Complete GitOps Architecture - Phase 2
Production-Ready with Security, Monitoring, Compliance & DR
PHASE 2: PRODUCTION HARDENING
Built by Brian Uckert - Be-Digital.biz

Global Services & External Systems
  - Route 53: DNS + Health Checks, Failover Routing
  - CloudFront: CDN + WAF, Global Edge
  - ACM: SSL/TLS Certs, Auto Renewal
  - GitLab CI/CD: Pipeline, Source Control
  - Grafana Cloud: Metrics & Logs, Observability
  - PagerDuty: Incident Mgmt, On-Call
  - Datadog: APM (Optional Alternative)
  - us-west-2: DR Region, Standby Cluster

AWS Region: us-east-2 (Primary)

Security & Compliance Services
  - GuardDuty: Threat Detection
  - CloudTrail: Audit Logging
  - AWS Config: Compliance Tracking
  - Security Hub: Central Dashboard
  - VPC Flow Logs: Network Logs
  - Inspector: Vuln Scan, Assessment

Backup & Disaster Recovery
  - Velero: K8s Backup to S3
  - S3 Backups: Versioned, Cross-Region
  - RDS Snapshots: Automated, PITR Enabled
  - Backup Vault: Centralized Management

VPC: gitops-prod-vpc (10.1.0.0/16)
  - Internet Gateway: WAF Protected, DDoS Protection
  - Public Subnets (Multi-AZ)
    - Application Load Balancer: HTTPS (443), ACM Certificate
    - HA NAT Gateway A (us-east-2a)
    - HA NAT Gateway B (us-east-2b)
  - Private Subnets - EKS Cluster
    - EKS: gitops-prod (Auto-Scaling: 3-10 nodes)
    - Worker Nodes (HPA)
      - Application Pods: java-app (3-10 replicas), demo-app (3-10 replicas), api-app (3-10 replicas)
      - GitOps: ArgoCD, External Secrets Operator
      - Monitoring: Grafana Alloy Agents, Kube State Metrics, Node Exporter
    - Service Mesh & Policy: Istio / Linkerd, Kyverno Policies, Network Policies
    - Auto-Scaling & Control: Cluster Autoscaler, HPA Controllers, ALB Controller

AWS Managed Services (Multi-AZ HA)
  - RDS Aurora: PostgreSQL, Read Replicas
  - ElastiCache: Redis Cluster, Session Store, Caching Layer
  - AWS Secrets Manager: + KMS Encryption, Auto Rotation, IRSA Integration
  - S3 Buckets: Terraform State, Backups
  - DynamoDB: State Locking, Session Data
  - CloudWatch: Logs + Metrics, Alarms → PagerDuty
  - IAM: IRSA Roles, OIDC Provider
  - Cost Explorer: FinOps, Budget Alerts
  - Systems Manager: Parameter Store, Session Manager

EKS Control Plane (AWS Managed - Multi-AZ HA)
  - API Server • etcd • Scheduler
  - Controller Manager • Cloud Controller

Certificate Management
  - ACM: *.gitops-demo.com
  - cert-manager (Let's Encrypt)
  - Auto-renewal enabled

Data Flow Legend:
  - Internet Traffic (HTTPS)
  - Internal Application Traffic
  - AWS API Calls (IRSA)
  - Monitoring Data to Grafana Cloud
  - Cache Layer Traffic

Phase 2 Additions: HTTPS/TLS • RDS Aurora • ElastiCache • Auto-Scaling (HPA/CA) • WAF • Velero Backups • Service Mesh • Network Policies • GuardDuty • CloudTrail • Multi-Region DR