AWS Integration

This document outlines how Ownstak deploys and manages your Next.js applications within your AWS infrastructure.

Architecture Overview

Ownstak uses a secure and scalable architecture that spans both Ownstak's AWS account and your AWS account. This hybrid approach ensures you retain full control of your applications and data while benefiting from Ownstak's management capabilities.

Infrastructure Components

Ownstak AWS Account

  • DNS Management: We provide a CNAME record *.<backend-slug>.<org-slug>.ownstak.link that points to the Application Load Balancer in your AWS account
  • This ensures seamless routing to your applications while giving you full control over the underlying infrastructure

Your AWS Account

Ownstak provisions and configures the following components in your AWS account:

Load Balancing

  • Application Load Balancer (ALB): Deployed in the public subnet
  • SSL Certificate: Automatically provisioned for *.<backend-slug>.<org-slug>.ownstak.link
  • HTTPS/HTTP Listeners: Properly configured for secure communication

Compute Resources

  • LambdaProxy ECS Cluster: Runs in the private subnet
    • ECS Tasks: Special tasks that efficiently route requests to the appropriate Lambda function
  • Lambda Functions: Each deployment of your Next.js application runs as a dedicated Lambda function
    • Each Lambda function is isolated in the private subnet for enhanced security
    • Named according to your project and environment (ownstak-<project-slug>-<env-slug>)

How Requests Are Routed

Client Request

When a user accesses your application at <project-slug>-<env-slug>-<deployment number>.<backend-slug>.<org-slug>.ownstak.link:

  1. DNS resolves to your ALB (via the CNAME in Ownstak's account)
  2. The ALB receives the request in your account's public subnet
  3. The request is forwarded to the LambdaProxy in the private subnet
  4. The LambdaProxy identifies the correct Lambda function (ownstak-<project-slug>-<env-slug>) and invokes the version alias that corresponds to the deployment number (deployment-<deployment number>)
  5. The Lambda function processes the request and returns the response
  6. The response travels back through the same path to the user

This architecture ensures that your Next.js application runs entirely within your AWS account, with proper security boundaries and efficient request routing.
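The routing step above, as an added illustration that is not Ownstak's LambdaProxy code: a strict Host-header parser that derives the Lambda function name and version alias from the request hostname and refuses any host that does not belong to the backend and org this proxy is configured for. The backend and org slug values, the slug character set and the function names are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed values: the backend and org this proxy instance is allowed to serve.
EXPECTED_BACKEND_SLUG = "prod-backend"
EXPECTED_ORG_SLUG = "acme"
DNS_SUFFIX = "ownstak.link"

# Assumed slug alphabet: lowercase letters, digits and hyphens. The deployment
# number is the last all-digit segment of the leftmost label; the prefix before
# it is <project-slug>-<env-slug>, which never needs to be split because the
# function name carries both slugs together.
_HOST_RE = re.compile(
    r"^(?P<prefix>[a-z0-9][a-z0-9-]*)-(?P<deployment>\d+)"
    r"\.(?P<backend>[a-z0-9-]+)\.(?P<org>[a-z0-9-]+)\."
    + re.escape(DNS_SUFFIX) + r"$"
)


@dataclass(frozen=True)
class LambdaTarget:
    function_name: str  # ownstak-<project-slug>-<env-slug>
    alias: str          # deployment-<deployment number>


def resolve_target(host: str) -> LambdaTarget:
    """Map a Host header value to the Lambda function and alias to invoke."""
    host = host.strip().lower()
    if ":" in host:                      # drop an explicit port, e.g. ":443"
        host = host.split(":", 1)[0]
    host = host.rstrip(".")              # tolerate a trailing FQDN dot
    m = _HOST_RE.match(host)             # anchored: no suffix-appended lookalikes
    if not m:
        raise ValueError(f"host does not match the expected pattern: {host!r}")
    # Only route for the backend/org this proxy serves; anything else is rejected
    # rather than forwarded, so a stray or spoofed Host header cannot reach
    # another environment's function.
    if m["backend"] != EXPECTED_BACKEND_SLUG or m["org"] != EXPECTED_ORG_SLUG:
        raise ValueError("host belongs to a different backend or org; refusing to route")
    return LambdaTarget(
        function_name=f"ownstak-{m['prefix']}",
        alias=f"deployment-{m['deployment']}",
    )


def is_routable(host: str) -> bool:
    """True when the host resolves to a target this proxy may invoke."""
    try:
        resolve_target(host)
        return True
    except ValueError:
        return False
```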

Upstream requests

When your function needs to make a request to an external service, your private subnet should route that traffic to the NAT Gateway. When using the default VPC, this is handled internally by AWS using Elastic IPs.

For information about the IAM roles and permissions required for this infrastructure, see the IAM Roles & Permissions documentation.