AWS Private Serverless API — Part 1
Recently, a mate asked me for a favour: review a cloud architecture on AWS for a simple internal API service that renders staff roster details as HTML. The API consumers will be TV displays on the private network, and the staff roster details are provided by third-party RESTful APIs.
Here are the questions:
- Can we do Serverless architecture?
- Can we guarantee the data security for the application?
As a matter of fact, who doesn’t like Serverless when you can run applications in the cloud without looking after virtual infrastructure resources?! Surely, the simple answer to the first one is a big ‘YES’, but… what about the second one? Let’s look at the security requirements in detail:
- Staff roster data is highly confidential and must be transferred only within the private network.
- A simple API auth solution will do, such as an API key or Basic Authentication.
- Data encryption in transit is a must (HTTPS sounds right).
And this is the deployment environment diagram:

- StaffRoster API — provides staff roster data via a RESTful API (JSON format)
- TV Displayer Group — displays the roster detail via a browser hosted on the TV set.
- StaffRosterDisplay API — provides the HTML rendering of the staff roster data via a RESTful API (HTML format)
Now, we shall focus on where to place ‘StaffRosterDisplay API’ and what can be a suitable solution architecture.
Solution Architecture Design
Assumptions:
- The third party doesn’t want to provide ‘StaffRosterDisplay API’.
- Cloud-First is one of the core deployment principles.
- We don’t want to host ‘StaffRosterDisplay API’ on a VM within the Corporate On-Prem Data Centre, as it’s very costly to maintain an HA cluster.
- Corporate doesn’t use a Docker container management platform, and most of the services hosted on AWS are backed by EC2 instances.
With that, we can easily conclude that the service should be hosted in the Corporate AWS Account, and the next question is: what, and how?
What can be a suitable solution architecture? Surely, the obvious answer is an Application Load Balancer in front of an Auto Scaling Group managing a fleet of EC2 instances that provide the API service. But wait… doesn’t that sound over-engineered for the need? This is certainly a solid, proven option, but it is hard to justify tackling a simple API service with a fleet of EC2 resources that also need people to look after them.
With that in mind, the AWS PrivateLink service sounds right for this scenario:

- AWS API Gateway supports private APIs.
- A private API Gateway can integrate with VPC endpoints to provide API access from VPC private subnets and from on-prem subnets via the DX (Direct Connect) link.
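To make the ‘private’ part concrete, here is an added Terraform example (not the staffrosterdisplay repo’s code) of the pieces a private API needs: an interface VPC endpoint for execute-api, a security group that admits only the TV display subnet over HTTPS, and a resource policy that denies any invoke not arriving through that endpoint. The VPC, subnet, region and CIDR values are assumed placeholders.

```hcl
# Assumed placeholders (not from the post): VPC, subnets, region and TV display subnet.
locals {
  vpc_id             = "vpc-0123456789abcdef0"
  private_subnet_ids = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"]
  region             = "ap-southeast-2"
  tv_display_cidr    = "10.20.30.0/24"
}

# Endpoint security group: only the TV display subnet, only HTTPS (encryption in transit).
resource "aws_security_group" "api_endpoint" {
  name   = "staffrosterdisplay-vpce"
  vpc_id = local.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [local.tv_display_cidr]
  }
}

# Interface endpoint for execute-api; private DNS resolves the API hostname to it inside the VPC.
resource "aws_vpc_endpoint" "execute_api" {
  vpc_id              = local.vpc_id
  service_name        = "com.amazonaws.${local.region}.execute-api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = local.private_subnet_ids
  security_group_ids  = [aws_security_group.api_endpoint.id]
  private_dns_enabled = true
}

# Private REST API bound to that endpoint. The resource policy allows invoke and then
# denies any request whose aws:SourceVpce is not our endpoint, so the API is not
# reachable from other VPCs, other endpoints or the public internet.
resource "aws_api_gateway_rest_api" "staffrosterdisplay" {
  name = "staffrosterdisplay"
  endpoint_configuration {
    types            = ["PRIVATE"]
    vpc_endpoint_ids = [aws_vpc_endpoint.execute_api.id]
  }
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Principal = "*", Action = "execute-api:Invoke", Resource = "execute-api:/*" },
      { Effect = "Deny", Principal = "*", Action = "execute-api:Invoke", Resource = "execute-api:/*",
        Condition = { StringNotEquals = { "aws:SourceVpce" = aws_vpc_endpoint.execute_api.id } } }
    ]
  })
}
```

The Allow on Principal "*" only opens the network path; the API key or authorizer configured on the API’s methods still applies to every request.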
How do we implement ‘StaffRosterDisplay API’ with a private API Gateway? I’ve created a GitHub repo, the staffrosterdisplay project, as a demo. Detailed instructions are captured in the project’s README.md file.
To keep the demo API service self-contained, I use a template engine in the API service to wrap up the HTML page content instead of calling third-party API services for the staff roster data.
Last but not least, this private API Gateway capability is a small but non-trivial piece of the API Gateway puzzle. It makes a private Serverless API service feasible and easy to achieve.
As the next step, I shall use AWS Endpoint Service to create an API for the staff roster data. With the AWS PrivateLink service, we can provide the private API service from a different AWS account, which builds up a private API service provider and consumer pattern across multiple AWS accounts or VPCs.
Until then, stay tuned.
