
System Architecture Overview

This document provides an overview of the system architecture, focusing on the setup and security group configuration for handling ECS tasks, load balancing, and database management.


VPC and Security Groups

All resources run inside a single Virtual Private Cloud (VPC). Nothing in the VPC is reachable by default; each component carries a security group, and the security groups below define which component may talk to which, and on which port.

ECS Security Group

The ECS Security Group is attached to the containers running as ECS tasks:

  • Inbound Rules: Allow traffic from the same security group (a self-referencing rule), so tasks can talk to each other, and from the Load Balancer Security Group on the container port, so the load balancer can forward requests to the tasks. Nothing else can reach the tasks directly.
  • Outbound Rules: Open to all, so containers can make the outbound requests they need (for example to the database and to external APIs). Security groups are stateful, so the replies to those requests are accepted without a matching inbound rule.

Load Balancer Security Group

The Load Balancer Security Group controls traffic flowing into the load balancer:

  • Inbound Rules: Allow traffic from anywhere (0.0.0.0/0) on port 443 (HTTPS). If the HTTP-to-HTTPS redirect described below is used, port 80 must be allowed here as well; otherwise HTTP connections are dropped before the listener ever sees them.
  • Outbound Rules: Open to all. Responses to incoming requests do not depend on this rule, because security groups are stateful; what the rule actually permits is the connection from the load balancer to the ECS tasks, so it can be tightened to the ECS Security Group on the container port without breaking anything.

Load Balancer and Listener Rules

The Load Balancer is the only entry point for the application and forwards incoming requests to the ECS tasks:

  • Listener Rules: An HTTPS listener on port 443 terminates TLS, and an HTTP listener on port 80 answers only with a redirect to HTTPS, so every client ends up on an encrypted connection.

Target groups on the load balancer spread traffic across the ECS tasks; each task is registered as a target by its own private IP address.

ECS Tasks and Containers

Within the ECS service, several tasks run at once, each hosting one or more application containers. The tasks carry the ECS Security Group, so they can communicate with each other and accept requests from the load balancer, but are not reachable from outside the VPC.

EC2 Instance and Systems Manager (SSM)

An EC2 instance is included and is administered through Systems Manager (SSM) instead of SSH, so it needs no inbound access at all:

  • Inbound Rules: None. The SSM Agent on the instance opens an outbound HTTPS (port 443) connection to the SSM service endpoints and polls for sessions and commands, so the connection is always initiated from the instance, never to it.
  • Outbound Rules: Allow HTTPS (port 443) to the SSM endpoints, either over the internet route or, if the instance has no such route, through VPC interface endpoints for ssm, ssmmessages and ec2messages.

This gives managed, audited shell access to the instance without a single listening port exposed.

RDS Database and Security Group

The RDS Security Group secures the PostgreSQL database:

  • Inbound Rules: Allow PostgreSQL (port 5432) only from the ECS Security Group. The source is the security group ID, not an address range, so only the tasks can connect regardless of which subnet or IP they happen to use. There are no other inbound rules and the instance is not publicly accessible.

Because the rule references the ECS group rather than the VPC address range, the database is reachable only from the application tasks, not from every host that happens to sit in the VPC.
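As an added example (not part of this document or the project's own code), the following Python script models the security groups described above and checks the flows they are meant to allow and refuse. It uses the tightened load-balancer outbound rule, the extra port 80 rule that the HTTP-to-HTTPS redirect needs, and an outbound rather than inbound rule for SSM; the group names, the container port 8080, the VPC CIDR and every address are assumptions made for the example. A second run swaps the database rule from a reference to the ECS group to the VPC address range, to show why the group reference is the tighter choice.

```python
"""Reachability audit for the security groups described in this document.

Added example, not the project's own code. It models just enough of AWS
security-group semantics to check the intended flows: rules are allow-only,
a rule's source is a CIDR block or another group, and connection tracking is
stateful, so return traffic never needs a rule of its own. Group names, the
container port (8080), the VPC CIDR and every address are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed
CONTAINER_PORT = 8080                            # assumed
POSTGRES_PORT = 5432

@dataclass(frozen=True)
class Rule:
    """One allow rule: a port range plus either a CIDR block or a peer group."""
    port_from: int
    port_to: int
    cidr: Optional[ipaddress.IPv4Network] = None
    sg: Optional[str] = None

    def matches(self, peer_sg, peer_ip, port):
        if not self.port_from <= port <= self.port_to:
            return False
        if self.sg is not None:  # group-referenced rule: the peer must carry that group
            return peer_sg == self.sg
        return self.cidr is not None and peer_ip in self.cidr

@dataclass
class SecurityGroup:
    name: str
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)

@dataclass(frozen=True)
class Endpoint:
    ip: ipaddress.IPv4Address
    sg: Optional[str] = None  # None for hosts outside the VPC, which carry no group

def connection_allowed(groups, src, dst, port):
    """Can src open a new TCP connection to dst:port? The source group's egress
    and the destination group's ingress must both allow it; the reply path is
    covered by connection tracking and is not checked."""
    if src.sg and not any(r.matches(dst.sg, dst.ip, port) for r in groups[src.sg].egress):
        return False
    if dst.sg and not any(r.matches(src.sg, src.ip, port) for r in groups[dst.sg].ingress):
        return False
    return True

def build_groups(rds_source="sg"):
    """The groups from this document; rds_source="cidr" swaps the database rule
    for the looser 'anything in the VPC' form so the two can be compared."""
    lb = SecurityGroup("lb",
        # 80 as well as 443, so the HTTP-to-HTTPS redirect listener is reachable
        ingress=[Rule(80, 80, cidr=ANY), Rule(443, 443, cidr=ANY)],
        egress=[Rule(CONTAINER_PORT, CONTAINER_PORT, sg="ecs")])  # tightened from open
    ecs = SecurityGroup("ecs",
        ingress=[Rule(0, 65535, sg="ecs"),                        # task to task
                 Rule(CONTAINER_PORT, CONTAINER_PORT, sg="lb")],  # from the load balancer
        egress=[Rule(0, 65535, cidr=ANY)])
    db_rule = (Rule(POSTGRES_PORT, POSTGRES_PORT, sg="ecs") if rds_source == "sg"
               else Rule(POSTGRES_PORT, POSTGRES_PORT, cidr=VPC_CIDR))
    rds = SecurityGroup("rds", ingress=[db_rule])                  # the database never dials out
    ec2 = SecurityGroup("ec2", egress=[Rule(443, 443, cidr=ANY)])  # SSM Agent dials out; nothing dials in
    other = SecurityGroup("other", egress=[Rule(0, 65535, cidr=ANY)])  # any other VPC workload
    return {g.name: g for g in (lb, ecs, rds, ec2, other)}

def ep(ip, sg=None):
    return Endpoint(ipaddress.ip_address(ip), sg)

# Sample endpoints, constructed for the example (the SSM address is a placeholder).
INTERNET, SSM_ENDPOINT = ep("203.0.113.10"), ep("198.51.100.20")
LB, DB, HOST = ep("10.0.1.10", "lb"), ep("10.0.3.10", "rds"), ep("10.0.4.10", "ec2")
TASK_A, TASK_B, OTHER = ep("10.0.2.10", "ecs"), ep("10.0.2.11", "ecs"), ep("10.0.4.99", "other")

# Flows the architecture intends (True) and flows it must refuse (False).
EXPECTED = {
    ("internet->lb:443", INTERNET, LB, 443): True,
    ("internet->lb:80", INTERNET, LB, 80): True,
    ("internet->task", INTERNET, TASK_A, CONTAINER_PORT): False,
    ("internet->host:443", INTERNET, HOST, 443): False,
    ("lb->task", LB, TASK_A, CONTAINER_PORT): True,
    ("task->task", TASK_A, TASK_B, CONTAINER_PORT): True,
    ("task->db", TASK_A, DB, POSTGRES_PORT): True,
    ("lb->db", LB, DB, POSTGRES_PORT): False,
    ("host->ssm:443", HOST, SSM_ENDPOINT, 443): True,
    ("other->db", OTHER, DB, POSTGRES_PORT): False,
}

def violations(groups):
    """Names of flows whose actual reachability differs from EXPECTED."""
    return [name for (name, src, dst, port), want in EXPECTED.items()
            if connection_allowed(groups, src, dst, port) != want]

if __name__ == "__main__":
    print("group-referenced database rule:", violations(build_groups("sg")) or "no violations")
    print("VPC-CIDR database rule:", violations(build_groups("cidr")))
```

The first audit reports no violations. The second reports other->db: once the database rule is written as the VPC address range instead of a reference to the ECS group, any workload in the VPC with open outbound rules can reach PostgreSQL, which is exactly the exposure the group reference avoids.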


Each security group admits only the traffic its neighbour needs: the internet reaches only the load balancer, the load balancer reaches only the tasks, only the tasks reach the database, and the EC2 instance accepts no inbound connections at all. Because the rules reference other security groups rather than address ranges, the controls keep holding as tasks are added or replaced and their private IPs change.