1 answer
There are a couple of ways to achieve this architecture, depending on the level of access (security) required, in addition to your method.
You can peer the VPCs, but the security issue is that this will open up the entire VPC in the shared services (server) account. https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html
The second method, much easier and more secure, is using AWS Private-Link: https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-share-your-services.html
This method uses an NLB to front the application (Lambda in your case), and a VPC-Endpoint to route traffic privately from the consumer (client) account.
I'd recommend setting up a POC for this initially, then duplicating it into a staging account.
Answered 3 months ago
Thank you very much for your answer. Can I know whether I can impose a subscription (Pro or Standard) mechanism in the server account? Clients should not be able to give any other client access to the services exposed in the server account by sharing any information other than a user account itself.
@Jehan, I may have not fully contextualized your request; for that I apologize. It sounds like you're exposing a single "server" account to many "client" accounts? The solution provided will work; your customer will have to secure the VPC-Endpoints through tight resource policies (vpc-e access policies, so only traffic from that account that crosses that vpc-e is accepted). If you're looking for a subscription based approach, introducing the API G/W will be a much cleaner way to provide this (usage plans & API keys).
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html
Using with Private-Link / VPC-Es: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html
Good developer documentation on implementing usage plans & API keys: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-usage-plans-with-console.html
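The two controls the thread recommends (a resource policy on the private API that only accepts traffic arriving through the consumer account's VPC endpoint, and usage plans with API keys as the subscription tiers) can be seen together in the following added example. It is not code from the answer above or from AWS: the evaluator is a deliberately minimal model of IAM's deny-overrides logic for this one policy shape, the usage-plan model keeps only a daily quota, and every ARN, endpoint ID and API key is a constructed placeholder.

```python
"""Added example (not from the re:Post thread or AWS): a private API Gateway
resource policy pinned to one consumer VPC endpoint, plus a toy usage-plan
check, evaluated against sample requests. IDs below are constructed placeholders."""
import fnmatch
import json

# Constructed placeholder identifiers, not real resources.
API_ARN = "arn:aws:execute-api:us-east-1:111111111111:abcde12345/*"
CONSUMER_VPCE = "vpce-0aaaaaaaaaaaaaaaa"  # endpoint owned by the client account
ACTION = "execute-api:Invoke"

# Constructed usage plans standing in for the "Standard" / "Pro" subscription
# tiers; real API Gateway plans also carry throttle rate/burst and a quota period.
USAGE_PLANS = {
    "Standard": {"quota_per_day": 1000, "api_keys": {"key-std-client-a"}},
    "Pro": {"quota_per_day": 100000, "api_keys": {"key-pro-client-b"}},
}


def build_private_api_policy(api_arn: str, allowed_vpce: str) -> dict:
    """Resource policy for a private REST API that only admits one VPC endpoint.

    The explicit Deny is the important statement: it blocks every other path even
    if a broader Allow is added to the policy later by mistake.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowFromConsumerEndpoint",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ACTION,
                "Resource": api_arn,
                "Condition": {"StringEquals": {"aws:SourceVpce": allowed_vpce}},
            },
            {
                "Sid": "DenyFromAnywhereElse",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ACTION,
                "Resource": api_arn,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": allowed_vpce}},
            },
        ],
    }


def _condition_holds(condition: dict, request: dict) -> bool:
    """Handles only the two operators this policy uses (on aws:SourceVpce)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = request.get(key)  # missing key -> None, never equal
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def evaluate(policy: dict, request: dict) -> bool:
    """Deny-overrides model: a matching Deny wins; otherwise some Allow must match."""
    allowed = False
    for stmt in policy["Statement"]:
        if stmt["Action"] != request["action"]:
            continue
        if not fnmatch.fnmatchcase(request["resource"], stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), request):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def plan_for_key(api_key):
    """Return the name of the usage plan an API key belongs to, or None."""
    for name, plan in USAGE_PLANS.items():
        if api_key in plan["api_keys"]:
            return name
    return None


def authorize(policy: dict, request: dict, calls_today: int):
    """Network control first (resource policy), then subscription (key + quota).
    Returns (allowed, reason)."""
    if not evaluate(policy, request):
        return False, "blocked by resource policy (wrong or missing VPC endpoint)"
    plan = plan_for_key(request.get("x-api-key"))
    if plan is None:
        return False, "no usage plan for this API key"
    if calls_today >= USAGE_PLANS[plan]["quota_per_day"]:
        return False, f"{plan} daily quota exhausted"
    return True, f"allowed under {plan} plan"


if __name__ == "__main__":
    policy = build_private_api_policy(API_ARN, CONSUMER_VPCE)
    print(json.dumps(policy, indent=2))
    base = {"action": ACTION,
            "resource": "arn:aws:execute-api:us-east-1:111111111111:abcde12345/prod/GET/orders"}
    samples = [  # constructed requests: right endpoint, other endpoint, unknown key
        dict(base, **{"aws:SourceVpce": CONSUMER_VPCE, "x-api-key": "key-pro-client-b"}),
        dict(base, **{"aws:SourceVpce": "vpce-0bbbbbbbbbbbbbbbb", "x-api-key": "key-pro-client-b"}),
        dict(base, **{"aws:SourceVpce": CONSUMER_VPCE, "x-api-key": "key-unknown"}),
    ]
    for req in samples:
        print(authorize(policy, req, calls_today=0))
```

The ordering in `authorize` mirrors the reply: the resource policy decides who can reach the API at all (only the consumer account's endpoint), and the usage plan decides what each subscriber may do once there. The second sample shows why the endpoint condition matters for the asker's concern: a valid key presented from a different account's endpoint is rejected before the key is even looked at.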