Hands In Docs
Internal

Network Diagram

Get Markdown

Company Network Architecture Diagram

Infrastructure Overview

Your company operates a fully remote, cloud-native architecture built on AWS with multiple environments and sophisticated security protocols.

Network Architecture Diagram

graph TB
    %% Remote Team Access
    subgraph "Remote Team Access"
        RT1[Remote Developer 1]
        RT2[Remote Developer 2]
        RTN[Remote Team N...]
    end

    %% Internet Gateway & DNS
    subgraph "DNS & CDN Layer"
        R53[Route 53 DNS]
        CF[CloudFront CDN]
        CERT[AWS Certificate Manager]
    end

    %% Load Balancers & API Gateway
    subgraph "Load Balancing & API Gateway"
        ALB[Application Load Balancer<br/>HTTP/HTTPS]
        APIGW[API Gateway v2<br/>Lambda Proxy]
        NLBINT[Internal Network LB]
    end

    %% Core Infrastructure (Replicated across all environments)
    subgraph "AWS Infrastructure - eu-west-2"
        subgraph "VPC (Multi-AZ)"
            subgraph "Public Subnets (3 AZs)"
                NAT1[NAT Gateway AZ-1]
                NAT2[NAT Gateway AZ-2]
                NAT3[NAT Gateway AZ-3]
            end
            
            subgraph "Private Subnets (3 AZs)"
                subgraph "Application Services"
                    WEBAPP1[Dashboard Service<br/>Merchant Portal]
                    WEBAPP2[Checkout Service<br/>Payment Processing]
                    WEBAPP3[Demo Store Service<br/>Customer Interface]
                    WEBAPP4[SDK Service<br/>JavaScript Distribution]
                    WEBAPP5[Documentation Service<br/>API Docs & Guides]
                    API1[Core API Service<br/>Business Logic]
                    API2[Microservices<br/>Event Processing]
                    AUTH[Authentication Service<br/>Identity & Access]
                end
            end
            
            subgraph "Isolated Subnets (3 AZs)"
                subgraph "Database Tier"
                    DDB[DynamoDB<br/>Multi-Region]
                    POSTGRES[PostgreSQL RDS<br/>Multi-AZ]
                    MONGO[MongoDB Atlas]
                end
                
                subgraph "Message Queue"
                    MSK[Managed Kafka<br/>Multi-AZ]
                    SQS1[Jobs Queue]
                    SQS2[Merchant Webhook Queue]
                    SQS3[Dead Letter Queues]
                end
                
                subgraph "Storage"
                    S3MAIN[S3 Buckets<br/>KMS Encrypted]
                    S3STATIC[Static Assets Bucket]
                    S3SDK[SDK Files Bucket]
                end
            end
        end
    end

    %% External Integrations
    subgraph "External Service Integrations"
        subgraph "Payment Processors"
            STRIPE[Stripe API<br/>TLS 1.3]
            SQUARE[Square API<br/>TLS 1.3]
            SHUTTLE[Shuttle API<br/>TLS 1.3]
            BRIDGERPAY[BridgerPay API<br/>TLS 1.3]
            ASIAPAY[AsiaPay API<br/>TLS 1.3]
            PCIPROXY[PCI Proxy<br/>TLS 1.3]
        end
        
        subgraph "Communication Services"
            TWILIO[Twilio SMS/Voice<br/>TLS 1.3]
            SLACK[Slack Webhooks<br/>TLS 1.3]
            EMAIL[AWS SES<br/>DMARC/SPF/DKIM]
        end
        
        subgraph "Analytics & Monitoring"
            POSTHOG[PostHog Analytics<br/>TLS 1.3]
            HUBSPOT[HubSpot CRM<br/>TLS 1.3]
            MAILCHIMP[Mailchimp Marketing<br/>TLS 1.3]
        end
        
        subgraph "Authentication Providers"
            GOOGLE[Google OAuth<br/>TLS 1.3 + PKCE]
            MICROSOFT[Microsoft Azure AD<br/>TLS 1.3 + PKCE]
        end
        
        subgraph "Development Tools"
            README[ReadMe API Docs<br/>TLS 1.3]
            OPENEXCHANGE[Open Exchange Rates<br/>TLS 1.3]
        end
    end

