Public Oath

Architecture

1. vpc owns the network configuration for AWS.
2. It is managed as code using Terraform.
3. There is a single VPC for the entire company called fluid-vpc.
4. It has subnets for:
1. common: Default resources like the ERP
2. batch_clone: allows VPN connection with the client network
   
3. batch_main: Batch jobs
   
4. ci: GitLab CI
5. k8s: Kubernetes Cluster
6. lambda: integrates lambdas
5. All components, except batch_main, have subnets in multiple availability zones in order to grant higher redundancy and broader access to spot instances.
6. It has an Internet Gateway that allows resources in public subnets to reach the Internet.
7. It has NAT gateways that allow resources in private subnets to reach the Internet.
8. It uses Flow Logs to send network logs to CloudWatch.
9. All resources in subnets trying to reach DynamoDB, KMS and S3 use a dedicated VPC Endpoint to establish a private connection inside fluid-vpc.
10. It has seven groups:
    
1. CloudFlare: allows income traffic from the CloudFlare IP addresses.
   
2. compute: allows outbound traffic to the internet using any port by TCP protocol and Cloudflare WARP service.
   
3. ci: allows outbound traffic to ci-docker-machine.
   
4. ci-docker-machine: allows income traffic from ci and outbound traffic to the internet.
   
5. ci-terminate: allows outbound traffic to resources in VPC.
   
6. k8s: allows traffic inside the Kubernetes cluster and traffic on the internet.
7. lambda: allows outbound traffic to resources in the VPC and the internet.
   
11. It has a VPN Gateway to allow a Site-to-Site VPN connection with the client network.