Portfolio

OVERVIEW

Infrastructure Architecture & System Flow

Web Architecture

A production-grade, server-side rendered application engineered for high availability, zero-downtime deployments, and edge-optimized delivery. Built to demonstrate absolute control over cloud infrastructure.

Frontend: Next.js • TypeScript
Cloud: AWS EC2 • CloudFront • DynamoDB
Network: VPC • Route 53 • Elastic IP
DevOps: Docker • GitHub Actions • SSM
IaC: Terraform (AWS 6.x)
Security: Cognito • ACM • Prefix List SG

Why This Architecture Matters

Technical decisions translated into real business outcomes.

Security: Zero-SSH / Secret Manager

Reduced attack surface: no SSH listener and no SSH keys on the server. Operator access and deployments go through AWS Systems Manager under narrowly scoped IAM policies, and the one secret the instance needs (the registry token) is read from Parameter Store at deploy time rather than baked into the image or the pipeline.

Reliability: IaC (Terraform)

System stability: the entire environment can be rebuilt from the repository with the same result every time, so disaster recovery is a terraform apply rather than a runbook of console clicks.

Performance: Edge Computing (CloudFront)

User experience: cached responses are served from the CloudFront edge location nearest the visitor; only uncached dynamic requests travel to the single EC2 origin.

Cost & Efficiency: CI/CD Automation

Reduced overhead: manual intervention and server management time are minimized. Automated pipelines allow for continuous delivery and rapid iteration.

Zone 1: The Edge

Global Delivery

  • CloudFront: Custom cache policy that adds the RSC, Next-Router-Prefetch and Next-Router-State-Tree headers to the cache key, so an App Router flight payload and the HTML for the same path are cached as separate objects instead of poisoning each other.
  • Route 53: A dedicated origin.toey-sawatdee.me A record points straight at the Elastic IP, so CloudFront reaches EC2 directly instead of resolving the apex name back to the distribution itself.
  • ACM: TLS 1.2+ enforced at the edge (SNI-only), with the certificate issued in us-east-1 because CloudFront only accepts ACM certificates from that region.
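The three edge controls above, written out as an added Terraform example (not the site's own configuration): a cache policy keyed on the Next.js App Router headers, an ACM certificate requested through a us-east-1 provider alias, and a distribution whose origin is the dedicated origin hostname. The hostnames come from the page; the resource labels, var.origin_secret and the X-Origin-Verify header are assumptions added here because the CloudFront prefix list alone admits traffic from any CloudFront distribution, not just this one.

```hcl
# Added example, not the site's own Terraform. Assumed: resource labels,
# var.origin_secret and the X-Origin-Verify header the origin is expected to check.

provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1" # CloudFront only accepts ACM certificates issued here
}

variable "origin_secret" {
  type        = string
  sensitive   = true
  description = "Shared secret sent to the origin in X-Origin-Verify (assumption)"
}

resource "aws_acm_certificate" "edge" {
  provider          = aws.us_east_1
  domain_name       = "toey-sawatdee.me"
  validation_method = "DNS"
  lifecycle { create_before_destroy = true }
}

resource "aws_cloudfront_cache_policy" "nextjs_app_router" {
  name        = "nextjs-app-router"
  min_ttl     = 0
  default_ttl = 0 # the origin's Cache-Control decides what is cacheable
  max_ttl     = 31536000

  parameters_in_cache_key_and_forwarded_to_origin {
    enable_accept_encoding_brotli = true
    enable_accept_encoding_gzip   = true
    headers_config {
      header_behavior = "whitelist"
      headers {
        # Next.js varies the response body on these. Without them in the key, a
        # cached RSC flight payload would be served to a browser asking for HTML
        # on the same path (and vice versa).
        items = ["RSC", "Next-Router-Prefetch", "Next-Router-State-Tree"]
      }
    }
    cookies_config { cookie_behavior = "none" }            # never key or cache on session cookies
    query_strings_config { query_string_behavior = "all" }
  }
}

# Forward the remaining viewer headers/cookies to the SSR origin without caching on them.
data "aws_cloudfront_origin_request_policy" "all_viewer" {
  name = "Managed-AllViewer"
}

resource "aws_cloudfront_distribution" "site" {
  enabled         = true
  is_ipv6_enabled = true
  aliases         = ["toey-sawatdee.me"]

  origin {
    origin_id   = "ec2-origin"
    domain_name = "origin.toey-sawatdee.me" # A record -> Elastic IP, never the CloudFront alias
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "http-only" # matches the port-80 origin described on the page
      origin_ssl_protocols   = ["TLSv1.2"]
    }
    # The prefix-list security group proves a request came from CloudFront, not
    # from THIS distribution; the origin should reject requests missing this header.
    custom_header {
      name  = "X-Origin-Verify"
      value = var.origin_secret
    }
  }

  default_cache_behavior {
    target_origin_id         = "ec2-origin"
    viewer_protocol_policy   = "redirect-to-https"
    allowed_methods          = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods           = ["GET", "HEAD"]
    cache_policy_id          = aws_cloudfront_cache_policy.nextjs_app_router.id
    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer.id
    compress                 = true
  }

  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate.edge.arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }

  restrictions {
    geo_restriction { restriction_type = "none" }
  }
}
```

The certificate still needs the usual aws_acm_certificate_validation step and Route 53 validation records before the distribution will accept it; those are omitted here for length. The origin-side check of X-Origin-Verify belongs in the Next.js middleware, before the authentication step the Compute Core section describes.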

Zone 2: Compute Core

AWS EC2 (t3.micro)

  • Security Group: Port 80 ingress allowed only from the CloudFront managed prefix list; no port 22 rule, no direct access to the Elastic IP. Two caveats a reviewer will raise: the prefix list proves traffic came from CloudFront, not from this particular distribution, and the CloudFront-to-origin hop is plain HTTP, so TLS terminates at the edge.
  • Docker: Full environment isolation; the standalone Next.js output listens on internal port 3000, mapped to host port 80.
  • Next.js SSR: Server-side rendering for dynamic routes, with middleware-level authentication evaluated before any page renders.
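The origin security group from the bullets above, plus the Elastic IP and the origin A record from Zone 1, as an added Terraform example (not the site's own code). AWS maintains the prefix list, so the rule tracks CloudFront's address ranges without manual updates. Assumed: var.vpc_id, var.instance_id, var.zone_id and the resource labels.

```hcl
# Added example, not the site's own Terraform. Assumed: var.vpc_id, var.instance_id,
# var.zone_id and the resource labels.

variable "vpc_id"      { type = string }
variable "instance_id" { type = string } # the t3.micro the Elastic IP is attached to
variable "zone_id"     { type = string } # Route 53 hosted zone for toey-sawatdee.me

# AWS-maintained list of CloudFront origin-facing ranges.
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

resource "aws_security_group" "origin" {
  name        = "portfolio-origin"
  description = "Next.js origin: HTTP from CloudFront only, no SSH"
  vpc_id      = var.vpc_id
}

# The only inbound rule. Nothing for 22, nothing for 0.0.0.0/0.
resource "aws_vpc_security_group_ingress_rule" "http_from_cloudfront" {
  security_group_id = aws_security_group.origin.id
  description       = "HTTP from CloudFront edge locations only"
  ip_protocol       = "tcp"
  from_port         = 80
  to_port           = 80
  prefix_list_id    = data.aws_ec2_managed_prefix_list.cloudfront.id
  # This prefix list has a weight of 55 against the default quota of 60 rules
  # per security group, so keep the group otherwise minimal.
}

# Outbound is needed for SSM Agent, dnf updates and pulling the image from GHCR.
resource "aws_vpc_security_group_egress_rule" "all_out" {
  security_group_id = aws_security_group.origin.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}

resource "aws_eip" "origin" {
  domain = "vpc"
}

resource "aws_eip_association" "origin" {
  instance_id   = var.instance_id
  allocation_id = aws_eip.origin.id
}

# Dedicated origin hostname that resolves to the Elastic IP, so CloudFront never
# resolves the apex name back to itself.
resource "aws_route53_record" "origin" {
  zone_id = var.zone_id
  name    = "origin.toey-sawatdee.me"
  type    = "A"
  ttl     = 60
  records = [aws_eip.origin.public_ip]
}
```

Because the origin hostname is public DNS, anyone can learn the Elastic IP; the security group is what makes that knowledge useless for a direct connection.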

Zone 3: Serverless Backend

Decoupled Microservices

  • Cognito: User-pool identity with SRP sign-in (the password itself never leaves the client) and JWTs that gate the application routes.
  • Lambda: Telemetry is ingested asynchronously so the EC2 render path never waits on it.
  • DynamoDB: On-demand NoSQL storage for rapid network state tracking.

Zone 4: CI/CD Automation

Zero-SSH Deployment

  • Multi-stage Build: Optimized standalone output reduces the container image to ~69MB, pushed to GHCR.
  • GitHub Actions: Automated pipelines build the Docker image and trigger a deployment on every verified merge to main.
  • SSM Run Command: Zero-SSH deployment. The pipeline invokes a Run Command on the instance, and the instance fetches the GHCR token from SSM Parameter Store at deploy time, so the token never transits the pipeline and no SSH keys exist on the server.
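The deployment path the three bullets above describe, as an added Terraform example (not the site's own pipeline or infrastructure code): an SSM Command document that the GitHub Actions job invokes with send-command, and an IAM policy for the role the job assumes that can run only this document and only on instances tagged App=portfolio. The image is passed by digest, not by tag, so what was built is what gets run. Assumed: the parameter name /portfolio/ghcr_token, the App=portfolio tag, var.deploy_role_name and the resource labels.

```hcl
# Added example, not the site's own code. Assumed: /portfolio/ghcr_token,
# the App=portfolio instance tag, var.deploy_role_name and the labels.

variable "deploy_role_name" { type = string } # role the GitHub Actions job assumes

data "aws_caller_identity" "current" {}
data "aws_region" "current" {} # .region is the provider 6.x attribute (.name on 5.x)

resource "aws_ssm_parameter" "ghcr_token" {
  name  = "/portfolio/ghcr_token"
  type  = "SecureString"       # encrypted with the aws/ssm managed key
  value = "set-out-of-band"    # real value is written outside Terraform state
  lifecycle { ignore_changes = [value] }
}

resource "aws_ssm_document" "deploy" {
  name            = "portfolio-deploy"
  document_type   = "Command"
  document_format = "JSON"

  content = jsonencode({
    schemaVersion = "2.2"
    description   = "Pull a digest-pinned image from GHCR and restart the container"
    parameters = {
      GhcrUser = { type = "String", allowedPattern = "^[A-Za-z0-9-]+$" }
      ImageRef = {
        type           = "String"
        description    = "ghcr.io/<owner>/<repo>@sha256:<digest>, emitted by the build job"
        allowedPattern = "^ghcr\\.io/[a-z0-9-]+/[a-z0-9._-]+@sha256:[0-9a-f]{64}$"
      }
    }
    mainSteps = [{
      action = "aws:runShellScript"
      name   = "deploy"
      inputs = {
        timeoutSeconds = "300"
        runCommand = [
          "set -euo pipefail",
          # Token is read on the instance and piped straight into docker login:
          # it never appears in argv, in the workflow logs or in the image.
          "aws ssm get-parameter --name /portfolio/ghcr_token --with-decryption --query Parameter.Value --output text | docker login ghcr.io -u '{{ GhcrUser }}' --password-stdin",
          "docker pull '{{ ImageRef }}'",
          "docker logout ghcr.io", # drop the stored credential as soon as the pull is done
          "docker rm -f portfolio >/dev/null 2>&1 || true",
          "docker run -d --name portfolio --restart unless-stopped --security-opt no-new-privileges -p 80:3000 '{{ ImageRef }}'",
          "docker image prune -f",
        ]
      }
    }]
  })
}

# What the pipeline role may do: this document, these instances, nothing else.
data "aws_iam_policy_document" "deploy" {
  statement {
    sid       = "RunOnlyThisDocument"
    actions   = ["ssm:SendCommand"]
    resources = [aws_ssm_document.deploy.arn]
  }
  statement {
    sid       = "OnlyOnTaggedInstances"
    actions   = ["ssm:SendCommand"]
    resources = ["arn:aws:ec2:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:instance/*"]
    condition {
      test     = "StringEquals"
      variable = "ssm:resourceTag/App"
      values   = ["portfolio"]
    }
  }
  statement {
    sid       = "ReadResult"
    actions   = ["ssm:GetCommandInvocation", "ssm:ListCommandInvocations"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "deploy" {
  name   = "portfolio-deploy"
  role   = var.deploy_role_name
  policy = data.aws_iam_policy_document.deploy.json
}
```

From the workflow, the deploy step is then a single call such as `aws ssm send-command --document-name portfolio-deploy --targets Key=tag:App,Values=portfolio --parameters GhcrUser=<user>,ImageRef=<digest ref>`; the job polls get-command-invocation for the result. The allowedPattern on ImageRef is the supply-chain check: a mutable tag like `:latest` is rejected by SSM before the script ever runs.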

Zone 5: Infrastructure as Code

Terraform (AWS Provider 6.x)

  • VPC & Networking: Custom VPC (10.0.0.0/16), public subnet, Internet Gateway and Elastic IP, all declared, versioned and reproducible.
  • Launch Template: Amazon Linux 2023 AMI resolved to the latest release at plan time, with an IAM instance profile granting SSM access and read access to the Parameter Store entry the deployment needs.
  • Immutable Infra: The entire stack (compute, CDN, DNS, IAM) is managed as code. No manual console changes.
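The launch template and its instance role from the bullets above, as an added Terraform example (not the site's own configuration). It resolves the current AL2023 AMI from the SSM parameter AWS publishes, attaches the managed SSM policy plus a read grant for exactly one Parameter Store entry, and adds two checks the bullets imply but do not spell out: no SSH key pair on the template, and IMDSv2 required so an SSRF in the app cannot read the instance role's credentials with a plain GET. Assumed: the /portfolio/ghcr_token parameter name, var.subnet_id, var.origin_sg_id and the resource labels.

```hcl
# Added example, not the site's own Terraform. Assumed: /portfolio/ghcr_token,
# var.subnet_id, var.origin_sg_id and the labels.

variable "subnet_id"    { type = string } # the public subnet from the VPC bullet
variable "origin_sg_id" { type = string } # the CloudFront-only security group

# AWS publishes the current AL2023 AMI id here; reading it at plan time means every
# apply picks up the latest patched image without a code change.
data "aws_ssm_parameter" "al2023" {
  name = "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64"
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {} # .region is the provider 6.x attribute (.name on 5.x)

resource "aws_iam_role" "instance" {
  name = "portfolio-instance"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

# SSM Agent registration, Session Manager and Run Command: the replacement for SSH.
resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.instance.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

# Read one parameter, not the whole namespace. A customer-managed KMS key would
# additionally need kms:Decrypt; the default aws/ssm key does not.
resource "aws_iam_role_policy" "read_ghcr_token" {
  name = "read-ghcr-token"
  role = aws_iam_role.instance.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "ssm:GetParameter"
      Resource = "arn:aws:ssm:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:parameter/portfolio/ghcr_token"
    }]
  })
}

resource "aws_iam_instance_profile" "instance" {
  name = "portfolio-instance"
  role = aws_iam_role.instance.name
}

resource "aws_launch_template" "app" {
  name          = "portfolio"
  image_id      = data.aws_ssm_parameter.al2023.value
  instance_type = "t3.micro"
  # No key_name: there is nothing to SSH in with even if port 22 were ever opened.

  iam_instance_profile { name = aws_iam_instance_profile.instance.name }

  metadata_options {
    http_tokens = "required" # IMDSv2 only; credentials need a PUT-issued token first
  }

  network_interfaces {
    subnet_id       = var.subnet_id
    security_groups = [var.origin_sg_id]
  }

  tag_specifications {
    resource_type = "instance"
    tags          = { App = "portfolio" } # the tag a deploy policy can target
  }

  # AL2023 ships the AWS CLI; only Docker has to be installed for Run Command deploys.
  user_data = base64encode(<<-EOT
    #!/bin/bash
    dnf install -y docker
    systemctl enable --now docker
  EOT
  )
}
```

Because the AMI is resolved from a data source, a new AL2023 release shows up as a planned change to image_id; that is the intended review point for rolling the instance, rather than patching in place over SSM.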