Deployment architectures - Part 3 [AWS]

The goal of this article is to present a high availability (HA) deployment design using AWS services. It outlines the key infrastructure and architectural requirements needed to ensure minimal downtime and fault tolerance. The focus is on building a resilient system that can withstand failures and scale with demand. This design serves as a foundation for deploying robust and reliable applications in the cloud

To better understand this article, it is recommended that you refer to the earlier articles in this series for context.

• Deployment architectures - Part 1 : WAF, ALB | NLB, ADC | API Gateway
• Deployment architectures - Part 2 [AWS]

Architectural Requirements for High Availability (HA)        

• Deliver low-latency responses and ensure high availability for users across diverse geographic regions
• Guarantee global data consistency while meeting tight deadlines within a few weeks
• Deployment across multiple Availability Zones
• Traffic distribution across multiple instances
• Automatic instance scaling based on demand
• Redundant and durable data storage
• System health monitoring and alerting
• Fault-tolerant application design
• Regular data backups and disaster recovery capability
• DNS-level failover and routing control
• Automated infrastructure provisioning and configuration
• Strict access control and network security measures

High Level Design        

A High Availability (HA) Deployment Architecture in AWS is designed to ensure that applications are resilient, fault-tolerant, and available even when individual components fail. Below is a typical high-level architecture for deploying a web application in AWS with high availability:

Core Components of HA Architecture in AWS

1. Fault Tolerant App Design

• Design stateless applications or use external state storage (like DynamoDB, S3).
• Use retries, timeouts, and graceful degradation in the application logic.

2. Regions and Availability Zones (AZs)

• Deploy across multiple Availability Zones within a single AWS Region.
• Each AZ is isolated but connected via low-latency links.

3. Networking

Amazon VPC with:

• Public subnets (for Load Balancer, NAT Gateway).
• Private subnets (for application and database layers).
• Route Tables, NACLs, and Security Groups for network security.

4. Load Balancing

Amazon Elastic Load Balancer (ELB) – typically Application Load Balancer (ALB):

• Distributes traffic across multiple instances in different AZs.
• Provides health checks and SSL termination.

5. Compute Layer

Auto Scaling Groups (ASG) with EC2 instances:

• Span across at least 2 AZs.
• Automatically scale out/in based on traffic.
• Ensure replacement of unhealthy instances.

Alternative:

• AWS Fargate or ECS/EKS (for containerized workloads) – also across multiple AZs.

6. Database Layer

Amazon RDS / Aurora: For databases, use Amazon RDS Multi-AZ or Amazon Aurora with failover.

• Multi-AZ deployment for failover.
• Automated backups and replication.

For NoSQL:

• Amazon DynamoDB – HA by design across multiple AZs.

7. Redundant Data Storage

• Amazon S3 – HA and durable by default and with versioning and cross-region replication if needed.
• Amazon EFS – provides shared, scalable file storage across AZs.

8. Security and Access Control

• Use IAM roles and policies, VPC, security groups, and network ACLs to secure your deployment.
• High availability should not compromise security.

9. Auto Scaling

• Configure Auto Scaling Groups (ASGs) to automatically add or remove instances based on demand.
• Helps maintain performance during traffic spikes and reduces cost during low usage.

10. DNS Failover & Traffic Management

Amazon Route 53:

• Global DNS with health checks.
• Use Amazon Route 53 with health checks and routing policies (e.g., failover, latency-based routing).
• Enables automatic redirection to healthy regions or endpoints.

11. Caching and Acceleration

• Amazon CloudFront – for global content delivery.
• Amazon ElastiCache (Redis/Memcached) – to cache frequently accessed data.

12. Infrastructure as Code (IaC)

• Use tools like AWS CloudFormation or Terraform for consistent and automated deployment.
• Helps with rapid recovery and environment replication.

