A new standard for architecture
The Reference Architecture is an opinionated, battle-tested, best-practices way to assemble the code from the Infrastructure as Code Library into an end-to-end tech stack that includes just about everything you need: server cluster, load balancer, database, cache, network topology, monitoring, alerting, CI/CD, secrets management, VPN, and more (check out the Production Readiness Checklist to see what it takes to go to prod).
We customize the Reference Architecture to your needs, deploy into your AWS or GCP accounts, and give you 100% of the code. The whole process takes about one day for AWS! If you're interested in a Reference Architecture for GCP, Contact Us!
We also offer a CIS AWS Foundations Benchmark compliant version of the Reference Architecture. See our Compliance offering to learn more.
Get a Detailed Walkthrough of the Reference Architecture
See our blog post
How to Build an End to End Production-Grade Architecture on AWS.
An example AWS Reference Architecture. GCP Reference Architecture also
available.
How It Works
Choose your architecture options
You fill out an online web form to customize your Reference Architecture:
- Single Account or Multi-Account
- Region
- End-to-end encryption (as part of HIPAA, PCI, or other compliance programs)
- Run services on Docker using Kubernetes or ECS, or directly on EC2 Instances using ASGs
- PostgreSQL, MySQL, SQL Server, or other relational database
- Redis or Memcached
- CircleCI, Travis CI, or Jenkins
- Bastion Host or OpenVPN
- Static content storage and serving
- Serverless functions
- DNS, TLS
- Monitoring, Alerting, Log Aggregation
- Kafka, ZooKeeper, ELK, MongoDB, and many other options
We build your architecture
We translate your preferences into infrastructure code written in Terraform, Bash, Python, and Go. We put the code into your git repos and deploy it into your AWS or GCP account(s). For AWS, this takes about one day. For GCP, Contact Us!.
Learn how to use it
Use our DevOps Training Library to learn how to use your new architecture with a series of micro-videos that do an in-depth walkthrough of all the most common uses cases. Need to learn Terraform, Docker, or Packer? We have courses on those, too!
Get support
If you run into a snag, ask a question on our community support channel via Slack. Or sign up for Professional Support to chat directly with Gruntwork engineers via a private shared Slack channel or email, and guarantee a timely response.
Reference Architecture Features
Infrastructure as Code
Written in Terraform, Go, Python, and Bash. You get 100% of the code.
Production-ready
The architecture has been proven with 70+ Gruntwork customers.
Fast
Get a fully-working, best-practices tech stack in AWS in about one day!
Reliable
Designed for high availability, scalability, and durability
Secure
Network security, encryption, audit trail, server hardening, & more
Documented
Includes training videos and documentation
What's included
The Reference Architecture includes:
| Account configuration | Choose from a single or multi account/project setup where each account/project represents a distinct environment. |
|---|---|
| Network Topology | For each environment, create a VPC with multiple subnet tiers, route tables, NAT Gateways, Network ACLs, etc. |
| Server cluster | Choose from a Docker Cluster (backed by Amazon EC2 Container Service, Amazon EC2 Kubernetes Service, or Google Kubernetes Engine) or Auto Scaling Groups. |
| Load balancer | Choose your load balancer for distributing traffic across your server cluster. |
| Database | Choose a supported relational database, such as MySQL, PostgreSQL, MariaDB, Oracle, or SQL Server. |
| Cache | Choose a supported distributed cache, such as Redis or Memcached. |
| Other data stores | We have support for Kafka, ZooKeeper, MongoDB, ELK (Elasticsearch, Logstash, Kibana), SQS, Kinesis, and more. |
| Static content | Deploy your images, CSS, and JS into an S3 or GCS bucket and configure a CDN in front of it. |
| Bastion host | Choose from either a plain bastion host or an OpenVPN server as the sole entry point to your network. |
| CI server | Choose from Jenkins, CircleCI, or TravisCI. |
| Sample frontend app | A sample frontend application that shows how to package the code using Docker or Packer, how to manage configuration across multiple environments, how to store application secrets, how to do service discovery to talk to a backend app, and how to run the entire stack in the dev environment. |
| Sample backend app | A sample backend application that shows how to package the code using Docker or Packer, how to manage configuration across multiple environments, how to store application secrets, how to talk to the database and cache, and how to apply schema migrations. |
| Serverless | Optionally deploy serverless functions using Terraform. |
| Environments | Choose the isolated environments you want to create: e.g., dev, qa, stage, prod. |
|---|---|
| Encryption | Choose if you want to enable end-to-end encryption for all data at rest and in transit. Mandatory for compliance use-cases (e.g., HIPAA, PCI, SOX, etc). |
| Automated build & deployment (CI / CD) | Run a build after every commit to test your code, package it using Docker or Packer, and, for commits to certain branches or tags, automatically deploy that Docker or Packer image to specific environments. |
| Monitoring | Configure metrics in CloudWatch or StackDriver. |
| Alerting | Configure alerts on key metrics: e.g., high CPU usage on EC2 instances, too many 4xx or 5xx errors on load balancers, low disk space on your database. |
| Log aggregation | Configure all servers to send logs to a central location for easier searching and filtering. |
| DNS | Configure your domain name(s). |
| SSL/TLS | Create SSL/TLS certificates for your domain names. |
|---|---|
| Server hardening | Configure every server to run fail2ban and to automatically install critical security patches on a nightly basis. |
| SSH management | Install ssh-grunt on every server, which allows admins to grant or revoke SSH access using your identity provider (e.g., IAM, Google, Active Directory) and for each developer to be able to use their own username and SSH key to connect to servers. |
| Secrets management | Use KMS to securely encrypt and decrypt application secrets, such as database passwords. |
| Account security | Enable audit logging for all of your API calls. Create best practices IAM groups and policies for user and permissions management. |
| High Availability | All aspects of the architecture are designed for high availability: e.g., all servers are deployed across multiple Availability Zones; load balancers perform health checks and automatically replace failed servers; the load balancers themselves run multiple servers and do automatic failover; the database and cache can also do automatic failover to standby servers in another Availability Zone; data is automatically backed up on a nightly basis. |
|---|---|
| Scalability | All aspects of the architecture support easy vertical and horizontal scalability: e.g., you can use auto scaling policies to resize the server cluster in response to load; the load balancers will automatically scale up and down in response to load; you can configure read replicas for your database and cache. |
| Infrastructure as code | You get 100% of the source code for everything in the Reference Architecture. It is written using a variety of tools, including Terraform, Packer, Docker, Go, Python, and Bash. |
| Documentation | Comprehensive written and video documentation of everything included in the Reference Architecture. |
Read our blog post How to Build an End to End Production-Grade Architecture on AWS for an overview of what is included.
Pricing
Check out the Pricing page for details. Please note that to use the Reference Architecture, you must be a Gruntwork Subscriber.