Networking

Most AWS infrastructure runs in eu-central-1 in the account's default VPC with custom subnets. The atrax-node crawlers run in their own dedicated VPCs in eu-west-1, isolated by region — see the Atrax service docs for the rationale.

VPC Layout

eu-central-1 (default VPC, both stage and prod)

| Subnet Type | CIDR Blocks | AZs | Used By |
|---|---|---|---|
| Public | 172.31.128.0/20, 172.31.192.0/20, 172.31.208.0/20 | a, b, c | ALBs, NAT Gateway |
| Private | 172.31.144.0/20, 172.31.160.0/20, 172.31.176.0/20 | a, b, c | ECS instances, RDS |

eu-west-1 (atrax-node, dedicated VPCs)

| Environment | VPC CIDR | Subnets |
|---|---|---|
| Stage | 172.30.128.0/17 | Three public /20 subnets across eu-west-1a/b/c |
| Prod | 172.30.0.0/17 | Three public /20 subnets across eu-west-1a/b/c |

The eu-west-1 VPCs use public subnets only — each atrax-node EC2 instance has an Elastic IP attached directly, so every crawler egresses from a stable, customer-whitelisted IP address. There is no peering between the eu-central-1 and eu-west-1 VPCs; atrax-node reaches atrax-api over the public ALB.
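The following is an added sanity check for the CIDR layout documented above; it is example code, not part of the networking docs or the project's tooling. It uses only the standard library. Two values are assumptions rather than facts from this page: the eu-central-1 default VPC range (AWS default VPCs use 172.31.0.0/16) and the exact eu-west-1 /20 subnet CIDRs, which the page only describes as three public /20s and which are carved from the stated VPC ranges here. The check flags three things a practitioner cares about: VPC ranges that collide (which would block any future peering between the regions), subnets that collide inside a VPC, and subnets that fall outside their VPC's range.

```python
"""Added sanity check for the documented CIDR layout (example code, not part of
the CookieHub networking docs). Uses only the standard library."""
from ipaddress import ip_network
from itertools import combinations

# Inventory transcribed from the page. Two values are assumptions, not page facts:
# the eu-central-1 default VPC range (AWS default VPCs use 172.31.0.0/16) and the
# exact eu-west-1 /20 subnet CIDRs, which the page only describes as "three public
# /20 subnets" and which are carved from the stated VPC ranges here.
VPCS = {
    "eu-central-1 default VPC (stage + prod)": {
        "cidr": "172.31.0.0/16",  # assumption: AWS default VPC range
        "subnets": [
            "172.31.128.0/20", "172.31.192.0/20", "172.31.208.0/20",  # public
            "172.31.144.0/20", "172.31.160.0/20", "172.31.176.0/20",  # private
        ],
    },
    "eu-west-1 atrax-node stage": {
        "cidr": "172.30.128.0/17",
        "subnets": ["172.30.128.0/20", "172.30.144.0/20", "172.30.160.0/20"],  # constructed
    },
    "eu-west-1 atrax-node prod": {
        "cidr": "172.30.0.0/17",
        "subnets": ["172.30.0.0/20", "172.30.16.0/20", "172.30.32.0/20"],  # constructed
    },
}


def overlapping_pairs(cidrs):
    """Return every pair of CIDRs that share address space."""
    nets = [ip_network(c, strict=True) for c in cidrs]  # strict: reject host bits set
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def subnets_outside_vpc(vpc_cidr, subnets):
    """Return subnets that are not fully contained in the VPC range."""
    vpc = ip_network(vpc_cidr)
    return [s for s in subnets if not ip_network(s).subnet_of(vpc)]


def check_layout(vpcs):
    """Collect layout problems: VPC ranges that collide (would block any future
    peering), subnets that collide inside a VPC, and subnets outside their VPC."""
    issues = {"vpc_overlaps": [], "subnet_overlaps": [], "outside_vpc": []}
    issues["vpc_overlaps"] = overlapping_pairs([v["cidr"] for v in vpcs.values()])
    for name, v in vpcs.items():
        issues["subnet_overlaps"] += [(name, a, b) for a, b in overlapping_pairs(v["subnets"])]
        issues["outside_vpc"] += [(name, s) for s in subnets_outside_vpc(v["cidr"], v["subnets"])]
    return issues


if __name__ == "__main__":
    for kind, found in check_layout(VPCS).items():
        print(f"{kind}: {found or 'none'}")
```

Against the documented layout every list comes back empty. The same functions can be pointed at the output of `aws ec2 describe-vpcs` / `describe-subnets` to catch drift before a new subnet or peering connection is created.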

```mermaid
flowchart TB
    subgraph euc1["eu-central-1 (default VPC)"]
        subgraph Public["Public Subnets"]
            PubALB[Public ALB]
            IntALB[Internal ALB]
            NAT[NAT Gateway]
        end

        subgraph Private["Private Subnets"]
            ECS[ECS Instances]
            RDS[RDS Instances]
        end
    end

    subgraph euw1["eu-west-1 (atrax-node VPC)"]
        subgraph PublicW["Public Subnets"]
            NodeEC2[Atrax-node EC2 + EIP]
        end
    end

    Internet --> PubALB
    VPN[Client VPN] --> IntALB
    VPN --> RDS
    ECS --> NAT --> Internet
    PubALB --> ECS
    IntALB --> ECS
    ECS --> RDS
    NodeEC2 --> Internet
    NodeEC2 -->|"REST (public ALB)"| PubALB
```

Load Balancers

Stage

| ALB | Scheme | Hosts |
|---|---|---|
| stage-euc1-core-public-alb | Internet-facing | core-api.stage.cookiehub.net, atrax-api.stage.cookiehub.net, dash.stage.cookiehub.net |
| stage-euc1-core-internal-alb | Internal | Internal services |

Production

| ALB | Scheme | Hosts |
|---|---|---|
| prod-euc1-core-public-alb | Internet-facing | atrax-api.cookiehub.net |
| prod-euc1-core-internal-alb | Internal | vault-api.internal.cookiehub.net |

The prod public ALB exists only so that atrax-node in eu-west-1 can reach atrax-api over the internet (there is no cross-region peering). All other prod services remain behind the internal ALB.

DNS

Public Zones

| Zone | Records |
|---|---|
| stage.cookiehub.net | core-api.stage.cookiehub.net, atrax-api.stage.cookiehub.net, dash.stage.cookiehub.net |
| cookiehub.net | atrax-api.cookiehub.net, plus production records |

Private Zones (VPC-only)

| Zone | Example Records |
|---|---|
| internal.stage.cookiehub.net | Internal stage service discovery |
| internal.cookiehub.net | vault-api.internal.cookiehub.net, database endpoints |

Private zones resolve only within the VPC or over the VPN connection.

VPN

AWS Client VPN with certificate-based mutual authentication.

| Setting | Value |
|---|---|
| Authentication | Mutual (certificate-based via EasyRSA CA) |
| Split tunnel | Enabled (only VPC traffic goes through VPN) |
| Session timeout | 8 hours |
| Access | All VPC resources — ALBs, RDS, EC2 instances |

See the VPN Access runbook for certificate setup.

Security Groups

Traffic is restricted between components via security groups:

| Group | Allows Inbound From | Port |
|---|---|---|
| ALB SG | Internet (public) or VPN (internal) | 443 |
| ECS SG | ALB SG | Service port (3000) |
| RDS SG | ECS SG, VPN SG, Dashboard SG | 3306 / 5432 |
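As an added example (not code from the networking docs or the project), here is a small drift check that compares observed security group ingress rules against the allow-list in the table above. The rule shape mirrors the `IpPermissions` structure returned by the EC2 `DescribeSecurityGroups` API, simplified to use group names instead of group IDs; all sample data is constructed. The group names (`alb-public-sg`, `ecs-sg`, `vpn-sg`, and so on) are assumptions, as is modelling the VPN and dashboard sources as security groups rather than CIDRs. The constructed "observed" rules contain two drifts so the output is not empty: SSH opened to the world on the ECS group and PostgreSQL reachable from any address on the RDS group.

```python
"""Added example (not part of the CookieHub docs): compare observed security group
ingress rules against the documented allow-list. Rule shape mirrors the EC2
DescribeSecurityGroups IpPermissions structure, simplified to group names; all
sample data below is constructed."""

# Documented policy from the Security Groups table. Group names are assumptions;
# the VPN and dashboard sources are modelled as security groups.
SG_POLICY = {
    "alb-public-sg":   {"ports": {443},        "from_cidrs": {"0.0.0.0/0"}, "from_sgs": set()},
    "alb-internal-sg": {"ports": {443},        "from_cidrs": set(),         "from_sgs": {"vpn-sg"}},
    "ecs-sg":          {"ports": {3000},       "from_cidrs": set(),         "from_sgs": {"alb-public-sg", "alb-internal-sg"}},
    "rds-sg":          {"ports": {3306, 5432}, "from_cidrs": set(),         "from_sgs": {"ecs-sg", "vpn-sg", "dashboard-sg"}},
}

# Constructed "observed" rules with two deliberate drifts: SSH from anywhere on ECS
# and PostgreSQL from anywhere on RDS.
OBSERVED = {
    "ecs-sg": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
         "UserIdGroupPairs": [{"GroupName": "alb-public-sg"}], "IpRanges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "rds-sg": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "UserIdGroupPairs": [{"GroupName": "ecs-sg"}], "IpRanges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def audit_group(name, rules, policy):
    """Return (group, finding) tuples for every rule not covered by the policy."""
    allowed = policy[name]
    findings = []
    for rule in rules:
        # "-1" is the API's value for all protocols; a rule without ports is all traffic.
        if rule.get("IpProtocol") == "-1" or rule.get("FromPort") is None:
            findings.append((name, "all-traffic rule present"))
            continue
        ports = set(range(rule["FromPort"], rule["ToPort"] + 1))
        extra = sorted(ports - allowed["ports"])
        if extra:
            findings.append((name, f"unexpected port(s) {extra}"))
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupName"] not in allowed["from_sgs"]:
                findings.append((name, f"unexpected source group {pair['GroupName']}"))
        for ip_range in rule.get("IpRanges", []):
            if ip_range["CidrIp"] not in allowed["from_cidrs"]:
                findings.append((name, f"unexpected source CIDR {ip_range['CidrIp']}"))
    return findings


def audit(policy, observed):
    """Audit every observed group that has a documented policy entry."""
    return [f for name, rules in observed.items() for f in audit_group(name, rules, policy)]


if __name__ == "__main__":
    for group, finding in audit(SG_POLICY, OBSERVED):
        print(f"{group}: {finding}")
```

The check is deliberately allow-list based: anything not in the table is a finding, which is the right default for a database group that should only ever see traffic from the ECS, VPN and dashboard groups.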

NAT Gateway

ECS instances in private subnets reach the internet (ECR image pulls, external APIs) via a NAT Gateway in the public subnet. The NAT Gateway is outbound-only: no inbound connection from the internet reaches the private subnets directly.
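The outbound-only property rests on routing, not on the NAT Gateway itself: a private subnet stays private only as long as its route table sends 0.0.0.0/0 to a `nat-*` target and never to an internet gateway. The following added example (not part of the networking docs or the project's tooling) classifies subnets from their route tables and compares the result with the roles documented in the VPC Layout table. The route tables are constructed and the gateway IDs are placeholders; the subnet CIDRs are the ones on this page.

```python
"""Added example (not part of the CookieHub docs): derive each subnet's role from its
route table and compare it with the documented role. Route tables are constructed;
gateway IDs are placeholders."""

# Constructed route tables in the shape of a simplified describe-route-tables result.
ROUTE_TABLES = [
    {"name": "euc1-public-rt",
     "subnets": ["172.31.128.0/20", "172.31.192.0/20", "172.31.208.0/20"],
     "routes": [{"dst": "172.31.0.0/16", "target": "local"},
                {"dst": "0.0.0.0/0", "target": "igw-PLACEHOLDER"}]},
    {"name": "euc1-private-rt",
     "subnets": ["172.31.144.0/20", "172.31.160.0/20", "172.31.176.0/20"],
     "routes": [{"dst": "172.31.0.0/16", "target": "local"},
                {"dst": "0.0.0.0/0", "target": "nat-PLACEHOLDER"}]},
]

# Documented roles from the VPC Layout table.
EXPECTED = {
    "172.31.128.0/20": "public", "172.31.192.0/20": "public", "172.31.208.0/20": "public",
    "172.31.144.0/20": "private", "172.31.160.0/20": "private", "172.31.176.0/20": "private",
}


def classify(route_table):
    """'public' if the default route points at an internet gateway, 'private' if it
    points at a NAT gateway, 'isolated' if there is no default route at all."""
    default = [r["target"] for r in route_table["routes"] if r["dst"] == "0.0.0.0/0"]
    if not default:
        return "isolated"
    target = default[0]
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


def mismatches(route_tables, expected):
    """Subnets whose routing-derived role differs from the documented one.
    A documented 'private' subnet coming back 'public' means an IGW default route
    was added, so instances with a public IP there would be directly reachable."""
    actual = {s: classify(rt) for rt in route_tables for s in rt["subnets"]}
    return {s: (expected[s], actual.get(s, "unrouted"))
            for s in expected if actual.get(s) != expected[s]}


if __name__ == "__main__":
    drift = mismatches(ROUTE_TABLES, EXPECTED)
    print(drift or "all subnets match their documented role")
```

Run periodically against real `describe-route-tables` output, this catches the common failure where someone attaches the public route table to a private subnet to "fix" connectivity.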

External Networking

| Provider | Purpose |
|---|---|
| Cloudflare | DNS for cookiehub.com (not in AWS), Pages for docs site |
| Scaleway | Edge PHP servers (separate network, not AWS) |
| AWS CloudFront | CDN for widget assets + Lambda@Edge |