System Architecture Overview

The AWS Student Data Infrastructure uses a secure, scalable, three-tier VPC architecture designed for academic data processing. The environment isolates administrative tools, application services, and database workloads while enforcing AWS security best practices.

VPC Architecture

[Architecture diagram: VPC 172.32.0.0/16 (us-east-1). Public / Admin Tier 172.32.1.0/24: NAT Gateway, Bastion Host, IGW attached. Application Tier 172.32.10.0/24: ECS Fargate, Load Balancer, NAT outbound. Database Tier 172.32.20.0/24: RDS PostgreSQL Multi-AZ, no internet. Security & Audit Layer: CloudTrail, VPC Flow Logs, GuardDuty, KMS, CloudWatch.]

Three-Tier VPC Layout

The VPC is divided into isolated network segments with distinct security boundaries:

🌐 Public Tier (172.32.1.0/24)
Contains the NAT Gateway and Bastion Host. Restricted to corporate IP ranges. No workloads or databases reside here.
Components: Internet Gateway, NAT Gateway, Bastion Host

⚙️ Application Tier (172.32.10.0/24)
Hosts application compute resources (ECS Fargate). Outbound internet via NAT. Can access the DB tier only via security group references.
Components: ECS Fargate, Lambda, ALB

🗄️ Database Tier (172.32.20.0/24)
Private-only, no internet gateway route. Contains encrypted RDS PostgreSQL. Only reachable via app-sg → db-sg rules.
Components: RDS PostgreSQL Multi-AZ, KMS encrypted

Security Group Model

Security groups follow least privilege principles with directional SG-to-SG rules.

Security group   Direction   Protocol/Port   Source / Destination
admin-sg         Inbound     TCP 22          Corporate IPs only
alb-sg           Inbound     TCP 443         Internet (behind WAF)
app-sg           Inbound     TCP 443         alb-sg only
app-sg           Outbound    TCP 5432        db-sg only
db-sg            Inbound     TCP 5432        app-sg only
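As an added example (not the project's own code), the following Python audits a security-group listing in the shape returned by boto3's describe_security_groups against the SG-to-SG model above, flagging any inbound rule that is not in the model; the corporate CIDR, group IDs and sample rules are constructed placeholders.

```python
# Added example (not from the page): audit security-group rules against the
# SG-to-SG model above. Input mirrors boto3 ec2.describe_security_groups()
# ["SecurityGroups"]; the sample data at the bottom is constructed.
CORPORATE_CIDRS = {"203.0.113.0/24"}  # assumption: placeholder corporate range
# Expected inbound model: group name -> (port, allowed source SGs, allowed CIDRs)
EXPECTED_INGRESS = {
    "admin-sg": (22, set(), CORPORATE_CIDRS),
    "alb-sg": (443, set(), {"0.0.0.0/0"}),  # public entry point, fronted by WAF
    "app-sg": (443, {"alb-sg"}, set()),
    "db-sg": (5432, {"app-sg"}, set()),
}

def audit_security_groups(groups):
    """Return a finding string for every inbound rule that falls outside the model."""
    id_to_name = {g["GroupId"]: g["GroupName"] for g in groups}
    findings = []
    for g in groups:
        name = g["GroupName"]
        if name not in EXPECTED_INGRESS:
            findings.append(f"{name}: group not in model")
            continue
        port, allowed_groups, allowed_cidrs = EXPECTED_INGRESS[name]
        for perm in g.get("IpPermissions", []):
            if perm.get("IpProtocol") == "-1":  # all protocols/ports, never expected
                findings.append(f"{name}: all-traffic rule")
                continue
            if (perm.get("FromPort"), perm.get("ToPort")) != (port, port):
                findings.append(f"{name}: port range outside model")
            for pair in perm.get("UserIdGroupPairs", []):
                src = id_to_name.get(pair["GroupId"], pair["GroupId"])
                if src not in allowed_groups:
                    findings.append(f"{name}: ingress from group {src} not in model")
            for r in perm.get("IpRanges", []):
                if r["CidrIp"] not in allowed_cidrs:
                    findings.append(f"{name}: ingress from CIDR {r['CidrIp']} not in model")
    return findings

# Constructed sample: alb-sg and app-sg match the model; db-sg has drifted open.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "alb-sg", "IpPermissions": [{"IpProtocol": "tcp",
        "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0a2", "GroupName": "app-sg", "IpPermissions": [{"IpProtocol": "tcp",
        "FromPort": 443, "ToPort": 443, "UserIdGroupPairs": [{"GroupId": "sg-0a1"}]}]},
    {"GroupId": "sg-0a3", "GroupName": "db-sg", "IpPermissions": [{"IpProtocol": "tcp",
        "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
        "UserIdGroupPairs": [{"GroupId": "sg-0a2"}]}]},
]
```

Running `audit_security_groups(SAMPLE_GROUPS)` reports only the db-sg rule that admits 0.0.0.0/0; the same check can be scheduled against live describe_security_groups output to catch drift from the model.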

Network Isolation Design

Each tier implements defense-in-depth with multiple security layers:

🛡️ Network ACLs: stateless filtering at subnet boundaries
🔒 Security Groups: stateful instance-level firewall
🔀 Route Tables: control traffic flow between tiers
🔗 VPC Endpoints: private AWS service access
📊 Flow Logs: complete traffic monitoring

High Availability Configuration

The architecture ensures business continuity through multi-AZ deployment:

🌐 Multi-AZ Subnets: each tier spans the us-east-1a and us-east-1b availability zones
🗄️ RDS Multi-AZ: automatic failover with synchronous replication to a standby
🔀 NAT Gateway Redundancy: one NAT Gateway per AZ eliminates single points of failure
⚖️ Application Load Balancer: cross-zone load balancing distributes traffic across AZs

Data Encryption Strategy

Comprehensive encryption protects data at rest and in transit:

🔐 RDS Encryption: customer-managed KMS key with rotation
📦 S3 Encryption: SSE-KMS for all objects
💾 EBS Encryption: all volumes encrypted by default
🔒 TLS/SSL: required for all connections (TLS 1.2+)
🗝️ Secrets Manager: encrypted credential storage
