AWS Multi-AZ BFF Lambda VPC Architecture
About This Architecture
Multi-AZ BFF Lambda VPC architecture with Route 53, CloudFront, WAF, and API Gateway routing requests through Cognito authentication to Lambda functions distributed across two availability zones. BFF Lambda functions orchestrate calls to SVoC Wrapper and Loyalty Wrapper Lambdas, which access DynamoDB via VPC endpoints and external services through PrivateLink, while async writes flow through SQS FIFO. VPC endpoints for DynamoDB and PrivateLink ensure private connectivity without internet exposure, with KMS encryption, CloudWatch monitoring, and X-Ray tracing providing security and observability across both AZ-1 and AZ-2. This pattern demonstrates zero-trust network design, least-privilege security groups, and serverless composition for resilient multi-tenant backends. Fork and customize this diagram on Diagrams.so to adapt subnet ranges, add additional wrapper functions, or integrate alternative managed services.
People also ask
How do I design a multi-AZ serverless backend-for-frontend architecture on AWS with VPC isolation and private connectivity to external services?
This diagram shows a production-grade BFF pattern spanning two availability zones, with Lambda functions in private subnets accessing DynamoDB and external services via VPC endpoints and PrivateLink, eliminating internet exposure. API Gateway with Cognito authentication routes requests through CloudFront and WAF, while security groups enforce least-privilege access and KMS encryption protects data.
- Domain: Cloud / AWS
- Audience: AWS solutions architects designing multi-AZ serverless backends with VPC isolation
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.