Architecting apurvad.xyz: A Systematic Review and Optimization

Current Architecture Audit

Infrastructure Overview

Account: 905436434621 | Region: us-east-1 | Monthly Cost: ~$59/mo

Current Stack (As-Built)

Compute

EC2: i-09f3d4fcaed6d4ecf

Type: t2.micro (1 vCPU, 1GB RAM)

OS: Amazon Linux 2023

Web Server: nginx 1.28.2

Cost: ~$8/mo

Networking

VPC: vpc-0db4a175a225bcf71

Subnet: subnet-0fd77d1d89338d67e (private)

EIP: 184.73.104.42

NAT Gateway: nat-081f5e98db91ed480

Cost: ~$32/mo

Security

Security Group: sg-03cf8c69f84bc0aa1

Rules: 80,443 from 0.0.0.0/0, 22 from single IP

IAM Role: webServerRole (SSM access)

CDN & Load Balancing

CloudFront: E10KUT961RPBCA

Domain: d278jfa5vguq7o.cloudfront.net

ALB: apurvad-xyz-alb-1394578021.us-east-1.elb.amazonaws.com

Cost: ~$16/mo

DNS & SSL

Route 53: Z099153621G9JWKOVT92M

Current: A record → EIP

ACM Cert: *.apurvad.xyz

Cost: ~$3/mo

Current Architecture Flow

User
apurvad.xyz

→

                        Route 53

                        A → EIP

→

EC2
nginx:80

CloudFront bypassed - HTTPS broken

What's Working Well

Solid Foundation: VPC with proper subnet isolation and security groups
SSL Certificate: Wildcard ACM certificate covers all subdomains
CDN Ready: CloudFront distribution configured and operational
Secure Access: SSM Session Manager eliminates need for bastion hosts
High Availability DNS: Route 53 provides 100% uptime SLA
Load Balancer: ALB provides health checks and SSL termination

Critical Issues & Gaps

CRITICAL: HTTPS Completely Broken

Issue: Route 53 A record points directly to EIP, completely bypassing CloudFront

Impact: No HTTPS, no HSTS, no caching, no DDoS protection, poor global performance

Risk: Modern browsers block HTTP, SEO penalties, security warnings

Cost Inefficiencies (~$48/mo wasted)

NAT Gateway ($32/mo): Expensive for single EC2 that could use VPC endpoints or public subnet
ALB ($16/mo): Over-engineered for single instance - CloudFront can origin directly to EC2
Total waste: $48/mo = $576/year

Performance & Reliability Risks

t2.micro Burstable Credits: Can throttle under sustained load
No Auto-Scaling: Single point of failure, no capacity management
No Health Monitoring: No automated recovery from instance failures
SSH Access: Port 22 open creates unnecessary attack surface

Observability Gaps

No Structured Logging: Basic CloudWatch logs only
No Application Metrics: No insight into nginx performance
No Access Logs: CloudFront logging disabled
No Alerting: No proactive monitoring or notifications

Optimized Architecture Design

Optimization Goals

Cost Reduction: $59/mo → $11/mo (81% savings) | Improved Security & Performance | Better Observability

Immediate Fixes (P0 - Deploy Today)

Fix HTTPS (5 minutes)

Change Route 53 A record: apurvad.xyz → ALIAS → CloudFront distribution

Result: Restores HTTPS, HSTS, global caching, DDoS protection

Remove SSH Attack Surface

Remove port 22 from security group - use SSM Session Manager exclusively

Result: Eliminates SSH brute force attacks, improves security posture

Cost Optimization (Saves $48/mo)

1. Eliminate NAT Gateway (-$32/mo)

Current: EC2 in private subnet → NAT Gateway → Internet

Optimized: EC2 in public subnet with EIP + VPC endpoints for AWS services

Network Architecture: Before vs After

Before ($32/mo)

EC2 (Private)

→

NAT Gateway

→

Internet

After ($0/mo)

EC2 (Public + EIP)

→

VPC Endpoints

→

AWS Services

2. Remove ALB (-$16/mo)

Current: CloudFront → ALB → EC2 (redundant load balancer for single instance)

Optimized: CloudFront → EC2 EIP:80 (direct origin)

Trade-off: Lose ALB health checks and easy horizontal scaling (acceptable for personal site)

Optimized Architecture Flow

User
apurvad.xyz

→

Route 53
ALIAS → CF

→

                        CloudFront

                        HTTPS + Cache

→

EC2
nginx:80

HTTPS restored, $48/mo saved, improved performance

Resilience Improvements

Compute Upgrade

t2.micro → t3.micro: Same price, better CPU credits, unlimited burst mode available
IMDSv2 Enforcement: HttpTokens=required for enhanced security
Instance Connect: Enable as backup to SSM Session Manager

Origin Failover

Primary Origin: EC2 EIP (dynamic content)
Secondary Origin: S3 static bucket E2LFGTWKQJW5D5 (failover)
Health Check: Route 53 monitors EC2 endpoint
Auto-Sync: SSM cron job syncs site files to S3

