
Simplify networking #19

Merged
danielnaab merged 1 commit into main from networking on Oct 7, 2025
Conversation

@danielnaab
Member

No description provided.

@changeset-bot

changeset-bot Bot commented Oct 7, 2025

⚠️ No Changeset found

Latest commit: 8ef7bd1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@danielnaab danielnaab merged commit e2ff6ef into main Oct 7, 2025
1 of 2 checks passed
@danielnaab danielnaab deleted the networking branch October 7, 2025 02:44
@claude

claude Bot commented Oct 7, 2025

PR Review: Simplify networking

Summary

This PR simplifies the AWS networking infrastructure by consolidating from two NAT Gateways (one per AZ) to a single NAT Gateway, reducing both resource duplication and costs. Overall, this is a solid simplification that maintains functionality while improving cost-efficiency for the sandbox environment.

✅ Strengths

  1. Cost Optimization: Reducing from 2 NAT Gateways to 1 will save ~$32/month (NAT Gateway costs ~$0.045/hour per gateway)
  2. Reduced Complexity: Single route table for private subnets instead of two identical ones
  3. Cleaner Naming: Removed the -v2 suffix workaround and simplified resource names
  4. Code Clarity: Better comment at line 58 clarifying that public subnets are for "App Runner VPC connector and RDS"

📋 Considerations

1. High Availability Trade-off

  • Current: Single NAT Gateway in publicSubnet1 (AZ 0)
  • Impact: If AZ 0 fails, private subnets in both AZs lose internet connectivity
  • Recommendation: This is acceptable for sandbox/dev environments, but document this limitation. For production, consider dual NAT Gateways for HA.

2. RDS Subnet Group Configuration

  • RDS is configured with publiclyAccessible: false but placed in public subnets (lines 223, 242)
  • This works (public subnet != public access), but is unconventional
  • Consider: Moving RDS to private subnets for better security posture, though this would require the NAT Gateway for RDS outbound connectivity

3. Migration Path

  • Removed lifecycle.createBeforeDestroy from VPC Connector (line 364 in current file)
  • Changed vpcConnectorName from ${id}-vpc-conn-v2 to ${id}-vpc-connector
  • Impact: This will destroy the old VPC connector before creating the new one, potentially causing brief service interruption
  • Recommendation: Verify if this is intentional for sandbox or if you want zero-downtime deployment

4. Potential Cost Concern

  • Single NAT Gateway means all traffic from both AZs crosses AZ boundaries for NAT
  • Cross-AZ data transfer costs ~$0.01/GB
  • For low-traffic sandbox, this is negligible; for production, evaluate traffic patterns

🔒 Security Review

✅ No security regressions identified:

  • Private subnets still route through NAT (no direct internet exposure)
  • Security groups unchanged
  • RDS remains non-publicly accessible
  • IAM roles and policies unchanged

🧪 Testing Recommendations

  1. Verify App Runner can still access RDS after deployment
  2. Confirm outbound internet connectivity from private subnets through single NAT
  3. Validate that both private subnets in different AZs route correctly through the NAT in AZ 0
  4. Test failover behavior if needed for your use case

📝 Minor Suggestions

  1. Document the HA decision: Add a comment explaining why single NAT is acceptable for sandbox

    // Single NAT Gateway for sandbox cost optimization
    // Production environments should use NAT Gateway per AZ for high availability
  2. Consider infrastructure tests: If not already present, add IaC tests to validate routing configuration

Verdict

✅ Approved - This is a well-executed simplification appropriate for sandbox environments. The changes are clean, reduce costs, and maintain functionality. Just ensure the high-availability trade-off is intentional and documented.

Estimated cost savings: ~$32/month (1 fewer NAT Gateway)


Review focused on: Infrastructure best practices, AWS networking, cost optimization, security, and availability considerations
