Personal compilation for best practices for VPC Network architectures on AWS to improve performance, high availability and security for your apps

• Deploy your services and applications on two or more Availability zone on AWS
• This prevent total outage into your application in case of AWS failures
• This is helps you on spot requests
• Enable Multi A-Z on Elasticache and RDS instances
• Create read replicas to your databases in a different AZ's

• The main route table controls the default traffic from your VPC network. For more control and compliance management, don't use it.
• The main route table is recommended to simple and low scope architectures.
• For more complex and compliance environment, the recommendation are create your on route tables with your rules from internet and additional VPC Peering links.

• Network Load Balancers and Some Network functions needs a public subnets deployed to works fine.
• If you deploy an ALB to balance the traffic between your instances or containers, technically AWS will deploy that service to a public subnet in each Availability Zone you choose to route.
• This publics subnets can be used to deploy bastion hosts, third-part applications, satellite services like monitoring systems, CI/CD Pipeline, Big Data Services to support teams and business dynamically/

• Containers, EC2 should not have accessed directly from the Internet by public IP's.
• The application layer must be served by a single access point, such as an Application Load Balancer, Classic Load Balancer, or Network Load Balancer.
• Nginx, HAProxy, Ingress Controllers, API Gateways, ALB, ELB, NLB deployed on Public Subnets must route all DMZ access to private subnets

• Crete VPC Endpoint to consume AWS services without using a Internet Gateway or NAT Gateway with Internet Access.

• VPC Endpoints can be used to improve latency performance with security with common AWS services like S3, API Gateway, SQS, ECR, SNS, DynamoDB and Load Balancers.

• You can create a microservices gateway using VPC Endpoints for ALB and API Gateway

• Creating routing rules of all outbound traffic from the network to a NAT Gateway, you can enjoy a fixed outgoing IP
• Fixed outbound IPs can help you identify with third-party gateways, partners, friendly firewalls, and IPsec connections for Multicloud.

• For compliance management, your databases, cache layers and data warehouses like RDS, Elasticache, Elasticsearch, DB's on EC2, Redshift, Bigdata Stacks should be deployed on a segmented subnets without access to internet.
• No data should be accessed directly from the internet., only by applications deployed on your VPC.
• For multicloud, the recommendations are create a IPsec Connections or VPN Connections site-to-site.

• Enable VPC Flow logs to enhance your network monitoring

• Block all outside traffic to private subnets and allow traffic only by VPC IP Range
• Block all egress traffic from database subnets
• Only allow public subnet ingress to really useful public ports, like 80, 443, 22 etc.

• Create an simple stack to enhance your WAF Rules analysis

terraform init

terraform apply

terraform plan

👤 Matheus Fidelis

• Twitter: @fidelissauro
• Github: @msfidelis

Contributions, issues and feature requests are welcome!
Feel free to check issues page.

Give a ⭐️ if this project helped you!

Copyright © 2019 Matheus Fidelis.
This project is MIT licensed.

This README was generated with ❤️ by readme-md-generator