I'm trying to set up an efficient AWS architecture using FastAPI on App Runner and Postgres on RDS, all managed through the Cloud Development Kit (CDK). Everything works fine locally and deploys to App Runner without issues. I've structured my environments as follows:
- `CoolStartupInfra-dev` for development with its own RDS and VPC.
- `CoolStartupInfra-prod` for production, also with its RDS and VPC.
- Two App Runner services: `coolstartup-api-core-dev` and `coolstartup-api-core-prod`.
I understand that I need a VPC connector, but I'm a bit lost on how to manage these connections in a multi-environment setup. Should App Runner directly use the VPC and database from the core stack, or would it be better to utilize Parameter Store?
Also, do I need to create a separate VPC connector for each environment? Lastly, how can I ensure that my development environment only communicates with its respective development database? I'm seeking advice on structuring this correctly, as I feel like I'm missing some key concepts about isolating App Runner and RDS effectively.
2 Answers
For ensuring isolation between environments like dev and prod, security groups play a crucial role. Attach the VPC connector to a specific security group and then link that to your RDS’s security group. This way, only the App Runner service in your dev environment can talk to the corresponding dev RDS, enforcing the isolation you need.
Keep in mind that while you could achieve some of this separation through VPC and subnet isolation, the additional costs associated with NAT Gateways can complicate things. I recommend looking into best practices or examples for setting this up. Use frameworks or tools like GenAI to generate sample CDK setups that align with your requirements.
There really isn't a one-size-fits-all approach here. If you're working in a small environment or just experimenting, using a single stack with all resources can work fine. For more flexibility, I usually create an account-level construct that includes the VPC and any shared resources, and then build individual stacks for components like RDS on top of that. For instance, you might have an `account.stack.ts` for the VPC, a `persistence.stack.ts` for RDS, and an `app.stack.ts` to connect everything together while ensuring your VPC connector links back to the right security group.
To ensure that dev talks only to the dev DB, you can leverage AWS accounts as strict boundaries. Development environments often get mixed up if not carefully managed, but production should adhere strictly to Infrastructure as Code (IaC). So, having different accounts can help keep things clean and separate.