- Add ADR.md documenting all technology stack decisions with rationale
- Create comprehensive ROADMAP.md with 10-phase implementation plan
- Add 3 architecture diagrams (AWS infrastructure, application stack, network)
- Document collaboration guidelines in `.github/copilot-instructions.md`
- Technology stack decisions: AWS, Terraform, Ansible, Docker Compose, PostgreSQL

Phase 1 establishes foundation for automated Gitea deployment with proper decision tracking and incremental development approach.
79 lines
3.4 KiB
Markdown
# Network Architecture Diagram

This diagram shows the VPC network design, subnets, and security group rules.

```mermaid
%%{init: {'theme':'base', 'themeVariables': { 'primaryColor':'#e5e7eb','primaryTextColor':'#111827','primaryBorderColor':'#9ca3af','lineColor':'#111827','secondaryColor':'#d1d5db','tertiaryColor':'#f3f4f6','edgeLabelBackground':'#ffffff','mainBkg':'#f5f5f4','nodeBorder':'#9ca3af','background':'#f5f5f4','clusterBkg':'transparent'},'themeCSS':'.node rect, .node circle, .node ellipse, .node polygon, .node path { filter: none !important; box-shadow: none !important; } .cluster rect { filter: none !important; box-shadow: none !important; } svg { background-color: #f5f5f4 !important; } .cluster-label { background-color: #ffffff !important; padding: 6px 12px !important; border-radius: 4px !important; font-size: 16px !important; font-weight: 700 !important; box-shadow: 0 1px 3px rgba(0,0,0,0.12) !important; border: 1px solid #d1d5db !important; } .edgePath, .edgePath path, .flowchart-link { z-index: 1 !important; }'}}%%
graph TB
    Internet([Internet])
    IGW[Internet Gateway]

    subgraph VPC["VPC 10.0.0.0/16"]
        IGW

        subgraph PublicSubnet["Public Subnet 10.0.1.0/24"]
            EC2[EC2 Instance<br/>Docker Host]
        end

        subgraph SG["Security Group: EC2"]
            direction TB
            SGRules["Inbound:<br/>- 22 SSH from Admin IP<br/>- 80 HTTP from 0.0.0.0/0<br/>- 443 HTTPS from 0.0.0.0/0<br/><br/>Outbound:<br/>- All traffic"]
        end
    end

    Internet -->|HTTPS/HTTP| IGW
    IGW --> PublicSubnet
    EC2 -.->|Protected by| SG

    style VPC fill:#e5e7eb,stroke:#4b5563,stroke-width:2px,stroke-dasharray: 5 5
    style PublicSubnet fill:#d1d5db,stroke:#4b5563,stroke-width:2px,stroke-dasharray: 5 5
    style SG fill:#f3f4f6,stroke:#6b7280,stroke-width:1px,stroke-dasharray: 5 5

    style EC2 fill:#10B981,stroke:#333,stroke-width:1px,color:#fff
    style IGW fill:#6366F1,stroke:#333,stroke-width:1px,color:#fff
    style SGRules fill:#EF4444,stroke:#333,stroke-width:1px,color:#fff
```

## Network Components

### VPC Configuration

- **CIDR Block**: `10.0.0.0/16` (65,536 IP addresses)
- **Region**: Single AWS region
- **DNS Hostnames**: Enabled
- **DNS Resolution**: Enabled

### Subnets

- **Public Subnet**: `10.0.1.0/24` (256 IP addresses)
  - Auto-assign public IP: Enabled
  - Contains: EC2 instance
  - Route table: Routes to Internet Gateway

### Internet Gateway

- Attached to VPC
- Enables internet access for resources in public subnet

### Security Groups

**EC2 Security Group**:

- **Inbound Rules**:
  - Port 22 (SSH): From admin IP only (for management)
  - Port 80 (HTTP): From 0.0.0.0/0 (redirects to HTTPS)
  - Port 443 (HTTPS): From 0.0.0.0/0 (Gitea access)
- **Outbound Rules**:
  - All traffic: To 0.0.0.0/0 (for updates, backups to S3)

## Security Considerations

1. **SSH Access**: Restricted to specific admin IP address (your IP)
2. **HTTP/HTTPS**: Open to internet (required for Gitea web access)
3. **No Direct Gitea Access**: Port 3000 not exposed; only nginx on 80/443
4. **Outbound**: Allowed for Docker image pulls, package updates, S3 backups
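
The following Python check is an added example, not code from this repository: it encodes the security-group policy stated in the Security Groups and Security Considerations sections above so that configuration drift (SSH opened to the world, port 3000 reachable directly, a web port missing) can be caught before apply or in a scheduled audit. The rule dictionaries follow the `IpPermissions` shape that boto3's `describe_security_groups()` returns, but every input below is constructed inline, and the admin address `203.0.113.10/32` is a placeholder from the documentation range, not a real management IP. It also goes slightly beyond the text by validating that the public subnet sits inside the VPC CIDR and reporting the usable host count after AWS's five reserved addresses per subnet.

```python
"""Audit EC2 security-group ingress against the documented network policy.

Example added alongside the network diagram; not part of the project's Terraform
or Ansible code. Inputs are constructed to match the diagram and a drifted copy.
"""
import ipaddress

ANYWHERE = "0.0.0.0/0"
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
PUBLIC_SUBNET = ipaddress.ip_network("10.0.1.0/24")
GITEA_PORT = 3000          # container port that must stay behind nginx
PUBLIC_WEB_PORTS = (80, 443)
ADMIN_CIDR = "203.0.113.10/32"  # placeholder (RFC 5737 range), not a real admin IP


def audit_ingress(permissions, admin_cidr=ADMIN_CIDR):
    """Return a list of policy findings; an empty list means the rules match.

    `permissions` mimics boto3's IpPermissions entries (IpProtocol, FromPort,
    ToPort, IpRanges). Only IPv4 CidrIp sources are inspected here.
    """
    findings = []
    seen_ports = set()
    for perm in permissions:
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        # "-1" is the AWS encoding for "all protocols"; inbound must be port-scoped.
        if perm.get("IpProtocol") == "-1":
            findings.append("all-protocol ingress rule present; inbound must be port-scoped")
            continue
        from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
        if from_port != to_port:
            findings.append(f"port range {from_port}-{to_port} is wider than a single port")
            continue
        port = from_port
        seen_ports.add(port)
        if port == 22:
            # SSH is only ever allowed from one /32 (the admin IP).
            for src in sources:
                if src == ANYWHERE or ipaddress.ip_network(src, strict=False).prefixlen != 32:
                    findings.append(f"SSH (22) open to {src}; must be a single admin /32")
        elif port in PUBLIC_WEB_PORTS:
            pass  # nginx ports: open to 0.0.0.0/0 by design
        elif port == GITEA_PORT:
            findings.append(
                f"Gitea port {port} exposed to {', '.join(sources)}; "
                "only nginx on 80/443 should be reachable"
            )
        else:
            findings.append(f"unexpected inbound port {port} from {', '.join(sources)}")
    # Every documented port must exist, or Gitea/management is unreachable.
    for required in (22, *PUBLIC_WEB_PORTS):
        if required not in seen_ports:
            findings.append(f"required port {required} has no inbound rule")
    return findings


def check_subnet_layout(vpc=VPC_CIDR, subnet=PUBLIC_SUBNET):
    """Confirm the subnet is carved from the VPC and return its usable host count.

    AWS reserves the first four addresses and the last address of each subnet,
    so a /24 (256 addresses) yields 251 assignable hosts.
    """
    if not subnet.subnet_of(vpc):
        raise ValueError(f"{subnet} is not inside {vpc}")
    return subnet.num_addresses - 5


def _rule(port, cidr):
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": [{"CidrIp": cidr}]}


# Constructed sample: the rules exactly as the diagram documents them.
DOCUMENTED_RULES = [_rule(22, ADMIN_CIDR), _rule(80, ANYWHERE), _rule(443, ANYWHERE)]

# Constructed sample: a drifted group with SSH world-open, HTTP missing, and 3000 exposed.
DRIFTED_RULES = [_rule(22, ANYWHERE), _rule(443, ANYWHERE), _rule(GITEA_PORT, ANYWHERE)]


if __name__ == "__main__":
    print("usable hosts in public subnet:", check_subnet_layout())
    for name, rules in (("documented", DOCUMENTED_RULES), ("drifted", DRIFTED_RULES)):
        result = audit_ingress(rules)
        print(f"{name}: {'OK' if not result else result}")
```

The same `audit_ingress` function can be pointed at a live account by passing `sg["IpPermissions"]` from a boto3 `describe_security_groups()` response; keeping the policy in one function means the Terraform plan and the running account are judged by the same rules.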

## Traffic Flow

1. User request → Internet → Internet Gateway
2. Internet Gateway → Public Subnet → EC2 instance
3. Security Group inspects and allows traffic on ports 80/443
4. Nginx receives request, terminates SSL, proxies to Gitea