diff --git a/infrastructure/aws/cdk/app.py b/infrastructure/aws/cdk/app.py index a2d5560..d2947fb 100644 --- a/infrastructure/aws/cdk/app.py +++ b/infrastructure/aws/cdk/app.py @@ -134,7 +134,34 @@ def __init__( # noqa: C901 """Define stack.""" super().__init__(scope, id, **kwargs) - vpc = ec2.Vpc(self, f"{id}-vpc", nat_gateways=0) + # vpc = ec2.Vpc(self, f"{id}-vpc", nat_gateways=0) + + vpc = ec2.Vpc( + self, + f"{id}-vpc", + subnet_configuration=[ + ec2.SubnetConfiguration( + name="ingress", + cidr_mask=24, + subnet_type=ec2.SubnetType.PUBLIC, + ), + ec2.SubnetConfiguration( + name="application", + cidr_mask=24, + subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS, + ), + ec2.SubnetConfiguration( + name="rds", + cidr_mask=28, + subnet_type=ec2.SubnetType.PRIVATE_ISOLATED, + ), + ], + nat_gateways=1, + ) + print( + """The eoAPI stack use AWS NatGateway for the Raster service so it can reach the internet. +This might incurs some cost (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html).""" + ) interface_endpoints = [ ( @@ -164,6 +191,8 @@ def __init__( # noqa: C901 ec2.InstanceSize(eodb_settings.instance_size), ), database_name="postgres", + # should set the subnet to `PRIVATE_ISOLATED` but then we need either a bastion host to connect to the db + # or an API to ingest/delete data in the DB vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC), backup_retention=Duration.days(7), deletion_protection=eoapi_settings.stage.lower() == "production", @@ -230,6 +259,9 @@ def __init__( # noqa: C901 platform="linux/amd64", ), vpc=vpc, + vpc_subnets=ec2.SubnetSelection( + subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS + ), allow_public_subnet=True, handler="handler.handler", memory_size=eoraster_settings.memory, @@ -251,6 +283,7 @@ def __init__( # noqa: C901 ) db.connections.allow_from(eoraster_function, port_range=ec2.Port.tcp(5432)) + raster_api = apigw.HttpApi( self, f"{id}-raster-endpoint", 
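Review bot: The old `vpc = ec2.Vpc(self, f"{id}-vpc", nat_gateways=0)` line is kept as a comment directly above the new `ec2.Vpc(...)` call; it should be deleted rather than commented out, since version control already records it. The `print(...)` after the VPC runs at synth time and only reaches whoever is watching the CLI, whereas a CDK annotation such as `Annotations.of(self).add_warning("...")` (if `Annotations` is importable from `aws_cdk` in this file) surfaces the NAT cost notice in every synth/deploy output. The message itself should read "The eoAPI stack uses an AWS NAT Gateway for the Raster service so it can reach the internet. This may incur some cost (...)". Note also that `nat_gateways=1` routes every PRIVATE_WITH_EGRESS subnet across all availability zones through a single NAT gateway in one AZ, a cost-versus-availability trade-off worth stating in the same notice.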
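Review bot: The database is still placed in the PUBLIC subnet group (`vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC)`), while the same commit adds a dedicated `rds` PRIVATE_ISOLATED subnet group that nothing in the diff selects. The added comment says the isolated subnet would need a bastion or an ingest API, but the raster function is now in the `application` subnets of the same VPC and reaches an isolated subnet through VPC-local routing, so only out-of-band administrative access actually depends on the public placement. Instead of hard-coding PUBLIC, gate the selection on the stage (for example `ec2.SubnetSelection(subnet_group_name="rds")` when the stage is `production`, the same condition already used for `deletion_protection`) so a production database is never reachable from the internet. Whether `publicly_accessible` is set on this database construct is outside the hunk (its constructor call starts before it); if it is not, set it explicitly to `False` so a public subnet does not also mean a public IP.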
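Review bot: `allow_public_subnet=True` is left in place on the raster function directly below the new `vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS)`; that flag only silences CDK's check against placing a Lambda in public subnets, which no longer applies. Keeping it means a later edit to `vpc_subnets` could move the function into a public subnet without CDK objecting, so drop the line, which also matches the removal of the same flag on the STAC and vector functions in the other hunks. The `aws_lambda.Function(...)` call for `eoraster_function` starts before and ends after this hunk.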
@@ -306,7 +339,6 @@ def __init__( # noqa: C901 platform="linux/amd64", ), vpc=vpc, - allow_public_subnet=True, handler="handler.handler", memory_size=eostac_settings.memory, timeout=Duration.seconds(eostac_settings.timeout), @@ -361,6 +393,8 @@ def __init__( # noqa: C901 if "DB_MAX_CONN_SIZE" not in env: env["DB_MAX_CONN_SIZE"] = "1" + if "DB_MIN_CONN_SIZE" not in env: + env["DB_MIN_CONN_SIZE"] = "1" eovector_function = aws_lambda.Function( self, @@ -375,7 +409,6 @@ def __init__( # noqa: C901 platform="linux/amd64", ), vpc=vpc, - allow_public_subnet=True, handler="handler.handler", memory_size=eovector_settings.memory, timeout=Duration.seconds(eovector_settings.timeout),
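Review bot: The two `if "..." not in env:` blocks that default `DB_MAX_CONN_SIZE` and the newly added `DB_MIN_CONN_SIZE` are a hand-written `setdefault`; `env.setdefault("DB_MAX_CONN_SIZE", "1")` and `env.setdefault("DB_MIN_CONN_SIZE", "1")` express the same thing in two lines. Nothing here checks that a user-supplied `DB_MIN_CONN_SIZE` does not exceed `DB_MAX_CONN_SIZE` (presumably both feed the connection pool), so a bad pair would only surface at runtime; a one-line guard before the `Function` is built would fail synth instead. The `eovector_function = aws_lambda.Function(` call that begins at the end of this hunk continues outside it, and the later hunk only removes `allow_public_subnet=True` without adding a `vpc_subnets` selection, so the vector and STAC functions now rely on CDK's default subnet choice; passing `vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS)` explicitly, as the raster function does, keeps the placement visible rather than implicit.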