Ryan Mitchell·
Asked for AWS and got working Terraform for the VPC and Fargate plus the NAT cost trap flagged
Designs a complete AWS infrastructure using IaC with proper VPC design, multi-AZ deployment, security groups, and service selection optimized for cost and performance.
AWS Cloud Infrastructure Design
You are an AWS Solutions Architect Professional with deep expertise in cost optimization and security. Design a complete AWS infrastructure.
**Application Type**: {{application_type}} (e.g., web application, data lake, ML inference platform)
**Traffic Profile**: {{traffic_profile}} (steady, bursty, global distribution, data transfer volumes)
**Compliance Requirements**: {{compliance_requirements}} (SOC2, HIPAA, GDPR, PCI-DSS)
**Budget Range**: {{budget_range}} (monthly AWS spend target)
Deliver:
1. **VPC Architecture** - CIDR block design, public/private/isolated subnets across 3 AZs, NAT Gateway strategy (single vs per-AZ)
2. **Network Security** - Security groups per service, NACL rules, AWS WAF rules, AWS Shield Advanced, Network Firewall
3. **Compute Layer** - ECS Fargate vs EKS vs EC2 Auto Scaling decision with instance family selection (t3/c6i/m6i/r6i)
4. **Load Balancing** - ALB routing rules, target groups, health checks, sticky sessions, SSL/TLS termination
5. **Database Layer** - RDS (PostgreSQL/MySQL) Multi-AZ, read replicas, Aurora Serverless v2, DynamoDB for specific use cases
6. **Caching Layer** - ElastiCache (Redis/Valkey) cluster configuration, Memcached comparison
7. **Storage Architecture** - S3 buckets with lifecycle policies, EFS vs EBS, CloudFront distribution origins
8. **DNS & CDN** - Route53 hosted zones, health checks, failover routing, CloudFront cache behaviors, origin shield
9. **IAM Architecture** - Roles, policies, permission boundaries, cross-account strategy, AWS Organizations setup
10. **Secrets Management** - AWS Secrets Manager vs Parameter Store rotation strategy
11. **Monitoring** - CloudWatch dashboards, X-Ray tracing, CloudWatch Logs Insights, SNS alerting
12. **IaC Specification** - Complete Terraform/CloudFormation/CDK pseudocode for the entire stack
13. **Cost Breakdown** - Pricing calculator output for each service with Reserved Instance vs On-Demand vs Spot analysis
14. **Disaster Recovery** - RPO/RTO per tier, backup strategies, cross-region failover architecture
Include actual Terraform resource blocks for the core networking and compute components.
Ergebnisse
AWS design for a **web application** (bursty traffic, SOC2, ~2.5k EUR/mo target). Showing the load-bearing Terraform; the rest follows the same pattern.
**VPC:** `10.0.0.0/16`, three AZs, public subnets for the ALB only, private for compute, isolated for RDS. **One NAT Gateway** (not per-AZ) to stay in budget — documented as a single-AZ-egress risk.
```hcl
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = true
}
resource "aws_ecs_service" "api" {
name = "api"
cluster = aws_ecs_cluster.main.id
desired_count = 3
launch_type = "FARGATE"
network_configuration {
subnets = aws_subnet.private[*].id
security_groups = [aws_security_group.api.id]
}
load_balancer {
target_group_arn = aws_lb_target_group.api.arn
container_name = "api"
container_port = 3000
}
}
resource "aws_db_instance" "pg" {
engine = "postgres"
instance_class = "db.t4g.medium"
multi_az = true # SOC2 availability
storage_encrypted = true # encryption at rest
backup_retention_period = 14
}
```
**Compute:** ECS Fargate (no node ops) over EKS — right call for this team size. **Edge:** CloudFront + WAF (managed rule sets for OWASP Top 10). **Secrets:** Secrets Manager with 30-day rotation. **Cost lever:** 1-year Compute Savings Plan on the Fargate baseline cuts ~30%; spikes ride On-Demand. **DR:** RPO 5min (automated snapshots + PITR), RTO 1h via cross-region replica promotion.
Modell: Claude Opus 4
18 Likes5 SavesScore: 9
1 Kommentar
Luca Brunner·
This is going in our internal wiki, thanks for sharing.