Production-ready AWS infrastructure templates covering VPC networking, ECS Fargate compute, RDS databases, Aurora PostgreSQL, and Database Migration Service — all following AWS best practices for security, high availability, and cost efficiency.
| Template | Purpose | Key Services |
|---|---|---|
| VPC | Base networking layer | VPC, Subnets, NAT Gateway, VPC Endpoints |
| Prod_aws_infra | Full production environment | ECS Fargate, RDS Multi-AZ, ALB, IAM |
| RDS_Aurora_Postgresql | Managed Aurora database | Aurora PostgreSQL, KMS, Secrets Manager |
| DMS | Database migration | DMS Replication Instance, Source/Target Endpoints |
| pocdevinfra | POC/dev environment | ECS Fargate, Oracle RDS, ALB, ACM |
## VPC

A secure, production-grade networking foundation with public/private subnet separation and AWS service endpoints.

Architecture:

```
Internet
│
▼
Internet Gateway
│
├── Public Subnet 1 (10.0.1.0/24) ap-south-1a ── NAT Gateway
└── Public Subnet 2 (10.0.2.0/24) ap-south-1b

Private Subnet 1 (10.0.3.0/24) ap-south-1a ──┐
Private Subnet 2 (10.0.4.0/24) ap-south-1b ──┘── NAT Gateway → internet
```
Resources created:
- VPC (10.0.0.0/16) with DNS support and hostnames enabled
- 2 public subnets + 2 private subnets across 2 availability zones
- Internet Gateway (public internet access)
- NAT Gateway + Elastic IP (private subnet outbound access)
- Separate route tables for public and private subnets
- VPC Endpoints (keeps traffic off the public internet):
  - `com.amazonaws.ap-south-1.ssm` - SSM Parameter Store
  - `com.amazonaws.ap-south-1.ecr.dkr` - ECR container pulls
  - `com.amazonaws.ap-south-1.s3` - S3 object access
  - `com.amazonaws.ap-south-1.logs` - CloudWatch Logs
Deploy:

```bash
aws cloudformation create-stack \
  --stack-name prod-vpc \
  --template-body file://VPC \
  --region ap-south-1
```

## Prod_aws_infra

A complete, enterprise-grade production environment with load balancing, container compute, and a highly available database.
Architecture:

```
Internet → ALB (Application Load Balancer)
│
├── Target Group 1 → ECS Fargate Service 1 (Backend API)
├── Target Group 2 → ECS Fargate Service 2 (Backend Service)
├── Target Group 3 → ECS Fargate Service 3 (UI App 1)
└── Target Group 4 → ECS Fargate Service 4 (UI App 2)

4 Private Subnets → RDS Multi-AZ
├── Master (write)
├── Standby (automatic failover)
├── Read Replica 1
└── Read Replica 2
```
Resources created:
- VPC with 4 private subnets across multiple AZs
- Application Load Balancer with 4 listener rules and target groups
- ECS Fargate Cluster with 4 services (2 backend + 2 UI)
- ECS Task Definition with IAM execution role
- RDS instance: master + 1 standby + 2 read replicas (configurable: Oracle/PostgreSQL)
- Security groups for ECS tasks and RDS (principle of least privilege)
- IAM role for ECS task execution (ECR pull + CloudWatch logs)
Configurable parameters:

```
DBEngine: oracle-ee | postgres
DBInstanceClass: db.t3.small (adjustable)
DBMultiAZ: true
```

Deploy:

```bash
aws cloudformation create-stack \
  --stack-name prod-infra \
  --template-body file://Prod_aws_infra \
  --capabilities CAPABILITY_IAM \
  --region ap-south-1
```

## RDS_Aurora_Postgresql

Enterprise-grade Aurora PostgreSQL cluster with security, monitoring, and compliance features enabled.
Architecture:

```
Aurora Cluster
├── Primary Instance (read/write) ap-south-1a
└── Replica Instance (read-only) ap-south-1b
│
KMS Encryption at rest
Secrets Manager (credentials)
Enhanced Monitoring (60s intervals)
CloudWatch Logs (postgresql, upgrade)
30-day automated backups
```
Key features:
- Multi-AZ: Primary + replica across availability zones — automatic failover
- KMS encryption: All data encrypted at rest with customer-managed key
- AWS Secrets Manager: Database credentials auto-rotated, never stored in plaintext
- Enhanced Monitoring: IAM role for fine-grained OS-level metrics
- Custom Parameter Group: `pgaudit` (audit logging) and `pg_stat_statements` (query performance) enabled
- VPC Endpoints: Secure access without internet exposure
- Backup: 30-day retention for point-in-time recovery
Deploy:

```bash
aws cloudformation create-stack \
  --stack-name aurora-postgresql \
  --template-body file://RDS_Aurora_Postgresql \
  --capabilities CAPABILITY_IAM \
  --region ap-south-1
```

Connect after deployment:

```bash
# Get connection details from Secrets Manager
aws secretsmanager get-secret-value \
  --secret-id aurora-postgresql-secret \
  --region ap-south-1

# Connect via psql
psql -h <cluster-endpoint> -U <username> -d postgres
```

## DMS

Automates database migration with minimal downtime using AWS DMS with full-load and Change Data Capture (CDC) support.
Migration modes:

| Mode | Use Case |
|---|---|
| full-load | One-time migration of all existing data |
| cdc | Continuous replication of ongoing changes |
| full-load-and-cdc | Migrate existing data AND replicate new changes (zero-downtime migration) |
Supported database engines:
- Source: Oracle, MySQL, PostgreSQL, Microsoft SQL Server, MariaDB, MongoDB
- Target: Oracle, MySQL, PostgreSQL, Microsoft SQL Server, MariaDB, Aurora
Resources created:
- DMS Replication Instance (configurable instance class)
- Replication Subnet Group (uses existing private subnets)
- Source Endpoint (existing database connection)
- Target Endpoint (new database connection)
- Replication Task with table mapping rules
- Security group allowing DMS to reach RDS on port 3306
- KMS encryption for data in transit
Table mapping example (included in template):

```json
{
  "rules": [{
    "rule-type": "selection",
    "rule-id": "1",
    "rule-name": "select-all",
    "object-locator": {
      "schema-name": "%",
      "table-name": "%"
    },
    "rule-action": "include"
  }]
}
```
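The select-all mapping above pulls in every schema and table the source user can see. As an added example that is not part of the DMS template, the following Python evaluates a mapping against a constructed source inventory (hypothetical schema and table names) to show which tables a rule set would actually select; it assumes `%` is the only wildcard and that an exclude rule overrides an include rule, as the DMS selection-rule docs describe.

```python
# Added example, not part of the DMS template: evaluate which source tables a DMS
# table mapping would migrate, so the mapping can be reviewed before the task starts.
import json
import re

# Constructed mapping: the template's select-all rule narrowed to one application
# schema, with audit tables excluded.  Schema and table names are hypothetical.
TABLE_MAPPING = json.dumps({"rules": [
    {"rule-type": "selection", "rule-id": "1", "rule-name": "app-schema",
     "object-locator": {"schema-name": "app", "table-name": "%"},
     "rule-action": "include"},
    {"rule-type": "selection", "rule-id": "2", "rule-name": "skip-audit",
     "object-locator": {"schema-name": "app", "table-name": "audit_%"},
     "rule-action": "exclude"},
]})

# Constructed inventory of the source database as (schema, table) pairs.
SOURCE_TABLES = [("app", "users"), ("app", "orders"), ("app", "audit_log"),
                 ("hr", "salaries"), ("pg_catalog", "pg_class")]


def matches(pattern, name):
    """Object-locator match; '%' is the DMS wildcard (assumed to be the only one)."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("%"))), name) is not None


def validate_rules(mapping_json):
    """Return structural problems; an empty list means the rule set is well-formed."""
    problems, seen = [], set()
    for rule in json.loads(mapping_json)["rules"]:
        rid = rule.get("rule-id")
        if rid in seen:
            problems.append("duplicate rule-id %s" % rid)
        seen.add(rid)
        if rule.get("rule-type") == "selection":
            if rule.get("rule-action") not in ("include", "exclude") or "object-locator" not in rule:
                problems.append("rule %s: selection rule needs object-locator and include/exclude" % rid)
    return problems


def selected_tables(mapping_json, tables):
    """Tables DMS would migrate: matched by an include rule and by no exclude rule."""
    rules = [r for r in json.loads(mapping_json)["rules"] if r["rule-type"] == "selection"]

    def hit(rule, schema, table):
        loc = rule["object-locator"]
        return matches(loc["schema-name"], schema) and matches(loc["table-name"], table)

    return sorted("%s.%s" % (s, t) for s, t in tables
                  if any(hit(r, s, t) for r in rules if r["rule-action"] == "include")
                  and not any(hit(r, s, t) for r in rules if r["rule-action"] == "exclude"))
```

Running `selected_tables` with the template's own `%`/`%` rule against the same inventory returns every table, including `hr.salaries` and the catalog, which is usually not what a migration should carry.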
Deploy:

```bash
aws cloudformation create-stack \
  --stack-name db-migration \
  --template-body file://DMS \
  --region ap-south-1

# Start the replication task after stack creation
aws dms start-replication-task \
  --replication-task-arn <task-arn> \
  --start-replication-task-type start-replication \
  --region ap-south-1
```

## pocdevinfra

A lightweight development/proof-of-concept environment modeled after production but simplified for lower cost.
Architecture:

```
Internet → ALB (HTTPS with ACM Certificate)
├── Host: ui.example.com → ECS Fargate (UI service)
└── Host: api.example.com → ECS Fargate (Backend service)

Private Subnet → Oracle RDS SE2 (oracle-se2)
```
Key differences from production:
- Single AZ deployment (cost-optimized for POC)
- Oracle SE2 engine (smaller licensing footprint)
- HTTPS enforced via ACM certificate with host-header-based routing
- 2 services instead of 4 (UI + Backend only)
HTTPS setup:
- ACM certificate attached to ALB HTTPS listener (port 443)
- Host-header routing: different subdomains route to different ECS services
- HTTP → HTTPS redirect configured
Deploy:

```bash
aws cloudformation create-stack \
  --stack-name poc-infra \
  --template-body file://pocdevinfra \
  --capabilities CAPABILITY_IAM \
  --region us-west-2
```

## Template comparison

| Feature | VPC | Prod_aws_infra | Aurora PG | DMS | POC |
|---|---|---|---|---|---|
| Multi-AZ | Yes | Yes | Yes | N/A | No |
| Encryption at rest | N/A | Optional | KMS | KMS | No |
| Secrets Manager | No | No | Yes | No | No |
| Container compute | No | ECS Fargate | No | No | ECS Fargate |
| Load balancer | No | ALB | No | No | ALB + ACM |
| DB engine | N/A | Oracle/PG | Aurora PG | Any | Oracle SE2 |
| Region | ap-south-1 | ap-south-1 | ap-south-1 | ap-south-1 | us-west-2 |
## Security best practices

- VPC Endpoints: ECR, S3, SSM, CloudWatch Logs accessed without leaving AWS network
- Private subnets: Databases never placed in public subnets
- Security group chaining: ECS tasks reference each other's SGs (not IP ranges)
- IAM least privilege: ECS execution role has only ECR pull + CloudWatch write
- KMS encryption: Aurora data encrypted at rest with customer-managed KMS key
- Secrets Manager: Database passwords never hardcoded, auto-rotated
- Enhanced monitoring: Real-time OS metrics on RDS with dedicated IAM role
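As an added example (not code from this repository), the following Python runs static checks for several of the practices above over a CloudFormation template loaded as a dict: no publicly accessible database, encryption at rest with a customer-managed KMS key, no hardcoded master password, and security-group ingress chained to a source security group rather than a CIDR. The sample template, resource names and key names are constructed and hypothetical.

```python
# Added example, not part of the repository's templates: static checks for the practices
# above over a CloudFormation template loaded as a dict (json.load on a JSON template).

# Constructed sample in the shape the Prod_aws_infra and Aurora templates describe;
# resource and key names here are hypothetical.
SAMPLE_TEMPLATE = {"Resources": {
    "DbSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "RDS reachable from ECS tasks only",
            "SecurityGroupIngress": [{
                "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                "SourceSecurityGroupId": {"Ref": "EcsSecurityGroup"}}],
        },
    },
    "Database": {
        "Type": "AWS::RDS::DBInstance",
        "Properties": {
            "PubliclyAccessible": False,
            "StorageEncrypted": True,
            "KmsKeyId": {"Ref": "DbKey"},
            "MasterUserPassword":
                "{{resolve:secretsmanager:aurora-postgresql-secret:SecretString:password}}",
        },
    },
}}

DB_TYPES = {"AWS::RDS::DBInstance", "AWS::RDS::DBCluster"}


def check_template(template):
    """Return (resource, finding) pairs; an empty list means every check passed."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype in DB_TYPES:
            if props.get("PubliclyAccessible") is True:
                findings.append((name, "database is publicly accessible"))
            if props.get("StorageEncrypted") is not True:
                findings.append((name, "storage is not encrypted at rest"))
            elif "KmsKeyId" not in props:
                findings.append((name, "encrypted with the AWS-owned key, not a customer-managed KMS key"))
            # Only a literal string is inspected: a Secrets Manager dynamic reference passes.
            pw = props.get("MasterUserPassword")
            if isinstance(pw, str) and not pw.startswith("{{resolve:secretsmanager:"):
                findings.append((name, "master password is hardcoded in the template"))
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if "SourceSecurityGroupId" not in rule:  # CIDR-based rule instead of SG chaining
                    findings.append((name, "ingress on port %s is not chained to a source security group" % rule.get("FromPort")))
    return findings
```

The ALB's own security group must accept traffic from the internet on 443, so it will appear in the findings; treat that one as an expected, reviewed exception rather than a defect.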
## Prerequisites

```bash
# AWS CLI configured with appropriate permissions
aws configure

# Permissions needed:
#   cloudformation:*
#   ec2:*
#   rds:*
#   ecs:*
#   iam:PassRole, iam:CreateRole, iam:AttachRolePolicy
#   kms:*
#   secretsmanager:*
#   dms:*
```