FAQs

AWS Deep Dive

What does Coherence do with my AWS cloud account?

  • Depending on the coherence.yml provided, various resources will be deployed into your AWS account.
  • You always have the option to delete the entire infrastructure with one click in your Coherence app's settings page.
  • The estimated cost for resources is described here.

By default, your application is deployed in us-east-1. We can change the region on our side; let us know if you would like to deploy to another region.

Coherence deploys your production environment into a separate AWS account, so if you configure a production environment for your application you will have a second set of many of the resources below in that account.

Resources Used

Networking

  • A unique VPC is configured for each application; multiple services in one application share that VPC.
    • Each VPC has both a public and a private subnet. ECS tasks are provisioned in the private subnet and reach the rest of the network and the internet through a NAT Gateway, so they have no inbound path from the internet: traffic reaches them only through the load balancer (or the bastion host described under Security & Configuration).
  • Route53 is used for DNS.
    • By default, a subdomain of coherencesites.com is allocated to each application. We delegate that subdomain from our DNS provider by pointing its NS records at the name servers of the Route53 hosted zone in your account.
    • Custom domains (per-environment) are also supported. In that case you delegate the domain to the Route53 hosted zone yourself, by adding NS records at your own DNS provider that point to the zone's name servers.
  • ACM Certificates are used for secure HTTPS connections.
  • An ALB and ALB Listener route traffic to the backend services deployed on ECS; an ALB Target Group maps to the ECS services and manages their health checks.
  • CloudFront distributions serve the frontend services hosted on S3. They are also placed in front of backend services for traffic routing, but CDN (caching) functionality is not enabled by default for backend service types.
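As an added example (not Coherence's code or documentation), here is a check a practitioner can run to confirm the subnet layout described above: it classifies each subnet as public, private or isolated from the route table it uses, then verifies that an ECS service is placed only in private subnets with no public IP assigned. The data is constructed here in the shape boto3 returns from ec2.describe_route_tables and ecs.describe_services; the IDs and service names are invented.

```python
"""Verify that ECS services sit in private (NAT-routed) subnets, not public ones.

The sample data below is constructed for this example in the shape that boto3
returns from ec2.describe_route_tables()["RouteTables"] and
ecs.describe_services()["services"]; every ID is invented.
"""

# Constructed route tables: one public (default route to an internet gateway),
# one private (default route to a NAT gateway), and the VPC main table with no
# default route at all, which any subnet without an explicit association uses.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-pub-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-priv-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
]
SUBNET_IDS = ["subnet-pub-a", "subnet-priv-a", "subnet-iso-a"]

# Constructed ECS services: one placed correctly, one that would expose its tasks.
GOOD_SERVICE = {
    "serviceName": "api",
    "networkConfiguration": {
        "awsvpcConfiguration": {"subnets": ["subnet-priv-a"], "assignPublicIp": "DISABLED"}
    },
}
BAD_SERVICE = {
    "serviceName": "worker",
    "networkConfiguration": {
        "awsvpcConfiguration": {"subnets": ["subnet-pub-a", "subnet-priv-a"], "assignPublicIp": "ENABLED"}
    },
}


def default_route_target(route_table):
    """Return the gateway ID the active 0.0.0.0/0 route points at, or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State", "active") == "active":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def classify_subnets(subnet_ids, route_tables):
    """Map each subnet ID to 'public', 'private', 'isolated' or 'other'.

    A subnet with no explicit association falls back to the VPC's main route table.
    """
    main = next(
        (rt for rt in route_tables if any(a.get("Main") for a in rt.get("Associations", []))),
        None,
    )
    explicit = {
        a["SubnetId"]: rt
        for rt in route_tables
        for a in rt.get("Associations", [])
        if "SubnetId" in a
    }
    kinds = {}
    for subnet_id in subnet_ids:
        table = explicit.get(subnet_id, main)
        target = default_route_target(table) if table else None
        if target is None:
            kinds[subnet_id] = "isolated"   # no route out of the VPC at all
        elif target.startswith("igw-"):
            kinds[subnet_id] = "public"     # directly reachable from the internet
        elif target.startswith("nat-"):
            kinds[subnet_id] = "private"    # egress only, via the NAT gateway
        else:
            kinds[subnet_id] = "other"      # e.g. transit gateway or peering
    return kinds


def check_service_network(service, subnet_kinds):
    """Return findings for an ECS service that is not confined to private subnets."""
    name = service["serviceName"]
    cfg = service.get("networkConfiguration", {}).get("awsvpcConfiguration", {})
    findings = []
    for subnet_id in cfg.get("subnets", []):
        kind = subnet_kinds.get(subnet_id, "unknown")
        if kind != "private":
            findings.append(f"{name}: subnet {subnet_id} is {kind}, expected private")
    if cfg.get("assignPublicIp") == "ENABLED":
        findings.append(f"{name}: assignPublicIp is ENABLED, tasks get a public address")
    return findings


if __name__ == "__main__":
    kinds = classify_subnets(SUBNET_IDS, ROUTE_TABLES)
    for service in (GOOD_SERVICE, BAD_SERVICE):
        for line in check_service_network(service, kinds) or [f"{service['serviceName']}: ok"]:
            print(line)
```

Against a live account, replace the constructed lists with the `RouteTables` and `services` lists returned by boto3 (the subnet IDs come from ec2.describe_subnets filtered by the application's VPC); the classification logic is unchanged.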

Build & Deploy

  • CodeBuild builds the container images and runs build steps such as asset compilation and tests for the backend and frontend services. It also manages the ECS tasks spawned from a build to run jobs such as seeding or database migrations.
  • CodePipeline is used for continuous integration and deployment of the services.

Data Storage

Each AWS environment in Coherence gets its own RDS instance and its own ElastiCache (Redis) instance. For production, you can instead provide the name of an existing RDS instance and we will configure your app to use it; we generally recommend this as a best practice. See the coherence.yml docs for more details.

Aurora & Dynamo

Our future roadmap includes support for Aurora databases as well as DynamoDB tables, talk to us to learn more about beta testing these resource types!

  • S3 is used in two ways.
    • Storing the enriched source code that Coherence uploads to AWS each time you push to an environment (a shallow clone of your repo plus our generated configuration files).
    • Backing an object storage resource type that you configure in coherence.yml for a service. In this case, we also add the appropriate IAM permissions to the service's IAM role and inject the bucket name via environment variables.
  • An RDS DB instance holds the application's database. RDS Proxy is used with supported Postgres versions to pool connections. By default, backups and high availability (Multi-AZ) are not configured and the instance class is a micro; changing these in the AWS console or with the CLI will not be treated as drift, so enable automated backups and Multi-AZ yourself for a production database.
  • ElastiCache provides managed Redis instances to the application.

Container Orchestration

  • An ECS Fargate cluster and task definitions run the backend services, including scheduled tasks (cron) and private workers. Fargate Spot capacity is used automatically for PR preview environments; note that Spot tasks can be interrupted by AWS with short notice.
  • An Application Auto Scaling policy and target scale the backend services on ECS automatically.

Observability & Monitoring

  • CloudWatch log groups and metric alarms provide logging and monitoring for the backend services; the metric alarms also drive the ECS autoscaling rules.

Security & Configuration

  • Secrets Manager stores the environment variables.
  • IAM roles and policies grant permissions to the services. Distinct identities with minimal permissions are provisioned for each app component, such as building, deploying, and running the application.
  • These roles are assumed by the workloads themselves (the ECS tasks and the build and deploy jobs) at runtime, so no long-lived access keys or key files are created or distributed.
  • EC2 provides a bastion host so that resources inside the VPC can be reached from outside it, from either your local network or Coherence's toolboxes. Because the bastion is an internet-facing entry point into the VPC, review its security group ingress rules and limit them to the source addresses that need access.
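The two defaults a practitioner will most want to verify after a deploy are the database settings described under Data Storage (no backups, no Multi-AZ) and the exposure of the bastion host above. The following audit is an added example, not Coherence's code: it runs over objects constructed here in the shape boto3 returns from rds.describe_db_instances and ec2.describe_security_groups, flags the weak settings, and builds the rds.modify_db_instance arguments that fix the database findings. All identifiers and the allowed source range are invented.

```python
"""Audit an RDS instance's backup/HA defaults and a bastion security group.

Sample objects are constructed for this example in the shape boto3 returns from
rds.describe_db_instances()["DBInstances"] and
ec2.describe_security_groups()["SecurityGroups"]; every identifier is invented.
"""
import ipaddress

# Constructed RDS instance with the defaults described on this page.
RDS_INSTANCE = {
    "DBInstanceIdentifier": "app-prod", "DBInstanceClass": "db.t3.micro",
    "BackupRetentionPeriod": 0, "MultiAZ": False, "DeletionProtection": False,
    "PubliclyAccessible": False, "StorageEncrypted": True,
}

# Constructed bastion security group that accepts SSH from anywhere.
BASTION_SG = {
    "GroupId": "sg-0bastion", "GroupName": "bastion",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}],
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
    }],
}

# Hypothetical office/VPN range that is allowed to reach the bastion.
ALLOWED_SOURCES = ["203.0.113.0/24"]


def audit_rds(db):
    """Return findings for settings a production database should not run with."""
    name = db["DBInstanceIdentifier"]
    findings = []
    if db.get("BackupRetentionPeriod", 0) == 0:
        findings.append(f"{name}: automated backups disabled (BackupRetentionPeriod=0)")
    if not db.get("MultiAZ", False):
        findings.append(f"{name}: Multi-AZ disabled, no standby for failover")
    if not db.get("DeletionProtection", False):
        findings.append(f"{name}: DeletionProtection disabled")
    if db.get("PubliclyAccessible", False):
        findings.append(f"{name}: PubliclyAccessible is True")
    if not db.get("StorageEncrypted", False):
        findings.append(f"{name}: storage is not encrypted at rest")
    return findings


def rds_hardening_params(db, retention_days=7):
    """Kwargs for rds.modify_db_instance covering only the fields that need changing."""
    params = {}
    if db.get("BackupRetentionPeriod", 0) == 0:
        params["BackupRetentionPeriod"] = retention_days
    if not db.get("MultiAZ", False):
        params["MultiAZ"] = True
    if not db.get("DeletionProtection", False):
        params["DeletionProtection"] = True
    if params:
        params["DBInstanceIdentifier"] = db["DBInstanceIdentifier"]
    return params


def _is_allowed(cidr, allowed):
    """True if `cidr` lies entirely inside one of the allowed networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    for allowed_cidr in allowed:
        allowed_net = ipaddress.ip_network(allowed_cidr, strict=False)
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True
    return False


def audit_bastion_sg(sg, allowed_sources, port=22):
    """Return findings for ingress rules reaching `port` from outside the allow-list."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        # Protocol "-1" means all traffic and carries no port range.
        covers_port = proto == "-1" or (
            proto == "tcp" and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
        )
        if not covers_port:
            continue
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            if not _is_allowed(cidr, allowed_sources):
                findings.append(f"{sg['GroupId']}: port {port} open to {cidr}")
    return findings


if __name__ == "__main__":
    for line in audit_rds(RDS_INSTANCE) + audit_bastion_sg(BASTION_SG, ALLOWED_SOURCES):
        print(line)
    print("modify_db_instance params:", rds_hardening_params(RDS_INSTANCE))
```

Against a live account, feed the dictionaries from boto3 straight in; because the page states that changing backups and Multi-AZ outside Coherence is not treated as drift, applying `rds_hardening_params` via `rds.modify_db_instance(**params)` is safe to do from your side.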

Diagram

(Image: AWS infrastructure diagram)
