We designed and supported a containerized application platform using Amazon Elastic Kubernetes Service (Amazon EKS) deployed within a dedicated Amazon VPC in the ap-south-1 region. The architecture follows a tiered network design with clearly separated public, private, and intra subnets to support secure ingress, controlled egress, and isolated data services.
End-user traffic is routed through Cloudflare, which provides edge-level protection and request handling before forwarding it to Amazon CloudFront for content delivery and caching. Requests then enter the VPC through the Internet Gateway into the public subnets and are forwarded to application workloads in the private subnets, which have no route to the Internet Gateway themselves. AWS Certificate Manager (ACM) manages the TLS certificates used on these paths. Note that Cloudflare and CloudFront only protect the origin if they cannot be bypassed: the public entry point should accept traffic from CloudFront alone, for example by restricting its security group to the CloudFront origin-facing managed prefix list.
The VPC is deployed across multiple Availability Zones to support availability and fault tolerance. Network routing and security controls are implemented using route tables, NAT Gateways, and security groups.
Application workloads run on Amazon EKS clusters in the private subnets. The clusters host the containerized application services, and the worker nodes, also placed in private subnets, are integrated with Kubernetes auto scaling so that node capacity follows workload demand.
Kubernetes services and deployments are used to manage application lifecycle, service discovery, and traffic distribution within the cluster. Application pods communicate with backend services through internal networking, ensuring that workloads are not directly exposed to the internet.
Source code is managed in GitHub, with GitHub Actions used to automate build and deployment workflows. Container images are built through CI pipelines and stored in Amazon Elastic Container Registry (ECR). Kubernetes manifests or Helm charts are used to deploy application updates to the EKS clusters.
IAM roles and policies are used to provide secure access between CI/CD pipelines and AWS services, ensuring controlled and auditable deployment operations.
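The pipeline-to-AWS access described above is commonly implemented by letting GitHub Actions assume the deploy role through GitHub's OIDC provider, so no long-lived access keys are stored in the repository. The following is an added example, not Livewell's or the page's own code: it assumes OIDC federation (the page does not say how the role is assumed), and the account ID, repository and branch are placeholders. It builds a trust policy pinned to one repository and branch and lints a policy for the mistakes that let other workflows assume the role.

```python
"""Trust policy for the GitHub Actions deploy role, built and linted.

Added example, not the page's or Livewell's own code. It assumes the
pipeline assumes its IAM role via GitHub's OIDC provider (short-lived
tokens, no stored access keys); the account ID, repository and branch
are placeholders.
"""
import json

OIDC_PROVIDER = "token.actions.githubusercontent.com"
STS_AUDIENCE = "sts.amazonaws.com"


def build_trust_policy(account_id: str, repo: str, branch: str) -> dict:
    """Allow AssumeRoleWithWebIdentity only for one repo and one branch."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_PROVIDER}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{OIDC_PROVIDER}:aud": STS_AUDIENCE,
                # sub is the GitHub-issued claim: repo:<owner>/<repo>:ref:<git ref>
                f"{OIDC_PROVIDER}:sub": f"repo:{repo}:ref:refs/heads/{branch}",
            }},
        }],
    }


def _values(cond: dict, key: str) -> list:
    """Collect a condition key's values across StringEquals/StringLike."""
    out = []
    for op in ("StringEquals", "StringLike"):
        v = cond.get(op, {}).get(key)
        if v is None:
            continue
        out.extend(v if isinstance(v, list) else [v])
    return out


def trust_policy_findings(policy: dict) -> list:
    """Return the ways this trust policy could be assumed by the wrong workflow."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        if STS_AUDIENCE not in _values(cond, f"{OIDC_PROVIDER}:aud"):
            findings.append("aud not pinned to sts.amazonaws.com")
        subs = _values(cond, f"{OIDC_PROVIDER}:sub")
        if not subs:
            findings.append("no sub condition: any GitHub repository could assume this role")
        for sub in subs:
            parts = str(sub).split(":")
            # parts[1] is owner/repo; a wildcard there trusts other repositories
            if len(parts) < 2 or "*" in parts[1]:
                findings.append(f"sub does not pin a single repository: {sub}")
            elif len(parts) < 4:
                findings.append(f"sub does not pin a branch or environment: {sub}")
    return findings


# Constructed policy showing the common mistake: StringLike with a repo wildcard
# and no audience check. Placeholder account ID.
TOO_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC_PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{OIDC_PROVIDER}:sub": "repo:livewell/*"}},
    }],
}

if __name__ == "__main__":
    good = build_trust_policy("123456789012", "livewell/platform", "main")
    print(json.dumps(good, indent=2))
    print("pinned policy:", trust_policy_findings(good))
    print("broad policy:", trust_policy_findings(TOO_BROAD))
```

The generated document is what goes in the role's trust relationship; the permissions policy attached to the same role should then be limited to the ECR push and EKS describe/access calls the workflow actually makes.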
Backend data services are deployed in dedicated private/intra subnets to ensure isolation from application and internet-facing layers.
Network access to backend services is restricted using subnet isolation and security group rules, ensuring that only authorized application components can connect.
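The restriction above is only as good as the current rule set, so it is worth checking continuously that a data-tier security group admits traffic solely from the application tier's security group and never from a CIDR. The following audit is an added example, not the page's own code; the group IDs, port and rules are constructed in the shape of the EC2 describe_security_groups response, and in practice they would come from boto3.

```python
"""Audit data-tier security groups: only the app tier may reach them.

Added example, not the page's own code. The group IDs, port and rule set
below are constructed to look like the output of the EC2
describe_security_groups API; in practice they come from boto3.
"""

APP_TIER_SG = "sg-0aaaaaaaaaaaaaaaa"   # assumed: EKS worker node security group
DATA_TIER_SG = "sg-0dddddddddddddddd"  # assumed: database security group

# Constructed sample: the intended SG-to-SG rule plus a drifted CIDR rule.
SAMPLE_GROUPS = [
    {
        "GroupId": DATA_TIER_SG,
        "GroupName": "livewell-data-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": APP_TIER_SG}]},
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/8", "Description": "temporary debug"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {   # an unrelated group that the audit must ignore
        "GroupId": APP_TIER_SG,
        "GroupName": "livewell-app-tier",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                           "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
                           "UserIdGroupPairs": []}],
    },
]


def data_tier_findings(groups, data_sg_ids, allowed_source_sgs):
    """Return every inbound rule on a data-tier SG whose source is not an allowed SG.

    CIDR sources are rejected even when they lie inside the VPC: a CIDR admits
    anything that lands in that range, while a security-group reference admits
    only ENIs carrying the app-tier group and keeps working as nodes scale.
    """
    findings = []
    for sg in groups:
        if sg["GroupId"] not in data_sg_ids:
            continue
        for rule in sg.get("IpPermissions", []):
            proto = rule.get("IpProtocol")
            port = "all" if proto == "-1" else rule.get("FromPort")
            where = f"{sg['GroupId']} port {port}"
            if proto == "-1":
                findings.append(f"{where}: all-protocol rule; restrict to the service port")
            for r in rule.get("IpRanges", []):
                findings.append(f"{where}: CIDR source {r['CidrIp']} instead of an SG reference")
            for r in rule.get("Ipv6Ranges", []):
                findings.append(f"{where}: CIDR source {r['CidrIpv6']} instead of an SG reference")
            for pair in rule.get("UserIdGroupPairs", []):
                if pair.get("GroupId") not in allowed_source_sgs:
                    findings.append(f"{where}: unexpected source group {pair.get('GroupId')}")
    return findings


if __name__ == "__main__":
    for line in data_tier_findings(SAMPLE_GROUPS, {DATA_TIER_SG}, {APP_TIER_SG}):
        print(line)
```

Against a live account, replace SAMPLE_GROUPS with `boto3.client("ec2").describe_security_groups(GroupIds=[...])["SecurityGroups"]` and run the check from the same pipeline that applies the infrastructure code, so a rule added by hand is caught on the next run.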
Sensitive configuration values and credentials are managed using AWS Secrets Manager, allowing applications to securely retrieve secrets at runtime.
AWS Key Management Service (KMS) is used to encrypt data at rest for supported services, including Amazon S3 and database storage.
Application artifacts and object storage requirements are handled using Amazon S3, with access controlled through IAM policies.
The network architecture is divided into three logical tiers: public subnets for the internet-facing entry point and the NAT Gateways, private subnets for the EKS worker nodes and application pods, and intra subnets for the backend data services, which are isolated from the internet-facing layer.
Ingress traffic is controlled through Cloudflare and CloudFront, while outbound traffic from private workloads is routed through NAT Gateways. IAM, security groups, and Kubernetes RBAC are used to enforce least-privilege access.
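For the Kubernetes RBAC part of the least-privilege statement above, the identity that deploys from the pipeline should hold a namespaced Role scoped to the objects the charts actually manage, with no access to secrets, exec or delete. The following is an added example, not the page's own manifests: the namespace, service account name and resource list are placeholders, and the manifests are emitted as JSON, which kubectl accepts alongside YAML. The linter flags the wildcard and escalation patterns that turn a deployer into a cluster admin.

```python
"""Namespaced least-privilege Role for the CI deployer, emitted as JSON.

Added example, not the page's own manifests. The namespace, service
account name and resource list are placeholders for whatever the Helm
chart or manifests actually touch; kubectl accepts JSON as well as YAML.
"""
import json

RBAC_API = "rbac.authorization.k8s.io/v1"
ROLLOUT_VERBS = ["get", "list", "watch", "create", "patch", "update"]


def deployer_role(namespace: str, name: str = "ci-deployer") -> dict:
    """Role that can roll out Deployments and Services in one namespace only.

    No secrets, no pods/exec, no delete: a stolen pipeline token can replace
    the application image but cannot read credentials or exec into pods.
    """
    return {
        "apiVersion": RBAC_API, "kind": "Role",
        "metadata": {"name": name, "namespace": namespace},
        "rules": [
            {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ROLLOUT_VERBS},
            {"apiGroups": [""], "resources": ["services", "configmaps"], "verbs": ROLLOUT_VERBS},
            # read-only on replicasets/pods so `kubectl rollout status` works
            {"apiGroups": ["apps"], "resources": ["replicasets"], "verbs": ["get", "list", "watch"]},
            {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
        ],
    }


def deployer_binding(namespace: str, service_account: str, name: str = "ci-deployer") -> dict:
    """Bind the Role to the deployer ServiceAccount in the same namespace."""
    return {
        "apiVersion": RBAC_API, "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "subjects": [{"kind": "ServiceAccount", "name": service_account, "namespace": namespace}],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": name},
    }


RISKY_VERBS = {"*", "escalate", "bind", "impersonate"}
RISKY_RESOURCES = {"*", "secrets", "pods/exec", "clusterrolebindings", "clusterroles"}


def rbac_findings(obj: dict) -> list:
    """Flag wildcards, secret access, exec and privilege-escalation verbs in a Role."""
    findings = []
    for i, rule in enumerate(obj.get("rules", [])):
        for v in sorted(set(rule.get("verbs", [])) & RISKY_VERBS):
            findings.append(f"rule {i}: verb {v!r}")
        for r in sorted(set(rule.get("resources", [])) & RISKY_RESOURCES):
            findings.append(f"rule {i}: resource {r!r}")
        if "*" in rule.get("apiGroups", []):
            findings.append(f"rule {i}: apiGroups wildcard")
    return findings


def manifest_json(namespace: str, service_account: str) -> str:
    """Role + RoleBinding as a single v1 List, ready for `kubectl apply -f`."""
    items = [deployer_role(namespace), deployer_binding(namespace, service_account)]
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": items}, indent=2)


if __name__ == "__main__":
    print(manifest_json("livewell", "github-deployer"))
    print("findings:", rbac_findings(deployer_role("livewell")))
```

The same `rbac_findings` check can be run over every Role and ClusterRole the charts ship, so a chart that quietly grants `secrets` or `*` verbs is rejected in CI before it reaches the cluster.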
Operational visibility is provided through Amazon CloudWatch, which is used to collect metrics and logs from infrastructure and application components.
AWS CloudTrail is enabled to capture AWS API activity for auditing and governance purposes.
Amazon SNS is integrated for alerting and notification workflows, enabling timely awareness of operational events.
Infrastructure components including VPC networking, EKS clusters, IAM roles, and supporting AWS services are provisioned using infrastructure-as-code practices to ensure consistency and repeatability.
Kubernetes-native deployment strategies are used to roll out application changes, with versioned deployments supporting controlled updates and rollback where required.
The solution layers the controls described above: edge protection at Cloudflare and CloudFront, TLS via ACM, subnet isolation and security groups between tiers, IAM and Kubernetes RBAC for least-privilege access, AWS Secrets Manager for credentials, KMS encryption at rest, and CloudTrail for API auditing. These controls align with AWS security best practices and support secure application operations.
This Amazon EKS–based architecture enables Livewell to run containerized workloads in a scalable and secure manner while maintaining strong separation between application and data layers. The DevOps practices implemented support consistent deployments, improved operational visibility, and secure configuration management.
The platform provides a flexible foundation that can evolve with application growth while remaining aligned with AWS DevOps and security best practices.