Cloud Native

This architecture reflects my current technical acumen and business philosophies:

• Customer is most important person in the room
• Do more with less
• Secure by design
• Learn & apply
• Follow the data
• Simplicity accelerates

I use it within my own projects — and as a baseline for related consulting work.

It’s an ideal — secure, performant and modular — platform for delivering:

• Single-page applications (Angular, React, etc.)
• Multi-page/traditional apps (Django, Rails, Tomcat, etc.)
• Static and dynamic websites, ecommerce sites, etc.
• Media assets (streaming, live, etc.)

Inspired — and perpetually evolving — from AWS reference architectures and cloud native best-practices:

• Containers
• Microservices
• Continuous Delivery
• DevOps

And continuously validated against the AWS Well-Architected and NIST Cybersecurity frameworks.

Push-Button Deployment

Maintained in a library of CloudFormation templates and deployable on-demand — as individual modules or end-to-end.

Design Considerations

• Why not TerraForm? CloudFormation covers everything required in a universal format (YAML/JSON), so there is no compelling reason to take on the added costs and complexity of a 3^rd-party tool
• Why AWS? In a word…ecosystem. The breadth and quality of services, coupled with their integration, provide the most compelling business case. And after working with nearly all of AWS’s services over the past 10+ years — and applying their published best practices and reference architectures — AWS has earned my trust…and my business. I’ve also used GCP and Azure quite a bit, but have always ended up back on AWS due to performance or architectural reasons.

The Bigger Picture

This architecture also fills a key role in a more comprehensive cloud strategy:

So let’s dive in…

At the core, we need a method for securely storing and rapidly delivering web content to end users, and we do that through:

• CloudFront — Fast content delivery network (CDN)
• Simple Storage Service (S3) — Primary storage for static assets (CloudFront Origin)
• Lambda@Edge — Add Content Security Policy (CSP) headers to responses, A/B testing and CloudFront Origin determination
• Certificate Manager (ACM) — SSL certificate for data in-transit encryption, configured in CloudFront and API Gateway
• Route 53 — Public-facing DNS, including transfer between environments during deployments
• Web Application Firewall (WAF) — Rules engine for blocking malicious traffic on CloudFront, Route 53 and API Gateway
• Shield — DDoS protection on CloudFront and Route 53
• Key Management Service (KMS) — Cryptographic key management for encrypting data at-rest on S3
• API Gateway* — Primary entry point for client access to microservices
• Virtual Private Cloud (VPC) — Network-level isolation of resources and traffic (including Security Groups, NACLs, NAT, Route Tables, etc.)
• CloudWatch — Collect and store logs from S3, API Gateway, Route 53 and Lambda

* only required with expansion modules

This highly optimized pipeline pushes static assets (HTML, CSS, JS) right to users’ front door; providing an optimal experience around the globe.

Expansion Modules

With this solid foundation in place, we can easily enhance functionality using a number of different add-on microservices:

• User Management
• Behavior Tracking
• Payment Processing
• Media Management
• Bespoke Inference
• Bespoke Computation
• IoT Device Management

Let’s dive a little deeper into those modules…

Add-on microservice that integrates user registration, authentication, authorization into the application.

• Cognito — Web federation with built-in registration and sign-in web pages
• Route 53 — Domain name for Cognito-provided registration and sign-in page
• Certificate Manager (ACM) — SSL certificate configured in Cognito
• CloudWatch — Collect and store logs from Route 53

Providing granular control over user permissions.

This add-on module enables a microservice for capturing user behavior within the application.

• Kinesis Data Firehose — Ingest raw data
• Kinesis Analytics — Anomaly detection
• Lambda — Serverless computation for transforming or appending data
• Simple Storage Service (S3) — Primary data storage
• QuickSight — Dashboard for analysis
• Key Management Service (KMS) — Cryptographic key management for encrypting data at-rest on S3

Clickstream intelligence pipeline, recording and analyzing user behavior.

This add-on module enables a microservice for payments within the application.

• Lambda — Interact with payment gateways
• DynamoDB — Log payment activity
• Simple Queue Service (SQS) — Decouple payment from ordering process
• CloudWatch — Collect and store logs

Requires a payment processor, e.g. Stripe.

For example:

• Ecommerce applications
• Content subscriptions

This add-on module enables a microservice for efficient delivery of video and other media.

• Simple Storage Service (S3) — Primary data storage for pre- and post-processed media files
• MediaConvert — Transcode media into optimized versions
• Key Management Service (KMS) — Cryptographic key management for encrypting data at-rest

Media optimization and delivery, for example:

• Training courses

Includes a pipeline to optimize video delivery for each device.

Add-on microservice providing custom decision automation.

• SageMaker — Machine learning workflow
• CloudWatch — Collect and store logs

Custom machine learning models, for example:

• Personalize search results
• Predictive user behavior
• Image/video analysis

This module lays down the infrastructure required to deploy custom-developed microservices running in containers, serverless functions or virtual machines.

• Application Load Balancer (ALB) — Terminate SSL and address translation
• Web Application Firewall (WAF) — custom rules to block malicious traffic on ALB
• Certificate Manager (ACM) — SSL certificate configured in ALB
• Fargate — Automated deployment and management of ECS cluster
• Elastic Container Service (ECS) — Run and manage Docker containers
• Elastic Container Registry (ECR) — Docker container registry
• Lambda — Run serverless functions
• Simple Queue Service (SQS) — Dead Letter Queue (DLQ) for Lambda
• Elastic Compute Cloud (EC2) — Run and manage virtual machines
• CloudWatch — Collect and store logs

Proprietary software deployment running on various languages, e.g. Django, Rails, Tomcat, etc.

Design Considerations

• Why not Kubernetes? ECS provides better integration with overall solution and more extensive automation (managed service)
• I typically prioritize these by: Lambda, ECS, EC2 — for a number of reasons, including security risk (EC2 is typically highest risk)

This add-on module enables a platform for managing IoT devices.

• IoT — Primary gateway for device management
• CloudWatch — Collect and store logs from IoT

Extend the application to remote industrial, consumer and commercial cloud-connected devices.