LXD API: How to provision and manage containers from external app?

Hi guys, I need to provision and manage LXC containers living on a clustered LXD setup.
Container creation and management would be based on input from an external APP.

What I have come up with so far is:

  • Create a microservice to listen to requests from the APP.
  • The APP would send a payload like {"command": "Create Instance", "Name": "New Instance", "Size": "Medium", "etc": "etc"}
  • A PHP script would take the "order" and convert it to LXD commands (there's a PHP client for the LXD API) to be issued to the LXD API.

Question is: Where should the logic live?

  1. A VPS dedicated only to connecting to the LXD API.
  2. A container living in one of the hosts.
  3. Directly in one of the hosts.
  4. On the APP server and interact with the LXD API directly from the APP code (no microservice).

How have you achieved this in the past?
Pitfalls?
Tips?

Thanks a lot!

As that layer is likely stateless, having it be a container you can deploy wherever you want probably makes sense. You could also have your app server talk directly to LXD, but that would expose it to the entirety of the LXD API, which would make any security issue in the app that much worse. Having those requests go through your intermediate piece of code does restrict the attack surface that one of your users could get access to.

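The attack-surface argument in the reply above comes down to what the intermediate layer refuses to pass on. The sketch below is an added example (not code from the thread, and written in Python rather than the PHP client the poster mentions) of a broker that maps the APP's order into exactly one pre-shaped LXD REST call: the command list, the size-to-profile table and the image alias are assumptions, and any order outside them is rejected before LXD is contacted.

```python
"""Broker that turns an app 'order' into a single, constrained LXD API call."""
from __future__ import annotations

import re
from typing import Any

# LXD instance naming rules: letters, digits and hyphens only; must start with
# a letter, must not end with a hyphen, at most 63 characters. This also rejects
# path-like names such as "../etc" before they reach a URL.
_NAME_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Assumed size -> LXD profile mapping; the profile names are constructed here.
SIZE_PROFILES = {"Small": "t-small", "Medium": "t-medium", "Large": "t-large"}
# Assumed: the only image alias the broker is allowed to launch from.
IMAGE_ALIAS = "ubuntu/22.04"


def translate_order(order: dict[str, Any]) -> tuple[str, str, dict[str, Any] | None]:
    """Return (method, path, body) for the LXD REST API, or raise ValueError.

    Only the four assumed commands are recognised; everything else (exec, file
    push, device changes, ...) is simply not reachable through this layer.
    """
    name = order.get("Name", "")
    if not isinstance(name, str) or not _NAME_RE.match(name):
        raise ValueError("invalid instance name")
    command = order.get("command")
    if command == "Create Instance":
        profile = SIZE_PROFILES.get(order.get("Size"))
        if profile is None:
            raise ValueError("unknown size")
        body = {
            "name": name,
            "profiles": ["default", profile],
            "source": {"type": "image", "alias": IMAGE_ALIAS},
        }
        return "POST", "/1.0/instances", body
    if command in ("Start Instance", "Stop Instance"):
        action = "start" if command == "Start Instance" else "stop"
        return "PUT", f"/1.0/instances/{name}/state", {"action": action, "timeout": 30}
    if command == "Delete Instance":
        return "DELETE", f"/1.0/instances/{name}", None
    raise ValueError("command not permitted")


def is_permitted(order: dict[str, Any]) -> bool:
    """True if the order would be forwarded to LXD, False if the broker drops it."""
    try:
        translate_order(order)
        return True
    except ValueError:
        return False
```

Whatever sends the resulting request should authenticate to LXD with a client certificate held only by the broker, so a compromised APP server has nothing to replay against the cluster directly.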

Thank you @stgraber.

OK, so option 4 is discarded, and option 3 similarly represents some avoidable risks… so it's discarded too.

Is there any guide on how to "attach" a container as a member of the cluster it lives in?

And in both options 1 and 2: How do I tell the cluster no loads are to be run on that cluster member?