Production-grade Kubernetes microservices architecture on AWS EKS, with CI/CD, monitoring, and SRE automation.
```
Internet → ALB → Frontend (Node.js)
                        ↓
                 API Gateway (Node.js)
                        ↓
               Backend Service (Node.js)
```
- Compute: AWS EKS 1.34 (Spot instances)
- Container Registry: Amazon ECR
- Monitoring: Prometheus + Grafana
- CI/CD: GitHub Actions
- IaC: Terraform
- Security: IMDSv2, IRSA, Network Policies, Non-root containers, ECR image scanning
```
├── terraform/           # Infrastructure as Code
├── microservices/       # Application source code
│   ├── frontend/        # Web UI (Express + HTML)
│   ├── api-gateway/     # API routing & aggregation
│   └── backend-service/ # Business logic & data
├── k8s/                 # Kubernetes manifests
└── .github/workflows/   # CI/CD pipelines
```
| Service | Port | Description |
|---|---|---|
| frontend | 3002 | Web UI, serves HTML, proxies API calls |
| api-gateway | 3001 | Routes requests, aggregates health checks |
| backend-service | 3000 | Product catalog API, business logic |
- AWS CLI configured
- Terraform >= 1.5
- kubectl
- Docker
```bash
cd terraform
terraform init
terraform plan
terraform apply
```

```bash
# Login to ECR (region must match the registry in the image URL)
aws ecr get-login-password --region ap-southeast-1 | docker login --username AWS --password-stdin <account-id>.dkr.ecr.ap-southeast-1.amazonaws.com

# Build & push (tags are immutable in ECR, so each release needs a new tag)
docker build -t <ecr-url>/backend-service:v1.0.0 microservices/backend-service/
docker push <ecr-url>/backend-service:v1.0.0

# Deploy to EKS
kubectl apply -f k8s/microservices.yaml
```

- Grafana: Available via LoadBalancer (namespace: monitoring)
- Prometheus: Scrapes `/metrics` from all services
- Alertmanager: Configured for alerting
- EKS secrets encrypted at rest
- Worker nodes in private subnets
- IMDSv2 enforced (session-token metadata access, so an SSRF bug in a service cannot simply GET the node's instance credentials)
- IRSA for pod-level IAM (each service assumes its own role; no shared node credentials)
- ECR immutable tags + scan on push (a pushed tag cannot be silently overwritten with a different image)
- Network policies restrict pod-to-pod traffic
- Non-root containers
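The manifest below is an added example of how the last three items (IRSA, network policies, non-root containers) fit together for one service; it is not a copy of the repo's own `k8s/microservices.yaml`. The namespace name `microservices`, the `app:` labels, the IAM role name `backend-service-irsa` and the `<account-id>` placeholder are assumptions; the ports match the service table above, and the Prometheus scrape rule matches the `monitoring` namespace mentioned earlier. The same per-service policy pattern would be repeated for `frontend` and `api-gateway`.

```yaml
# Added example (not from this repo): default deny for the namespace, a per-service
# NetworkPolicy for backend-service, and a non-root Deployment bound to an IRSA role.
# Namespace, labels and the role ARN are assumed; ports follow the service table.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: microservices
spec:
  podSelector: {}                 # selects every pod in the namespace
  policyTypes: [Ingress, Egress]  # no rules => nothing allowed until a policy opens it
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-service
  namespace: microservices
spec:
  podSelector:
    matchLabels: {app: backend-service}
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - podSelector:
            matchLabels: {app: api-gateway}   # only the gateway may call the product API
      ports:
        - {protocol: TCP, port: 3000}
    - from:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: monitoring}  # Prometheus /metrics scrape
      ports:
        - {protocol: TCP, port: 3000}
  egress:
    - to:                                     # CoreDNS in kube-system
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: kube-system}
          podSelector:
            matchLabels: {k8s-app: kube-dns}
      ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
    - to:                                     # HTTPS to AWS APIs (STS for IRSA, etc.)
        - ipBlock:
            cidr: 0.0.0.0/0
            except: [169.254.169.254/32]      # never let the pod reach the node IMDS
      ports:
        - {protocol: TCP, port: 443}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: backend-service
  namespace: microservices
  annotations:
    # IRSA: the pod identity webhook projects a web identity token and exchanges it for this role
    eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/backend-service-irsa
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend-service
  namespace: microservices
spec:
  replicas: 2
  selector:
    matchLabels: {app: backend-service}
  template:
    metadata:
      labels: {app: backend-service}
    spec:
      serviceAccountName: backend-service     # pod-level IAM, not the node role
      securityContext:
        runAsNonRoot: true                    # kubelet refuses to start the pod as UID 0
        runAsUser: 10001
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile: {type: RuntimeDefault}
      containers:
        - name: backend-service
          image: <account-id>.dkr.ecr.ap-southeast-1.amazonaws.com/backend-service:v1.0.0
          ports:
            - containerPort: 3000
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: {drop: [ALL]}
          volumeMounts:
            - {name: tmp, mountPath: /tmp}    # writable scratch space for Node.js
          resources:
            requests: {cpu: 100m, memory: 128Mi}
            limits: {memory: 256Mi}
      volumes:
        - name: tmp
          emptyDir: {}
```

Two caveats a practitioner should check before relying on this: NetworkPolicy objects are only enforced when the cluster runs a policy-capable CNI (the VPC CNI with network policy enabled, or Calico); without one the default-deny is silently a no-op, which you can confirm by exec-ing into a pod without an allow rule and attempting a connection. Second, when the ALB targets pod IPs directly (AWS Load Balancer Controller in IP mode), the `frontend` policy must allow ingress on 3002 from the ALB subnets' CIDRs, not from a pod selector, or health checks will fail as soon as the default deny is applied.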
Abdul Hakim — Cloud/DevOps Engineer