13. Monitoring, Logging, Health Checks & Observability

• Amazon CloudWatch – metrics, logs, and alarms.
• AWS CloudTrail – logs API calls.
• AWS X-Ray – for distributed tracing.
• Use AWS Systems Manager or third-party tools like Signoz, NewRelic, Dynatrace etc for observability.

14. Disaster Recovery & Backups

• Snapshots of EC2/RDS.
• Regular backups using AWS Backup or service-specific backups (e.g., RDS snapshots).
• Cross-region S3 replication or database replication if required for DR.
• Define and test Disaster Recovery (DR) plans.

Architecture        

To address the requirements, we can opt to create complementary services tailored for a multi-Region, active-active architecture using AWS. We can leverage key AWS services to achieve this:

• Amazon CloudFront and Amazon Route 53 – Deliver global content and route traffic to ensure the lowest-latency responses
• Amazon DynamoDB – Provide consistent, highly available data replication across Regions
• Amazon Elastic Container Service (Amazon ECS) – Enable scalable deployment of containerized services
• Amazon EventBridge – Facilitate asynchronous integration with existing systems through event-driven patterns

This approach allows us to meet latency, availability, and data consistency goals while seamlessly integrating with the existing infrastructure. The following diagram illustrates the architecture of the solution.

Low Latency and Multi-Region Resiliency

To achieve the lowest latency and ensure multi-Region resiliency, we can use CloudFront combined with latency-based routing configured in Route 53. This routing directs requests to the Regional Application Load Balancers with the lowest latency, automatically providing resilience in case of Regional outages. Security remains a top priority. AWS WAF is integrated with CloudFront to offer application-layer protection at the edge. Additional security measures include:

• Custom HTTP headers on origin requests, enforced through Application Load Balancer listener rule conditions
• Prefix lists that restrict access to Application Load Balancers, ensuring traffic only comes from the intended CloudFront distributions

Fast Regional Deployment

We can deploy the core infrastructure using Terraform, while applications are deployed with custom tooling that wraps AWS CloudFormation. This hybrid approach enables rapid delivery by leveraging existing patterns without disrupting established workflows. Resources are organized into three tiers: platform, global, and Regional. Platform and global resources are deployed once, while Regional resources are rolled out to each activated Region, simplifying expansion efforts.

A technical challenge may arise from CloudFormation exports being Regional by design. To overcome this, we can implement a custom CloudFormation macro that enables cross-Region access to exported values, ensuring consistency across deployments.

Amazon ECS supports progressive application deployments within each Region, allowing the team to concentrate on scaling applications rather than managing infrastructure. For cost efficiency, we can utilize Spot Instances. There is a possibility that container start-up latency may occur due to cross-Region image downloads from Amazon Elastic Container Registry (Amazon ECR). We can resolve this by enabling private image replication in Amazon ECR, making container images available locally in each Region. This significantly reduces start-up times, improving application responsiveness during deployments and scaling events.

Performance and Data Consistency

DynamoDB global tables play a crucial role in delivering eventual data consistency and replicating data across Regions. By offloading these responsibilities to DynamoDB, we can concentrate on developing application logic. This approach may lead to a significant reduction in latency at critical locations.

Security Assurance

By leveraging CloudFront, AWS WAF, and Application Load Balancer security features, we can ensure comprehensive protection for both traffic and data. CloudFront provides secure content delivery with edge-level filtering to block malicious requests early. AWS WAF adds an additional layer of application-layer security by enabling customizable rules to prevent common web exploits. Application Load Balancers enforce strict access controls and support custom security headers, further safeguarding the system from unauthorized access and attacks.

Summary        

By adopting a multi-Region, active-active architecture on AWS, we can successfully meet the requirements stated earlier, rapidly expanding to new Regions while promoting platform resiliency. The solution will improve latency, provide Regional data availability through DynamoDB global tables, and maintain 100% service uptime during resiliency tests, even in cases of Regional connectivity loss. Additionally, deployment velocity may increase, allowing faster feature releases and improved agility.

This architecture not only provides a scalable and resilient platform for current operations but also establishes a strong foundation for future global expansion.