.NET on AWS Blog
Bob’s Used Books: Build a .NET Serverless Application on AWS – Part 2: Architecture
Introduction
This post covers the architecture and components of a modern .NET serverless application, demonstrating implementation patterns for authentication, data storage, image processing, and API management that showcase the optimization benefits of this architecture. AWS serverless architecture provides improved scalability, cost-efficiency, and reduced operational overhead. Part 1 of this series focused on initial setup and deployment.
Overview
The use case for Bob’s Used Books Serverless is a Book Inventory API. The Book Inventory service implements the following patterns through a working solution. The service integrates:
- Book Management: Adding, updating, and searching book information
- Image Processing: Automated validation and publishing book cover images
- Access Control: Role-based permissions for inventory modifications
- Secure Storage: Scalable data and file management
This service demonstrates how serverless architecture transforms monolithic applications into flexible, scalable cloud solutions. The complete source code for bobs-used-bookstore-serverless is available for reference.
Application Architecture
The Book Inventory service architecture has a modern serverless design using AWS services to create a scalable and secure solution.

Figure 1: Book Inventory Service Architecture diagram
- Search books API is available to both guest and authenticated users and retrieves data from Amazon DynamoDB. It checks image availability in published Amazon S3 bucket and refers to default image when book image is unavailable.
- Add Book API validates user permission with Amazon Verified Permissions (AVP). Only Authorized users can Add Book, Update Book and Request Pre-signed URL. Amazon API Gateway uses Lambda Authorizer to authorize users.
- Amazon DynamoDB stores validated book information.
- To upload new images, request pre-signed URL of the prefix for book id. This pre-signed URL supports multiple image upload.
- Amazon EventBridge rules, monitor S3 upload events and triggers image validation workflow when a new Image is uploaded.
- AWS Step functions workflow orchestrates image validation with Amazon Rekognition service
- Amazon CloudFront provides resized safe images from published image store to frontend applications.
- Update Book API follows identical authorization and validation flow as Add Book API.
Core Components
These are the core components of the Book/Inventory service:
- API Management (Amazon API Gateway): Directs all client requests to AWS Lambda Functions when users search books, update inventory, or upload images.
- Authorization and Authentication (API Gateway Lambda authorizer, Amazon Verified Permissions): Controls API access based on user permissions. Only Customer or Admin group users can modify book inventory based on defined access rules.
- Business Logic Processing (AWS Lambda): Processes application code for book searches, inventory updates, and creating secure URLs for image uploads. Lambda functions scale automatically to handle varying numbers of requests.
- Data Storage (Amazon DynamoDB): Replaces traditional SQL databases with a fully managed NoSQL database. It stores all book information like titles, authors, ISBN numbers and automatically handles scaling as data grows.
- Image Management (Amazon Simple Storage Service (Amazon S3)): Stores book cover images securely in two buckets: one for newly uploaded images awaiting validation, and another for approved public images.
- Image Validation (AWS Step Functions, Amazon Rekognition, Amazon EventBridge): Orchestrates image validation through a Step Functions workflow. When an image is uploaded, the workflow invokes Amazon Rekognition service to analyze content and quality automatically. This serverless workflow replaces manual review processes and publishes only appropriate images.
- Content Delivery (Amazon CloudFront): Distributes book cover images globally through a Content Delivery Network (CDN). CloudFront serves images from locations closer to users, caches frequently accessed content, provides additional security features, and reduces overall data transfer costs compared to direct Amazon S3 access.
This solution provides two workflows:
- Book Inventory API: Users access Book Inventory APIs. API gateway verifies user identity and user’s permission using API Gateway Lambda Authorizer. If the user can perform the action, Lambda functions perform business validations and store data in Amazon DynamoDB table.
- Image Processing: Amazon S3, stores book cover page images and triggers image validation Step Functions workflow on new image upload. This workflow uses Amazon Rekognition service to review content quality and publishes the content through Amazon CloudFront.
This design provides automatic scaling, reduced operational work and pay-per-use cost benefits. These improvements demonstrate the value of moving from traditional .NET applications to serverless solutions.
API Authentication and Authorization with Amazon Cognito
Security forms the foundation of this architecture. Authentication and authorization are critical components of any application, allowing only authorized users to perform specific activities. This architecture supports both public and protected API access patterns.
Amazon Cognito serves as the backbone of authentication, providing serverless identity management, user sign-up, sign-in, and access control. The AuthenticationStack, deployed in the first part of this series, provisions the necessary resources for user management.
Security Components
The authentication and authorization system consists of:
- User Pool: A user directory in Amazon Cognito that manages registered users.
- User Groups: A way to categorize users with specific roles. Bob’s Used Books application uses Admin and Customer groups to differentiate API access levels.
- Authentication Tokens: JSON Web Tokens (JWTs) generated by Amazon Cognito for valid users.
- ID token – Identifies the user profile, including group membership.
- Access Token – Authorizes access to protected resources like APIs.
- Refresh Token – Provides new token generation without re-authentication.
- Amazon Verified Permissions: A fully managed authorization service where policies are deployed for each user pool group.
- Custom Lambda Authorizer: A Lambda function triggered to authorize user requests from API Gateway.
Authorization Flow
- The client sends an API request with access token
- API Gateway triggers Custom Lambda Authorizer
- The Lambda Authorizer uses Amazon Verified Permissions to validate the access token and check if the request matches existing policies
- Authorized requests proceed to the Lambda function
Understanding Public and Protected APIs
This architecture demonstrates two types of API access patterns through the Book Inventory service.
- The Search Book API provides unrestricted access for book inventory searches. This API bypasses the Lambda Authorizer for public endpoint access.
- Book Inventory modification operations for book additions and updates, require strict access controls through Custom Lambda Authorizer. Each request requires a valid authentication token, with access permissions based on user group membership.
By implementing both access pattern, architecture serves as a blueprint for building secure APIs. It shows how to maintain open access where needed and protecting sensitive operations through appropriate authentication and authorization controls.
Data Storage
Amazon DynamoDB is a fully managed, serverless NoSQL database service that automatically scales to match your application needs. It eliminates operational overhead with no servers to manage, no patches to apply, and no maintenance windows required. With pay-per-request pricing, you only pay for the actual database operations your application performs.
The Book Inventory service uses DynamoDB for the following key reasons:
- Automatic scaling to handle varying workloads
- Built-in high availability and data durability
- Consistent single-digit millisecond performance
- Integrated security features including encryption at rest
- Cost optimization through pay-per-request pricing
Data Storage Evolution: From SQL Server to DynamoDB
The original Bob’s Used Books application used Microsoft SQL Server, a relational database. The shift to NoSQL required careful consideration for data modeling and access patterns, as DynamoDB performs optimally when accessing data through partition keys (or partition and sort key combinations) and Global Secondary Indexes (GSIs).
Data Modeling for Amazon DynamoDB
Data Modeling in Amazon DynamoDB is the process of designing and organizing data structures within DynamoDB. The BookInventory DynamoDB table design is based on existing data access patterns and the transition from SQL to NoSQL constraints.

