AWS Architecture

While the AWSDSC-XUT team will focus on building advanced features, you are going to concentrate on optimizing the core infrastructure for seamless operations and scalability. With a minimal working version of the AWSome Books already in place, your goal is to recommend and deploy the essential AWS services needed to efficiently run a containerized RESTful API application at scale.

Before we dive into the AWSome Books AWS architecture, let’s first examine the key AWS services that can effortlessly support a containerized RESTful API application.

AWS Services

AWS RDS

AWS RDS simplifies the setup, operation, and scaling of relational databases in the cloud, offering cost-efficient, resizable capacity while handling common administrative tasks.

The AWSome Books project leverages PostgreSQL as its relational database, fully supported by Amazon RDS. By enabling Multi-AZ instance deployments, AWS RDS ensures high availability and automatic failover, offering robust support and resilience for your database with a standby instance in another availability zone.

AWS Secrets Manager

AWS Secrets Manager securely encrypts, stores, and retrieves credentials for databases and services, eliminating the need to hardcode them in your applications. By calling AWS Secrets Manager when needed, you can enhance security, automate secret rotation, and manage access, protecting your IT resources and data effectively.

With AWS RDS’s built-in support for AWS Secrets Manager, you can keep your AWSome Books codebase clean and secure — no more hardcoding database credentials!
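As an added CloudFormation example (not code from the AWSome Books project), the fragment below lets RDS generate and rotate the master password in Secrets Manager and injects it into the Fargate task at start-up, so the credential appears neither in the image nor in the template. The subnet group, the database security group, the execution role (which must be allowed secretsmanager:GetSecretValue on the managed secret) and the 8080 container port are assumptions.

```yaml
# Added example, not the AWSome Books project's template. Assumed: DbSubnetGroup, DbSg,
# TaskExecutionRole (allowed secretsmanager:GetSecretValue on the managed secret).
Resources:
  BooksDb:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    Properties:
      Engine: postgres
      DBInstanceClass: db.t4g.medium
      AllocatedStorage: 20
      MultiAZ: true                     # synchronous standby in a second Availability Zone
      DBSubnetGroupName: !Ref DbSubnetGroup
      VPCSecurityGroups: [!Ref DbSg]
      PubliclyAccessible: false
      StorageEncrypted: true
      MasterUsername: awsomebooks
      ManageMasterUserPassword: true    # RDS creates the secret and rotates the password itself

  BooksApiTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: awsome-books-api
      RequiresCompatibilities: [FARGATE]
      NetworkMode: awsvpc
      Cpu: "512"
      Memory: "1024"
      ExecutionRoleArn: !Ref TaskExecutionRole
      ContainerDefinitions:
        - Name: api
          # pin a digest or an immutable tag in production rather than :latest
          Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/awsome-books:latest"
          PortMappings:
            - {ContainerPort: 8080, Protocol: tcp}
          Environment:
            - {Name: DB_HOST, Value: !GetAtt BooksDb.Endpoint.Address}
            - {Name: DB_SSLMODE, Value: require}     # TLS on the app-to-RDS hop as well
          Secrets:                                   # fetched by the ECS agent at task start
            - Name: DB_USER
              ValueFrom: !Sub "${BooksDb.MasterUserSecret.SecretArn}:username::"
            - Name: DB_PASSWORD
              ValueFrom: !Sub "${BooksDb.MasterUserSecret.SecretArn}:password::"
```

The secret RDS manages holds only `username` and `password`; the endpoint address comes from the instance attribute, so the application container starts with everything it needs to open an encrypted PostgreSQL connection.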

AWS ECR

AWS ECR is a fully managed container registry that offers high-performance image hosting, allowing you to seamlessly deploy your application images and artifacts wherever you need, with reliability and speed.

The application will utilize AWS ECR private registry to securely store and manage container images used within the AWSDSC-XUT team.

AWS ECS

AWS ECS is a fully managed container orchestration service that simplifies deploying, managing, and scaling containerized applications. AWS ECS seamlessly integrates with AWS ECR and Docker, freeing your team to concentrate on creating powerful applications while it handles the heavy lifting of infrastructure management.

AWSome Books might need AWS ECS Fargate to run containers without managing servers or EC2 instances. It eliminates the need to provision, configure, or scale clusters, freeing you from choosing server types, scaling decisions, and optimizing cluster packing. Simply focus on your containers, and Fargate handles the rest.

AWS Auto Scaling

AWS offers a range of services to help you scale your application seamlessly. AWS Auto Scaling ensures your application scales efficiently and is included at no extra cost beyond the standard fees for other AWS resources.

AWS Auto Scaling Group helps you ensure that you have the correct number of AWS ECS Fargate tasks available to handle the load for your application.

AWS Application Load Balancer

The AWS Application Load Balancer (ALB) is a fully managed load balancing service that automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses, within one or more Availability Zones. It is designed to handle advanced routing and supports HTTP/HTTPS traffic, WebSocket, and serverless functions. ALB offers features like path-based and host-based routing, SSL termination, Web Application Firewall (WAF) integration, and monitoring through Amazon CloudWatch, making it ideal for modern web applications and microservices architectures.

The AWS ALB can then route incoming traffic to the AWS ECS Fargate tasks registered in its target group.

AWS API Gateway

AWS API Gateway lets you easily create and deploy APIs at any scale. You can build secure and scalable APIs that connect with AWS services, other web services, or data in the AWS Cloud, and make them available for your own apps or third-party developers.

AWS API Gateway provides multiple API options, including REST APIs, HTTP APIs, and WebSocket APIs. While AWSome Books can utilize either REST APIs or HTTP APIs, it may benefit from the advanced features that come with the REST API type offered by AWS API Gateway.

Discover the key differences between REST APIs and HTTP APIs here.

AWS Network Load Balancer

The AWS Network Load Balancer (NLB) is a high-performance service designed to handle millions of requests per second with ultra-low latency. Operating at Layer 4 of the OSI model, it balances TCP, UDP, and TLS traffic across EC2 instances, containers, or IP addresses within multiple Availability Zones. NLB supports static IP addresses, preserves source IPs, and integrates seamlessly with AWS Global Accelerator, making it ideal for latency-sensitive applications and real-time communication.

The AWSDSC-XUT team aims to make the AWS ALB internal and accessible only through the AWS API Gateway with the REST API type. The REST API type, however, lacks built-in support for direct integration with an internal ALB. To solve this, you can set up a VPC Link in API Gateway and use an AWS NLB as a pass-through service that proxies requests from the VPC Link to the internal ALB.
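The pass-through chain described above as an added CloudFormation example (not the AWSDSC-XUT team's template): a REST API method integrated through a VPC Link to an internal NLB whose target group points straight at the internal ALB. InternalAlb (with an HTTPS listener on 443 and an ACM certificate for the hostname used in Uri), PrivateSubnetA/B, VpcId, BooksRestApi and CognitoAuthorizer are assumed to exist.

```yaml
# Added example, not the AWSDSC-XUT team's template. Assumed: InternalAlb (HTTPS listener on 443
# with an ACM certificate for the hostname in Uri), PrivateSubnetA/B, VpcId, BooksRestApi, CognitoAuthorizer.
Resources:
  PassThroughNlb:                     # internal NLB, the only target type a REST API VPC Link accepts
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties: {Type: network, Scheme: internal, Subnets: [!Ref PrivateSubnetA, !Ref PrivateSubnetB]}
  AlbTargetGroup:                     # an NLB target group may point directly at an ALB
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      TargetType: alb
      Protocol: TCP
      Port: 443
      VpcId: !Ref VpcId
      HealthCheckProtocol: HTTPS
      Targets:
        - {Id: !Ref InternalAlb, Port: 443}
  NlbListener:                        # TCP pass-through, so TLS runs end to end from API Gateway to the ALB
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref PassThroughNlb
      Protocol: TCP
      Port: 443
      DefaultActions:
        - {Type: forward, TargetGroupArn: !Ref AlbTargetGroup}
  BooksVpcLink:
    Type: AWS::ApiGateway::VpcLink
    Properties: {Name: awsome-books-vpclink, TargetArns: [!Ref PassThroughNlb]}
  ProxyResource:                      # /{proxy+} forwards every path to the API behind the ALB
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref BooksRestApi
      ParentId: !GetAtt BooksRestApi.RootResourceId
      PathPart: "{proxy+}"
  ProxyMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref BooksRestApi
      ResourceId: !Ref ProxyResource
      HttpMethod: ANY
      AuthorizationType: COGNITO_USER_POOLS   # callers must present a Cognito user pool token
      AuthorizerId: !Ref CognitoAuthorizer
      RequestParameters: {method.request.path.proxy: true}
      Integration:
        Type: HTTP_PROXY
        IntegrationHttpMethod: ANY
        ConnectionType: VPC_LINK
        ConnectionId: !Ref BooksVpcLink
        Uri: "https://api.awsomebooks.example/{proxy}"   # hostname is sent as Host/SNI to the ALB
        RequestParameters: {integration.request.path.proxy: method.request.path.proxy}
```

Because the NLB listener is plain TCP, the TLS session from API Gateway terminates on the internal ALB, which is why the ALB needs a certificate API Gateway trusts for the hostname in Uri.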

AWS Certificate Manager

AWS Certificate Manager (ACM) helps you provision, manage, and renew publicly trusted TLS certificates for AWS-based websites.

AWS Certificate Manager integrates seamlessly with AWS API Gateway to secure user connections over the public Internet, ensuring robust encryption and enhanced security for your APIs.

AWS Cognito

AWS Cognito simplifies user authentication and authorization for your web and mobile apps. With user pools, you can effortlessly add secure sign-up and sign-in capabilities, while identity pools (federated identities) provide temporary credentials for users to access specific AWS resources—whether they are signed in or browsing anonymously.

AWS CodeDeploy

AWS CodeDeploy is a deployment service that enables developers to automate the deployment of applications to instances and to update the applications as required.

The Security of Connections

Without public subnets or Internet Gateway settings, the AWSDSC-XUT team intends to keep the VPC as private as possible. However, as previously indicated, you can still reach your private resources by configuring an AWS API Gateway to communicate over AWS’s private network via a VPC Link. Moreover, your private resources can securely reach public AWS services over AWS’s private network by using the necessary VPC Endpoints.
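An added CloudFormation example (not the team's own template) of what a private VPC looks like in practice: each tier's security group admits only the tier in front of it, and interface and gateway endpoints keep ECR image pulls, secret reads and S3 access on AWS's private network. VpcId, PrivateSubnetA/B, PrivateRouteTable and the internal ALB's security group AlbSg are assumed; the ecr.api endpoint, and a logs endpoint if the awslogs driver is used, are built the same way as EcrDkrEndpoint.

```yaml
# Added example, not the team's template. Assumed: VpcId, PrivateSubnetA/B, PrivateRouteTable and
# AlbSg (the internal ALB's security group). Build ecr.api and logs endpoints like EcrDkrEndpoint.
Resources:
  TaskSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Fargate tasks, reachable only from the internal ALB
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 8080, ToPort: 8080, SourceSecurityGroupId: !Ref AlbSg}
  DbSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RDS PostgreSQL, reachable only from the tasks
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 5432, ToPort: 5432, SourceSecurityGroupId: !Ref TaskSg}
  EndpointSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: interface endpoints, HTTPS from the tasks only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, SourceSecurityGroupId: !Ref TaskSg}
  EcrDkrEndpoint:                 # image pulls stay on AWS's private network
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.ecr.dkr"
      VpcEndpointType: Interface
      VpcId: !Ref VpcId
      SubnetIds: [!Ref PrivateSubnetA, !Ref PrivateSubnetB]
      SecurityGroupIds: [!Ref EndpointSg]
      PrivateDnsEnabled: true       # the service's normal DNS name resolves to the endpoint ENIs
  SecretsEndpoint:                # DB credentials fetched at task start never cross the Internet
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.secretsmanager"
      VpcEndpointType: Interface
      VpcId: !Ref VpcId
      SubnetIds: [!Ref PrivateSubnetA, !Ref PrivateSubnetB]
      SecurityGroupIds: [!Ref EndpointSg]
      PrivateDnsEnabled: true
  S3Endpoint:                     # ECR stores image layers in S3, so a gateway endpoint is needed too
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"
      VpcEndpointType: Gateway
      VpcId: !Ref VpcId
      RouteTableIds: [!Ref PrivateRouteTable]
```

With no Internet Gateway, a missing endpoint shows up as tasks stuck in PROVISIONING with image-pull or secret-fetch errors, which is a useful check that nothing in the VPC still depends on public routes.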

You can set up a bastion host in a public subnet to securely access your private resources when necessary.

You may be wondering about the security of connections from users to the AWS API Gateway and between AWS Services. Take a look at the figure below for a detailed view:

In summary:

  • connections from users to AWS API Gateway are encrypted over the Internet.
  • communications between AWS Services can be either encrypted or unencrypted over AWS’s private network.

For the highest level of security, it is recommended to encrypt all connections.

AWS Architecture

You might build the following AWS architecture for the AWSome Books application, including CI/CD pipelines and other technologies:

AWS architecture diagram

You should not be surprised by an architecture in which all subnets are private and there is no Internet Gateway configuration; we have covered this in detail throughout this section.