HOW DOES THE ECG ARCHITECTURE WORK?

In the architecture developed for the ECG, we use the AWS Application Load Balancer (Amazon Web Services) to distribute traffic across availability zones, together with path-based routing (FIG-1), which eliminates the need for a reverse proxy and the single point of failure it would introduce.

The App's static assets are served by a global Content Delivery Network (CDN).

This architecture requires access through the secure (HTTPS) URLs https://api.guepardo.cloud/ and https://app.guepardo.cloud/.


The Application Load Balancer simplifies and improves application security by terminating TLS with an AWS-managed security policy, so that current TLS protocol versions and cipher suites are always used.

The balancer is designed to serve thousands of simultaneous requests and does not offer a fixed IP (static or Elastic IP). AWS adds network interfaces to absorb growing request volume; this also happens in predictable high-demand scenarios, such as an e-commerce "Black Friday", for which we request pre-warming of the balancer's capacity.

By default, an A record with an alias pointing to the balancer's DNS name is used, so the balancer can scale (and change addresses) without causing unavailability.

The IPs returned by DNS queries (FIG-2) can change over time, even within the same day. This happens when demand increases, and it also makes DoS and DDoS attacks aimed at a fixed address harder.

Replaced IPs are drained and substituted by new ones. This process is internal to AWS: old IPs are quarantined for up to 7 days and then released for use by other load balancers on the AWS platform, so there is constant turnover.

Read more at: https://aws.amazon.com/pt/shield/


WHAT DOES "ROUTE 53" MEAN?

This behavior is possible because of Route 53, the AWS DNS management service, and its alias records, which are a Route 53-specific extension to standard DNS.

Instead of an IP address or a domain name, an alias record points to an AWS-hosted resource: a CloudFront distribution, an Elastic Beanstalk environment, a Classic Load Balancer, an Application or Network Load Balancer, an Amazon S3 bucket configured as a static website, or another Route 53 record in the same hosted zone.

See more information at: https://docs.aws.amazon.com/pt_br/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html

The flow works as follows:

Domain registrar (registroBR, GoDaddy, etc.) → Route 53 → A record with an alias to the balancer's DNS name → Application Load Balancer → application servers (IPv4) in private subnets of the Virtual Private Cloud (VPC).



CAN I ACCESS THE API VIA IP?

No. The architecture requires the secure endpoint https://api.guepardo.cloud/, and Application Load Balancers do not support a static IP, so there is no stable address to call.

Because clients reach the API by name rather than by address, DNS-level failover (figure below) between geographically separate regions becomes possible, and we ensure high availability even in the event of a disaster affecting an entire Amazon Web Services region.
A region contains multiple physically separated data centers (availability zones). We use at least three availability zones in the ECG solution.
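The answer above, together with the TLS and address-rotation points in the architecture section, has a client-side consequence: an integration should dial the DNS name only, verify the certificate against that name, and resolve afresh rather than pin an address. The script below is an added example (not code from the ECG page or project) showing those three checks in Python. It assumes only the endpoint https://api.guepardo.cloud/ named on the page; the helper names make_client_context, check_api_url, resolve_fresh and call_api are hypothetical, and the getaddrinfo() answers in the demo are constructed.

```python
"""Client-side checks for calling the ECG API through its DNS name.

Added example, not code from the ECG page or project. It assumes only the
public endpoint https://api.guepardo.cloud/ named on the page; the helper
names here (make_client_context, check_api_url, resolve_fresh, call_api)
are hypothetical.
"""
from __future__ import annotations

import ipaddress
import socket
import ssl
import urllib.request
from urllib.parse import urlparse

API_BASE = "https://api.guepardo.cloud/"
API_HOST = urlparse(API_BASE).hostname


def make_client_context() -> ssl.SSLContext:
    """Client TLS settings matching what the balancer offers: TLS 1.2 or
    newer, certificate chain verified against the system trust store, and
    the certificate name checked against the host name we dialled."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_api_url(url: str) -> str:
    """Return "" if the URL is acceptable, otherwise a short reason.

    An IP literal is refused even if it currently belongs to the balancer:
    ALB addresses are rotated, and the certificate is issued for the host
    name, so hostname verification would fail against an address anyway.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        return "only https is accepted"
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                      # not an IP literal, carry on
    else:
        return "IP literal not allowed; use the DNS name"
    if host != API_HOST:
        return f"unexpected host {host!r}"
    return ""


def resolve_fresh(hostname: str, resolver=socket.getaddrinfo) -> set[str]:
    """Resolve the host name now and return the current address set.

    Nothing is cached here on purpose: a long-running client that pins the
    first answer keeps sending traffic to an address AWS may already have
    drained. The resolver is injectable so this can be exercised offline.
    """
    answers = resolver(hostname, 443, type=socket.SOCK_STREAM)
    return {sockaddr[0] for _family, _type, _proto, _canon, sockaddr in answers}


def call_api(path: str, timeout: float = 10.0) -> bytes:
    """GET a path under API_BASE with the hardened TLS context."""
    url = API_BASE + path.lstrip("/")
    problem = check_api_url(url)
    if problem:
        raise ValueError(problem)
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, context=make_client_context(), timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed answers standing in for two getaddrinfo() calls made hours apart.
    morning = lambda host, port, type: [(2, 1, 6, "", ("203.0.113.10", port)),
                                        (2, 1, 6, "", ("203.0.113.11", port))]
    evening = lambda host, port, type: [(2, 1, 6, "", ("203.0.113.11", port)),
                                        (2, 1, 6, "", ("203.0.113.42", port))]
    pinned = sorted(resolve_fresh(API_HOST, morning))[0]
    print("pinned address still served:", pinned in resolve_fresh(API_HOST, evening))
    print(check_api_url("https://203.0.113.11/v1/status") or "ok")
```

The demo at the bottom is the failure mode the architecture section warns about: an address copied from a morning lookup into a firewall rule or a config file is no longer in the evening answer, while the DNS name keeps working.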
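The record described in the flow above and the regional failover described here can be expressed as one Route 53 change batch. The following is an added example, not the ECG project's own code: it builds an alias A record for api.guepardo.cloud whose target is the balancer's DNS name, as a PRIMARY/SECONDARY failover pair, and checks the batch for the settings that silently disable failover before submitting it. The ALB DNS names and hosted-zone IDs are constructed placeholders and the function names are hypothetical; applying the batch requires boto3 and AWS credentials, everything else runs offline.

```python
"""Route 53 alias records for the API with DNS-level regional failover.

Added example, not the ECG project's own code. The hosted-zone IDs and ALB
DNS names below are constructed placeholders (the alias HostedZoneId must be
the load balancer's own canonical hosted zone id, not the domain's zone);
only the record name api.guepardo.cloud comes from the page. Applying the
batch needs boto3 and credentials; building and checking it runs offline.
"""
from __future__ import annotations

API_NAME = "api.guepardo.cloud."

# Constructed placeholders for two regional balancers.
PRIMARY = {"dns": "ecg-api-primary-0123456789.sa-east-1.elb.amazonaws.com.",
           "zone_id": "ZPLACEHOLDERPRIM"}
SECONDARY = {"dns": "ecg-api-secondary-9876543210.us-east-1.elb.amazonaws.com.",
             "zone_id": "ZPLACEHOLDERSEC"}


def alias_a_record(name: str, target_dns: str, target_zone_id: str, *,
                   failover: str | None = None, set_id: str | None = None,
                   health_check_id: str | None = None,
                   evaluate_target_health: bool = True) -> dict:
    """One A record whose AliasTarget is the ALB's DNS name. Because it is an
    alias and not a literal A record, Route 53 follows the balancer's address
    changes itself; nothing has to be edited when AWS rotates the IPs."""
    rrset = {
        "Name": name,
        "Type": "A",
        "AliasTarget": {
            "HostedZoneId": target_zone_id,
            "DNSName": target_dns,
            "EvaluateTargetHealth": evaluate_target_health,
        },
    }
    if failover:
        rrset["Failover"] = failover              # "PRIMARY" or "SECONDARY"
        rrset["SetIdentifier"] = set_id or failover.lower()
    if health_check_id:
        rrset["HealthCheckId"] = health_check_id
    return rrset


def failover_change_batch(name: str, primary: dict, secondary: dict,
                          primary_health_check_id: str | None = None) -> dict:
    """PRIMARY/SECONDARY pair: resolvers get the primary balancer while it is
    healthy and the secondary one (in another region) when it is not."""
    return {
        "Comment": f"failover alias pair for {name}",
        "Changes": [
            {"Action": "UPSERT",
             "ResourceRecordSet": alias_a_record(name, primary["dns"], primary["zone_id"],
                                                failover="PRIMARY",
                                                health_check_id=primary_health_check_id)},
            {"Action": "UPSERT",
             "ResourceRecordSet": alias_a_record(name, secondary["dns"], secondary["zone_id"],
                                                failover="SECONDARY")},
        ],
    }


def check_change_batch(batch: dict) -> list[str]:
    """Mistakes Route 53 accepts but that defeat the design: a PRIMARY with no
    health signal never fails over, and a literal A record pins an address
    that AWS will rotate away."""
    problems = []
    roles = []
    for change in batch["Changes"]:
        rr = change["ResourceRecordSet"]
        if "ResourceRecords" in rr:
            problems.append(f"{rr['Name']}: literal records instead of an alias")
        alias = rr.get("AliasTarget", {})
        if not alias.get("DNSName", "").rstrip(".").endswith(".elb.amazonaws.com"):
            problems.append(f"{rr['Name']}: alias target is not a load balancer DNS name")
        role = rr.get("Failover")
        roles.append(role)
        if role == "PRIMARY" and not (alias.get("EvaluateTargetHealth") or rr.get("HealthCheckId")):
            problems.append(f"{rr['Name']}: PRIMARY has no health check and does not evaluate target health")
        if role and not rr.get("SetIdentifier"):
            problems.append(f"{rr['Name']}: failover record needs a SetIdentifier")
    if sorted(r for r in roles if r) != ["PRIMARY", "SECONDARY"]:
        problems.append("batch must contain exactly one PRIMARY and one SECONDARY record")
    return problems


def apply_change_batch(hosted_zone_id: str, batch: dict) -> str:
    """Submit the batch to Route 53 (needs boto3 and AWS credentials)."""
    problems = check_change_batch(batch)
    if problems:
        raise ValueError("; ".join(problems))
    import boto3
    r53 = boto3.client("route53")
    resp = r53.change_resource_record_sets(HostedZoneId=hosted_zone_id, ChangeBatch=batch)
    return resp["ChangeInfo"]["Id"]


if __name__ == "__main__":
    batch = failover_change_batch(API_NAME, PRIMARY, SECONDARY)
    print(check_change_batch(batch) or "batch looks consistent")
```

With EvaluateTargetHealth left at its default of True, the PRIMARY record fails over on the balancer's own target health; if it is set to False, a Route 53 health check must be attached, which is what the check function enforces.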




HOW DOES ECG SECURITY WORK?

The security model of the ECG architecture relies on all traffic entering through the Application Load Balancer (for the API) and through the CloudFront service (CDN, for the App), because the automated Web Application Firewall rules are attached to those two entry points. Traffic that bypasses them is not inspected by the WAF, which would leave the application exposed to malicious attacks.


HOW DOES API PROTECTION WORK?

Through automatic blocking of source addresses that appear on IP reputation lists updated every hour, in addition to protection against the main web attack methods.




HOW DOES APP PROTECTION WORK?

Through protection against the main web attack methods, as shown in the illustration below:
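The WAF behaviour described in the three sections above (rules attached only to the ALB and CloudFront entry points, hourly-updated IP reputation blocking for the API, common-attack rules for both) can be written down as two AWS WAF web ACL definitions. The code below is an added example and not ECG's own configuration: the page does not name the rule groups, so using the AWS managed rule groups AWSManagedRulesAmazonIpReputationList and AWSManagedRulesCommonRuleSet is an assumption made here, the ACL names and function names are placeholders, and the lint function flags the configurations (a rule left in Count mode, a missing reputation group, an empty ACL) that would leave an entry point unprotected.

```python
"""AWS WAF web ACLs for the two ECG entry points (API via ALB, App via CloudFront).

Added example, not taken from the ECG page. The page only says that the API
blocks addresses from hourly-updated IP reputation lists and that both entry
points have rules for the main attack methods; mapping those to the AWS
managed rule groups AWSManagedRulesAmazonIpReputationList and
AWSManagedRulesCommonRuleSet is an assumption made here. ACL names are
placeholders.
"""
from __future__ import annotations

IP_REPUTATION = "AWSManagedRulesAmazonIpReputationList"
COMMON_RULES = "AWSManagedRulesCommonRuleSet"


def managed_rule(name: str, priority: int, group: str, *, count_only: bool = False) -> dict:
    """One rule that delegates to an AWS managed rule group. OverrideAction
    Count is useful while tuning, but in Count mode nothing is blocked."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}},
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": name},
    }


def web_acl(name: str, scope: str, rules: list[dict]) -> dict:
    """Web ACL skeleton. Scope REGIONAL is for ALBs, CLOUDFRONT for
    distributions; a CLOUDFRONT-scoped ACL must be created in us-east-1."""
    if scope not in ("REGIONAL", "CLOUDFRONT"):
        raise ValueError(f"bad scope {scope!r}")
    return {
        "Name": name,
        "Scope": scope,
        "DefaultAction": {"Allow": {}},   # allow whatever no rule blocks
        "Rules": rules,
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": name},
    }


def api_web_acl(count_only: bool = False) -> dict:
    """ACL for the API's Application Load Balancer: reputation list first."""
    return web_acl("ecg-api", "REGIONAL", [
        managed_rule("ip-reputation", 0, IP_REPUTATION, count_only=count_only),
        managed_rule("common-attacks", 1, COMMON_RULES, count_only=count_only),
    ])


def app_web_acl(count_only: bool = False) -> dict:
    """ACL for the App's CloudFront distribution."""
    return web_acl("ecg-app", "CLOUDFRONT", [
        managed_rule("common-attacks", 0, COMMON_RULES, count_only=count_only),
    ])


def lint_web_acl(acl: dict, *, require_ip_reputation: bool = False) -> list[str]:
    """Catch the configurations that leave the entry point unprotected."""
    problems = []
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(set(priorities)) != len(priorities):
        problems.append("rule priorities must be unique")
    if not acl["Rules"]:
        problems.append("no rules: the ACL blocks nothing")
    groups = set()
    for rule in acl["Rules"]:
        group = rule["Statement"].get("ManagedRuleGroupStatement", {}).get("Name")
        if group:
            groups.add(group)
        if "Count" in rule.get("OverrideAction", {}):
            problems.append(f"rule {rule['Name']} is still in Count mode and blocks nothing")
    if require_ip_reputation and IP_REPUTATION not in groups:
        problems.append("IP reputation rule group missing")
    return problems


def deploy(acl: dict, resource_arn: str | None = None) -> str:
    """Create the ACL (needs boto3 and credentials) and, for REGIONAL scope,
    associate it with the load balancer ARN. A CLOUDFRONT ACL is instead
    referenced by ARN in the distribution's WebACLId setting."""
    # The page says the API (the REGIONAL ACL) includes IP reputation blocking.
    problems = lint_web_acl(acl, require_ip_reputation=acl["Scope"] == "REGIONAL")
    if problems:
        raise ValueError("; ".join(problems))
    import boto3
    region = "us-east-1" if acl["Scope"] == "CLOUDFRONT" else None
    wafv2 = boto3.client("wafv2", region_name=region)
    arn = wafv2.create_web_acl(**acl)["Summary"]["ARN"]
    if acl["Scope"] == "REGIONAL" and resource_arn:
        wafv2.associate_web_acl(WebACLArn=arn, ResourceArn=resource_arn)
    return arn
```

The lint step is the practical point of the section above: the WAF only protects what is behind the entry point it is attached to, and a rule group rolled out in Count mode for tuning and never switched to block protects nothing at all.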
