Secure Payment Processing — AWS Architecture

↗ Click a flow step to highlight the request path

Select a flow step above to trace the request path through the architecture. Hover over any component to see its details.

📊

CloudWatch

Logs · Metrics · Alarms

👤

Users / Clients

Web · Mobile · HTTPS

──▶

🌐

Internet Gateway

igw-tannu

──▶

⚖️

Application Load Balancer

HTTPS :443 · alb-sg · Public Subnets AZ1 + AZ2

🔒 alb-sg: HTTPS from 0.0.0.0/0

🏗 tannu-vpc — 10.0.0.0/16

SSH from My IP only

🖥

Bastion Host

EC2 · Public Subnet · SSH :22

🔒 bastion-sg

Availability Zone 1 — eu-north-1a

Public Subnet

10.0.1.0/24

⚖️

ALB Node

10.0.1.x

Private App Subnet

10.0.3.0/24

🖥

EC2 Backend

Auto Scaling · HTTP :80 from ALB · SSH :22 from Bastion

🔒 ec2-sg

Private DB Subnet

10.0.5.0/24

🗄

RDS Primary

MySQL/PostgreSQL · Multi-AZ

🔒 db-sg

Availability Zone 2 — eu-north-1b

Public Subnet

10.0.2.0/24

⚖️

ALB Node

10.0.2.x

Private App Subnet

10.0.4.0/24

🖥

EC2 Backend

Auto Scaling · HTTP :80 from ALB · SSH :22 from Bastion

🔒 ec2-sg

Private DB Subnet

10.0.6.0/24

🗄

RDS Standby

MySQL/PostgreSQL · Multi-AZ Replica

🔒 db-sg

Incoming Traffic (HTTPS)

Internal App Traffic (HTTP)

Database Traffic (TCP)

Response Flow (HTTPS)

Public Subnet

Private Subnet

DB Subnet

🔒 Security Group Rules

alb-sg

✅ Inbound: HTTPS :443 from 0.0.0.0/0

✅ Inbound: HTTP :80 from 0.0.0.0/0 (redirect)

→ Outbound: HTTP :80 to ec2-sg

ec2-sg

✅ Inbound: HTTP :80 from alb-sg only

✅ Inbound: SSH :22 from bastion-sg only

→ Outbound: DB port to db-sg

db-sg

✅ Inbound: :3306/:5432 from ec2-sg only

🚫 No public internet access

→ Isolated in private DB subnet

bastion-sg

✅ Inbound: SSH :22 from My IP only

🚫 No other inbound allowed

→ Outbound: SSH :22 to ec2-sg