Architecture overview - Workload Discovery on AWS
Architecture diagram

Architecture overview

This section provides a reference implementation architecture diagram for the components deployed with this solution.

Architecture diagram

Deploying this solution with the default parameters builds the following environment in the AWS Cloud.

Workload Discovery on AWS architecture.

Workload Discovery on AWS architecture

The high-level process flow for the solution components deployed with the AWS CloudFormation template is as follows:

  1. HTTP Strict-Transport-Security (HSTS) adds security headers to each response from the Amazon CloudFront distribution.

  2. An Amazon Simple Storage Service (Amazon S3) bucket hosts the web UI, which is distributed with Amazon CloudFront. Amazon Cognito authenticates user access to the web UI.

  3. AWS WAF protects the AppSync API from common exploits and bots that can affect availability, compromise security, or consume excessive resources.

  4. AWS AppSync endpoints allow the web UI component to request resource relationship data, query costs, import new AWS Regions, and update preferences. AWS AppSync also allows the discovery component to store persistent data in the solution’s databases.

  5. AWS AppSync uses JSON Web Tokens (JWTs) provisioned by Amazon Cognito to authenticate each request.

  6. The Settings AWS Lambda  function persists imported Regions and other configurations to Amazon DynamoDB.

  7. The solution deploys AWS Amplify and an Amazon S3 bucket as the storage management component to store user preferences and saved architecture diagrams. 

  8. The data component uses the Gremlin Resolver AWS Lambda function to query and return data from an Amazon Neptune database.

  9. The data component uses the Search Resolver Lambda function to query and persist resource data into an Amazon OpenSearch Service domain.

  10. The Cost Lambda function uses Amazon Athena to query AWS Cost and Usage Reports (AWS CUR) to provide estimated cost data to the web UI.

  11. Amazon Athena runs queries on AWS CUR.

  12. AWS CUR delivers the reports to the CostAndUsageReportBucket Amazon S3 bucket. 

  13. The Cost Lambda function stores the Amazon Athena results in the AthenaResultsBucket Amazon S3 bucket.

  14. AWS CodeBuildbuilds the discovery component container image in the image deployment component.

  15. Amazon Elastic Container Registry (Amazon ECR) contains a Docker image provided by the image deployment component. 

  16. Amazon Elastic Container Service (Amazon ECS) manages the AWS Fargate task and provides the configuration required to run the task. AWS Fargate runs a container task every 15 minutes to refresh inventory and resource data.

  17. AWS Config and  AWS SDK calls help the discovery component maintain an inventory of resource data from imported Regions, then store its results in the data component.

  18. The AWS Fargate task persists the results of the AWS Config and AWS SDK calls into an Amazon Neptune database and an Amazon OpenSearch Service domain with API calls to the AppSync API.