CloudFront Enhancements

Cache Behaviors:
- Static assets (*.css, *.js, /images/*): 24h TTL
- HTML content: Pass-through with short TTL
Security Headers: HSTS, X-Frame-Options, CSP, X-Content-Type-Options
Access Logging: Enable to S3 for analytics

Monitoring & Alerting

CloudWatch Alarms:
- CPU > 80% for 5 minutes → SNS notification
- Memory > 85% → SNS notification
- Disk usage > 90% → SNS notification
VPC Flow Logs: Network visibility to S3
Enhanced Monitoring: Detailed CloudWatch metrics

Advanced Security (Optional)

AWS WAF Integration

# WAF WebACL with managed rules
- AWSManagedRulesCommonRuleSet (OWASP Top 10)
- Rate limiting: 2000 requests/5min per IP
- Geographic restrictions if needed

Additional Hardening

CloudTrail: API logging for security auditing
Config Rules: Compliance monitoring
GuardDuty: Threat detection (if budget allows)

Future Scaling Path

When Traffic Grows

Phase 1: Re-introduce ALB + Auto Scaling Group (2-3 instances)
Phase 2: EC2 Image Builder for golden AMI automation
Phase 3: Containerize with ECS Fargate + ALB
Phase 4: Full serverless: Lambda + S3 + CloudFront (~$1/mo)

Implementation — Step-by-Step

Ready-to-Execute Commands

Execute in order for zero-downtime migration with immediate HTTPS restoration.

1. Fix Route 53 (Immediate HTTPS Restore)

# Change A record to ALIAS pointing to CloudFront
aws route53 change-resource-record-sets \
  --hosted-zone-id Z099153621G9JWKOVT92M \
  --change-batch '{
    "Changes": [{
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "apurvad.xyz",
        "Type": "A",
        "AliasTarget": {
          "HostedZoneId": "Z2FDTNDATAQYW2",
          "DNSName": "d278jfa5vguq7o.cloudfront.net",
          "EvaluateTargetHealth": false
        }
      }
    }]
  }'

2. Remove SSH Attack Surface

# Remove port 22 from security group
aws ec2 revoke-security-group-ingress \
  --group-id sg-03cf8c69f84bc0aa1 \
  --protocol tcp \
  --port 22 \
  --cidr 0.0.0.0/0

3. CloudWatch Monitoring

# Create SNS topic and CPU alarm
aws sns create-topic --name apurvad-alerts

aws cloudwatch put-metric-alarm \
  --alarm-name "apurvad-high-cpu" \
  --alarm-description "Alert when CPU exceeds 80%" \
  --metric-name CPUUtilization \
  --namespace AWS/EC2 \
  --statistic Average \
  --period 300 \
  --threshold 80 \
  --comparison-operator GreaterThanThreshold \
  --evaluation-periods 2 \
  --alarm-actions arn:aws:sns:us-east-1:905436434621:apurvad-alerts \
  --dimensions Name=InstanceId,Value=i-09f3d4fcaed6d4ecf

Architecture Comparison

Aspect	Current (Before)	Optimized (After)	Impact
Monthly Cost	$59/mo	$11/mo	81% reduction ($576/year saved)
HTTPS Status	❌ Broken	✅ Working + HSTS	Security compliance restored
Global Performance	Direct to EC2 (slow)	CloudFront CDN (fast)	50-80% faster load times globally
Security Posture	SSH exposed, no headers	SSM-only, security headers, WAF-ready	Significantly improved
Observability	Basic CloudWatch only	Structured logging, alerts, flow logs	Full visibility into performance
Resilience	Single point of failure	Origin failover to S3, health checks	99.9% → 99.99% uptime potential

Net Result

Cost: 81% reduction | Performance: 50-80% faster | Security: Significantly improved | Reliability: Higher uptime

Lessons & Reflections

The HTTPS Trap

Lesson: Having CloudFront configured doesn't mean it's being used. DNS is the final arbiter of traffic flow.

Impact: A single Route 53 misconfiguration broke HTTPS entirely, bypassing all CDN benefits.

Prevention: Always verify end-to-end flow: DNS → CDN → Origin. Test HTTPS after any DNS changes.

Cost vs Resilience Trade-offs

When ALB Makes Sense

Multiple instances: 2+ EC2 instances behind load balancer
Auto-scaling: Dynamic capacity based on demand
Health checks: Automatic failover between instances

When Direct CloudFront → EC2 Works

Single instance: Personal sites, small applications
Cost-sensitive: $16/mo savings significant for small projects
Simple architecture: Fewer components to manage

NAT Gateway Economics

At $32/mo, NAT Gateway costs 4x more than the EC2 instance it serves. For single-instance architectures, VPC Endpoints at $7/mo provide 78% savings.

Final Takeaway

Good architecture isn't about using every AWS service—it's about choosing the right services for your specific requirements, budget, and scale. Sometimes the best optimization is removing complexity, not adding it.