Use Existing Amazon VPC
Learn how to deploy a Webiny project into an existing Amazon Virtual Private Cloud (Amazon VPC).
Webiny Enterprise license is required to use this feature.
This feature is available since Webiny v5.34.6.
- how to deploy a Webiny project into an existing Amazon Virtual Private Cloud (Amazon VPC)
Overview
When a Webiny project is deployed in production mode, it is deployed into a new Amazon Virtual Private Cloud (Amazon VPC) , with already configured public and private subnets, security groups, and so on.And although this may work for multiple types of users and projects, when it comes to enterprise organizations, often times a fully configured Amazon VPC is already in place and there’s no need to create a new one. In those cases, deploying a Webiny project into the existing Amazon VPC makes more sense.
In this article, we describe how enterprise organizations can deploy their Webiny project into an existing Amazon VPC.
When it comes to the code, this article tries to keep as simple as possible. For a more advanced example, one which demonstrates how to introduce better code organization and make the code more maintainable, please check out this advanced usage example .
Configuration
In order to deploy Webiny into an existing Amazon VPC, we need to apply four configuration changes to four default project applications that are included in every Webiny project:
- Core (
apps/core
) - API (
apps/api
) - Admin (
apps/admin
) - Website (
apps/website
)
For all applications, changes will be applied in application’s respective webiny.application.ts
file. Note that all the changes are essentially the same: we use the vpc.existingVpc
option to pass relevant existing Amazon VPC-related resources: private subnet and security group IDs.
Let’s take a look at the changes that need to be made.
elasticSearch
flag (set to true
) in Core and API applications’ webiny.application.ts
configuration files. Projects that are using the Amazon DynamoDB setup don’t have this parameter set.
Changing VPC settings on an existing Amazon ElasticSearch cluster may cause a complete redeployment, causing all data to be lost! Check out the Launching your Amazon OpenSearch Service domains within a VPC article to learn more.
1. Core (apps/core
)
The Core application’s webiny.application.ts
file should look like the following:
import { createCoreApp } from "@webiny/serverless-cms-aws";import { createCoreApp } from "@webiny/serverless-cms-aws/enterprise";
const ELASTICSEARCH_PRIVATE_SUBNETS = ["private-subnet-id-1", "private-subnet-id-2"];const ELASTICSEARCH_SECURITY_GROUPS = ["security-group-id-1"];
const LAMBDA_FUNCTIONS_PRIVATE_SUBNETS = ["private-subnet-id-1", "private-subnet-id-2"];const LAMBDA_FUNCTIONS_SECURITY_GROUPS = ["security-group-id-1"];
export default createCoreApp({ pulumiResourceNamePrefix: "wby-", elasticSearch: true, // Only present in Amazon DynamoDB + Amazon ElasticSearch database setup. vpc: { useExistingVpc: { elasticSearchDomainVpcConfig: { subnetIds: ELASTICSEARCH_PRIVATE_SUBNETS, securityGroupIds: ELASTICSEARCH_SECURITY_GROUPS }, lambdaFunctionsVpcConfig: { subnetIds: LAMBDA_FUNCTIONS_PRIVATE_SUBNETS, securityGroupIds: LAMBDA_FUNCTIONS_SECURITY_GROUPS } } }});
Note that, if the Webiny project is being deployed into the production environment, two private subnets need to specified via ELASTICSEARCH_PRIVATE_SUBNETS
and LAMBDA_FUNCTIONS_PRIVATE_SUBNETS
arrays. This is because the ElasticSearch cluster that Webiny deploys relies on two instances that are deployed into two different private subnets. For environments other than production, specifying a single private subnet will suffice.
Production deployment means deploying your Webiny project into prod
environment, via the webiny deploy
command: yarn webiny deploy --env prod
.
More on the development and production modes can be found here: https://www.webiny.com/docs/architecture/deployment-modes/introduction
In the above code, we can also utilize the process.env.WEBINY_ENV
environment variable in order to determine into
which environment a Webiny project is being deployed. This can enable us to specify private subnets conditionally,
using different values depending on the environment.
