Networking & Security

Development Environment

The development environment uses a multi-tier architecture with distinct networking components designed for development and testing purposes.

Public-Facing Components

  • Admin Dashboard: The entry point for administrative functions
  • AWS Cognito: Handles authentication and user management
  • Bedrock: Provides AI model services
  • Secrets Manager: Manages sensitive configuration and credentials
  • SES: Handles email services
  • Stripe: Manages payment processing

Core Services

The core services are organized into a public subnet containing:

  1. Bot Frontend: The main user interface component
  2. API Layers:
    • Primary API Gateway for bot management
    • AI Engine API Gateway for AI-related operations
    • Admin API Gateway for administrative functions

Service Communication

The network architecture facilitates several key communication paths:

  1. Administrative Operations:

    • Admin Dashboard → API Gateway → Admin API for managing RAG and recordings
    • Authentication flow through Cognito integration
  2. User Interactions:

    • Bot Frontend → API Gateway → AI Engine for creating calls and transcriptions
    • Direct WebRTC call connections to Ultravox
    • AI Engine → API Gateway → Post Session handling
  3. Deployment Pipeline:

    • CodePipeline → ECR (Docker) for containerized deployments
  4. Data Storage:

    • RDS integration for persistent storage
    • Secure connections to various AWS services (Bedrock, SES, Secrets Manager)

Security Considerations

  • All service-to-service communication happens within the AWS infrastructure
  • Authentication and authorization are handled by AWS Cognito
  • Sensitive keys are managed through AWS Secrets Manager and Lambda environment variables

Integration Points

  1. Payment Processing:

    • Secure integration with Stripe for payment handling
    • Payment flows are managed through dedicated API endpoints
  2. Communication Services:

    • Integration with Ultravox for WebRTC call handling
    • SES for email communications
  3. AI Services:

    • Direct integration with AWS Bedrock for AI model access
    • Custom AI Engine API Gateway for specialized AI operations with Ultravox API and Bedrock

Production Environment

Note: Proposed, yet to be implemented.

The production environment implements a more sophisticated and security-hardened architecture compared to the development environment, with clear separation of public and private resources.

Network Segmentation

Public Subnet

Contains publicly accessible components and entry points:

  • Admin Dashboard: Administrative interface
  • Bot Frontend: User-facing interface
  • Amplify Applications: Hosts the frontend applications

Private Subnets

Implements defense in depth with multiple private subnets for different service layers:

  1. API Layer Private Subnet

    • Houses API Gateways behind WAF (Web Application Firewall)
    • Implements strict access controls and traffic monitoring
    • Segregates different API types (Admin, AI Engine, Post Session)
  2. Service Layer Private Subnet

    • Contains core backend services
    • Hosts Ultravox for WebRTC communication
    • Restricted access from public internet
  3. Data Layer Private Subnet

    • Houses RDS instances
    • Implements strict access controls
    • Only accessible from authorized service components
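
An added example, not part of the original design documentation: a check that security-group ingress rules follow the tier layout described above, so that each private layer admits traffic only from the layer in front of it. The group names, ports, VPC CIDR and allow list are assumptions made for illustration, and the rules are constructed sample data.

```python
import ipaddress

# Assumed VPC range; a CIDR source outside it is treated as the internet.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Assumed allow list read off the tier description above:
# internet -> API layer (through the WAF) -> service layer -> data layer.
ALLOWED_SOURCES = {"api": {"internet"}, "service": {"api"}, "data": {"service"}}

# Constructed sample rules; group names and ports are hypothetical.
SAMPLE_GROUPS = {
    "sg-api": {"tier": "api", "ingress": [
        {"port": 443, "cidr": "0.0.0.0/0"}]},
    "sg-service": {"tier": "service", "ingress": [
        {"port": 8080, "source_sg": "sg-api"},
        {"port": 8080, "cidr": "10.0.0.0/16"}]},   # whole VPC, not one tier
    "sg-data": {"tier": "data", "ingress": [
        {"port": 5432, "source_sg": "sg-service"},
        {"port": 5432, "cidr": "0.0.0.0/0"},       # database open to the internet
        {"port": 5432, "source_sg": "sg-api"}]},   # API layer skips the service layer
}


def source_tier(rule, groups):
    """Name the tier an ingress rule admits traffic from."""
    if "source_sg" in rule:
        src = groups.get(rule["source_sg"])
        return src["tier"] if src else "unknown"
    net = ipaddress.ip_network(rule["cidr"], strict=False)
    if net.version == VPC_CIDR.version and net.subnet_of(VPC_CIDR):
        return "vpc-cidr"
    return "internet"


def audit(groups):
    """Return (group, port, source tier) for each rule outside the allow list."""
    findings = []
    for name, sg in sorted(groups.items()):
        allowed = ALLOWED_SOURCES.get(sg["tier"], set())
        for rule in sg["ingress"]:
            origin = source_tier(rule, groups)
            if origin not in allowed:
                findings.append((name, rule["port"], origin))
    return findings


if __name__ == "__main__":
    for group, port, origin in audit(SAMPLE_GROUPS):
        print(f"{group}: port {port} admits traffic from '{origin}'")
```

Rules that name a whole-VPC CIDR are reported as well, because they admit every tier rather than the single layer the segmentation intends.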

Security Enhancements

  1. WAF Implementation

    • Deployed in front of all API Gateways
    • Protects against common web exploits
    • Implements rate limiting and request filtering
    • Advanced threat detection and prevention
  2. Access Control

    • AWS Cognito for robust authentication
    • Fine-grained IAM roles and policies
    • Network ACLs and Security Groups at each layer
    • Principle of least privilege enforcement
  3. Data Protection

    • Secrets Manager for sensitive data
    • Encryption at rest and in transit
    • Private subnet isolation for databases
    • Secure key management through AWS KMS

Service Communication Flows

  1. Frontend to Backend Communication

    • User/Admin → Amplify Frontend → WAF → API Gateway → Private Services
  2. Administrative Operations

    • Admin Dashboard → WAF → API Gateway → Admin API (Private Subnet) → Resources
  3. AI Operations

    • Bot Frontend → WAF → API Gateway → AI Engine (Private Subnet) → Bedrock

AWS Service Integration

  1. Core AWS Services

    • Cognito: User authentication and authorization
    • Bedrock: AI model integration
    • SES: Email service (accessed via private subnet)
    • Secrets Manager: Secure configuration storage
  2. Deployment Pipeline

    • CodePipeline in private subnet
    • ECR for Docker image storage
    • Secure artifact storage and deployment
  3. Monitoring and Logging

    • CloudWatch integration
    • VPC Flow Logs
    • WAF logs
    • API Gateway access logs

Key Differences from Development

  1. Security Layers

    • Addition of WAF for API protection
    • Strict subnet segregation
    • Enhanced network isolation
  2. Network Architecture

    • Multiple private subnets vs single public subnet
    • Controlled egress/ingress through NAT Gateways
    • Load balancing for high availability
  3. Service Placement

    • Services moved to private subnets
    • Public-facing components limited to API gateways and WAF
    • Database tier completely isolated

Best Practices Implemented

  1. Network Security

    • Defense in depth with multiple security layers
    • Network segmentation and isolation
    • Encrypted communication channels
  2. Access Management

    • Zero-trust network model
    • Role-based access control
    • Regular security audits and monitoring
  3. Scalability

    • Horizontal scaling capabilities
    • Load balancing across services
    • Auto-scaling groups implementation
    • Serverless
  4. Monitoring and Maintenance

    • Comprehensive logging with CloudWatch Logs
    • Performance monitoring
    • Automated backup and recovery procedures with S3 / warm standbys