Cityworks AWS Production Network Architecture
About This Architecture
The Cityworks production network on AWS spans three architectural layers (core, distribution, and access), with an internet-facing Application Load Balancer routing traffic and a Transit Gateway connecting the VPC to on-premises infrastructure. The VPC (10.0.0.0/16) distributes workloads across two availability zones: public subnets host a bastion, a PowerBI gateway, and a public works queries server, while private subnets isolate SQL Server and PostgreSQL RDS instances with Multi-AZ standby replicas. Security is enforced via layered security groups (BastionSecurityGroup, ServerSecurityGroup, UserManagerDBSg, EFSSecurityGroup), GuardDuty threat detection, and VPC endpoints, with S3 backup buckets and access logging for compliance. This architecture demonstrates a high-availability hybrid cloud design with clear blast radius isolation and cross-AZ failover. Fork and customize this diagram on Diagrams.so to adapt the Transit Gateway attachment, subnet CIDR ranges, or instance types for your own production environment.
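The layered security groups above only give blast-radius isolation if each tier admits traffic solely from the tier in front of it (admin range to bastion, bastion and load balancer to servers, servers to databases). The following audit script is an added example, not part of the Diagrams.so page or of Cityworks' own tooling. It takes the group names from the description; the ports (22 for the bastion, 443 for the application tier, 1433 for SQL Server, 5432 for PostgreSQL), the admin CIDR, the `sg-alb` load balancer group and the sample group IDs are assumptions. The input mirrors the shape of `boto3`'s `describe_security_groups()` response so the same checker can be pointed at a real account's output.

```python
"""Audit a set of security groups against a least-privilege layering policy.

Added example (not Diagrams.so or Cityworks code). Group names come from the
architecture description; ports, CIDRs, group IDs and the sg-alb group are
assumptions made for illustration.
"""
from typing import Dict, List, Set

ADMIN_CIDR = "203.0.113.0/24"  # assumed corporate egress range (TEST-NET-3)

# Constructed sample, modelled on describe_security_groups()["SecurityGroups"].
# The 0.0.0.0/0 rule on the database group is a deliberate misconfiguration
# so the audit has something to find.
SECURITY_GROUPS: List[Dict] = [
    {"GroupId": "sg-bastion", "GroupName": "BastionSecurityGroup",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": ADMIN_CIDR}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-server", "GroupName": "ServerSecurityGroup",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}]},
    {"GroupId": "sg-db", "GroupName": "UserManagerDBSg",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],  # deliberate finding
          "UserIdGroupPairs": [{"GroupId": "sg-server"}]},
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-server"}]}]},
]

# Policy: the only sources each tier may accept ingress from.
EXPECTED_SOURCES: Dict[str, Dict[str, Set[str]]] = {
    "BastionSecurityGroup": {"cidrs": {ADMIN_CIDR}, "groups": set()},
    "ServerSecurityGroup": {"cidrs": set(), "groups": {"sg-bastion", "sg-alb"}},
    "UserManagerDBSg": {"cidrs": set(), "groups": {"sg-server"}},
}


def describe_ports(perm: Dict) -> str:
    """Render a permission's port range; IpProtocol -1 has no port fields."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    return f"{perm['FromPort']}-{perm['ToPort']}/{perm['IpProtocol']}"


def audit(groups: List[Dict], policy: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """Return one finding per ingress source that the layering policy forbids."""
    findings: List[str] = []
    for sg in groups:
        name = sg["GroupName"]
        allowed = policy.get(name)
        if allowed is None:
            findings.append(f"{name}: no layering policy defined")
            continue
        for perm in sg["IpPermissions"]:
            ports = describe_ports(perm)
            for rng in perm.get("IpRanges", []):
                cidr = rng["CidrIp"]
                if cidr == "0.0.0.0/0":
                    findings.append(f"{name}: {ports} open to the internet")
                elif cidr not in allowed["cidrs"]:
                    findings.append(f"{name}: {ports} from unexpected CIDR {cidr}")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in allowed["groups"]:
                    findings.append(
                        f"{name}: {ports} from unexpected group {pair['GroupId']}")
    return findings


if __name__ == "__main__":
    for line in audit(SECURITY_GROUPS, EXPECTED_SOURCES):
        print(line)
```

Run against the constructed sample, the audit reports only the database tier's internet-exposed SQL Server port; the bastion-to-server and server-to-database references pass because security-group references, not CIDRs, define the chain.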
People also ask
How do you design a production AWS network with on-premises hybrid connectivity, Multi-AZ database failover, and security group isolation?
Cityworks' architecture uses a Transit Gateway to bridge on-premises and AWS, an internet-facing ALB in public subnets for ingress, private subnets for RDS Multi-AZ instances (SQL Server and PostgreSQL), and layered security groups (BastionSecurityGroup, ServerSecurityGroup, UserManagerDBSg) to enforce least-privilege access. GuardDuty and CloudWatch provide threat detection and monitoring across
- Domain: Cloud AWS
- Audience: AWS solutions architects designing multi-tier production networks with hybrid connectivity
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.