2. API (apps/api
)
The API application’s webiny.application.ts
file should look like the following:
import { createApiApp } from "@webiny/serverless-cms-aws";import { createApiApp } from "@webiny/serverless-cms-aws/enterprise";
const LAMBDA_FUNCTIONS_PRIVATE_SUBNETS = ["private-subnet-id-1", "private-subnet-id-2"];const LAMBDA_FUNCTIONS_SECURITY_GROUPS = ["security-group-id-1"];
export default createApiApp({ pulumiResourceNamePrefix: "wby-", elasticSearch: true, // Only present in Amazon DynamoDB + Amazon ElasticSearch database setup. vpc: { useExistingVpc: { lambdaFunctionsVpcConfig: { subnetIds: LAMBDA_FUNCTIONS_PRIVATE_SUBNETS, securityGroupIds: LAMBDA_FUNCTIONS_SECURITY_GROUPS } } }});
As we can see, in this configuration file we’re providing the necessary VPC-related parameters for AWS Lambda functions that the application deploys.
3. Admin (apps/admin
)
The Admin application’s webiny.application.ts
file should look like the following:
import { createAdminApp } from "@webiny/serverless-cms-aws";import { createAdminApp } from "@webiny/serverless-cms-aws/enterprise";
export default createAdminApp({ pulumiResourceNamePrefix: "wby-"});
In this config, no VPC-related parameters need to be specified. Essentially it’s the same config that users have when they create a brand new Webiny project, except this time the createAdminApp
function is imported from the enterprise
folder.
4. Website (apps/website
)
The Website application’s webiny.application.ts
file should look like the following:
import { createWebsiteApp } from "@webiny/serverless-cms-aws";import { createWebsiteApp } from "@webiny/serverless-cms-aws/enterprise";
const LAMBDA_FUNCTIONS_PRIVATE_SUBNETS = ["private-subnet-id-1", "private-subnet-id-2"];const LAMBDA_FUNCTIONS_SECURITY_GROUPS = ["security-group-id-1"];
export default createWebsiteApp({ pulumiResourceNamePrefix: "wby-", vpc: { useExistingVpc: { lambdaFunctionsVpcConfig: { subnetIds: LAMBDA_FUNCTIONS_PRIVATE_SUBNETS, securityGroupIds: LAMBDA_FUNCTIONS_SECURITY_GROUPS } } }});
Like with the API project application, again, in this configuration file we’re providing the necessary VPC-related parameters for AWS Lambda functions that the project application deploys.
Testing
Once the above changes have been applied, we’re ready to do a test deployment, which can be done via thewebiny deploy
command:yarn webiny deploy --env prod
At the end of the deployment process, you should receive relevant URLs in the terminal, where the installation process can be completed.
For more information on installing Webiny, check out the Install Webiny article.
Additional Notes
Internet Gateway / NAT Gateway Deployment
Note that for a Webiny project to work as expected, an Amazon VPC must have an Internet and NAT gateways deployed. This is because access to public internet is required on a couple of occasions:
- Amazon Cognito - Webiny’s application code interacts with Amazon Cognito via AWS SDK. May not be needed if the organization doesn’t plan to rely on Amazon Cognito as their identity provider.
- Amazon CloudFront - Webiny’s application code interacts with Amazon CloudFront via AWS SDK
- Webiny Control Panel (WCP) - Webiny Control Panel (WCP)-linked Webiny projects also frequently interact with app’s public HTTP API (
api.webiny.com
) - Webiny’s Prerendering Service - for website performance reasons, whenever a user publishes a page created with Webiny’s Page Builder application, behind the scenes, an AWS Lambda function is triggered, which issues HTTP requests to published page’s URL (a public CloudFront URL). May not be needed if the organization doesn’t plan to use the Page Builder application.
VPC Endpoints
Users can use Amazon VPC endpoints in order to further secure communication between different services a Webiny project is relying on. At the moment, this is possible for:
- DynamoDB (gateway)
- S3 (gateway)
- SQS (interface)
- EventBridge (interface)
Note that VPC endpoints are configured within the provided existing Amazon VPC. This is mainly because organizations have full control of their environment, and are able to do this.
In case Amazon VPC endpoints need to be created via a Webiny project and its cloud infrastructure code, this can be achieved with a couple of minor additions in the Core application’s webiny.application.ts
configuration file.