WHAT YOU'LL LEARN
  • How resources are deployed in a custom VPC with private subnets
  • What network components enable internet access from private subnets
  • How multi-AZ deployment improves availability and fault tolerance

Overview

Production mode deploys your infrastructure into a custom VPC with a combination of public and private subnets across three availability zones. This configuration improves security by isolating mission-critical resources from direct public internet access while maintaining high availability.

Lambda functions and databases are deployed in private subnets and access the internet through a NAT Gateway in the public subnet.

Infrastructure

VPCs require understanding of AWS networking concepts including regions, availability zones, subnets, and gateways. See the AWS VPC documentation for background information.

Figure: Production Mode Infrastructure (diagram; labels F–K below refer to this figure)

The custom VPC consists of one public subnet and three private subnets across three availability zones, following AWS best practices for high availability.

Key Components

Public Subnet: Contains the NAT Gateway (F), which forwards internet-bound traffic from private subnets to the Internet Gateway (G).

Private Subnets: Host Lambda functions and Amazon OpenSearch Service (H). These resources are not directly accessible from the public internet, improving security.

NAT Gateway: Enables Lambda functions in private subnets to make outbound requests to internet-facing AWS services (DynamoDB (I), S3 (J), Cognito (K)) while preventing inbound access from the internet.

Internet Gateway: Provides internet connectivity for the NAT Gateway and routes responses back to resources in private subnets.

Multi-Availability Zone Deployment

Resources are deployed across three availability zones for high availability and fault tolerance. If one AZ experiences an outage, traffic automatically routes to resources in other AZs, keeping your application operational.

Amazon OpenSearch Service: Deployed across three AZs with three data nodes (one per AZ), ensuring data availability even if an entire AZ fails. This follows AWS best practices for production workloads.

Lambda Functions: AWS automatically distributes Lambda executions across AZs, providing built-in redundancy.

Three-AZ deployments incur additional costs because resources are replicated across zones. Amazon OpenSearch Service runs three data nodes instead of one, tripling the compute and storage costs for the search cluster.

Security and Network Isolation

Private subnets isolate databases and Lambda functions from direct public internet access, reducing the attack surface. Resources can only be accessed through the application’s API endpoints (CloudFront and API Gateway), which are protected by authentication and authorization mechanisms.

Lambda functions in private subnets communicate with DynamoDB, S3, and Cognito over the public internet. For enhanced security, consider using VPC endpoints for DynamoDB to keep traffic within AWS’s network.
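One check a practitioner might run against the layout described above, written here as an added example (it is not part of Webiny's documentation or code): given route tables in the shape of the AWS DescribeRouteTables response, it verifies that public subnets exit through the Internet Gateway, that private subnets exit only through a NAT Gateway, and optionally that a gateway VPC endpoint route exists so DynamoDB/S3 traffic stays within AWS. The sample route tables and every resource ID are constructed placeholders.

```python
# Constructed sample shaped like the AWS DescribeRouteTables response (IDs are placeholders).
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-private-a", "Associations": [{"SubnetId": "subnet-private-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
                # Gateway endpoint: DynamoDB prefix list -> vpce, traffic stays on the AWS network
                {"DestinationPrefixListId": "pl-0example", "GatewayId": "vpce-0example"}]},
    {"RouteTableId": "rtb-private-b", "Associations": [{"SubnetId": "subnet-private-b"}],
     # Misconfiguration: a "private" subnet whose default route goes straight to the IGW
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
]
PUBLIC_SUBNETS = {"subnet-public-a"}

def default_route_target(table):
    """Return (kind, target_id) for the 0.0.0.0/0 route; kind is 'igw', 'nat', 'other' or None."""
    for r in table["Routes"]:
        if r.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if r.get("NatGatewayId"):
            return "nat", r["NatGatewayId"]
        gw = r.get("GatewayId") or ""
        return ("igw" if gw.startswith("igw-") else "other"), gw
    return None, None

def has_gateway_endpoint_route(table):
    """True if a prefix-list destination is routed to a gateway VPC endpoint (S3/DynamoDB)."""
    return any(r.get("DestinationPrefixListId") and (r.get("GatewayId") or "").startswith("vpce-")
               for r in table["Routes"])

def audit_route_tables(tables, public_subnets, require_endpoint=False):
    """Check every subnet's routing against the public/private layout; return findings."""
    findings = []
    for t in tables:
        kind, target = default_route_target(t)
        for s in (a["SubnetId"] for a in t["Associations"] if a.get("SubnetId")):
            if s in public_subnets:
                if kind != "igw":
                    findings.append(f"{s}: public subnet default route is {kind or 'missing'}, expected IGW")
                continue
            if kind == "igw":
                findings.append(f"{s}: private subnet sends 0.0.0.0/0 to {target}; expected a NAT Gateway")
            elif kind is None:
                findings.append(f"{s}: private subnet has no default route, so no outbound path")
            if require_endpoint and not has_gateway_endpoint_route(t):
                findings.append(f"{s}: no gateway VPC endpoint route; DynamoDB/S3 traffic exits via NAT")
    return findings
```

Running `audit_route_tables(SAMPLE_ROUTE_TABLES, PUBLIC_SUBNETS, require_endpoint=True)` flags only the deliberately misrouted subnet-private-b; the same logic can be fed real output from `aws ec2 describe-route-tables`.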

Customization

The production VPC configuration provides a solid foundation for most use cases, but your organization may require additional resources or different configurations. You can customize the VPC setup through Webiny’s infrastructure-as-code configuration files.