Hey everyone! I'm developing the backend for a mobile app that relies on Server-Sent Events (SSE) for chat functionalities. Instead of using API Gateway, I opted for an Application Load Balancer (ALB) that routes to a FastAPI application running on ECS. I'm facing a couple of challenges:
1. When the mobile app sends requests, they pass through the ALB (which has a web application firewall), but my ECS container still does the Cognito authentication. This setup feels insecure since an unauthenticated user could exploit it.
2. I noticed that without a NAT, I can't directly authenticate against Cognito because there aren't any endpoints available, and it seems wasteful to maintain a NAT just for authentication purposes.
In the future, I plan to integrate CloudFront for cached images, and I might use a lambda at the edge for authentication before hitting the ALB.
What are your thoughts on this approach? It feels a bit flawed, and I'm hoping to find better alternatives without switching to GraphQL. Any advice would be appreciated!
2 Answers
You’re right about needing some NAT management for this. If you're looking to save a few bucks, consider using something like Fck-NAT. It’s what I use for my smaller services and works just fine.
You could place your ALB in a private subnet and then leverage the new CloudFront private endpoints. This enhances your DDoS protection and WAF security, so you won’t need to run it on the ALB anymore. But keep in mind, private subnets will still require NAT to authenticate with Cognito, just like you mentioned for your container. Another option is keeping your ALB publicly facing until you offload Cognito auth.
This could be a valid approach! I like the idea of keeping things private but understand the challenges involved.

Thanks for the tip! I’ll definitely check that out for my other NAT setups!