
For my fairly modest web application, I seem to be hitting some of the AWS VPC limits, which made me wonder if I'm maybe structuring things incorrectly:

  • I have an application for which we have three environments: Staging, QA, Production. So I have a VPC for each.

  • These three VPCs exist in the US-East-1 Region.

  • Each Application is available in two availability zones (us-east-1b & us-east-1c)

An example of a limit I'm hitting is for the following circumstance:

  • I have Public and Private facing subnets. And because I'm using two Availability Zones, I have Public and Private Subnets for each (4 subnets in total, per VPC)

  • The Private Subnets need internet access, so their respective Route Tables have entries for NAT Gateways.

So in the end, this means each Private Subnet has a NAT Gateway, and therefore each NAT Gateway has an Elastic IP. And because I have three environments, and two Availability Zones for each, that's already 6 Elastic IP addresses, and the Elastic IP limit per Region is 5.

So obviously, I can request an increase, but it made me wonder if I'm doing something wrong. Could some of these resources in fact share NAT Gateways, or Elastic IPs, or something to that effect?

Anand: Perhaps a silly question but why not have all three applications in the same VPC?

djt: @Anand I suppose that's possible, however they share zero resources so it seemed more logical to have them in separate VPCs. Also keep in mind, the limit I'm experiencing is per Region, not per VPC. So even if they were all in the same VPC, I'd still have the same problem. Unless you're suggesting they use the same NAT Gateway when in the same VPC?

Anand: Yes, I see VPC as my own cloud so I'm not sure I would need more than one. And yes, share the NAT Gateway; plus, whether they share the same resources or not, I see no reason not to coexist in a VPC. I'm new to this so please don't take my opinion as authoritative, it's more like I'm learning with you :)

djt: @Anand I see your point. From the research I've done, I believe that's an option. I think having separate VPCs is also quite common -- i.e. so there's no chance of Staging / Dev work accidentally accessing your Production components or vice-versa. I believe some companies even do separate consolidated billing accounts for each Environment (which is overkill for my situation). See charity.wtf/2016/03/23/aws-networking-environments-and-you

jarmod: @DusanBajic It's not a NAT instance, it's a managed AWS NAT Gateway and that requires an EIP.
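The sharing question raised above (one NAT Gateway per private subnet versus one per AZ or one per VPC) can be checked against actual route tables rather than by hand. The following is an added example, not code from the question or its comments; it runs over constructed subnet and route-table data shaped like the fields you would pull from `describe-subnets` / `describe-route-tables` (the subnet, VPC and NAT IDs are made up), and reports current versus minimal Elastic IP usage per region.

```python
from collections import defaultdict

EIP_LIMIT = 5  # default per-region Elastic IP quota mentioned in the question

# Constructed sample data (not real AWS identifiers):
# private subnet -> (VPC, availability zone)
SUBNETS = {
    "subnet-stg-b": ("vpc-staging", "us-east-1b"),
    "subnet-stg-c": ("vpc-staging", "us-east-1c"),
    "subnet-qa-b1": ("vpc-qa", "us-east-1b"),
    "subnet-qa-b2": ("vpc-qa", "us-east-1b"),  # second private subnet, same AZ
    "subnet-qa-c": ("vpc-qa", "us-east-1c"),
    "subnet-prd-b": ("vpc-prod", "us-east-1b"),
    "subnet-prd-c": ("vpc-prod", "us-east-1c"),
}
# private subnet -> NAT gateway its route table's 0.0.0.0/0 route points at
DEFAULT_ROUTES = {
    "subnet-stg-b": "nat-stg-b", "subnet-stg-c": "nat-stg-c",
    "subnet-qa-b1": "nat-qa-b1", "subnet-qa-b2": "nat-qa-b2",
    "subnet-qa-c": "nat-qa-c",
    "subnet-prd-b": "nat-prd-b", "subnet-prd-c": "nat-prd-c",
}


def nat_report(subnets, default_routes, eip_limit=EIP_LIMIT):
    """Compare NAT gateways (one EIP each) in use with two leaner layouts."""
    by_vpc_az = defaultdict(set)  # (vpc, az) -> NAT gateways serving that AZ
    for subnet_id, nat_id in default_routes.items():
        vpc, az = subnets[subnet_id]
        by_vpc_az[(vpc, az)].add(nat_id)
    in_use = set(default_routes.values())
    # Same VPC, same AZ, more than one NAT gateway: these subnets could share.
    sharing = {k: sorted(v) for k, v in by_vpc_az.items() if len(v) > 1}
    # One NAT gateway per VPC per AZ keeps an AZ outage from taking down
    # egress everywhere; one per VPC is cheaper but loses that and pays
    # cross-AZ data transfer.
    per_az = len(by_vpc_az)
    per_vpc = len({vpc for vpc, _ in by_vpc_az})
    return {
        "eips_in_use": len(in_use),
        "min_eips_az_resilient": per_az,
        "min_eips_single_nat_per_vpc": per_vpc,
        "over_limit": len(in_use) > eip_limit,
        "same_az_sharing_candidates": sharing,
    }


if __name__ == "__main__":
    for key, value in nat_report(SUBNETS, DEFAULT_ROUTES).items():
        print(f"{key}: {value}")
```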

1 Answer


You're not doing anything wrong, but you could be doing some things better.

Since you have 3 separate environments, you could separate the environments into separate AWS accounts.

For example, it's not uncommon to have Development in one AWS account, and Staging + Production in another AWS account. This has the added benefit of separating resources, identities, etc. for security purposes and avoids "oh $@&!, I just deleted the production stack by mistake".