AWS Technical Diagram
The Production VPC houses all of the resources needed to host the live version of your Asset Bank.
DNS records are managed with an external provider, Dyn.
An internet gateway allows traffic from the wider internet into the Production VPC.
AWS GuardDuty analyses the VPC Flow Logs for known threat indicators and for anomalous behaviour.
M5 Class EC2 Server
An m5 class server, with an attached EBS volume, contains the components to run Asset Bank:
- Apache Web Server, with AJP Proxy
- Apache Tomcat Java Application Server, containing the Asset Bank webapp
- MySQL, for Asset Bank’s relational database. A user unique to Asset Bank is used to access its own schema. The Principle of Least Privilege is applied.
Restrictive AWS Security Groups are assigned to the instance to block all external traffic except ports 80 and 443 (80 redirects to 443) and port 21 for FTPS uploads (port 21 is only opened when FTPS uploads are enabled, an option with our Dedicated hosting).
S3 buckets hold the original files uploaded to Asset Bank, with a separate bucket for thumbnails (the images displayed on the application's browse and asset detail pages).
Asset Bank accesses S3 from the EC2 server using its own unique IAM user, exercising the Principle of Least Privilege for access.
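As an added example (not Asset Bank's or the hosting provider's own infrastructure code), the two controls above expressed in Terraform: the instance security group that admits only ports 80, 443 and 21, and a dedicated IAM user whose policy is scoped to the two buckets. The VPC id, bucket names, user name and the exact set of S3 actions are assumptions.

```hcl
# Added example, not the vendor's own infrastructure code. The VPC id,
# bucket names and IAM user name below are placeholders.
variable "vpc_id" {}
locals {
  originals  = "example-assetbank-originals"
  thumbnails = "example-assetbank-thumbnails"
}
# Instance security group: inbound only 80, 443 and 21 (FTPS control
# channel); all other inbound traffic from the internet is dropped.
resource "aws_security_group" "assetbank_web" {
  name   = "assetbank-web"
  vpc_id = var.vpc_id
  dynamic "ingress" {
    for_each = [80, 443, 21]
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }
  # Outbound left open so the instance can reach S3, EFS and package updates.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Dedicated IAM user for the application, allowed to list and read/write
# objects in its two buckets only; no wildcard resources, nothing else.
resource "aws_iam_user" "assetbank" {
  name = "assetbank-app"
}
data "aws_iam_policy_document" "assetbank_s3" {
  statement {
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${local.originals}", "arn:aws:s3:::${local.thumbnails}"]
  }
  statement {
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${local.originals}/*", "arn:aws:s3:::${local.thumbnails}/*"]
  }
}
resource "aws_iam_user_policy" "assetbank_s3" {
  name   = "assetbank-s3-least-privilege"
  user   = aws_iam_user.assetbank.name
  policy = data.aws_iam_policy_document.assetbank_s3.json
}
```

An `aws_security_group` declared in Terraform without an `egress` block has its default allow-all egress removed, which is why the outbound rule is stated explicitly.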
The thumbnails bucket can be configured to use CloudFront to serve these images from AWS edge locations around the globe.
An Elastic File System is used to store elements of Asset Bank that vary in size, such as Published Lightboxes and exported files.
An AMI backup is created twice daily and stored in the Production account for 5 business days.
There is a VPC peering connection between the Production VPC and the Tools VPC. The Tools VPC contains our provisioning systems, such as Jenkins and Kibana.
An entirely separate AWS account is used to store backups.
- An AWS Lambda function copies original files to Amazon S3 Glacier cold storage as soon as they are uploaded to Asset Bank
- A nightly archive of the application and database is created and posted to a secure backup prefix in the S3 backup bucket
See our Backup and DR Policy for more details.