AWS – Which PaaS services require a VPC?

AWS Security Architect, Sat, 24 Sep 2022
https://awssecurityarchitect.com/paas-security/aws-which-paas-services-require-a-vpc/

Several PaaS services run on the compute platform (Compute Engine on GCP and EC2 on AWS). These services ARE actually part of your VPC – even though it may seem like they are not (due to the misconception that PaaS means global…)

On GCP, these would include:

App Engine, App Engine Flex, Cloud SQL and Dataproc, among others.

On AWS, these would include:

  • AWS Elastic Beanstalk
  • Amazon RDS
  • Amazon EMR
  • Amazon Redshift

So, which PaaS Services DO NOT belong in a VPC?

  • Cloud Storage on GCP and S3 on AWS are storage services that are always accessible from the Internet (there IS a way to block off the public IP).
  • You never have to spin up an S3 instance the way you do an RDS instance, so it does not belong in the VPC. Compute Engine instances and EC2 instances need to be able to reach the Internet, or reach VPC endpoints, to use S3 / Cloud Storage.
  • Serverless functions (Lambda on AWS, Cloud Functions on GCP) CAN be connected to a VPC (by default, they are not). If connected to a VPC, they can only access resources within the VPC (or use a NAT Gateway for access to the Internet). If not connected to a VPC, Internet access is direct.
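
An added example (not from the original post) of auditing the Lambda behaviour described above: it classifies each function's Internet egress path from constructed sample data shaped like `aws lambda list-functions` and `aws ec2 describe-route-tables` output. The function names, resource IDs and the single-VPC, IPv4-only scope are assumptions.

```python
import json

# Constructed sample data, trimmed to the fields used and shaped like the output of
# `aws lambda list-functions` and `aws ec2 describe-route-tables`.
FUNCTIONS = json.loads("""[
 {"FunctionName": "thumbnailer"},
 {"FunctionName": "legacy", "VpcConfig": {"VpcId": "", "SubnetIds": []}},
 {"FunctionName": "billing-sync", "VpcConfig": {"VpcId": "vpc-0a1", "SubnetIds": ["subnet-priv1"]}},
 {"FunctionName": "db-migrate", "VpcConfig": {"VpcId": "vpc-0a1", "SubnetIds": ["subnet-iso1"]}},
 {"FunctionName": "web-hook", "VpcConfig": {"VpcId": "vpc-0a1", "SubnetIds": ["subnet-pub1"]}}
]""")
ROUTE_TABLES = json.loads("""[
 {"Associations": [{"SubnetId": "subnet-priv1"}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0f1"}]},
 {"Associations": [{"SubnetId": "subnet-pub1"}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0c1"}]},
 {"Associations": [{"Main": true}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}
]""")

def routes_by_subnet(route_tables):
    """Map subnet id -> routes; key None holds the VPC's main route table."""
    table = {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main") or "SubnetId" in assoc:
                table[assoc.get("SubnetId")] = rt["Routes"]
    return table

def egress_path(fn, table):
    """Classify one function's IPv4 Internet egress path."""
    subnets = (fn.get("VpcConfig") or {}).get("SubnetIds") or []
    if not subnets:
        return "direct-internet"  # not connected to a VPC
    paths = set()
    for subnet in subnets:
        routes = table.get(subnet, table.get(None, []))  # fall back to main table
        default = [r for r in routes if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
        # Only a NAT gateway route gives egress: a function's network interface has
        # no public IP, so a default route to an internet gateway does not help.
        paths.add("nat-gateway" if any(r.get("NatGatewayId") for r in default) else "vpc-only")
    return "mixed" if len(paths) > 1 else paths.pop()

def audit(functions, route_tables):
    table = routes_by_subnet(route_tables)
    return {fn["FunctionName"]: egress_path(fn, table) for fn in functions}

if __name__ == "__main__":
    for name, path in audit(FUNCTIONS, ROUTE_TABLES).items():
        print(f"{name:14} {path}")
```

Functions reported as `direct-internet` bypass any VPC-level egress controls, which makes them the ones to review first when outbound traffic is expected to be inspected or restricted.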

Summary
