that API Gateway provides is not needed by my application (it will only ever be served in one region, not globally).

That leaves the need to use the Elastic IP address to be able to make requests to the developer portal. I'm not really sure what I can do with this, possibly using a Client VPN. I'm unsure of the approach I should take here. Sorry, my networking knowledge is somewhat weak.

This is starting to get very complicated for a pretty simple application, and since I don't need the global aspect of API Gateway, I'm wondering if I should do a rewrite to a serverful approach on EC2 or a container runner. Does anyone have any ideas on what that would look like and how much it would cost to meet the requirements above?

1 Answer
Accepted Answer

Hello.

Using EC2 or ECS can be more expensive than Lambda because you need to keep servers and containers running even when the API is not being called.
Even if you use EC2 or ECS, you will still need a NAT Gateway to fix the IP address, so I don't think the settings for the network part are much different from Lambda.

> I also need to proxy, maybe with a VPN, so that I can access the vendor's developer portal, which needs requests to come from static IPs as well.

I believe that users access the management portal using a browser, but is this correct?
I believe that Lambda is used to execute the APIs provided by the vendor.
In that case, it is also possible to install the AWS Client VPN client or OpenVPN on the user's PC and access the portal via AWS's NAT Gateway.
You can provide your users with static IP addresses through Client VPN by setting up a configuration similar to the one described in the "Client VPN to Internet" blog post below.
https://aws.amazon.com/jp/blogs/networking-and-content-delivery/using-aws-client-vpn-to-scale-your-work-from-home-capacity/

answered a month ago
  • I created a simple configuration diagram. To summarize, it looks like the following, but as you can see, the configuration around the VPC is the same whether you use API Gateway or ECS. Therefore, if the API is not going to be executed that much, I think a configuration using API Gateway and Lambda will be cheaper than EC2 or ECS. https://aws.amazon.com/fargate/pricing/?nc1=h_ls https://aws.amazon.com/lambda/pricing/?nc1=h_ls

  • Hi,

    Thanks for your detailed answer. I'm having trouble getting OpenVPN to connect to my NAT Gateway. Are there any step-by-step guides for this?

    Cheers,
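The design the accepted answer describes (Lambda in a private subnet behind a NAT Gateway with an Elastic IP, plus a full-tunnel Client VPN whose traffic exits through that same NAT) can be expressed in a single serverless.yml. The block below is an added example written for this page; it is not code from the question, the answer, or the linked AWS blog. The region, availability zone, CIDR ranges, handler name, and the two ACM certificate ARNs (server certificate and client root CA) are assumptions that must be replaced for a real deployment.

```yaml
# Added example (not the original post's code): one serverless.yml giving the
# Lambdas a fixed egress IP (NAT Gateway + Elastic IP) and a full-tunnel Client VPN
# whose browser traffic leaves AWS from that same IP. Region, AZ, CIDRs, handler
# name and the two ACM certificate ARNs are assumptions; replace them.
service: static-egress-backend
provider:
  name: aws
  runtime: python3.12
  region: eu-west-1
  vpc:                       # every function gets an ENI in the private subnet
    securityGroupIds: [ { Ref: LambdaSecurityGroup } ]
    subnetIds: [ { Ref: PrivateSubnet } ]
functions:
  callVendor:
    handler: handler.call_vendor        # assumed existing handler
    events:
      - httpApi: { path: /vendor, method: post }
resources:
  Parameters:
    ServerCertificateArn: { Type: String }   # ACM cert for the VPN endpoint (assumed)
    ClientRootCertArn: { Type: String }      # ACM cert holding the client CA (assumed)
  Resources:
    Vpc:
      Type: AWS::EC2::VPC
      Properties: { CidrBlock: 10.0.0.0/16 }
    InternetGateway: { Type: AWS::EC2::InternetGateway }
    IgwAttachment:
      Type: AWS::EC2::VPCGatewayAttachment
      Properties: { VpcId: { Ref: Vpc }, InternetGatewayId: { Ref: InternetGateway } }
    PublicSubnet:            # holds only the NAT Gateway
      Type: AWS::EC2::Subnet
      Properties: { VpcId: { Ref: Vpc }, CidrBlock: 10.0.0.0/24, AvailabilityZone: eu-west-1a }
    PrivateSubnet:           # Lambda ENIs and the Client VPN association
      Type: AWS::EC2::Subnet
      Properties: { VpcId: { Ref: Vpc }, CidrBlock: 10.0.1.0/24, AvailabilityZone: eu-west-1a }
    PublicRouteTable:
      Type: AWS::EC2::RouteTable
      Properties: { VpcId: { Ref: Vpc } }
    PublicDefaultRoute:
      Type: AWS::EC2::Route
      DependsOn: IgwAttachment
      Properties: { RouteTableId: { Ref: PublicRouteTable }, DestinationCidrBlock: 0.0.0.0/0, GatewayId: { Ref: InternetGateway } }
    PublicSubnetRta:
      Type: AWS::EC2::SubnetRouteTableAssociation
      Properties: { SubnetId: { Ref: PublicSubnet }, RouteTableId: { Ref: PublicRouteTable } }
    NatEip:                  # the one address you give the vendor to allowlist
      Type: AWS::EC2::EIP
      Properties: { Domain: vpc }
    NatGateway:
      Type: AWS::EC2::NatGateway
      Properties: { SubnetId: { Ref: PublicSubnet }, AllocationId: { Fn::GetAtt: [NatEip, AllocationId] } }
    PrivateRouteTable:
      Type: AWS::EC2::RouteTable
      Properties: { VpcId: { Ref: Vpc } }
    PrivateDefaultRoute:     # all private-subnet egress exits via the NAT, i.e. from NatEip
      Type: AWS::EC2::Route
      Properties: { RouteTableId: { Ref: PrivateRouteTable }, DestinationCidrBlock: 0.0.0.0/0, NatGatewayId: { Ref: NatGateway } }
    PrivateSubnetRta:
      Type: AWS::EC2::SubnetRouteTableAssociation
      Properties: { SubnetId: { Ref: PrivateSubnet }, RouteTableId: { Ref: PrivateRouteTable } }
    LambdaSecurityGroup:     # least privilege: HTTPS out only, no inbound rules
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupDescription: Lambda egress to vendor API
        VpcId: { Ref: Vpc }
        SecurityGroupEgress:
          - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }
    ClientVpn:               # "Client VPN to Internet" pattern from the linked blog post
      Type: AWS::EC2::ClientVpnEndpoint
      Properties:
        ClientCidrBlock: 172.16.0.0/22          # must not overlap the VPC CIDR
        ServerCertificateArn: { Ref: ServerCertificateArn }
        AuthenticationOptions:
          - Type: certificate-authentication
            MutualAuthentication: { ClientRootCertificateChainArn: { Ref: ClientRootCertArn } }
        ConnectionLogOptions: { Enabled: false }
        SplitTunnel: false                      # push ALL client traffic through AWS
        VpcId: { Ref: Vpc }
    ClientVpnAssoc:          # lands clients in the private subnet, so the NAT route applies
      Type: AWS::EC2::ClientVpnTargetNetworkAssociation
      Properties: { ClientVpnEndpointId: { Ref: ClientVpn }, SubnetId: { Ref: PrivateSubnet } }
    ClientVpnAuthAll:        # authorize 0.0.0.0/0 for every connected user
      Type: AWS::EC2::ClientVpnAuthorizationRule
      Properties: { ClientVpnEndpointId: { Ref: ClientVpn }, TargetNetworkCidr: 0.0.0.0/0, AuthorizeAllGroups: true }
    ClientVpnInternetRoute:  # default route toward the private subnet (hence the NAT)
      Type: AWS::EC2::ClientVpnRoute
      DependsOn: ClientVpnAssoc
      Properties: { ClientVpnEndpointId: { Ref: ClientVpn }, DestinationCidrBlock: 0.0.0.0/0, TargetVpcSubnetId: { Ref: PrivateSubnet } }
  Outputs:
    StaticEgressIp:          # the single IP both the Lambdas and VPN users egress from
      Value: { Ref: NatEip }
```

After `serverless deploy`, the `StaticEgressIp` output is the address to hand to the vendor; Lambda calls and browser traffic from a connected VPN client both leave AWS from it because the private subnet's default route points at the NAT Gateway and the Client VPN's 0.0.0.0/0 route targets that subnet. Note that an OpenVPN or AWS-provided client connects to the Client VPN endpoint, not to the NAT Gateway: you download the endpoint's client configuration file, add the client certificate and key that match `ClientRootCertArn`, and import that profile. Two practical caveats: the NAT Gateway and the Client VPN association are billed per hour even when idle, and an allowlisted source IP is only a coarse control, so the Lambda-to-vendor calls should still authenticate with whatever credentials the vendor's API expects.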
