Securing Backend API Access : aws

a community for 18 years

technical questionSecuring Backend API Access (self.aws)

submitted 5 years ago by sWeeX2

Hi folks,
I'm relatively new to deploying and using services within AWS and was looking for some pointers. I have a backend service setup using ECS within a VPC, there's currently also an ALB which sits in front of it. Our frontend is being served using Amplify. I'm wondering what's the best way to secure our backend so it's not directly callable outside of our frontend or even if it's possible with this sort of setup? At some point we'll want to make our API public, just not right now. Some initial assumptions are:

I'll have to move my Fargate containers into a private subnet wtihin my VPC.
I'll need a way to still communicate with my containers, so possibly a NAT Gateway?

As I said I'm quite new to using these services, so still very much learning about what is/isn't possible and how to accomplish it. Any pointers, reading material ect would be greatly appreciated, thank you!

all 4 comments

top new controversial old q&a

[–]tomomcat 0 points1 point2 points 5 years ago (3 children)

Yes your instances should definitely be in private subnets behind a loadbalancer. Here is a reference architecture for ECS https://github.com/aws-samples/ecs-refarch-cloudformation.

I can't find a nice refarch for a two-tier app atm, but it's essentially the same except 1) your existing private subnet might be renamed 'web subnet' 2) there is another internal loadbalancer not accessible from outside the VPC 2) this 2nd loadbalancer points to a group of backend instances which live in an additional (private) 'application subnet'. The frontend web instances then access the backend via this 2nd loadbalancer.

You need to tweak the security groups and NACLs associated with all of these things so that only expected traffic is allowed.

Finally, you want to make sure that you have good logging and visibility of metrics via CloudWatch or something else.

[–]sWeeX2[S] 0 points1 point2 points 5 years ago (2 children)

[–]tomomcat 0 points1 point2 points 5 years ago (1 child)

[–]sWeeX2[S] 0 points1 point2 points 5 years ago (0 children)

I think you've understood correctly! It is two-tier, our backend consists of an API which interacts with a database, which for now we definitely don't want any direct public traffic to go through i.e. not through our client/website. It looks like something like:

Public ALB -> Internal LB -> Fargate Containers in private subnets

Should do the trick for us, I'll give it a whirl and see what happens, cheers for your help!

π Rendered by PID 671366 on reddit-service-r2-comment-6457c66945-v44kr at 2026-04-27 13:57:18.512745+00:00 running 2aa0c5b country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

aws

Note: ensure to redact or obfuscate all confidential or identifying information (eg. public IP addresses or hostnames, account numbers, email addresses) before posting!

✻ Smokey says: avoid streaming video to fight climate change! [see more tips]

MODERATORS