A production-shaped streaming architecture presented in a portfolio-safe format.
This page turns the live infrastructure topology into a reviewable demo for a job application. It focuses on system boundaries, deployment tradeoffs, and operational thinking without exposing sensitive identifiers from the real AWS environment.
The architecture still shows ingress, service ownership, private data boundaries, and IAM role separation. What changed is the exposure level, not the underlying engineering story.
Reviewers can see the real shape of the system and the tradeoffs behind it, while account IDs, DNS names, ARNs, policy names, database endpoints, and network identifiers stay redacted.
Public Entry
Route53 resolves the application hostname into a single internet-facing ALB. TLS terminates there, health checks stay centralized, and service exposure remains controlled through target groups.
Service Split
The web tier and ingest worker run as separate ECS services. That keeps user-facing latency concerns isolated from background transcoding and queue-recovery behavior.
Private Connectivity
RDS, service subnets, and interface endpoints sit behind security-group boundaries instead of public exposure. The demo emphasizes intent and relationships without leaking deployment identifiers.
Least Privilege
Task roles and execution roles are separated explicitly. The page surfaces that IAM structure because it demonstrates how runtime permissions were designed, not just that the app happens to deploy.
Browser request to application response
Route53 maps `app.example.com` to the ALB.
The ALB listener forwards traffic into the web target group.
The web ECS service serves the application and coordinates data access.
RDS is reached only from inside the private network boundary: its security group admits 5432 from the web and worker security groups (plus one further group and two redacted CIDR ranges in the export), never from the ALB security group or the internet.
Background ingest and recovery loop
The web tier creates the job record in Postgres and emits a compact SQS message containing the video identifier.
The worker service long-polls SQS independently of the web tier and loads the full job state from Postgres only after a message arrives.
Stale claim recovery returns interrupted work to the queue instead of leaving a crashed worker's job stuck in a claimed state.
Output artifacts move through storage-backed publishing paths while operational state persists in Postgres.
The architecture keeps compute concerns decoupled from the user-facing request path.
How network and IAM boundaries line up
Security groups describe which components can initiate traffic to which destinations; they are stateful, so only the initiating direction needs a rule.
VPC endpoints avoid unnecessary public egress for AWS-managed dependencies.
Task roles scope runtime permissions per workload instead of sharing a broad instance profile.
The portfolio export preserves those relationships while redacting identifiers and secrets.
What each part of the system actually does
The topology is more useful when each box has an operational meaning. This section explains the responsibility split between the public edge, application services, data layer, storage layer, and private AWS dependencies.
ALB
The application load balancer is the public entry point. It terminates TLS on the 443 listener, runs health checks, and forwards browser traffic only to the web service's target group instead of exposing containers directly. One caveat visible in the export: listener-2 on port 80 also forwards to target-group-1 rather than redirecting to HTTPS, so plaintext requests are served; a redirect action on the port 80 listener is the usual fix.
Web Service
The web ECS service serves the Streamora UI, handles user-facing requests, reads and writes application data, and coordinates which videos are available for playback. It is the only service intentionally reachable through the public request path.
Worker Service
The worker ECS service is internal-only. It consumes SQS messages, claims the corresponding job in Postgres, downloads or processes source media, generates output artifacts, recovers stale claims, and publishes results without competing with browser traffic for latency-sensitive work.
RDS / Postgres
RDS stores durable operational state: video metadata, ingest status, claim ownership, heartbeats, and publish lifecycle data. Both the web and worker services depend on it, and it stays behind its own security group. Two things worth checking against the export: besides the web, worker, and sg-5 references, security-group-5 also admits 5432 from two CIDR ranges (cidr-1, cidr-2) whose values are redacted, so a reviewer cannot confirm from this page alone that they are private; and the instance is single-AZ (Multi-AZ false), which is a durability rather than a security tradeoff.
S3
S3 stores the actual media artifacts: uploaded source files, generated thumbnails, and playback assets. The worker publishes into S3, and the web service turns those stored keys into playback and thumbnail URLs for the product experience.
SQS
SQS is the dispatch layer between the web and worker services. The queue carries only small job messages so delivery is retryable, while Postgres remains the source of truth for job state, attempts, and final ingest results.
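The claim, heartbeat, and stale-claim recovery described in the background ingest loop above and in the Worker and SQS descriptions, as an added example that is not Streamora's code. It assumes a hypothetical `jobs` table (id, video_id, status, claimed_by, heartbeat_at, attempts); sqlite3 stands in for Postgres and a deque stands in for SQS so it runs offline. The SQL is the point: a single conditional UPDATE is what keeps two workers, or a duplicate SQS delivery, from processing the same video twice.

```python
import sqlite3
from collections import deque

CLAIM_TTL = 60.0  # seconds a claim may go without a heartbeat before it counts as stale


def make_store():
    # sqlite3 stands in for the Postgres job table (hypothetical schema) so this runs offline.
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE jobs (
               id INTEGER PRIMARY KEY, video_id TEXT NOT NULL, status TEXT NOT NULL,
               claimed_by TEXT, heartbeat_at REAL, attempts INTEGER NOT NULL DEFAULT 0)"""
    )
    return db


def enqueue_job(db, queue, video_id):
    """Web tier: write the durable row first, then a compact message carrying only the ids."""
    cur = db.execute("INSERT INTO jobs (video_id, status) VALUES (?, 'queued')", (video_id,))
    db.commit()
    queue.append({"job_id": cur.lastrowid, "video_id": video_id})  # deque stands in for SQS
    return cur.lastrowid


def claim_job(db, job_id, worker, now):
    """One conditional UPDATE claims the row. A second worker (or a redelivered message)
    sees zero rows affected and backs off; a claim whose heartbeat is older than
    CLAIM_TTL is treated as abandoned and may be taken over."""
    cur = db.execute(
        """UPDATE jobs
              SET status = 'processing', claimed_by = ?, heartbeat_at = ?, attempts = attempts + 1
            WHERE id = ?
              AND (status = 'queued'
                   OR (status = 'processing' AND heartbeat_at < ?))""",
        (worker, now, job_id, now - CLAIM_TTL),
    )
    db.commit()
    return cur.rowcount == 1


def heartbeat(db, job_id, worker, now):
    """Long transcodes refresh their claim; only the current owner may do so."""
    cur = db.execute(
        "UPDATE jobs SET heartbeat_at = ? WHERE id = ? AND claimed_by = ? AND status = 'processing'",
        (now, job_id, worker),
    )
    db.commit()
    return cur.rowcount == 1


def complete_job(db, job_id, worker):
    cur = db.execute(
        "UPDATE jobs SET status = 'published' WHERE id = ? AND claimed_by = ? AND status = 'processing'",
        (job_id, worker),
    )
    db.commit()
    return cur.rowcount == 1


def recover_stale_claims(db, queue, now):
    """Reaper: jobs whose owner stopped heartbeating go back to 'queued' and are re-emitted."""
    stale_before = now - CLAIM_TTL
    rows = db.execute(
        "SELECT id, video_id FROM jobs WHERE status = 'processing' AND heartbeat_at < ?",
        (stale_before,),
    ).fetchall()
    recovered = []
    for job_id, video_id in rows:
        # Re-check inside the UPDATE so a worker that heartbeated in between keeps its claim.
        cur = db.execute(
            "UPDATE jobs SET status = 'queued', claimed_by = NULL "
            "WHERE id = ? AND status = 'processing' AND heartbeat_at < ?",
            (job_id, stale_before),
        )
        if cur.rowcount == 1:
            queue.append({"job_id": job_id, "video_id": video_id})
            recovered.append(job_id)
    db.commit()
    return recovered


def handle_message(db, msg, worker, now):
    """Worker receive path: the message only names the job; full state comes from the table."""
    row = db.execute("SELECT status FROM jobs WHERE id = ?", (msg["job_id"],)).fetchone()
    if row is None:
        return "unknown-job"        # row deleted: drop the message rather than retry forever
    if row[0] == "published":
        return "already-published"  # late duplicate delivery after completion
    if not claim_job(db, msg["job_id"], worker, now):
        return "claimed-elsewhere"  # a live claim is held by another worker
    return "claimed"


def demo():
    """Happy path plus a crashed worker; returns the job's final (status, owner, attempts)."""
    db, queue = make_store(), deque()
    job = enqueue_job(db, queue, "vid-0001")  # constructed sample job
    msg = queue.popleft()
    assert handle_message(db, msg, "worker-a", now=100.0) == "claimed"
    # worker-a dies right after claiming. SQS redelivers at t=110: claim still fresh, no steal.
    assert handle_message(db, msg, "worker-b", now=110.0) == "claimed-elsewhere"
    # At t=200 the claim is older than CLAIM_TTL; the reaper requeues it exactly once.
    assert recover_stale_claims(db, queue, now=200.0) == [job]
    assert recover_stale_claims(db, queue, now=200.0) == []
    assert handle_message(db, queue.popleft(), "worker-b", now=201.0) == "claimed"
    assert heartbeat(db, job, "worker-b", now=230.0)
    assert complete_job(db, job, "worker-b")
    return db.execute("SELECT status, claimed_by, attempts FROM jobs WHERE id = ?", (job,)).fetchone()
```

With real SQS the redelivery in `demo()` happens on its own once the visibility timeout expires, which is why the claim check has to live in the database rather than in the queue: the queue guarantees at-least-once delivery, and the conditional UPDATE turns that into at-most-one active owner.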
VPC Endpoints
VPC endpoints let private workloads reach AWS-managed services without routing that traffic over the public internet, which trims egress exposure and makes the network design easier to reason about in a production setting. The export lists exactly one endpoint, an interface endpoint for Secrets Manager (vpce-1) whose security group (sg-4) admits 443 from the web and worker groups. S3 and SQS do not appear behind an endpoint in this export, so that traffic uses whatever egress path the service subnets provide unless a gateway endpoint the tool does not list is in place; a reviewer should ask.
IAM Roles
Execution roles let the ECS agent start tasks: pull the image, write container logs, and fetch any secrets injected through the task definition. Task roles grant runtime permissions to the application code itself, such as reading secrets or publishing media. Keeping those roles separate demonstrates least-privilege intent instead of a single broad permission set. In the export each service has its own task role (task-role-1 for the web service, task-role-2 for the worker) while both share execution-role-1; sharing the execution role is reasonable when both tasks pull from the same registry, but it means that role's grants are the union of both workloads' launch-time needs.
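A small linter for the execution-role / task-role split described above, added here as an example and not Streamora's IAM. The real managed-policy-* and inline-policy-1 documents are redacted in the export, so the three policy documents below are hypothetical stand-ins (resource ARNs use the export's `account` placeholder); the web and worker documents each carry one deliberately over-broad statement for the linter to catch.

```python
import fnmatch

# Launch-time actions the ECS agent needs to pull the image and ship logs. Application
# code has no business holding them, so a task role that grants them is a finding.
LAUNCH_TIME = ("ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
               "logs:CreateLogStream", "logs:PutLogEvents")
# Data-plane actions that belong to the application, never to the execution role.
DATA_PLANE = ("s3:GetObject", "s3:PutObject", "sqs:SendMessage", "sqs:ReceiveMessage",
              "sqs:DeleteMessage")

# Hypothetical policy documents (the real ones are redacted in the export).
EXECUTION_ROLE = {"Statement": [
    {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
     "Resource": "arn:aws:ecr:us-east-1:account:repository/streamora/*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:account:log-group:/ecs/streamora:*"},
]}
WEB_TASK_ROLE = {"Statement": [
    {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
     "Resource": "arn:aws:secretsmanager:us-east-1:account:secret:streamora/db-*"},
    {"Effect": "Allow", "Action": ["sqs:SendMessage"],
     "Resource": "arn:aws:sqs:us-east-1:account:ingest"},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::bucket-1/public/*"},
    {"Effect": "Allow", "Action": ["logs:*"], "Resource": "*"},  # deliberately wrong: agent's job
]}
WORKER_TASK_ROLE = {"Statement": [
    {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
     "Resource": "arn:aws:secretsmanager:us-east-1:account:secret:streamora/db-*"},
    {"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
     "Resource": "arn:aws:sqs:us-east-1:account:ingest"},
    {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::bucket-1/public/*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},  # deliberately over-broad
]}


def _allow_statements(doc):
    """Yield (actions, resources) for each Allow statement, normalising string vs list."""
    for st in doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        yield acts, res


def _grants(pattern, action):
    """IAM action names are case-insensitive and '*' in a policy action is a wildcard."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def lint_task_role(doc):
    """Findings as (kind, action): launch-time actions held by app code, and '*' on '*'."""
    findings = []
    for acts, res in _allow_statements(doc):
        for a in acts:
            if any(_grants(a, t) for t in LAUNCH_TIME):
                findings.append(("launch-time-action", a))
            if "*" in a and "*" in res:
                findings.append(("wildcard-on-wildcard", a))
    return findings


def lint_execution_role(doc):
    """Findings as (kind, action): data-plane actions that belong in a task role instead."""
    return [("data-plane-action", a)
            for acts, _ in _allow_statements(doc) for a in acts
            if any(_grants(a, t) for t in DATA_PLANE)]


def lint_pair(execution_doc, task_docs):
    """Lint one execution role against the task roles that share it (as in the export)."""
    result = {"execution": lint_execution_role(execution_doc)}
    for name, doc in task_docs.items():
        result[name] = lint_task_role(doc)
    return result
```

The two checks are deliberately asymmetric: an execution role holding `s3:PutObject` means the agent identity can write media, while a task role holding `logs:*` means a compromised container can create log streams in other groups and cover its tracks. Neither is caught by asking "does each service have its own role?", which is all the export's IAM table can show.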
Engineering improvements highlighted in this demo
How to read the sanitized topology
The exported topology below is intentionally machine-derived and lightly curated. It serves as evidence that the architecture summary above maps to a real deployment shape.
`public-app-alb` is the public entry point. Services show whether they are ALB-backed or internal-only. VPC endpoints and security-group connections reveal how private service access is controlled: the web service's group (sg-2) admits only the ALB's group (sg-1) on the container port 3000, the worker's group (sg-3) admits nothing inbound, and the database group (sg-6) admits 5432 from both service groups.
The IAM section shows workload-level role separation. The ECS-to-RDS links demonstrate that the topology tool is not just listing resources, it is correlating how those resources are connected.
A few things a reviewer should check rather than take on trust: listener-2 forwards plain HTTP on port 80 to the same target group instead of redirecting; sg-5 appears as an inbound source on the endpoint and database groups but is not itself listed under SECURITY GROUPS; the database group also admits 5432 from two redacted CIDR ranges; and every group's outbound rule is all traffic to the public internet, the default egress.
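The reviewer checks from the two sections above (network and IAM boundaries, and how to read the export), as an added example that is not the topology tool's code. `EXPORT` is typed in by hand from the tables in the public export that follows; the dict layout, the rule tuples, and the list of AWS services the tasks are assumed to need are this example's own assumptions, not the tool's output format.

```python
# Constructed from the public topology export's tables. Keys are this example's choice.
EXPORT = {
    "listeners": [
        {"id": "listener-1", "protocol": "HTTPS", "port": 443, "action": "forward", "target": "target-group-1"},
        {"id": "listener-2", "protocol": "HTTP", "port": 80, "action": "forward", "target": "target-group-1"},
    ],
    "alb_sg": "sg-1",
    "services": {
        "service-1": {"sg": "sg-2", "task_role": "task-role-1", "execution_role": "execution-role-1", "alb": True},
        "service-2": {"sg": "sg-3", "task_role": "task-role-2", "execution_role": "execution-role-1", "alb": False},
    },
    # Inbound rules per security group as (source_kind, source, protocol, port).
    "security_groups": {
        "sg-1": [("cidr", "public-internet", "tcp", 80), ("cidr", "public-internet", "tcp", 443)],
        "sg-2": [("sg", "sg-1", "tcp", 3000)],
        "sg-3": [],
        "sg-4": [("sg", "sg-5", "tcp", 443), ("sg", "sg-2", "tcp", 443), ("sg", "sg-3", "tcp", 443)],
        "sg-6": [("sg", "sg-5", "tcp", 5432), ("sg", "sg-2", "tcp", 5432), ("sg", "sg-3", "tcp", 5432),
                 ("cidr", "cidr-1", "tcp", 5432), ("cidr", "cidr-2", "tcp", 5432)],
    },
    "rds": {"db-instance-1": {"sg": "sg-6", "port": 5432}},
    "vpc_endpoints": ["com.amazonaws.us-east-1.secretsmanager"],
}


def plaintext_listeners(export):
    """HTTP listeners that forward to a target group instead of redirecting to HTTPS."""
    return [l["id"] for l in export["listeners"]
            if l["protocol"] == "HTTP" and l["action"] != "redirect"]


def who_can_reach(export, db_id):
    """Resolve the database group's inbound sources back to workloads. Sources that do not
    map to a known service are returned with a kind prefix so they are not silently accepted."""
    sg_to_service = {svc["sg"]: name for name, svc in export["services"].items()}
    db = export["rds"][db_id]
    sources = set()
    for kind, src, proto, port in export["security_groups"][db["sg"]]:
        if port != db["port"]:
            sources.add(f"unexpected-port:{proto}/{port}")
        elif kind == "sg" and src in sg_to_service:
            sources.add(sg_to_service[src])
        else:
            sources.add(f"{kind}:{src}")
    return sources


def dangling_sg_references(export):
    """Security groups used as a source somewhere but absent from the export's SG listing."""
    known = set(export["security_groups"])
    return sorted({src for rules in export["security_groups"].values()
                   for kind, src, _, _ in rules if kind == "sg" and src not in known})


def service_ingress_violations(export):
    """An ALB-backed service group may admit only the ALB group; an internal-only one, nothing."""
    bad = {}
    for name, svc in export["services"].items():
        sources = {(k, s) for k, s, _, _ in export["security_groups"][svc["sg"]]}
        allowed = {("sg", export["alb_sg"])} if svc["alb"] else set()
        if sources - allowed:
            bad[name] = sorted(sources - allowed)
    return bad


def shared_task_roles(export):
    """Task roles used by more than one service (execution roles may legitimately be shared)."""
    users = {}
    for name, svc in export["services"].items():
        users.setdefault(svc["task_role"], []).append(name)
    return {role: names for role, names in users.items() if len(names) > 1}


def endpoints_not_in_export(export, needed=("secretsmanager", "s3", "sqs")):
    """AWS services the tasks are assumed to use that have no endpoint in the export. A gateway
    endpoint for S3 may simply not be listed by the tool, so treat this as a question to ask."""
    present = {e.rsplit(".", 1)[-1] for e in export["vpc_endpoints"]}
    return sorted(set(needed) - present)


def review(export):
    return {
        "plaintext_listeners": plaintext_listeners(export),
        "db_reachable_from": sorted(who_can_reach(export, "db-instance-1")),
        "dangling_sg_references": dangling_sg_references(export),
        "service_ingress_violations": service_ingress_violations(export),
        "shared_task_roles": shared_task_roles(export),
        "endpoints_not_in_export": endpoints_not_in_export(export),
    }
```

Run against the export on this page, `review(EXPORT)` confirms the two claims the prose makes (each service has its own task role; the service groups admit only what the ALB path requires) and surfaces the four open questions: the plaintext listener, the unlisted sg-5, the two CIDR sources on the database group, and the absence of S3 and SQS endpoints in the listing.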
Public topology export
Generated from the real AWS topology with the portfolio-safe `--public` mode.
ROUTE53
+-------------+-----------------+------+-----------------------+----------------+----------------------+-----------+
| Hosted Zone | Record | Type | Target | ALB Name | ALB DNS | Region |
+-------------+-----------------+------+-----------------------+----------------+----------------------+-----------+
| example.com | app.example.com | A | alb.example.internal. | public-app-alb | alb.example.internal | us-east-1 |
+-------------+-----------------+------+-----------------------+----------------+----------------------+-----------+
ALB
+----------------+-------------+-----------------+--------+-------+--------------------+-----------------+----------------------+
| Name | Type | Scheme | State | VPC | Subnets | Security Groups | DNS |
+----------------+-------------+-----------------+--------+-------+--------------------+-----------------+----------------------+
| public-app-alb | application | internet-facing | active | vpc-1 | subnet-1, subnet-2 | sg-1 | alb.example.internal |
+----------------+-------------+-----------------+--------+-------+--------------------+-----------------+----------------------+
ALB LISTENERS
+------------+----------+------+----------------------------------------+--------------+----------------+
| Listener | Protocol | Port | Certificates | Action Types | Target Groups |
+------------+----------+------+----------------------------------------+--------------+----------------+
| listener-1 | HTTPS | 443 | arn:aws:acm:region:account:certificate | forward | target-group-1 |
| | | | /public-cert-1 | | |
+------------+----------+------+----------------------------------------+--------------+----------------+
| listener-2 | HTTP | 80 | - | forward | target-group-1 |
+------------+----------+------+----------------------------------------+--------------+----------------+
ALB LISTENER RULES
+------------+--------+----------+------------+---------+----------------+
| Listener | Rule | Priority | Conditions | Actions | Target Groups |
+------------+--------+----------+------------+---------+----------------+
| listener-1 | rule-1 | default | default | forward | target-group-1 |
+------------+--------+----------+------------+---------+----------------+
| listener-2 | rule-2 | default | default | forward | target-group-1 |
+------------+--------+----------+------------+---------+----------------+
ECS SERVICES
+-----------+-----------+---------+------------------+-------------+------------------+----------------------------------------+----------------------------------------+-------------------------+------------------------------+---------------------------------------+----------------------------------------+
| Cluster | Service | Desired | Task Definition | Task Role | Execution Role | ALB Usage | Subnets | Security Groups | SG Connections | RDS Links | S3 Links |
+-----------+-----------+---------+------------------+-------------+------------------+----------------------------------------+----------------------------------------+-------------------------+------------------------------+---------------------------------------+----------------------------------------+
| cluster-1 | service-1 | 1 | public-taskdef-1 | task-role-1 | execution-role-1 | public-app-alb -> target-group-1 | subnet-1, subnet-2 | security-group-1 (sg-2) | in<- security-group-2 (sg-1) | instance:db-instance-1 (sg-reference) | bucket:bucket-1 (env:<redacted>) |
| | | | | | | (container-1:3000) | | | | | service-mode:s3 (env:<redacted>) |
+-----------+-----------+---------+------------------+-------------+------------------+----------------------------------------+----------------------------------------+-------------------------+------------------------------+---------------------------------------+----------------------------------------+
| cluster-1 | service-2 | 1 | public-taskdef-2 | task-role-2 | execution-role-1 | - | subnet-3, subnet-1, subnet-4, | security-group-3 (sg-3) | - | instance:db-instance-1 (sg-reference) | bucket:bucket-1 (env:<redacted>) |
| | | | | | | | subnet-2, subnet-5, subnet-6 | | | | bucket:bucket-1 |
| | | | | | | | | | | | (iam-policy:<redacted>) |
| | | | | | | | | | | | service-mode:s3 (env:<redacted>) |
+-----------+-----------+---------+------------------+-------------+------------------+----------------------------------------+----------------------------------------+-------------------------+------------------------------+---------------------------------------+----------------------------------------+
IAM ROLES
+------------------+----------------------------------------+---------------+----------------------------------------+------------------+-----------------+
| Role | ARN | Path | Principal | Managed Policies | Inline Policies |
+------------------+----------------------------------------+---------------+----------------------------------------+------------------+-----------------+
| execution-role-1 | arn:aws:iam::account:role/execution-ro | /application/ | {'Service': 'ecs-tasks.amazonaws.com'} | managed-policy-2 | inline-policy-1 |
| | le-1 | | | | |
+------------------+----------------------------------------+---------------+----------------------------------------+------------------+-----------------+
| task-role-1 | arn:aws:iam::account:role/task-role-1 | /application/ | {'Service': 'ecs-tasks.amazonaws.com'} | managed-policy-1 | - |
+------------------+----------------------------------------+---------------+----------------------------------------+------------------+-----------------+
| task-role-2 | arn:aws:iam::account:role/task-role-2 | /application/ | {'Service': 'ecs-tasks.amazonaws.com'} | managed-policy-3 | - |
| | | | | managed-policy-4 | |
+------------------+----------------------------------------+---------------+----------------------------------------+------------------+-----------------+
SECURITY GROUPS
+------------------+------+-------+----------------------------------------+-------------------------+---------------------------------------+--------------------------------------+
| Name | ID | VPC | Description | Inbound Security Groups | Inbound Rules | Outbound Rules |
+------------------+------+-------+----------------------------------------+-------------------------+---------------------------------------+--------------------------------------+
| security-group-1 | sg-2 | vpc-1 | Security boundary for a demo | security-group-2 (sg-1) | SG security-group-2 (sg-1) | tcp 3000 | CIDR public-internet | all all ports |
| | | | component. | | | |
+------------------+------+-------+----------------------------------------+-------------------------+---------------------------------------+--------------------------------------+
| security-group-2 | sg-1 | vpc-1 | Security boundary for a demo | - | CIDR public-internet | tcp 80 | CIDR public-internet | all all ports |
| | | | component. | | CIDR public-internet | tcp 443 | |
+------------------+------+-------+----------------------------------------+-------------------------+---------------------------------------+--------------------------------------+
| security-group-3 | sg-3 | vpc-1 | Security boundary for a demo | - | - | CIDR public-internet | all all ports |
| | | | component. | | | |
+------------------+------+-------+----------------------------------------+-------------------------+---------------------------------------+--------------------------------------+
| security-group-4 | sg-4 | vpc-1 | Security boundary for a demo | security-group-1 (sg-2) | SG sg-5 (sg-5) | tcp 443 | CIDR public-internet | all all ports |
| | | | component. | security-group-3 (sg-3) | SG security-group-1 (sg-2) | tcp 443 | |
| | | | | sg-5 (sg-5) | SG security-group-3 (sg-3) | tcp 443 | |
+------------------+------+-------+----------------------------------------+-------------------------+---------------------------------------+--------------------------------------+
| security-group-5 | sg-6 | vpc-1 | Security boundary for a demo | security-group-1 (sg-2) | SG sg-5 (sg-5) | tcp 5432 | CIDR public-internet | all all ports |
| | | | component. | security-group-3 (sg-3) | SG security-group-1 (sg-2) | tcp 5432 | |
| | | | | sg-5 (sg-5) | SG security-group-3 (sg-3) | tcp 5432 | |
| | | | | | CIDR cidr-1 | tcp 5432 | |
| | | | | | CIDR cidr-2 | tcp 5432 | |
+------------------+------+-------+----------------------------------------+-------------------------+---------------------------------------+--------------------------------------+
VPC ENDPOINTS
+-------------+----------------------------------------+-----------+-------+----------+-------------------------+-------------+-----------+
| Endpoint ID | Service | Type | VPC | Subnets | Security Groups | Private DNS | State |
+-------------+----------------------------------------+-----------+-------+----------+-------------------------+-------------+-----------+
| vpce-1 | com.amazonaws.us-east-1.secretsmanager | Interface | vpc-1 | subnet-2 | security-group-4 (sg-4) | true | available |
+-------------+----------------------------------------+-----------+-------+----------+-------------------------+-------------+-----------+
RDS INSTANCES
+---------------+----------+-----------+----------------------------+-------+-------------------------+----------+
| Identifier | Engine | Status | Endpoint | VPC | Security Groups | Multi-AZ |
+---------------+----------+-----------+----------------------------+-------+-------------------------+----------+
| db-instance-1 | postgres | available | writer.db.example.internal | vpc-1 | security-group-5 (sg-6) | false |
+---------------+----------+-----------+----------------------------+-------+-------------------------+----------+
ECS TO RDS LINKS
+-------------+-------------+---------------+--------------+------------+
| ECS Service | Target Type | Target ID | Match Type | Match |
+-------------+-------------+---------------+--------------+------------+
| service-1 | instance | db-instance-1 | sg-reference | <redacted> |
+-------------+-------------+---------------+--------------+------------+
| service-2 | instance | db-instance-1 | sg-reference | <redacted> |
+-------------+-------------+---------------+--------------+------------+
ECS TO S3 LINKS
+-------------+--------------+-----------+------------+------------+
| ECS Service | Target Type | Target ID | Match Type | Match |
+-------------+--------------+-----------+------------+------------+
| service-1 | bucket | bucket-1 | env | <redacted> |
+-------------+--------------+-----------+------------+------------+
| service-1 | service-mode | s3 | env | <redacted> |
+-------------+--------------+-----------+------------+------------+
| service-2 | bucket | bucket-1 | env | <redacted> |
+-------------+--------------+-----------+------------+------------+
| service-2 | bucket | bucket-1 | iam-policy | <redacted> |
+-------------+--------------+-----------+------------+------------+
| service-2 | service-mode | s3 | env | <redacted> |
+-------------+--------------+-----------+------------+------------+
WARNINGS
- Public mode enabled: infrastructure identifiers, endpoints, ARNs, and sensitive values have been redacted.