INTERNET

Route53 DNS
• interpres.io (Public Hosted Zone)
• *.in.interpres.io → ACM Wildcard Cert

WAF
• Rules: Geo-block, Rate Limit, Bot Detection
• Logs → CloudWatch (30-day retention)

VPC: 10.90.0.0/16 (Region: ap-south-1)

Availability Zones: ap-south-1a, ap-south-1b

Public Subnets (one per AZ): 10.90.1.0/24, 10.90.2.0/24
• NAT Gateway (one per AZ)
• ALB (HTTPS) with SSL Termination (one per AZ)

Private Subnets (one per AZ): 10.90.11.0/24, 10.90.12.0/24
• EKS Cluster (in-prod)
  Node Group: m5.2xlarge (2-6 nodes)
  Microservices:
  • api-service
  • app-service
  • auth-service
  • pipeline-*
  • ai-chat
  • secret-service
  • worker-service
  Add-ons:
  • ALB Controller
  • External-DNS
  • Cluster Auto.
  • Prometheus
  • Grafana
  • Velero (opt)
  • Vault (HA)

Database Subnets (one per AZ): 10.90.21.0/24, 10.90.22.0/24
• RDS Aurora Main Cluster (Writer + Reader): PostgreSQL 14.17, db.r5.2xlarge
• RDS Aurora Fusion Cluster (Writer + Reader): PostgreSQL 14.17, db.t3.medium

EXTERNAL SERVICES

S3 Buckets
• prd-in-app-data
• prd-in-doc-files
• prd-in-media
• prd-in-backup
• prd-in-velero

KMS Keys
• EKS encryption
• RDS encryption
• S3 encryption
• Vault unseal

Secrets Manager
• DB passwords
• Service creds
• API tokens

CloudWatch
• Logs
• Metrics
• Alarms

SECURITY LAYERS

Network Security
• Security Groups
• NACLs (DB subnets)
• VPC Flow Logs
• Private subnets

Encryption
• KMS encryption
• SSL/TLS everywhere
• Certificate Manager
• RDS encryption

Access Control
• IRSA roles
• K8s RBAC
• IAM policies
• Service accounts
Diagram by subh