Figure 2: Book Inventory Table
Global secondary index
The BookSearch feature requires book searches with pagination and filter criteria. BookId as the Partition Key limits searches to single items. A Global Secondary Index (GSI) improves search capabilities across all books in the table. GSI1 uses LastUpdated as the Partition Key and BookId as the Sort Key for efficient queries.

Figure 3: Book Inventory table – GSI
This model provides significant operational and performance benefits:
- Fast, consistent performance for direct book lookups using partition keys
- Efficient searches across the inventory using GSIs
- Automatic scaling based on actual throughput demands
- Pay-per-request pricing for database operations
- Built-in high availability across multiple Availability Zones
- Integrated backup and recovery capabilities
The Book Inventory service manages book cover images too. Image management section details the capabilities of Image upload and validation.
Image Management
The Book Inventory service requires secure handling of book cover images. Amazon S3 provides the storage foundation, but the frontend application accessing Amazon S3 directly poses security risks. The solution addresses this through pre-signed URLs.
Image Upload with pre-signed URL
Amazon S3 provides scalable, cost-effective storage. IAM credentials manage backend Amazon S3 access. Pre-signed URLs provide temporary, authenticated access to S3 objects with defined expiration times, without AWS credential exposure. To upload book cover images, the frontend application requests a pre-signed URL from the API. A Lambda function generates a pre-signed URL with PUT permission and a short expiration time. The frontend then uploads the image to Amazon S3. Similarly, for viewing book cover images, the frontend requests a pre-signed URL with GET permission and retrieves the image directly from S3.
This implementation enhances security through unexposed Amazon S3 credentials, provides fine-grained control via expiration times and specific permissions.
Asynchronous Image Validation
When users upload book cover images to the Book Inventory service, each image requires validation before publishing. Uploaded images need validation for several reasons: they may vary in size, contain inappropriate content, or include sensitive information. Synchronous image validation makes users wait for the entire validation process to complete to receive API response. Asynchronous validation provides immediate upload confirmation while processing validations independently.

Figure 4: Image validation flow
A new image upload to the source Amazon S3 bucket starts the validation process. Amazon EventBridge rules monitor the source Amazon S3 bucket through the default event bus and trigger AWS Step Functions workflow upon S3 object creation events. AWS Step Functions orchestrates the validation process, with Amazon Rekognition service for image content analysis.
Amazon Rekognition service checks each image for inappropriate content including explicit nudity, violence, hate symbols, drugs, tobacco, alcohol, and gambling. Amazon Rekognition service includes additional options for custom image validations.
For valid images, the process resizes and transfers them to the published image Amazon S3 bucket. For failed validations, the process removes images from the validation image Amazon S3 bucket and records rejection reason in Amazon CloudWatch.
Amazon CloudFront to Publish Image
The frontend application requires validated images from the published image store, but accessing images directly from Amazon S3 bucket creates high load on the service. This leads to potential issues with scalability, security, performance and cost, and requires complex Amazon S3 bucket policies. Amazon CloudFront service stores images at the edge locations for distribution. This approach improves performance, scalability, cost efficiency and eliminate direct bucket access.
Conclusion
Bob’s Used Books Serverless demonstrates the power of modernizing .NET applications using AWS serverless services. Through this architecture deep dive, you learned key aspects of the serverless solution components. Each component, from authentication to content delivery, plays a role in the modern solution through efficient data management, asynchronous processes and security integration patterns. The serverless architectural approach enhances application scalability, cost optimization, and shifts focus to business logic rather than infrastructure management. Explore the implementation details at bobs-used-bookstore-serverless.
Part 3 of this series will dive deep into the infrastructure-as-code implementation using AWS CDK, with insights on how to define, deploy, and manage serverless infrastructures programmatically.