To VPC or not to VPC (Full Serverless Product)

Hello there,

I work for a big company as a software Architect and unfortunately, I am not an expert on infrastructure, so I would like to hear from you guys what your opinions are on this :slight_smile:, please.

We are working on a greenfield PRODUCT which is following the SERVERLESS FIRST approach. So far the AWS services we are using (or considering to use):

  • API Gateway (REST) - for external APIs (inbound)

  • Lambda - for compute

  • DynamoDB - for OLTP data

  • SQS/SNS - for messaging (EventBridge is too new yet)

  • Cloud Map - To work as our service discovery and also to eliminate the need for an ELB

  • HSM - for security

  • WAF Advanced - Firewall

  • Cognito Advanced - For credentials (This service might be shared in the future with other products within the company)

  • Route53 - For multi-region availability

  • S3 - For file storage and the initial “Data Lake”

  • AWS CI/CD stack - Path to Production

  • IAM - Governance and access control

  • VPN (Whitelist, 2way SSL, etc) - We might need some end to end VPN to connect our external partners which offer APIs which we rely on (they might or might not be running on AWS).

The architecture follows:

  • Microservice Architecture (DDD and NO synchronous inter-services communication, to reduce the dependency between them);

  • Event-driven (Messages for internal use and Webhooks to clients and external services);

  • Cloud Native;

  • Security is a key factor for this solution as it will provide financial services to our customers and will be under strong regulation and compliance;

  • Reduce the operation overhead as much as possible (The closer to “NoOps”, the better).

  • Be able to be plug-in other external systems (partners) through APIs (Whitelist their IPs?)

  • High available

  • Low infrastructure cost

I have been reading that in a true serverless architecture (at least on AWS) a VPC won’t buy me anything but more complexity.

I know the answer is “It depends”, but according to the points that I provided here is it possible to give me a sensible recommendation?

Thanks

If your company requires database to live in VPC for security reasons, then you don’t have other options but must use VPC. Otherwise having no VPC is preferable.
Serverless + Lambda has improved a lot, in the old days (last year) having VPC makes cold start a very painful issue for lambda, but now with provisioned concurrency, improved VPC networking and RDS proxy VPC performance is no longer an issue.

The short answer to your question is, avoid VPC if at all possible. For a Serverless applicaiton, VPC is only required if you are using specific services that require it (such as RDS, or ElasticSearch, etc) or for security compliance reasons (and even then you may still be ok). Most of the “serverless” services are already within a default “VPC” so there is already a level of security inherent in these services.

Also, for your CI/CD usage, while I may be biased, I would sincerely recommend looking into using Serverless Framework Pro’s CI/CD solution (I will be giving a webinar on it this week if you are interested to learn more). Its just far simpler to help you manage your deployments this way: https://serverless.zoom.us/webinar/register/3415844877281/WN_stINdhdpSYKgcI4L3Dl03w