In this section we will build out our base lab infrastructure: a public API Gateway that invokes a Lambda function (application layer), which in turn connects to Amazon RDS for MySQL (database layer) inside a Virtual Private Cloud (VPC). The application and database layers are deployed to separate private subnets, which segregates application and database traffic, and those subnets are spread across multiple Availability Zones. We will also deploy an Internet Gateway and a NAT Gateway, along with the appropriate routes for both the public and private subnets.
When the initial-stage template deployment completes successfully, the deployed workload should match the following diagram:
Note the following:
The API Gateway has been granted permission to invoke the Lambda function, which is attached to the private subnets of the application layer.
The Lambda function has an execution role that lets it run inside the VPC (it needs to create its network interfaces in the private subnets) and retrieve the database credentials it uses at run time.
Secrets Manager has been configured as the store for the RDS master password; the Lambda function retrieves it at run time to connect to RDS. Secrets Manager encrypts the password at rest and decrypts it transparently when the function requests it, so the password never has to be embedded in code or configuration.
The security group attached to Amazon RDS for MySQL allows inbound traffic only on TCP port 3306, and only from the security group attached to the Lambda function. This gives Lambda exactly the access it needs to reach Amazon RDS for MySQL and nothing more.
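The security group rule above is the one control that keeps the database reachable only from the application layer, so it is worth checking after deployment rather than trusting the template. The following is an added example (not part of the lab or its templates) that audits a database security group in the shape `ec2.describe_security_groups()` returns: every ingress rule must be TCP 3306 only, there must be no CIDR, IPv6 or prefix-list sources, the only security-group source must be the Lambda function's group, and that rule must actually exist. The group IDs and the two sample groups are constructed for the demonstration.

```python
import json

# Security group IDs used in the constructed samples below (assumed, not from the lab).
LAMBDA_SG_ID = "sg-0000000000lambda"
RDS_PORT = 3306

# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"][i]:
# one rule, TCP 3306, sourced only from the Lambda security group.
GOOD_RDS_SG = {
    "GroupId": "sg-0000000000rdsgood",
    "IpPermissions": [
        {
            "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
            "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
            "UserIdGroupPairs": [{"GroupId": LAMBDA_SG_ID, "UserId": "123456789012"}],
        }
    ],
}

# Same shape with two mistakes a practitioner should catch: MySQL open to the
# internet, and an all-traffic rule from a security group that is not Lambda's.
BAD_RDS_SG = {
    "GroupId": "sg-0000000000rdsbad",
    "IpPermissions": [
        {
            "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "PrefixListIds": [],
            "UserIdGroupPairs": [{"GroupId": LAMBDA_SG_ID, "UserId": "123456789012"}],
        },
        {   # IpProtocol "-1" means all protocols and ports; the API omits FromPort/ToPort
            "IpProtocol": "-1",
            "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
            "UserIdGroupPairs": [{"GroupId": "sg-0000000000bastion", "UserId": "123456789012"}],
        },
    ],
}


def audit_rds_ingress(sg, lambda_sg_id, port=RDS_PORT):
    """Return a list of findings for a database security group.

    An empty list means: every ingress rule is TCP/`port` only, there are no
    CIDR, IPv6 or prefix-list sources, the only security-group source is
    `lambda_sg_id`, and a TCP/`port` rule for it actually exists.
    """
    findings = []
    lambda_allowed = False
    for rule in sg.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        from_port, to_port = rule.get("FromPort"), rule.get("ToPort")
        rule_ok = proto == "tcp" and from_port == port and to_port == port
        if not rule_ok:
            findings.append("rule allows protocol %s ports %s-%s; expected tcp %d only"
                            % (proto, from_port, to_port, port))
        for r in rule.get("IpRanges", []):
            findings.append("CIDR source %s allowed; only the Lambda security group should be" % r["CidrIp"])
        for r in rule.get("Ipv6Ranges", []):
            findings.append("IPv6 source %s allowed; only the Lambda security group should be" % r["CidrIpv6"])
        for r in rule.get("PrefixListIds", []):
            findings.append("prefix list %s allowed; only the Lambda security group should be" % r["PrefixListId"])
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == lambda_sg_id:
                if rule_ok:
                    lambda_allowed = True
            else:
                findings.append("security group source %s is not the Lambda security group %s"
                                % (pair.get("GroupId"), lambda_sg_id))
    if not lambda_allowed:
        findings.append("no tcp %d rule allows the Lambda security group %s; Lambda cannot reach RDS"
                        % (port, lambda_sg_id))
    return findings


def audit_live_rds_sg(rds_sg_id, lambda_sg_id, region="us-east-1"):
    """Fetch the real group with boto3 (needs AWS credentials) and audit it."""
    import boto3  # imported here so the pure audit logic above runs without AWS
    ec2 = boto3.client("ec2", region_name=region)
    sg = ec2.describe_security_groups(GroupIds=[rds_sg_id])["SecurityGroups"][0]
    return audit_rds_ingress(sg, lambda_sg_id)


if __name__ == "__main__":
    for sg in (GOOD_RDS_SG, BAD_RDS_SG):
        print(sg["GroupId"], json.dumps(audit_rds_ingress(sg, LAMBDA_SG_ID), indent=2))
```

Run `audit_live_rds_sg` with the RDS and Lambda security group IDs from your deployed stack; the audit also flags the opposite failure (no rule for the Lambda group at all), which shows up as the Lambda function timing out on connect rather than as a security problem.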
Note: For simplicity, we have used North Virginia (us-east-1) as the default region for this lab. Please ensure all lab interaction is completed from this region.
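To make the secret-retrieval flow concrete, here is an added example of a Lambda handler in the style the architecture above calls for. It is not the lab's own function code. It reads the RDS master credentials from Secrets Manager, validates the secret, connects to MySQL, and answers API Gateway with a proxy-integration response. The secret name `lab/rds/master`, the `DB_SECRET_ID` environment variable and the key names inside the secret (the layout of the Secrets Manager RDS secret type) are assumptions; the in-memory stand-ins for the Secrets Manager client and the MySQL connection are constructed so the logic runs offline.

```python
import json
import os

# Key names of the JSON secret Secrets Manager stores for an RDS database.
# These follow the Secrets Manager RDS secret format; the lab page does not
# show its secret, so treat the exact keys as an assumption.
REQUIRED_KEYS = ("username", "password", "host", "port")

# Constructed demo secret, in the form get_secret_value() returns as SecretString.
DEMO_SECRET_ID = "lab/rds/master"   # assumed name, not from the lab
DEMO_SECRET_STRING = json.dumps({
    "username": "admin", "password": "correct horse battery staple",
    "engine": "mysql", "host": "lab-db.cluster-xyz.us-east-1.rds.amazonaws.com",
    "port": 3306, "dbname": "labdb",
})


class InMemorySecretsClient:
    """Stand-in for boto3's secretsmanager client so the handler can run offline."""
    def __init__(self, secrets):
        self._secrets = secrets
    def get_secret_value(self, SecretId):
        if SecretId not in self._secrets:      # boto3 raises ResourceNotFoundException here
            raise KeyError("secret %s not found" % SecretId)
        return {"Name": SecretId, "SecretString": self._secrets[SecretId]}


class InMemoryConnection:
    """Stand-in for pymysql.connect(): records the kwargs and answers one query."""
    def __init__(self, **kwargs):
        self.kwargs = kwargs
    def cursor(self):
        return self
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False
    def execute(self, sql):
        self._row = ("8.0.35-demo",)   # constructed value
    def fetchone(self):
        return self._row
    def close(self):
        pass


def parse_db_secret(secret_string):
    """Validate the SecretString and map it onto pymysql.connect() keyword arguments."""
    try:
        secret = json.loads(secret_string)
    except (TypeError, ValueError) as exc:
        raise ValueError("secret is not valid JSON") from exc
    missing = [k for k in REQUIRED_KEYS if k not in secret]
    if missing:
        raise ValueError("secret is missing keys: " + ", ".join(missing))
    return {
        "host": secret["host"],
        "port": int(secret["port"]),
        "user": secret["username"],
        "password": secret["password"],
        "database": secret.get("dbname"),
    }


def get_db_connect_kwargs(secret_id, secrets_client=None):
    """Fetch the secret (Secrets Manager decrypts it transparently) and parse it."""
    if secrets_client is None:
        import boto3   # only needed when running inside Lambda
        secrets_client = boto3.client("secretsmanager")
    response = secrets_client.get_secret_value(SecretId=secret_id)
    if "SecretString" not in response:
        raise ValueError("secret %s is binary; expected a JSON SecretString" % secret_id)
    return parse_db_secret(response["SecretString"])


def _response(status, body):
    """API Gateway proxy-integration response shape."""
    return {"statusCode": status, "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}


def lambda_handler(event, context, secrets_client=None, connect=None):
    """Entry point invoked by API Gateway. Reads the master credentials from
    Secrets Manager, connects to RDS over the VPC, runs one query and returns it."""
    secret_id = os.environ.get("DB_SECRET_ID", DEMO_SECRET_ID)
    try:
        kwargs = get_db_connect_kwargs(secret_id, secrets_client)
    except Exception as exc:
        # Log the detail for CloudWatch, but never return secret names or
        # exception text to the caller behind the public API.
        print("secret retrieval failed: %r" % exc)
        return _response(500, {"error": "database credentials unavailable"})
    if connect is None:
        import pymysql  # only needed when running inside Lambda
        connect = pymysql.connect
    conn = connect(connect_timeout=5, **kwargs)
    try:
        with conn.cursor() as cur:
            cur.execute("SELECT VERSION()")
            version = cur.fetchone()[0]
    finally:
        conn.close()
    return _response(200, {"db_version": version})
```

Because the function runs in the private subnets, its call to the Secrets Manager endpoint leaves the VPC through the NAT Gateway the template creates (or through a VPC interface endpoint for Secrets Manager if you add one); without one of those the `get_secret_value` call hangs until the function times out.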
To deploy the template for the base infrastructure, complete the following steps:
To deploy the second CloudFormation template, deploy it directly via the console. You can get the template here.
Take note of the APIGatewayURL output, as we will use this URL frequently for testing.
python sendRequest.py 'APIGatewayURL'
Once the command runs successfully, you should see Response code 200 with Response data as shown here:
END OF SECTION 1