Class X8ServerlessContainerApi

Construct to provision Well Architected, serverless, container-based APIs (ECS on Fargate behind an Application Load Balancer and CloudFront).

Infrastructure Diagram

[Diagram: Serverless Container Infrastructure]

Default Configuration

  • Validated public certificate for the API domain
  • Web Application Firewalls (on the CloudFront distribution and on the public ALB)
  • Application Load Balancer
  • VPC with 3 subnet tiers: PUBLIC, PRIVATE and ISOLATED
  • CloudFront Distribution
  • ECS Cluster with a Fargate Service
  • CPU and memory based autoscaling strategy

Note: This construct expects a Route 53 HostedZone for x8DomainName to already exist in the same AWS account; it is used for certificate validation and for the API's DNS records.

Default Alarms

  1. Cert Expiration Alarm
    • Risk Level: High
    • Well Architected Pillar: Reliability
  2. API Gateway Server Error Alarm
    • Risk Level: Medium
    • Well Architected Pillar: Reliability, Performance
  3. 4xx error alerts
    • Risk Level: Medium
    • Well Architected Pillar: Reliability, Operational Excellence
  4. 5xx error alerts
    • Risk Level: High
    • Well Architected Pillar: Reliability, Operational Excellence
  5. CloudWatch Total Error Rate Alarm
    • Risk Level: Low
    • Well Architected Pillar: Reliability
  6. CPU Utilization alerts
    • Risk Level: Medium
    • Well Architected Pillar: Reliability, Performance, Operational Excellence
  7. Memory Utilization alert
    • Risk Level: Low
    • Well Architected Pillar: Reliability, Performance, Operational Excellence

Note that the default alarms use the WaAlarm construct, which by default sets up an alarm action that notifies the SNS Topic AlarmEventsTopic.

Examples

Default Usage

    import * as ecr from "aws-cdk-lib/aws-ecr";
    import * as ecs from "aws-cdk-lib/aws-ecs";
    // X8ServerlessContainerApi is imported from this library's package.

    // ECR repositories holding the service images (repository names assumed here).
    const userRepo = ecr.Repository.fromRepositoryName(this, "UserRepo", "user-api");
    const accountRepo = ecr.Repository.fromRepositoryName(this, "AccountRepo", "account-api");

    // Provisions the certificate, WAFs, ALB, CloudFront distribution and the
    // ECS/Fargate cluster for api.cre8ivelogix.com. A Route 53 HostedZone for
    // cre8ivelogix.com must already exist in this account.
    const api = new X8ServerlessContainerApi(this, "Api", {
      x8DomainName: "cre8ivelogix.com",
      x8SubDomain: "api"
    });

    // Add a Microservice app reachable at api.cre8ivelogix.com/user
    api.addService({
      x8Image: ecs.ContainerImage.fromEcrRepository(userRepo, "1.0"),
      x8ServiceName: "UserApi",
      x8PathPattern: "/user"
    });

    // Add a Microservice app reachable at api.cre8ivelogix.com/account,
    // with a larger Fargate task size than the default
    api.addService({
      x8Image: ecs.ContainerImage.fromEcrRepository(accountRepo, "1.0"),
      x8ServiceName: "AccountApi",
      x8PathPattern: "/account",
      x8FargateTaskDefinitionProps: {
        cpu: 4096,
        memoryLimitMiB: 8192
      },
    });

Compliance

The construct addresses the following compliance requirements:

  1. Highly available NAT Gateway in use
    • Risk Level: Medium
    • Compliance: APRA, MAS, NIST4
    • Well Architected Pillar: Performance Efficiency
  2. Certificate Expiration Alarms
    • Risk Level: High
    • Compliance: PCI, APRA, MAS, NIST4
    • Well Architected Pillar: Operational Excellence
  3. Ensure ALB is always using https, by redirecting http to https
    • Risk Level: High
    • Compliance: PCI, APRA, NIST4
    • Well Architected Pillar: Security
  4. Enable access logs in production
    • Risk Level: Medium
    • Compliance: PCI, HIPAA, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  5. Cross Zone load balancing enabled
    • Risk Level: Medium
    • Compliance: NIST4
    • Well Architected Pillar: Reliability
  6. Security group to only allow https traffic
    • Risk Level: High
    • Compliance: PCI, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  7. Cloudfront origin should not use insecure protocols
    • Risk Level: Medium
    • Compliance: PCI, HIPAA, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  8. Cloudfront logging enabled
    • Risk Level: Low
    • Compliance: PCI, HIPAA, GDPR, APRA, NIST4
    • Well Architected Pillar: Operational Excellence
  9. Cloudfront uses enhanced security policy min TLS1.2
    • Risk Level: High
    • Compliance: PCI, HIPAA, MAS, NIST4
    • Well Architected Pillar: Security
  10. Cloudfront uses only secure protocol to communicate with origin
    • Risk Level: Medium
    • Compliance: PCI, HIPAA, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  11. Cloudfront uses only secure protocol to communicate with end users
    • Risk Level: High
    • Compliance: PCI, HIPAA, NIST4
    • Well Architected Pillar: Security
  12. Encrypted storage
    • Risk Level: High
    • Compliance: NIST4
    • Well Architected Pillar: Security
  13. Do not assign public IP to Fargate service
    • Risk Level: Medium
    • Compliance: NIST4
    • Well Architected Pillar: Security
  14. ECS task log driver in use
    • Risk Level: High
    • Compliance: NA
    • Well Architected Pillar: Security, Operational Excellence
  15. CloudWatch container insights
    • Risk Level: Low
    • Compliance: NA
    • Well Architected Pillar: Reliability, Operational Excellence
  16. Allow traffic to Private subnet only from ALB security group
    • Risk Level: Medium
    • Compliance: NA
    • Well Architected Pillar: Security
  17. Cost Optimization
    • Risk Level: Low
    • Compliance: NA
    • Well Architected Pillar: Cost Optimization
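The items above are the construct's claims; a practitioner will want to confirm them against what is actually deployed. The following check is added here as an example and is not part of the X8ServerlessContainerApi library: it reads a synthesized CloudFormation template (the JSON that `cdk synth` writes to cdk.out) and reports every place where items 3, 4, 6, 7, 9, 10, 11, 13 and 14 do not hold: an HTTP listener that is not a redirect, a world-open security-group rule on anything but 443, an ALB without access logs, a CloudFront distribution below TLS 1.2, speaking plain HTTP to viewers or origin, or without logging, a Fargate service with a public IP, and a container without a log driver. The template embedded below is constructed for the example with illustrative logical IDs; it is not output from this construct.

```typescript
// Added example, not part of the X8ServerlessContainerApi library: a
// policy-as-code check over a synthesized CloudFormation template.
type Resource = { Type: string; Properties?: any };
type Template = { Resources: { [logicalId: string]: Resource } };

// Collect [logicalId, Properties] pairs for one CloudFormation resource type.
function resourcesOfType(t: Template, type: string): [string, any][] {
  const out: [string, any][] = [];
  for (const id in t.Resources) {
    const r = t.Resources[id];
    if (r.Type === type) out.push([id, r.Properties || {}]);
  }
  return out;
}

// Returns one human-readable finding per violated control; empty means clean.
function checkTemplate(t: Template): string[] {
  const findings: string[] = [];

  // Item 3: a plaintext HTTP listener may exist only to redirect to HTTPS.
  for (const [id, p] of resourcesOfType(t, "AWS::ElasticLoadBalancingV2::Listener")) {
    if (p.Protocol !== "HTTP") continue;
    const action = (p.DefaultActions || [])[0] || {};
    if (action.Type !== "redirect" || !action.RedirectConfig || action.RedirectConfig.Protocol !== "HTTPS") {
      findings.push(id + ": HTTP listener does not redirect to HTTPS");
    }
  }

  // Item 6: ingress open to the world is allowed on 443 only.
  for (const [id, p] of resourcesOfType(t, "AWS::EC2::SecurityGroup")) {
    for (const rule of p.SecurityGroupIngress || []) {
      const worldOpen = rule.CidrIp === "0.0.0.0/0" || rule.CidrIpv6 === "::/0";
      if (worldOpen && !(rule.FromPort === 443 && rule.ToPort === 443)) {
        findings.push(id + ": world-open ingress on ports " + rule.FromPort + "-" + rule.ToPort);
      }
    }
  }

  // Item 4: the ALB must ship access logs to S3.
  for (const [id, p] of resourcesOfType(t, "AWS::ElasticLoadBalancingV2::LoadBalancer")) {
    let logsOn = false;
    for (const a of p.LoadBalancerAttributes || []) {
      if (a.Key === "access_logs.s3.enabled" && a.Value === "true") logsOn = true;
    }
    if (!logsOn) findings.push(id + ": ALB access logs disabled");
  }

  // Items 7, 9, 10, 11: CloudFront is TLS 1.2+ and HTTPS-only on both sides, with logging.
  for (const [id, p] of resourcesOfType(t, "AWS::CloudFront::Distribution")) {
    const cfg = p.DistributionConfig || {};
    const minTls = String((cfg.ViewerCertificate || {}).MinimumProtocolVersion || "");
    if (minTls.indexOf("TLSv1.2") !== 0) findings.push(id + ": minimum viewer TLS version below 1.2");
    const viewerPolicy = (cfg.DefaultCacheBehavior || {}).ViewerProtocolPolicy;
    if (viewerPolicy !== "https-only" && viewerPolicy !== "redirect-to-https") {
      findings.push(id + ": viewers may use plain HTTP");
    }
    for (const o of cfg.Origins || []) {
      if (o.CustomOriginConfig && o.CustomOriginConfig.OriginProtocolPolicy !== "https-only") {
        findings.push(id + ": origin " + o.Id + " is not https-only");
      }
    }
    if (!cfg.Logging || !cfg.Logging.Bucket) findings.push(id + ": CloudFront logging disabled");
  }

  // Item 13: Fargate tasks must not receive a public IP.
  for (const [id, p] of resourcesOfType(t, "AWS::ECS::Service")) {
    const net = (p.NetworkConfiguration || {}).AwsvpcConfiguration || {};
    if (net.AssignPublicIp !== "DISABLED") findings.push(id + ": Fargate service may receive a public IP");
  }

  // Item 14: every container must have a log driver configured.
  for (const [id, p] of resourcesOfType(t, "AWS::ECS::TaskDefinition")) {
    for (const c of p.ContainerDefinitions || []) {
      if (!c.LogConfiguration) findings.push(id + ": container " + c.Name + " has no log driver");
    }
  }
  return findings;
}

// Constructed sample in the shape `cdk synth` emits; logical IDs are illustrative.
const compliantTemplate: Template = {
  Resources: {
    HttpListener: { Type: "AWS::ElasticLoadBalancingV2::Listener", Properties: { Protocol: "HTTP", Port: 80,
      DefaultActions: [{ Type: "redirect", RedirectConfig: { Protocol: "HTTPS", Port: "443", StatusCode: "HTTP_301" } }] } },
    AlbSg: { Type: "AWS::EC2::SecurityGroup", Properties: {
      SecurityGroupIngress: [{ IpProtocol: "tcp", FromPort: 443, ToPort: 443, CidrIp: "0.0.0.0/0" }] } },
    Alb: { Type: "AWS::ElasticLoadBalancingV2::LoadBalancer", Properties: {
      LoadBalancerAttributes: [{ Key: "access_logs.s3.enabled", Value: "true" }] } },
    Cdn: { Type: "AWS::CloudFront::Distribution", Properties: { DistributionConfig: {
      ViewerCertificate: { MinimumProtocolVersion: "TLSv1.2_2021" },
      DefaultCacheBehavior: { ViewerProtocolPolicy: "redirect-to-https" },
      Origins: [{ Id: "alb", CustomOriginConfig: { OriginProtocolPolicy: "https-only" } }],
      Logging: { Bucket: "cdn-access-logs.s3.amazonaws.com" } } } },
    UserApi: { Type: "AWS::ECS::Service", Properties: {
      NetworkConfiguration: { AwsvpcConfiguration: { AssignPublicIp: "DISABLED" } } } },
    UserApiTask: { Type: "AWS::ECS::TaskDefinition", Properties: {
      ContainerDefinitions: [{ Name: "UserApi", LogConfiguration: { LogDriver: "awslogs" } }] } }
  }
};

// The same template after two common hand-edits: port 80 opened on the ALB
// security group and the task given a public IP.
function driftedTemplate(): Template {
  const t: Template = JSON.parse(JSON.stringify(compliantTemplate));
  t.Resources.AlbSg.Properties.SecurityGroupIngress.push({ IpProtocol: "tcp", FromPort: 80, ToPort: 80, CidrIp: "0.0.0.0/0" });
  t.Resources.UserApi.Properties.NetworkConfiguration.AwsvpcConfiguration.AssignPublicIp = "ENABLED";
  return t;
}
```

In CI, JSON.parse each cdk.out/*.template.json file, pass the object to checkTemplate and fail the build on a non-empty result; the drifted copy shows the two findings such a step would produce when someone opens port 80 on the ALB security group or flips AssignPublicIp. The check deliberately reads the synthesized template rather than the construct's source, so it also catches escape hatches and overrides applied after construction.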

Hierarchy

  • Construct
    • X8ServerlessContainerApi

Constructors

Properties

cfWaf?: WaCloudfrontWaf

WAF associated with CloudFront Distribution

cloudFront: WaDistribution

CloudFront distribution used in this construct

cluster: WaCluster

ECS cluster

httpsListener?: ApplicationListener

Https Listener

publicAlb?: WaPublicApplicationLoadBalancer

Publicly accessible Application Load Balancer

publicAlbWaf?: WaApiGatewayWaf

WAF associated with Public ALB

vpc: WaVpc

VPC used to launch resources used in this construct

Methods

  • addService

    Adds a Microservice as a new ECS Service to the cluster. It will have its own TaskDefinition and will run as a task managed by the ECS Service.

    Parameters

    As used in the examples above: x8Image (the container image to run), x8ServiceName, x8PathPattern (the ALB path pattern routed to the service) and, optionally, x8FargateTaskDefinitionProps (for example cpu and memoryLimitMiB).

    Returns Service

Generated using TypeDoc