by fulafel 2477 days ago
This is true; AWS is pretty anti-internet in all their architecture recommendations. IMO security is better done by firewalling and protocol-level authentication (belt + suspenders) because it keeps your configuration clean and understandable, and complexity is the enemy of security.

The attitude has two things in AWS's interest: 1) keep lock-in by encouraging customers to build AWS-internal networks; 2) don't scare away the lift-and-shift customers who want to transplant their 1990s-style "intranet" (or mental model, at least) onto AWS.

It also explains why they aren't very keen on IPv6, because that would encourage internetworking.

Just don't tell anyone that you can access the AWS console from the internet :)


It’s never been considered best practice to expose services needlessly to the Internet. I’m as far from an old-school net ops guy as you can get and jump at any new AWS technology that’s feasible as much as anyone, but it would be the height of stupidity for me to expose my Aurora cluster to the Internet. Good luck explaining that to your external auditors.
Of course. I'm just saying that firewalling and end-to-end security are better ways of doing that than routing and ambiguous (RFC 1918) addressing. Never trust the network, lest you end up making yours soft and chewy on the inside.
How do you propose you firewall your database access and only allow certain IP addresses when you need access from lambda when the lambda is always run from a random location on AWS’s network?

A lambda is never run “from within your VPC”, it’s attached via an ENI (or at least it was).

Yeah, this kind of thing is part of what I meant when I criticised AWS encouraging VPC use instead of end-to-end security.

But off the top of my head, you could always use the firewall API from the lambda to open network access between it and the RDS when the lambda starts. (In addition to using certs or IAM security on your TLS connection to the RDS db)

And then you are depending on a proprietary connection and authentication protocol instead of being able to use the standard MySQL/Postgres drivers.

Also, how do you handle the commercial hosted databases like SQL Server and Oracle?

Certs are a standard feature. IAM doesn't require nonstandard client or protocol features either (see https://aws.amazon.com/premiumsupport/knowledge-center/users...).

I think client certs work fine with SQL Server and Oracle too, with standard clients.

But I'm sure you can come up with imagined scenarios where you end up cornered to use VPCs. I get it, these situations may exist. I'm just saying they suck, not that you'll never have to resort to them.
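Added example, not from anyone in this thread: how the IAM path above keeps the standard Postgres/MySQL driver. The "password" is a short-lived SigV4-signed `connect` request, built here with the standard library only so it runs offline (in practice boto3's `generate_db_auth_token` produces it); the endpoint, user, keys and CA path are constructed placeholders.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholders: not a real endpoint, user or key pair.
DB_HOST = "example-cluster.cluster-abc123.us-east-1.rds.amazonaws.com"
DB_PORT = 5432
DB_USER = "app_ro"
REGION = "us-east-1"
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE"
SECRET_KEY = "EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret"
EXAMPLE_TIME = datetime.datetime(2020, 1, 1, tzinfo=datetime.timezone.utc)  # fixed for reproducibility


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def rds_iam_auth_token(host, port, user, region, access_key, secret_key, now=None):
    """SigV4 presigned 'connect' request, the string RDS accepts as a password.
    Same shape as boto3's generate_db_auth_token output: presigned URL without the
    scheme, valid 15 minutes, signed with a derived key so the IAM secret never travels."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/rds-db/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": "900",
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                     for k, v in sorted(params.items()))
    canonical = "\n".join(["GET", "/", query, f"host:{host}:{port}\n", "host",
                           hashlib.sha256(b"").hexdigest()])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode(), amz_date[:8])
    for part in (region, "rds-db", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host}:{port}/?{query}&X-Amz-Signature={signature}"


def connection_kwargs(token):
    # Plain psycopg2-style arguments: token as the password, TLS with CA verification
    # required, because the token is a bearer credential for its 15-minute lifetime.
    return {"host": DB_HOST, "port": DB_PORT, "user": DB_USER, "password": token,
            "sslmode": "verify-full", "sslrootcert": "/path/to/rds-ca-bundle.pem"}
```

On the database side the user still has to be enabled for IAM (on PostgreSQL, `GRANT rds_iam TO app_ro`), and RDS only accepts the token over TLS, so `verify-full` costs nothing extra.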