The lambda-in-private-vpc repository implements a multi-region serverless architecture deployed across AWS regions eu-west-1 and eu-central-1. The system consists of AWS Lambda functions (audittest and database) running in isolated VPCs with no internet gateway, exposed via API Gateway endpoints protected by AWS WAF v2. DynamoDB Global Tables provide cross-region data replication. The architecture targets 99.99% availability through active/active deployment with Route 53 weighted routing and health-check-based failover.
All infrastructure is defined in five CloudFormation templates: template.yml (core infrastructure), route53.yml (DNS routing), waf.yml (web application firewall), app.yml (AWS Resilience Hub configuration), and disaster-recovery.yml (fault injection experiments). GitHub Actions workflows in .github/workflows/ automate validation, deployment, security scanning, and release processes.
Sources: README.md1-28 README.md517-524
The system deploys identical infrastructure stacks to two regions with the following components:
- VPC CIDR: 10.1.0.0/16 in eu-west-1, 10.5.0.0/16 in eu-central-1
- Lambda functions: audittest (health check handler), database (DynamoDB operations)
- Permitted DNS egress: *.amazonaws.com only (Route 53 Resolver DNS Firewall)

The CloudFormation stack deployment sequence is enforced by .github/workflows/main.yml: the Ireland (eu-west-1) stack first, the Frankfurt (eu-central-1) stack second (consuming Ireland's outputs), then the auxiliary stacks (route53, waf, app, disaster-recovery) in parallel.
Sources: README.md169-244 README.md246-257
The system enforces the following recovery time objectives (RTO) and recovery point objectives (RPO) through AWS Resilience Hub policy compliance defined in app.yml28-98:
| Failure Domain | RTO | RPO | Implementation |
|---|---|---|---|
| Regional | 3600s | 5s | Route 53 weighted routing with health checks, active/active regions |
| Availability Zone | 1s | 1s | Three private subnets per region across AZs |
| Hardware | 1s | 1s | AWS-managed infrastructure redundancy |
| Software | 5400s | 300s | SSM automation documents, DynamoDB PITR |

DynamoDB Global Table replication provides the cross-region RPO. A Global Table requires a StreamSpecification with StreamViewType: NEW_AND_OLD_IMAGES, which template.yml sets; replication between replicas is asynchronous (normally sub-second), so the 5 s regional RPO is a replication-lag target, and writes committed in a region that becomes unreachable are not visible in the other region until replication catches up.
Sources: README.md383-391 app.yml28-98
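The regional failover in the table depends on Route 53 weighted records with health checks. The following Python model, added here and not code from the lambda-in-private-vpc repository, shows how Route 53 selects between the two regional records as health changes, how an operator drains a region with weight 0, and how much of the regional RTO the DNS layer alone consumes. The record weights, health check names, probe interval, failure threshold and TTL are assumptions, not values taken from route53.yml.

```python
"""Added example, not part of the lambda-in-private-vpc repository: a model of
how Route 53 weighted records with health checks move traffic between the two
regions, and the DNS-layer share of the regional RTO. Health-check interval,
failure threshold and record TTL are assumptions; route53.yml's real values
are not reproduced here.
"""
import random

# Constructed weighted records, one per regional API Gateway endpoint.
RECORDS = {
    "eu-west-1":    {"weight": 50, "health_check": "hc-ireland"},
    "eu-central-1": {"weight": 50, "health_check": "hc-frankfurt"},
}


def answer_set(records, health):
    """Records Route 53 is willing to answer with.

    Records whose health check is failing are withheld; if every record is
    failing, Route 53 answers with all of them rather than with nothing
    (it assumes the checks, not all the targets, are wrong).
    """
    healthy = {k: v for k, v in records.items() if health.get(v["health_check"], True)}
    return healthy or dict(records)


def distribution(records, health):
    """Probability that each region is returned for one query."""
    answers = answer_set(records, health)
    total = sum(r["weight"] for r in answers.values())
    if total == 0:  # every weight is 0: Route 53 answers with equal probability
        return {k: 1 / len(answers) for k in answers}
    return {k: r["weight"] / total for k, r in answers.items() if r["weight"] > 0}


def pick_region(records, health, rng=random):
    """Simulate one DNS answer as a weighted random choice."""
    dist = distribution(records, health)
    return rng.choices(list(dist), weights=list(dist.values()), k=1)[0]


def drain_region(records, region):
    """Operator-initiated shift: weight 0 withdraws a region without touching health checks."""
    drained = {k: dict(v) for k, v in records.items()}
    drained[region]["weight"] = 0
    return drained


def worst_case_failover_seconds(request_interval, failure_threshold, record_ttl):
    """Upper bound from a region failing to clients reaching the other region.

    Route 53 marks the endpoint unhealthy only after `failure_threshold`
    consecutive failed probes `request_interval` seconds apart (30 s standard,
    10 s fast); resolvers then keep the cached answer until `record_ttl` expires.
    """
    return request_interval * failure_threshold + record_ttl
```

With the assumed 30 s interval, threshold of 3 and a 60 s TTL, the DNS layer needs at most 150 s to move clients, a small fraction of the 3600 s regional RTO in the policy; the remainder of that budget is headroom for everything that is not DNS. Note that the all-unhealthy fallback means a bug in the /healthcheck handler that fails in both regions does not black-hole traffic, but it also means a health check that fails for a reason unrelated to the region being down will silently send traffic to a region that may not be serving correctly.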
Templates are deployed in strict sequence by .github/workflows/main.yml. The core template must complete in both regions before the auxiliary templates can execute.
| File | Primary Resources | Dependencies |
|---|---|---|
| template.yml | AWS::EC2::VPC, AWS::Lambda::Function (audittest, database), AWS::ApiGateway::RestApi, AWS::DynamoDB::GlobalTable, AWS::EC2::NetworkAcl, AWS::Route53Resolver::FirewallRuleGroup, AWS::EC2::VPCEndpoint, AWS::Logs::LogGroup, AWS::KMS::Key | None |
| route53.yml | AWS::Route53::RecordSet (weighted A/AAAA), AWS::Route53::HealthCheck | Consumes API Gateway outputs from template.yml |
| waf.yml | AWS::WAFv2::WebACL, AWS::WAFv2::WebACLAssociation | Consumes API Gateway ARN outputs |
| app.yml | AWS::ResilienceHub::App, AWS::ResilienceHub::ResiliencyPolicy | Consumes Lambda, DynamoDB ARNs |
| disaster-recovery.yml | AWS::FIS::ExperimentTemplate, AWS::SSM::Document | Consumes all resource ARNs |

The GitHub Actions workflows in .github/workflows/ are:
| Workflow | Trigger | Jobs | Purpose |
|---|---|---|---|
| .github/workflows/main.yml | workflow_dispatch | security-gate, deploy-ireland, deploy-frankfurt, deploy-route53, deploy-waf, deploy-resilience-hub, deploy-disaster-recovery, tag-release | Sequential multi-region deployment with security validation |
| .github/workflows/pullrequest.yml | pull_request | validate-templates | cfn-lint, cfn-nag, Checkov static analysis |
| .github/workflows/dependency-review.yml | pull_request | dependency-review | GitHub dependency graph vulnerability scanning |
| .github/workflows/scorecard.yml | push, schedule | analysis | OpenSSF Scorecard supply chain security assessment |

Sources: README.md517-524 .github/workflows/main.yml .github/workflows/pullrequest.yml
This diagram maps runtime components to their defining CloudFormation resources and template files.
Key CloudFormation resource types:
- AWS::EC2::VPC: network isolation boundary with RFC 1918 CIDR blocks
- AWS::Lambda::Function: serverless compute with VpcConfig (subnets and security groups)
- AWS::ApiGateway::RestApi: REST API endpoint with custom domain name (the API Gateway type a WAFv2 web ACL can be associated with)
- AWS::DynamoDB::GlobalTable: multi-region replicated table with Replicas property
- AWS::Route53::RecordSet: DNS records with weighted routing policy
- AWS::WAFv2::WebACL: web application firewall with managed rule groups

Sources: template.yml route53.yml waf.yml disaster-recovery.yml
The .github/workflows/main.yml workflow orchestrates deployment through sequential jobs with strict dependencies. Each job runs AWS CLI cloudformation deploy commands with stack-specific parameters.
Deployment Job Sequence
Job dependencies are enforced via the needs keyword in .github/workflows/main.yml. Stack outputs are passed between jobs as GitHub Actions job outputs and consumed as CloudFormation parameters (the Frankfurt stack, for example, takes the Ireland stack's outputs as parameters).
Sources: .github/workflows/main.yml README.md462-501
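Because the ordering lives entirely in the `needs` declarations, a job added later without `needs` silently escapes the security gate. The following Python check, added here and not code from the lambda-in-private-vpc repository, walks a job graph and verifies the three rules the sequence above relies on: every job runs after security-gate, deploy-frankfurt runs after deploy-ireland, and each auxiliary stack runs after both regions. The job names match main.yml; the `needs` edges in MAIN_WORKFLOW_JOBS are a constructed approximation, not copied from the real workflow.

```python
"""Added example, not code from the lambda-in-private-vpc repository: verify
that a GitHub Actions job graph enforces the deployment ordering described
in the page. Job names match main.yml; the `needs` edges are constructed
assumptions, not copied from the real workflow.
"""
from collections import deque

# Constructed stand-in for the `needs:` declarations in main.yml.
MAIN_WORKFLOW_JOBS = {
    "security-gate": [],
    "deploy-ireland": ["security-gate"],
    "deploy-frankfurt": ["deploy-ireland"],
    "deploy-route53": ["deploy-ireland", "deploy-frankfurt"],
    "deploy-waf": ["deploy-ireland", "deploy-frankfurt"],
    "deploy-resilience-hub": ["deploy-ireland", "deploy-frankfurt"],
    "deploy-disaster-recovery": ["deploy-ireland", "deploy-frankfurt"],
    "tag-release": ["deploy-route53", "deploy-waf",
                    "deploy-resilience-hub", "deploy-disaster-recovery"],
}

AUXILIARY = ("deploy-route53", "deploy-waf", "deploy-resilience-hub", "deploy-disaster-recovery")


def ancestors(jobs, name):
    """Every job that must finish before `name` (transitive closure of `needs`)."""
    seen, stack = set(), list(jobs[name])
    while stack:
        job = stack.pop()
        if job not in seen:
            seen.add(job)
            stack.extend(jobs[job])
    return seen


def execution_order(jobs):
    """Kahn's algorithm over `needs`; a cycle means GitHub would reject the workflow."""
    indegree = {j: len(n) for j, n in jobs.items()}
    dependents = {j: [] for j in jobs}
    for job, needs in jobs.items():
        for need in needs:
            dependents[need].append(job)
    ready = deque(sorted(j for j, d in indegree.items() if d == 0))
    order = []
    while ready:
        job = ready.popleft()
        order.append(job)
        for dep in sorted(dependents[job]):
            indegree[dep] -= 1
            if indegree[dep] == 0:
                ready.append(dep)
    if len(order) != len(jobs):
        raise ValueError("cycle in job graph")
    return order


def sequence_violations(jobs):
    """Ordering rules from the page; an empty list means the graph enforces them."""
    problems = []
    for job in jobs:
        if job != "security-gate" and "security-gate" not in ancestors(jobs, job):
            problems.append(f"{job} can run before security-gate")
    if "deploy-frankfurt" in jobs and "deploy-ireland" not in ancestors(jobs, "deploy-frankfurt"):
        problems.append("deploy-frankfurt does not wait for deploy-ireland outputs")
    for aux in AUXILIARY:
        if aux in jobs:
            missing = {"deploy-ireland", "deploy-frankfurt"} - ancestors(jobs, aux)
            for region_job in sorted(missing):
                problems.append(f"{aux} does not wait for {region_job}")
    return problems


def with_ungated_job(jobs):
    """Constructed regression: a new deploy job added without any `needs`."""
    broken = {j: list(n) for j, n in jobs.items()}
    broken["deploy-hotfix"] = []
    return broken
```

To run this against the real workflow, load main.yml with a YAML parser and build the dictionary from each job's `needs` entry (a string or a list). The check is deliberately transitive: deploy-route53 does not have to name security-gate directly, it only has to be unreachable without it.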
Defense-in-depth implementation across network, application, data, and identity layers:
| Layer | CloudFormation Resource | Configuration |
|---|---|---|
| Application | AWS::WAFv2::WebACL (waf.yml) | ManagedRuleGroupStatement: AWSManagedRulesCommonRuleSet, AWSManagedRulesKnownBadInputsRuleSet, AWSManagedRulesLinuxRuleSet, AWSManagedRulesUnixRuleSet, AWSManagedRulesAmazonIpReputationList, AWSManagedRulesAnonymousIpList |
| Network | AWS::EC2::NetworkAcl (template.yml) | Inbound: deny TCP 3389 (RDP). Outbound: allow TCP 443 only |
| Network | AWS::EC2::SecurityGroup (template.yml) | Ingress: none. Egress: Lambda to VPC endpoints only |
| Network | AWS::EC2::VPC (template.yml) | No AWS::EC2::InternetGateway resource. No NAT gateway. |
| DNS | AWS::Route53Resolver::FirewallRuleGroup (template.yml) | FirewallRules: ALLOW *.amazonaws.com (priority 100), BLOCK all (priority 200) |
| Data | AWS::KMS::Key (template.yml) | EnableKeyRotation: true. Used by AWS::Logs::LogGroup, AWS::SNS::Topic |
| Identity | AWS::IAM::Role (template.yml) | LambdaFunctionRole: AWSLambdaVPCAccessExecutionRole managed policy + dynamodb:GetItem/PutItem. ApiRole: logs:CreateLogGroup. FlowLogsRole: logs:CreateLogStream |

Security group rules permit Lambda egress to the VPC endpoints only; no security group allows ingress from 0.0.0.0/0. Two caveats apply when reading the table. Network ACLs are stateless, so the inbound rule set must still admit return traffic on ephemeral ports from the endpoint ENIs, or the TCP 443 egress cannot complete a handshake. And the DNS firewall constrains only which names resolve, not where packets go: with no internet or NAT gateway, the effective egress boundary is the set of VPC endpoints and their endpoint policies.
Sources: template.yml waf.yml README.md259-317
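The table describes invariants that the pull-request workflow's cfn-lint/cfn-nag/Checkov stage is meant to hold. The following Python check, added here and not code from the lambda-in-private-vpc repository, encodes the network and data invariants as a policy-as-code test over a parsed template: no internet or NAT gateway, every Lambda attached to the VPC, no 0.0.0.0/0 ingress, KMS key rotation on, Global Table stream settings, and a catch-all BLOCK rule ordered after the ALLOW rule in the DNS firewall. GOOD_TEMPLATE is a constructed, minimal stand-in for template.yml; its logical resource names are assumptions, not the repository's.

```python
"""Added example, not code from the lambda-in-private-vpc repository: a
policy-as-code check for the invariants the security table lists (no
internet or NAT gateway, Lambda confined to the VPC, no 0.0.0.0/0 ingress,
KMS key rotation, Global Table stream settings, DNS firewall default-deny).
GOOD_TEMPLATE is a constructed, minimal stand-in for template.yml; the
logical resource names are assumptions, not the repository's.
"""
import copy

GOOD_TEMPLATE = {"Resources": {
    "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.1.0.0/16"}},
    "LambdaSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "VpcId": {"Ref": "Vpc"},
        "SecurityGroupEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                 "DestinationSecurityGroupId": {"Ref": "EndpointSg"}}]}},
    "EndpointSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "VpcId": {"Ref": "Vpc"},
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                  "CidrIp": "10.1.0.0/16"}]}},
    "AuditTest": {"Type": "AWS::Lambda::Function", "Properties": {
        "VpcConfig": {"SubnetIds": [{"Ref": "SubnetA"}], "SecurityGroupIds": [{"Ref": "LambdaSg"}]}}},
    "LogKey": {"Type": "AWS::KMS::Key", "Properties": {"EnableKeyRotation": True}},
    "Table": {"Type": "AWS::DynamoDB::GlobalTable", "Properties": {
        "StreamSpecification": {"StreamViewType": "NEW_AND_OLD_IMAGES"},
        "Replicas": [{"Region": "eu-west-1"}, {"Region": "eu-central-1"}]}},
    "DnsFirewall": {"Type": "AWS::Route53Resolver::FirewallRuleGroup", "Properties": {
        "FirewallRules": [{"Action": "ALLOW", "Priority": 100, "FirewallDomainListId": "aws-domains"},
                          {"Action": "BLOCK", "Priority": 200, "FirewallDomainListId": "all-domains"}]}},
}}

# Any of these gives a private VPC a path to the internet.
INTERNET_PATH_TYPES = {"AWS::EC2::InternetGateway", "AWS::EC2::VPCGatewayAttachment",
                       "AWS::EC2::NatGateway", "AWS::EC2::EgressOnlyInternetGateway"}
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def resources_of(template, rtype):
    """(logical name, Properties) for every resource of the given type."""
    return [(name, res.get("Properties", {}))
            for name, res in template["Resources"].items() if res.get("Type") == rtype]


def is_open(rule):
    """True when a security group rule admits the whole IPv4 or IPv6 internet."""
    return rule.get("CidrIp") in OPEN_CIDRS or rule.get("CidrIpv6") in OPEN_CIDRS


def check_template(template):
    """Return human-readable findings; an empty list means every invariant holds."""
    findings = []
    for name, res in template["Resources"].items():
        if res.get("Type") in INTERNET_PATH_TYPES:
            findings.append(f"{name}: {res['Type']} breaks the no-internet-path invariant")
    for name, props in resources_of(template, "AWS::EC2::SecurityGroup"):
        if any(is_open(r) for r in props.get("SecurityGroupIngress", [])):
            findings.append(f"{name}: security group ingress from the internet")
    for name, props in resources_of(template, "AWS::EC2::SecurityGroupIngress"):
        if is_open(props):  # standalone ingress rule resources count too
            findings.append(f"{name}: security group ingress from the internet")
    for name, props in resources_of(template, "AWS::Lambda::Function"):
        vpc = props.get("VpcConfig", {})
        if not vpc.get("SubnetIds") or not vpc.get("SecurityGroupIds"):
            findings.append(f"{name}: Lambda function is not attached to the VPC")
    for name, props in resources_of(template, "AWS::KMS::Key"):
        if props.get("EnableKeyRotation") is not True:
            findings.append(f"{name}: KMS key rotation is not enabled")
    for name, props in resources_of(template, "AWS::DynamoDB::GlobalTable"):
        if props.get("StreamSpecification", {}).get("StreamViewType") != "NEW_AND_OLD_IMAGES":
            findings.append(f"{name}: Global Table stream must be NEW_AND_OLD_IMAGES")
        if len(props.get("Replicas", [])) < 2:
            findings.append(f"{name}: fewer than two replicas, no cross-region RPO")
    for name, props in resources_of(template, "AWS::Route53Resolver::FirewallRuleGroup"):
        rules = props.get("FirewallRules", [])
        allows = [r["Priority"] for r in rules if r["Action"] == "ALLOW"]
        blocks = [r["Priority"] for r in rules if r["Action"] == "BLOCK"]
        # Lower Priority is evaluated first, so the catch-all BLOCK must sort after every ALLOW.
        if not blocks or (allows and max(blocks) <= max(allows)):
            findings.append(f"{name}: no catch-all BLOCK rule after the ALLOW rules")
    return findings


def drifted_template():
    """Constructed drift: an internet gateway, an open ingress rule and a Lambda outside the VPC."""
    bad = copy.deepcopy(GOOD_TEMPLATE)
    bad["Resources"]["Igw"] = {"Type": "AWS::EC2::InternetGateway"}
    bad["Resources"]["EndpointSg"]["Properties"]["SecurityGroupIngress"].append(
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"})
    del bad["Resources"]["AuditTest"]["Properties"]["VpcConfig"]
    return bad
```

To apply this to the real template.yml, load it with a YAML loader that understands the short-form intrinsic tags (!Ref, !Sub, !GetAtt) rather than plain yaml.safe_load, which rejects them. The DNS firewall check compares only Priority and Action; it does not resolve the FirewallDomainListId references, so a BLOCK rule pointing at a narrow domain list would still pass and should be confirmed by inspecting the referenced AWS::Route53Resolver::FirewallDomainList.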
The app.yml template defines an AWS::ResilienceHub::App resource that references a GlobalMissionCritical resiliency policy with RTO/RPO objectives per failure domain. The disaster-recovery.yml template creates four AWS::FIS::ExperimentTemplate resources that inject faults to validate recovery procedures.
Resilience Policy Enforcement and Validation
FIS experiments execute SSM automation documents that inject IAM deny policies, delete DynamoDB tables, or trigger recovery procedures. Route 53 health checks probe each region's API Gateway /healthcheck endpoint; a record whose check fails is withheld from weighted responses, so traffic shifts to the surviving region without any routing change being applied (if both checks fail, Route 53 answers with both records).
Sources: app.yml disaster-recovery.yml README.md393-458
This wiki covers the following areas in detail:
| Section | Topic |
|---|---|
| Architecture | Two-region design, VPC layout, DynamoDB replication, Route 53 routing |
| CI/CD Pipelines | All four GitHub Actions workflows, deployment sequencing, caching |
| Infrastructure as Code | All five CloudFormation templates in detail |
| Resilience and Disaster Recovery | Resilience Hub policy, FIS experiments, CloudWatch alarms, SOPs |
| Security | Network controls, WAF, encryption, IAM, supply chain |
| Operations | Monitoring guide, troubleshooting, runbooks |
| Reference | Architecture diagrams, contributing guidelines, glossary |