Networking¶

All AWS infrastructure runs in eu-central-1 using the default VPC with custom subnets.

VPC Layout¶

Subnet Type	CIDR Blocks	AZs	Used By
Public	`172.31.128.0/20`, `172.31.192.0/20`, `172.31.208.0/20`	a, b, c	ALBs, NAT Gateway
Private	`172.31.144.0/20`, `172.31.160.0/20`, `172.31.176.0/20`	a, b, c	ECS instances, RDS

flowchart TB
    subgraph VPC["VPC (eu-central-1)"]
        subgraph Public["Public Subnets"]
            PubALB[Public ALB]
            IntALB[Internal ALB]
            NAT[NAT Gateway]
        end

        subgraph Private["Private Subnets"]
            ECS[ECS Instances]
            RDS[RDS Instances]
        end
    end

    Internet --> PubALB
    VPN[Client VPN] --> IntALB
    VPN --> RDS
    ECS --> NAT --> Internet
    PubALB --> ECS
    IntALB --> ECS
    ECS --> RDS

Load Balancers¶

Stage¶

ALB	Scheme	Hosts
`stage-euc1-core-public-alb`	Internet-facing	`core-api.stage.cookiehub.net`, `atrax-api.stage.cookiehub.net`, `dash.stage.cookiehub.net`
`stage-euc1-core-internal-alb`	Internal	Internal services

Production¶

ALB	Scheme	Hosts
`prod-euc1-core-internal-alb`	Internal	`vault-api.internal.cookiehub.net`

Production has no public ALB — all services are accessed via VPN or through the edge layer.

DNS¶

Public Zones¶

Zone	Records
`stage.cookiehub.net`	`core-api.stage.cookiehub.net`, `atrax-api.stage.cookiehub.net`, `dash.stage.cookiehub.net`
`cookiehub.net`	Production records

Private Zones (VPC-only)¶

Zone	Example Records
`internal.stage.cookiehub.net`	Internal stage service discovery
`internal.cookiehub.net`	`vault-api.internal.cookiehub.net`, database endpoints

Private zones resolve only within the VPC or over the VPN connection.

VPN¶

AWS Client VPN with certificate-based mutual authentication.

Setting	Value
Authentication	Mutual (certificate-based via EasyRSA CA)
Split tunnel	Enabled (only VPC traffic goes through VPN)
Session timeout	8 hours
Access	All VPC resources — ALBs, RDS, EC2 instances

See VPN Access runbook for certificate setup.

Security Groups¶

Traffic is restricted between components via security groups:

Group	Allows Inbound From	Port
ALB SG	Internet (public) or VPN (internal)	443
ECS SG	ALB SG	Service port (3000)
RDS SG	ECS SG, VPN SG, Dashboard SG	3306 / 5432

NAT Gateway¶

ECS instances in private subnets reach the internet (ECR image pulls, external APIs) via a NAT Gateway in the public subnet. Outbound-only — no inbound traffic from the internet reaches private subnets directly.

External Networking¶

Provider	Purpose
Cloudflare	DNS for `cookiehub.com` (not in AWS), Pages for docs site
Scaleway	Edge PHP servers (separate network, not AWS)
AWS CloudFront	CDN for widget assets + Lambda@Edge