AWS Architecture ‐ AWS Managed services (Single Region)
Aditya edited this page Jul 17, 2024
We zoom out from the previous diagram and treat our VPC as a black box, not worrying about subnets and connections. This architecture diagram shows the flow of an API call between the various AWS managed services and our VPC, which hosts the Presentation, Application and Database layers.
- DNS Resolution is done via Nettigrity.
- Frontend of our application will be hosted on S3.
- CloudFront for edge optimization. However, it is still under discussion whether we will incorporate it; that depends on the scale of the application.
- Route 53 routes API calls to the API Gateway in the region closest to the user (more on this in another zoom-out where we discuss the regional level).
- API Gateway passes the request to a Lambda function, which acts as a producer for our MSK cluster; MSK stores the API calls in a queue for processing.
- Microservices running on EKS act as consumers: they read the requests from MSK and process them.
- The database connection is private; only microservices running in EKS have access to our database.
- Both the EKS cluster and the Aurora cluster can access S3 via the S3 VPC endpoint.
- Both EKS containers and Aurora can reach the public internet via the Internet Gateway. They cannot access the Internet Gateway directly; their internet-bound requests are routed to a NAT Gateway hosted in the public subnet, which in turn forwards them to the Internet Gateway.
- The public subnet also hosts a bastion host for secure SSH connections into the private subnets, used to troubleshoot issues there.
- **Hence it is important to have proper security measures for who can access our public subnet. Set up proper Security Groups and NACLs to limit access; ideally, incoming requests should only be allowed from the Saayam VPN.**
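As an added example (not part of this wiki page or the Saayam project's own tooling), the following script checks the two controls named above for the bastion host: it audits a security group's inbound rules for any rule that reaches TCP/22 from a source outside the VPN range, and it evaluates a public-subnet NACL's inbound entries in rule-number order to decide whether SSH from a given source address would be allowed. The rule dictionaries are shaped like the `IpPermissions` and NACL `Entries` lists returned by the AWS CLI, but the sample data and the VPN CIDR below are constructed placeholders.

```python
"""Offline audit of bastion SSH reachability against an allowed VPN CIDR.

Added example, not code from the wiki page or the project. Rule data is shaped
like `aws ec2 describe-security-groups` IpPermissions and
`aws ec2 describe-network-acls` Entries; all sample values are constructed.
"""
import ipaddress

# Placeholder VPN egress range (assumption): replace with the real Saayam VPN CIDR.
ALLOWED_SOURCE_CIDRS = ["203.0.113.0/24"]  # TEST-NET-3 documentation range
SSH_PORT = 22


def _rule_reaches_ssh(perm):
    """True if a security-group permission covers TCP/22 (or all traffic, '-1')."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def _source_within_allowed(cidr, allowed):
    """True if `cidr` is fully contained in one of the allowed (VPN) ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    for a in allowed:
        allowed_net = ipaddress.ip_network(a, strict=False)
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True
    return False


def find_ssh_violations(ip_permissions, allowed=ALLOWED_SOURCE_CIDRS):
    """Return (source_cidr, reason) for each SSH-reaching rule whose source is not the VPN."""
    violations = []
    for perm in ip_permissions:
        if not _rule_reaches_ssh(perm):
            continue
        for r in perm.get("IpRanges", []):
            if not _source_within_allowed(r["CidrIp"], allowed):
                violations.append((r["CidrIp"], "SSH source outside VPN range"))
        for r in perm.get("Ipv6Ranges", []):
            if not _source_within_allowed(r["CidrIpv6"], allowed):
                violations.append((r["CidrIpv6"], "IPv6 SSH source outside VPN range"))
    return violations


def nacl_decides_ssh(entries, source_ip):
    """Evaluate inbound NACL entries in rule-number order for TCP/22 from source_ip.

    Returns the RuleAction of the first matching entry ('allow' or 'deny');
    if nothing matches, the NACL's implicit final deny applies.
    """
    ip = ipaddress.ip_address(source_ip)
    inbound = [e for e in entries if not e.get("Egress", False)]
    for e in sorted(inbound, key=lambda e: e["RuleNumber"]):
        proto = e.get("Protocol")          # '6' is TCP, '-1' is all protocols
        if proto not in ("-1", "6"):
            continue
        pr = e.get("PortRange")
        if proto == "6" and pr and not (pr["From"] <= SSH_PORT <= pr["To"]):
            continue
        cidr = e.get("CidrBlock" if ip.version == 4 else "Ipv6CidrBlock")
        if cidr is None:
            continue
        if ip in ipaddress.ip_network(cidr, strict=False):
            return e["RuleAction"]
    return "deny"


# Constructed sample: a bastion security group with one correct rule and two bad ones.
SAMPLE_BASTION_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},       # OK: VPN range only
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # BAD: SSH open to the world
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # not SSH, ignored by this check
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},      # BAD: all traffic from a non-VPN range
]

# Constructed sample: a public-subnet NACL allowing SSH from the VPN and HTTPS from anywhere.
SAMPLE_PUBLIC_NACL = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for cidr, reason in find_ssh_violations(SAMPLE_BASTION_SG_RULES):
        print(f"VIOLATION: {cidr}: {reason}")
    for src in ("203.0.113.7", "198.51.100.9"):
        print(f"NACL decision for SSH from {src}: {nacl_decides_ssh(SAMPLE_PUBLIC_NACL, src)}")
```

Security groups are stateful and evaluated as a union of allow rules, so a single world-open SSH rule defeats the VPN-only rule next to it; NACLs are stateless and ordered, so the check walks entries by rule number and stops at the first match, as the VPC does. Both checks can be pointed at real CLI output by feeding in the `IpPermissions` and `Entries` lists instead of the constructed samples.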