# Network Architecture Diagram

This diagram shows the VPC network design, subnets, and security group rules.

```mermaid
%%{init: {'theme':'base', 'themeVariables': { 'primaryColor':'#e5e7eb','primaryTextColor':'#111827','primaryBorderColor':'#9ca3af','lineColor':'#111827','secondaryColor':'#d1d5db','tertiaryColor':'#f3f4f6','edgeLabelBackground':'#ffffff','mainBkg':'#f5f5f4','nodeBorder':'#9ca3af','background':'#f5f5f4','clusterBkg':'transparent'},'themeCSS':'.node rect, .node circle, .node ellipse, .node polygon, .node path { filter: none !important; box-shadow: none !important; } .cluster rect { filter: none !important; box-shadow: none !important; } svg { background-color: #f5f5f4 !important; } .cluster-label { background-color: #ffffff !important; padding: 6px 12px !important; border-radius: 4px !important; font-size: 16px !important; font-weight: 700 !important; box-shadow: 0 1px 3px rgba(0,0,0,0.12) !important; border: 1px solid #d1d5db !important; } .edgePath, .edgePath path, .flowchart-link { z-index: 1 !important; }'}}%%
graph TB
    Internet([Internet])
    IGW[Internet Gateway]

    subgraph VPC["VPC 10.0.0.0/16"]
        IGW
        subgraph PublicSubnet["Public Subnet 10.0.1.0/24"]
            EC2[EC2 Instance<br/>Docker Host]
        end
        subgraph SG["Security Group: EC2"]
            direction TB
            SGRules["Inbound:<br/>- 22 SSH from Admin IP<br/>- 80 HTTP from 0.0.0.0/0<br/>- 443 HTTPS from 0.0.0.0/0<br/><br/>Outbound:<br/>- All traffic"]
        end
    end

    Internet -->|HTTPS/HTTP| IGW
    IGW --> PublicSubnet
    EC2 -.->|Protected by| SG

    style VPC fill:#e5e7eb,stroke:#4b5563,stroke-width:2px,stroke-dasharray: 5 5
    style PublicSubnet fill:#d1d5db,stroke:#4b5563,stroke-width:2px,stroke-dasharray: 5 5
    style SG fill:#f3f4f6,stroke:#6b7280,stroke-width:1px,stroke-dasharray: 5 5
    style EC2 fill:#10B981,stroke:#333,stroke-width:1px,color:#fff
    style IGW fill:#6366F1,stroke:#333,stroke-width:1px,color:#fff
    style SGRules fill:#EF4444,stroke:#333,stroke-width:1px,color:#fff
```

## Network Components

### VPC Configuration

- **CIDR Block**: `10.0.0.0/16` (65,536 IP addresses)
- **Region**: Single AWS region
- **DNS Hostnames**: Enabled
- **DNS Resolution**: Enabled

### Subnets

- **Public Subnet**: `10.0.1.0/24` (256 addresses, 251 of them usable: AWS reserves the first four and the last address of every subnet)
  - Auto-assign public IP: Enabled
  - Contains: EC2 instance
  - Route table: `0.0.0.0/0` routes to the Internet Gateway

### Internet Gateway

- Attached to the VPC
- Enables internet access for resources in the public subnet

### Security Groups

**EC2 Security Group**:

- **Inbound Rules**:
  - Port 22 (SSH): From the admin IP only, as a single-host `/32` (for management)
  - Port 80 (HTTP): From 0.0.0.0/0 (nginx redirects to HTTPS)
  - Port 443 (HTTPS): From 0.0.0.0/0 (Gitea access through nginx)
- **Outbound Rules**:
  - All traffic: To 0.0.0.0/0 (for updates, backups to S3)

Security groups are stateful allow-lists: anything not listed inbound is dropped, and replies to permitted connections are allowed without a matching outbound rule.

## Security Considerations

1. **SSH Access**: Restricted to a single admin IP address (your IP). If that address changes, the rule has to be updated before you can log in again, so keep another management path (such as the EC2 console) available.
2. **HTTP/HTTPS**: Open to the internet (required for Gitea web access). `0.0.0.0/0` covers IPv4 only; if the VPC is ever given an IPv6 CIDR, the equivalent `::/0` rules are needed for 80 and 443 and nothing else.
3. **No Direct Gitea Access**: Port 3000 has no inbound rule, so the security group drops connections to it regardless of what the host listens on; only nginx on 80/443 is reachable. Publish the container port on `127.0.0.1` only (`127.0.0.1:3000:3000` rather than `3000:3000`), so the security group is not the only layer keeping Gitea off the public interface.
4. **Outbound**: Allowed for Docker image pulls, package updates, and S3 backups. "All traffic" is broader than those tasks need; limiting egress to 443 (and S3 via a gateway endpoint) reduces what a compromised host can reach.

## Traffic Flow

1. User request → Internet → Internet Gateway
2. Internet Gateway → Public Subnet → EC2 instance (the IGW maps the instance's public IP to its private address in `10.0.1.0/24`)
3. The security group permits the connection on port 80 or 443 and, being stateful, allows the replies automatically
4. nginx receives the request, terminates TLS, and proxies it to Gitea on port 3000 on the host's loopback or Docker network
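The security group rules and security considerations above can be checked mechanically rather than by reading the console. The script below is an added example, not part of the original page or of any AWS or Gitea tooling: it audits a security group in the JSON shape returned by `aws ec2 describe-security-groups` against the page's policy (80/443 open to anyone, 22 from a single host, nothing else inbound, port 3000 never exposed) and separately checks whether a Docker port mapping would publish Gitea on all interfaces. The group ID, group name and admin IP in the embedded sample are constructed placeholders.

```python
"""Audit the EC2 security group described on this page.

Policy taken from the page: 80 and 443 may be open to anyone, 22 only from a
single admin host, nothing else inbound, and Gitea's port 3000 must only be
reachable through nginx. SG_JSON is a constructed sample in the shape returned
by `aws ec2 describe-security-groups`; the group ID, name and admin IP are
placeholders, not values from the page.
"""
import ipaddress
import json

PUBLIC_PORTS = {80, 443}   # allowed from 0.0.0.0/0 and ::/0
ADMIN_PORTS = {22}         # allowed from a single-host prefix only
GITEA_PORT = 3000          # must not appear in any ingress rule

SG_JSON = """
{"SecurityGroups": [{
  "GroupId": "sg-0123456789abcdef0", "GroupName": "gitea-ec2",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "admin"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
  ],
  "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
  ]
}]}
"""


def load_group(sg_json):
    """First security group from describe-security-groups output."""
    return json.loads(sg_json)["SecurityGroups"][0]


def prefixes(rule):
    """IPv4 and IPv6 CIDRs of one entry (sources for ingress, destinations for egress)."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def port_bounds(rule):
    """Inclusive port range of a rule; protocol -1 ("all traffic") covers every port."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def audit_rule(rule):
    """Policy findings for one ingress entry; an empty list means the rule is compliant."""
    findings = []
    lo, hi = port_bounds(rule)
    outside = sorted(set(range(lo, hi + 1)) - PUBLIC_PORTS - ADMIN_PORTS - {GITEA_PORT})
    for cidr in prefixes(rule):
        net = ipaddress.ip_network(cidr)
        if lo <= GITEA_PORT <= hi:
            findings.append(f"Gitea port {GITEA_PORT} reachable from {cidr}; only nginx on 80/443 should be exposed")
        if outside:
            findings.append(f"ports outside policy ({outside[0]}..{outside[-1]}) open from {cidr}")
        for port in ADMIN_PORTS:
            if lo <= port <= hi and net.num_addresses != 1:
                findings.append(f"port {port} open from {cidr}; SSH must come from a single host (/32 or /128)")
    return findings


def audit_ingress(group):
    """All findings for a group's inbound rules."""
    return [f for rule in group["IpPermissions"] for f in audit_rule(rule)]


def egress_unrestricted(group):
    """True when all protocols may leave to anywhere, as the page configures."""
    return any(r["IpProtocol"] == "-1" and set(prefixes(r)) & {"0.0.0.0/0", "::/0"}
               for r in group["IpPermissionsEgress"])


def gitea_published_on_all_interfaces(port_mappings, container_port="3000"):
    """True if a docker `-p` / compose `ports:` entry publishes Gitea's port on every interface.
    Handles "3000:3000", "127.0.0.1:3000:3000", "0.0.0.0:3000:3000/tcp" and a bare "3000"."""
    for mapping in port_mappings:
        parts = mapping.split("/")[0].split(":")
        host_ip = parts[0] if len(parts) == 3 else "0.0.0.0"   # no host IP means all interfaces
        if parts[-1] == container_port and ipaddress.ip_address(host_ip).is_unspecified:
            return True
    return False


if __name__ == "__main__":
    group = load_group(SG_JSON)
    for finding in audit_ingress(group) or ["ingress rules match the page's policy"]:
        print(finding)
    print("egress unrestricted:", egress_unrestricted(group))
    print("gitea published publicly:", gitea_published_on_all_interfaces(["127.0.0.1:3000:3000"]))
```

To run it against a live group, replace `SG_JSON` with the output of `aws ec2 describe-security-groups --group-ids <id>`; a rule that opens port 22 or 3000 to `0.0.0.0/0`, or an "all traffic" rule, produces findings, while the page's three rules produce none. The Docker check is the second layer from consideration 3: even with a correct security group, a `3000:3000` mapping makes Gitea listen on the instance's public interface.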