This document provides a high-level introduction to the lambda-in-private-vpc repository, which implements an enterprise-grade, multi-region serverless architecture on AWS. The system deploys Lambda functions in isolated private VPCs across two AWS regions (eu-west-1 and eu-central-1) with comprehensive security controls, automated failover, and disaster recovery capabilities.
This page covers:
For detailed information on specific subsystems:
Sources: README.md1-27
The lambda-in-private-vpc repository implements a production-ready serverless application infrastructure with the following capabilities:
The system achieves 99.99% uptime through geographic redundancy and automated recovery mechanisms.
Sources: README.md10-27 README.md70-78
This architecture addresses critical business requirements:
| Impact Category | Severity | Mitigation Strategy |
|---|---|---|
| Financial | $1,000-5,000/min downtime cost | Multi-region active/active with automated failover |
| Operational | 40-60% productivity loss during outages | Near-zero RTO through geographic redundancy |
| Reputational | Customer trust erosion | 99.99% uptime SLA with health monitoring |
| Compliance | Regulatory penalties | NIST 800-53, ISO 27001, PCI DSS, GDPR compliance |
The system's Regional RTO of 1 hour and Regional RPO of 5 seconds are enforced through AWS Resilience Hub policy compliance and validated through regular chaos engineering tests.
Sources: README.md79-167
The repository is organized into three primary layers: infrastructure definitions, CI/CD automation, and documentation.
| File Path | Lines | Primary Resources | Key Logical IDs |
|---|---|---|---|
| .github/workflows/main.yml | ~500 | Production deployment orchestration | Workflow jobs: deploy-ireland, deploy-frankfurt, deploy-route53, deploy-waf, deploy-resilience-hub, deploy-disaster-recovery |
| .github/workflows/pullrequest.yml | ~200 | Pre-merge validation | Security scans: cfn-lint, cfn-nag, Checkov |
| cloudformation/template.yml | 794 | Core infrastructure | VPC, Lambda, LambdaDynamo, RestApi, GlobalTable, DNSFIrewallRuleGroup, PrivateNetworkAcl, VPCEndpointS3, VPCEndpointDynamoDb |
| cloudformation/route53.yml | ~150 | DNS and traffic routing | Weighted A/AAAA records, health check integration |
| cloudformation/waf.yml | ~100 | Web application firewall | WebACL with 6 managed rule groups |
| cloudformation/app.yml | ~200 | AWS Resilience Hub | ResilienceHubApp with Mission Critical policy |
| cloudformation/disaster-recovery.yml | ~400 | Chaos engineering | 4 FIS experiments, SSM automation documents |
Sources: cloudformation/template.yml1-794 .github/workflows/main.yml .github/workflows/pullrequest.yml README.md513-535
The system operates across three AWS deployment contexts: two regional stacks and global services.
The .github/workflows/main.yml workflow executes deployments in a specific order to satisfy cross-stack dependencies:
1. deploy-ireland deploys template.yml to eu-west-1 with an empty GlobalTableArn parameter, creating the primary DynamoDB Global Table (template.yml495-515).
2. The GlobalTable output ARN is read from the Ireland stack (template.yml766).
3. deploy-frankfurt deploys template.yml to eu-central-1, passing that ARN to the GlobalTableArn parameter (template.yml4-7) so the stack skips table creation and uses the existing global table.
4. deploy-route53 consumes the HealthCheckId and domain outputs from both regional stacks (template.yml745-793).
5. deploy-resilience-hub consumes the StackId outputs of both regional stacks (template.yml753-754).

The conditional deployment logic is controlled by the deployGlobalTable condition (template.yml21-23), which evaluates to true only when the GlobalTableArn parameter is empty.
Sources: cloudformation/template.yml4-793 .github/workflows/main.yml README.md169-510
The following diagram maps conceptual system components to actual CloudFormation resource logical IDs defined in template.yml:
| CloudFormation Resource Type | Logical ID | Function Name / Table Name | Purpose | Template Location |
|---|---|---|---|---|
| AWS::EC2::VPC | VPC | N/A | Network isolation boundary | cloudformation/template.yml25-33 |
| AWS::Lambda::Function | Lambda | audittest | Health check Lambda | cloudformation/template.yml432-461 |
| AWS::Lambda::Function | LambdaDynamo | database | Database operations Lambda | cloudformation/template.yml462-494 |
| AWS::DynamoDB::GlobalTable | GlobalTable | global-table | Multi-region data store | cloudformation/template.yml495-515 |
| AWS::ApiGateway::RestApi | RestApi | ApiName | HTTP API endpoint | cloudformation/template.yml516-524 |
| AWS::ApiGateway::Stage | ApiStage | v1 | API deployment stage | cloudformation/template.yml631-653 |
| AWS::Route53Resolver::FirewallRuleGroup | DNSFIrewallRuleGroup | N/A | DNS query filtering | cloudformation/template.yml250-262 |
| AWS::EC2::NetworkAcl | PrivateNetworkAcl | N/A | Network layer filtering | cloudformation/template.yml97-156 |
| AWS::EC2::VPCEndpoint | VPCEndpointS3 | N/A | S3 Gateway endpoint | cloudformation/template.yml335-359 |
| AWS::EC2::VPCEndpoint | VPCEndpointDynamoDb | N/A | DynamoDB Gateway endpoint | cloudformation/template.yml360-385 |
| AWS::Route53::HealthCheck | HealthCheckRestApi | N/A | API health monitoring | cloudformation/template.yml732-742 |
Sources: cloudformation/template.yml25-742 README.md246-258
The system implements defense-in-depth security with multiple layers defined across CloudFormation templates:
| Security Layer | Implementation File | Logical ID | Configuration Details |
|---|---|---|---|
| Edge | cloudformation/waf.yml | WebACL | 6 AWS managed rule groups |
| Network ACL | cloudformation/template.yml | InboundDenyRdpPrivateNetworkAclEntry | Denies inbound RDP (port 3389) - template.yml118-129 |
| Network ACL | cloudformation/template.yml | OutboundPrivateNetworkAclEntry | Allows outbound HTTPS (port 443) - template.yml130-141 |
| Security Group | cloudformation/template.yml | LambdaSecurityGroup | Egress to VPC CIDR on port 443 - template.yml386-396 |
| DNS Firewall | cloudformation/template.yml | DNSFIrewallRuleGroup | Allow AWS domains, block all others - template.yml250-262 |
| IAM | cloudformation/template.yml | LambdaFunctionRole | Least privilege with 6 managed policies - template.yml406-424 |
| Encryption | cloudformation/template.yml | EncryptionKey | KMS key with automatic rotation - template.yml202-237 |
| Monitoring | cloudformation/template.yml | FlowLogs | VPC flow logs to CloudWatch - template.yml270-282 |
| Data Protection | cloudformation/template.yml | GlobalTable | Point-in-time recovery enabled - template.yml504-505 |
Sources: cloudformation/template.yml97-742 cloudformation/waf.yml README.md259-318
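As an added example (not code from the lambda-in-private-vpc repository), the following Python script puts two of the mechanisms described on this page into checkable form: it evaluates the deployGlobalTable condition from the GlobalTableArn parameter, as in the Ireland-then-Frankfurt deployment order above, and then runs policy-as-code checks for the controls in the security table (Lambda attached to the VPC, KMS key rotation, point-in-time recovery on the global table, security-group egress limited to HTTPS into the VPC CIDR, inbound RDP denied by the NACL). The template it inspects is a constructed, heavily trimmed stand-in in JSON form that reuses the page's logical IDs; its property values, the placeholder ARN and account ID, the assumed `${VpcCidrPrefix}.0.0/16` shape of the CIDR, and the helper names (resolve, active_resources, check_template, with_property) are assumptions, not the project's own code or template contents.

```python
import copy

# Constructed stand-in for cloudformation/template.yml (JSON-form intrinsics).
# Logical IDs match the page; every property value below is an assumption, and
# the "10.1" -> 10.1.0.0/16 use of VpcCidrPrefix is a guess at the real format.
TEMPLATE = {
    "Parameters": {
        "GlobalTableArn": {"Type": "String", "Default": ""},
        "VpcCidrPrefix": {"Type": "String", "Default": "10.1"},
    },
    "Conditions": {
        # Create the table only when no ARN of an existing one was supplied.
        "deployGlobalTable": {"Fn::Equals": [{"Ref": "GlobalTableArn"}, ""]},
    },
    "Resources": {
        "GlobalTable": {
            "Type": "AWS::DynamoDB::GlobalTable",
            "Condition": "deployGlobalTable",
            "Properties": {
                "BillingMode": "PAY_PER_REQUEST",
                "Replicas": [
                    {"Region": region,
                     "PointInTimeRecoverySpecification": {"PointInTimeRecoveryEnabled": True}}
                    for region in ("eu-west-1", "eu-central-1")
                ],
            },
        },
        "EncryptionKey": {"Type": "AWS::KMS::Key",
                          "Properties": {"EnableKeyRotation": True}},
        "InboundDenyRdpPrivateNetworkAclEntry": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {"Egress": False, "RuleAction": "deny", "Protocol": 6,
                           "PortRange": {"From": 3389, "To": 3389}},
        },
        "LambdaSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"SecurityGroupEgress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "CidrIp": {"Fn::Sub": "${VpcCidrPrefix}.0.0/16"}}]},
        },
        "Lambda": {  # subnet Ref is only checked for presence, not resolved
            "Type": "AWS::Lambda::Function",
            "Properties": {"Runtime": "nodejs20.x", "Architectures": ["arm64"],
                           "VpcConfig": {"SubnetIds": [{"Ref": "PrivateSubnet1"}],
                                         "SecurityGroupIds": [{"Ref": "LambdaSecurityGroup"}]}},
        },
    },
}

# Parameter sets for the two regional deployments (the ARN is a placeholder).
IRELAND_PARAMS = {"GlobalTableArn": "", "VpcCidrPrefix": "10.1"}
FRANKFURT_PARAMS = {"GlobalTableArn": "arn:aws:dynamodb::123456789012:global-table/global-table",
                    "VpcCidrPrefix": "10.5"}


def resolve(value, params):
    """Evaluate the few intrinsic functions the constructed template uses."""
    if isinstance(value, dict) and len(value) == 1:
        (fn, arg), = value.items()
        if fn == "Ref":
            return params[arg]
        if fn == "Fn::Equals":
            return resolve(arg[0], params) == resolve(arg[1], params)
        if fn == "Fn::Sub":
            for name, val in params.items():
                arg = arg.replace("${%s}" % name, str(val))
            return arg
    return value


def active_resources(template, params):
    """Resources CloudFormation would create for these parameter values."""
    conds = {n: resolve(e, params) for n, e in template["Conditions"].items()}
    return {lid: r for lid, r in template["Resources"].items()
            if conds.get(r.get("Condition"), True)}


def check_template(template, params):
    """Return findings for the controls the page lists; empty means compliant."""
    res = active_resources(template, params)
    findings = []
    for lid, r in res.items():
        kind, props = r["Type"], r.get("Properties", {})
        if kind == "AWS::Lambda::Function" and "VpcConfig" not in props:
            findings.append(f"{lid}: function is not attached to the VPC")
        if kind == "AWS::KMS::Key" and props.get("EnableKeyRotation") is not True:
            findings.append(f"{lid}: KMS key rotation disabled")
        if kind == "AWS::DynamoDB::GlobalTable":
            for rep in props.get("Replicas", []):
                spec = rep.get("PointInTimeRecoverySpecification", {})
                if spec.get("PointInTimeRecoveryEnabled") is not True:
                    findings.append(f"{lid}: PITR disabled in {rep.get('Region')}")
        if kind == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupEgress", []):
                cidr = resolve(rule.get("CidrIp"), params)
                https_only = rule.get("FromPort") == 443 == rule.get("ToPort")
                if cidr == "0.0.0.0/0" or not https_only:
                    findings.append(f"{lid}: egress wider than HTTPS to the VPC ({cidr})")
    rdp_denied = any(
        r["Type"] == "AWS::EC2::NetworkAclEntry"
        and not r["Properties"].get("Egress", False)
        and r["Properties"].get("RuleAction") == "deny"
        and r["Properties"]["PortRange"]["From"] <= 3389 <= r["Properties"]["PortRange"]["To"]
        for r in res.values())
    if not rdp_denied:
        findings.append("no network ACL entry denies inbound RDP (3389)")
    return findings


def with_property(template, logical_id, prop, value):
    """Deep-copy the template with one property overridden, for what-if checks."""
    t = copy.deepcopy(template)
    t["Resources"][logical_id]["Properties"][prop] = value
    return t


if __name__ == "__main__":
    print(sorted(active_resources(TEMPLATE, IRELAND_PARAMS)))    # GlobalTable created
    print(sorted(active_resources(TEMPLATE, FRANKFURT_PARAMS)))  # GlobalTable skipped
    print(check_template(TEMPLATE, IRELAND_PARAMS))               # []
    weak = with_property(TEMPLATE, "EncryptionKey", "EnableKeyRotation", False)
    print(check_template(weak, IRELAND_PARAMS))                   # rotation finding
```

To run the same checks against the real cloudformation/template.yml, load it with a parser that understands the short-form tags (for example cfn-flip, or a PyYAML loader with constructors for `!Ref`, `!Sub` and `!Equals`), since the stand-in uses JSON-form intrinsics only. cfn-nag and Checkov in pullrequest.yml already cover the generic controls; a script like this earns its keep for repository-specific rules such as the egress-to-VPC-CIDR restriction on LambdaSecurityGroup.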
AWS Resilience Hub enforces recovery objectives through policy-based assessment:
| Failure Type | RTO | RPO | Implementation | CloudFormation Resources |
|---|---|---|---|---|
| Regional | 3600s (1h) | 5s | Multi-region active/active, Route 53 failover | cloudformation/route53.yml: HealthCheck1, HealthCheck2, ApiDNSRecord |
| AZ | 1s | 1s | Multi-AZ Lambda deployment | cloudformation/template.yml: PrivateSubnet1/2/3 |
| Hardware | 1s | 1s | AWS infrastructure redundancy | N/A (AWS managed) |
| Software | 5400s (90m) | 300s (5m) | Automated recovery, FIS testing | cloudformation/disaster-recovery.yml: FIS experiments, SSM documents |
The Resilience Hub configuration is defined in cloudformation/app.yml, which references both regional CloudFormation stacks and defines the Mission Critical policy with these objectives. Daily assessments validate compliance.
Sources: README.md319-392 cloudformation/app.yml
The .github/workflows/main.yml workflow orchestrates the complete deployment lifecycle:
| Workflow File | Trigger | Primary Actions | Security Scans |
|---|---|---|---|
| .github/workflows/pullrequest.yml | Pull request | Template validation, security scanning | cfn-lint, cfn-nag, Checkov, StandardLint |
| .github/workflows/main.yml | Merge to main | Multi-region deployment, auxiliary stack configuration | All PR scans + ZAP API scan |
| .github/workflows/scorecard.yml | Daily schedule | OpenSSF Scorecard assessment | Supply chain security |
| .github/workflows/dependency-review.yml | Pull request | Dependency vulnerability scan | GitHub dependency review |
Sources: .github/workflows/main.yml .github/workflows/pullrequest.yml README.md460-510
| Technology | Version | Purpose | Template Reference |
|---|---|---|---|
| Node.js | 20.x | Lambda runtime | template.yml453 (Runtime: nodejs20.x) |
| Lambda Architecture | ARM64 | Compute architecture | template.yml445 (Architectures: arm64) |
| CloudFormation | 2010-09-09 | Infrastructure as Code | 5 templates: template.yml, route53.yml, waf.yml, app.yml, disaster-recovery.yml |
| GitHub Actions | Latest | CI/CD automation | 4 workflows: main.yml, pullrequest.yml, scorecard.yml, dependency-review.yml |
| AWS Lambda | Latest | Serverless compute | 2 functions per region: audittest template.yml432-461 database template.yml462-494 |
| DynamoDB Global Tables | v2019.11.21 | Multi-region data store | template.yml495-515 with BillingMode: PAY_PER_REQUEST |
| API Gateway | REST API v1 | HTTP endpoint | template.yml516-524 with EndpointConfiguration: REGIONAL |
| Route 53 | Latest | DNS and traffic routing | Health checks template.yml732-742 weighted routing in route53.yml |
| WAF | v2 | Application firewall | 6 managed rule groups in waf.yml |
| VPC CIDR | 10.1.0.0/16, 10.5.0.0/16 | Network addressing | template.yml16-19 (VpcCidrPrefix parameter) |
| AWS Resilience Hub | Latest | RTO/RPO enforcement | Mission Critical policy in app.yml |
| AWS FIS | Latest | Chaos engineering | 4 experiments in disaster-recovery.yml |
| KMS | Latest | Encryption key management | template.yml202-237 with EnableKeyRotation: true |
Sources: cloudformation/template.yml16-742 README.md1-78
To understand specific aspects of the system in detail:
Sources: README.md12-24