Channel: Active questions tagged amazon-ec2 - Stack Overflow

Best practice for AWS lambda function inside a VPC [closed]


I have a few services running as lambda functions in the same AWS region. Let's say I have service A and B. Both are behind API Gateway so that I have api-a.myapp.com and api-b.myapp.com. Both of these work fine and they can also send requests to each other using those URLs.

Now I've added an EC2 instance running a PostgreSQL database. In order to protect this service, I've decided not to open up public traffic in the instance's security group (security-group-D). Instead, I've put the service that needs to access the database (service A) inside the same VPC as the EC2 instance, in its own security group (security-group-A), and configured security-group-D to allow traffic from security-group-A.

Service A can now access the database. However, it cannot access the internet (which is fine) and it can no longer access service B (not fine).

What's the best practice for this setup?

I've tried:

  • Putting service A in a separate subnet connected to a NAT Gateway. This works but is fairly expensive.
  • Creating a VPC Endpoint so that things inside the VPC can access API Gateway (execute-api). I have not managed to get this to work, despite fiddling a lot with different security groups and such.
  • Skipping putting service A in the VPC and instead configuring security-group-D to accept traffic from the public internet. This works but is not very secure.

Thanks!
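Added example, not part of the original question or of any answer: an offline audit of the security-group wiring the question describes, run over constructed data in the shape of boto3's `ec2.describe_security_groups()["SecurityGroups"]` output (the group IDs and the VPC CIDR are placeholders). It encodes the checks that decide whether the second option can work at all: the execute-api interface endpoint has its own security group, which must allow inbound TCP 443 from security-group-A (or from the Lambda subnets' CIDR), and security-group-A's egress must still permit 443 to the endpoint and 5432 to the database. Two caveats worth knowing before fiddling further: an interface endpoint with private DNS enabled makes the regional `*.execute-api.<region>.amazonaws.com` names resolve to the endpoint, which only serves private REST APIs with a resource policy that allows that endpoint, so a public regional API called by that name from inside the VPC stops being reachable; and a custom domain such as api-b.myapp.com that points at a public (edge-optimized or regional) stage still needs a route to the public internet, i.e. a NAT, from a Lambda in private subnets.

```python
"""Offline audit of the security-group wiring described in the question.

Input has the shape of boto3's ec2.describe_security_groups()["SecurityGroups"].
All sample data below is constructed for this example; group IDs are placeholders.
"""
from __future__ import annotations

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def _covers(perm: dict, port: int, proto: str = "tcp") -> bool:
    """Does one IpPermission entry cover port/proto? IpProtocol '-1' means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != proto:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def allowed_sources(sg: dict, port: int) -> tuple[set[str], set[str]]:
    """Return (source security-group ids, source CIDRs) allowed to reach `port` on `sg`."""
    groups, cidrs = set(), set()
    for perm in sg.get("IpPermissions", []):
        if not _covers(perm, port):
            continue
        groups.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
        cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
        cidrs.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
    return groups, cidrs


def egress_allows(sg: dict, port: int) -> bool:
    """Does `sg` permit outbound TCP `port` to at least one destination?"""
    return any(
        _covers(p, port) and (p.get("IpRanges") or p.get("Ipv6Ranges") or p.get("UserIdGroupPairs"))
        for p in sg.get("IpPermissionsEgress", [])
    )


def audit(groups: list[dict], lambda_sg: str, db_sg: str, vpce_sg: str) -> list[str]:
    """Return findings; an empty list means the wiring matches the intended design."""
    by_id = {g["GroupId"]: g for g in groups}
    findings: list[str] = []

    # security-group-D: Postgres reachable only via a reference to security-group-A.
    db_groups, db_cidrs = allowed_sources(by_id[db_sg], 5432)
    if db_cidrs & PUBLIC_CIDRS:
        findings.append(f"{db_sg}: Postgres 5432 is open to the public internet")
    elif db_cidrs:
        findings.append(f"{db_sg}: Postgres 5432 allows CIDRs {sorted(db_cidrs)}; prefer SG references")
    if lambda_sg not in db_groups:
        findings.append(f"{db_sg}: does not allow 5432 from {lambda_sg}")

    # Endpoint SG: the Lambda's SG (or its subnet CIDR) must be allowed in on 443.
    vpce_groups, vpce_cidrs = allowed_sources(by_id[vpce_sg], 443)
    if lambda_sg not in vpce_groups and not vpce_cidrs:
        findings.append(f"{vpce_sg}: execute-api endpoint does not allow 443 from {lambda_sg}")

    # security-group-A egress: a locked-down egress rule silently breaks both paths.
    for port, target in ((5432, db_sg), (443, vpce_sg)):
        if not egress_allows(by_id[lambda_sg], port):
            findings.append(f"{lambda_sg}: no egress on {port} toward {target}")
    return findings


# ---- constructed sample data (placeholder IDs, not real resources) ----
SG_A, SG_D, SG_VPCE = "sg-0a0a0a0a0a0a0a0a0", "sg-0d0d0d0d0d0d0d0d0", "sg-0e0e0e0e0e0e0e0e0"
ALL_EGRESS = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
              "Ipv6Ranges": [], "UserIdGroupPairs": []}


def tcp(port: int, groups=(), cidrs=()) -> dict:
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs], "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


def sg(group_id: str, ingress: list, egress=None) -> dict:
    return {"GroupId": group_id, "IpPermissions": ingress,
            "IpPermissionsEgress": [ALL_EGRESS] if egress is None else egress}


# Option 2 done right: SG chaining for the DB and for the execute-api endpoint.
INTENDED = [sg(SG_A, []), sg(SG_D, [tcp(5432, groups=[SG_A])]), sg(SG_VPCE, [tcp(443, groups=[SG_A])])]
# Option 3 from the question: the DB SG opened to the internet (endpoint SG allows the VPC CIDR instead).
OPEN_DB = [sg(SG_A, []), sg(SG_D, [tcp(5432, cidrs=["0.0.0.0/0"])]),
           sg(SG_VPCE, [tcp(443, cidrs=["10.0.0.0/16"])])]
# A common mistake: SG-A egress restricted to 443 only, so the DB path breaks.
LOCKED_EGRESS = [sg(SG_A, [], egress=[tcp(443, cidrs=["0.0.0.0/0"])]),
                 sg(SG_D, [tcp(5432, groups=[SG_A])]), sg(SG_VPCE, [tcp(443, groups=[SG_A])])]

if __name__ == "__main__":
    for name, data in (("intended", INTENDED), ("open-db", OPEN_DB), ("locked-egress", LOCKED_EGRESS)):
        print(name, audit(data, SG_A, SG_D, SG_VPCE) or "OK")
```

To run this against a real account, replace the constructed lists with the `SecurityGroups` list returned by `describe_security_groups` for the three groups; the audit only reads the fields shown, so no other permissions are needed.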