    %% Security Components
    subgraph "Security & Compliance"
        subgraph "AWS Security Services"
            KMS[AWS KMS<br/>AES-256]
            SECRETS[AWS Secrets Manager<br/>Encrypted]
            IAM[AWS IAM Roles & Policies]
            SG[Security Groups<br/>Firewall Rules]
        end
        
        subgraph "Monitoring & Compliance"
            CW[CloudWatch Logs & Metrics]
            CT[CloudTrail Audit Logs]
            CONFIG[AWS Config Compliance]
            GUARD[GuardDuty Threat Detection]
        end
    end

    %% Mobile & Desktop Clients
    subgraph "Client Applications"
        MOBILE[Mobile App<br/>React Native]
        DESKTOP[Desktop App<br/>Electron]
        BROWSER[Web Browsers<br/>Modern Browsers]
    end

    %% Connections with Security Protocols
    RT1 --> |HTTPS/TLS 1.3<br/>ECDHE-RSA-AES256-GCM-SHA384<br/>Certificate Pinning| CF
    RT2 --> |HTTPS/TLS 1.3<br/>ECDHE-RSA-AES256-GCM-SHA384<br/>Certificate Pinning| CF
    RTN --> |HTTPS/TLS 1.3<br/>ECDHE-RSA-AES256-GCM-SHA384<br/>Certificate Pinning| CF
    
    CF --> |DNS over HTTPS DoH<br/>DNSSEC| R53
    CF --> |HTTP/2<br/>TLS 1.3<br/>HSTS Header| ALB
    
    ALB --> |HTTP/1.1<br/>Internal TLS 1.2<br/>AES-256-CBC| WEBAPP1
    ALB --> |HTTP/1.1<br/>Internal TLS 1.2<br/>AES-256-CBC| WEBAPP2
    ALB --> |HTTP/1.1<br/>Internal TLS 1.2<br/>AES-256-CBC| WEBAPP3
    
    APIGW --> |AWS SigV4<br/>Internal TLS 1.2<br/>AES-256-GCM| API1
    APIGW --> |AWS SigV4<br/>Internal TLS 1.2<br/>AES-256-GCM| AUTH
    
    API1 --> |DynamoDB Protocol<br/>AES-256 KMS Encryption<br/>IAM SigV4| DDB
    API1 --> |PostgreSQL Protocol<br/>SSL/TLS 1.2<br/>AES-256 RDS Encryption| POSTGRES
    API1 --> |Kafka Protocol<br/>SASL/SCRAM-SHA-512<br/>TLS 1.2| MSK
    API2 --> |Kafka Protocol<br/>SASL/SCRAM-SHA-512<br/>TLS 1.2| MSK
    API2 --> |DynamoDB Protocol<br/>AES-256 KMS Encryption<br/>IAM SigV4| DDB
    
    AUTH --> |DynamoDB Protocol<br/>AES-256 KMS Encryption<br/>IAM SigV4| DDB
    AUTH --> |SQS Protocol<br/>AES-256 KMS Encryption<br/>IAM SigV4| SQS1
    AUTH --> |AWS Secrets Manager API<br/>AES-256 KMS Encryption<br/>IAM SigV4| SECRETS
    
    %% External Service Connections with Full Security Stack
    API1 --> |HTTPS/TLS 1.3<br/>ECDHE-RSA-AES256-GCM-SHA384<br/>Webhook Signature HMAC-SHA256| STRIPE
    API1 --> |HTTPS/TLS 1.3<br/>ECDHE-RSA-AES256-GCM-SHA384<br/>OAuth 2.0 Bearer Token| SQUARE
    API1 --> |HTTPS/TLS 1.3<br/>ECDHE-RSA-AES256-GCM-SHA384<br/>API Key + Signature| SHUTTLE
    API1 --> |HTTPS/TLS 1.3<br/>ChaCha20-Poly1305<br/>API Key Authentication| TWILIO
    
    WEBAPP1 --> |HTTPS/TLS 1.3<br/>OAuth 2.0 + PKCE<br/>ECDHE-RSA-AES256-GCM-SHA384<br/>JWT RS256 Tokens| GOOGLE
    WEBAPP1 --> |HTTPS/TLS 1.3<br/>OAuth 2.0 + PKCE<br/>ECDHE-RSA-AES256-GCM-SHA384<br/>JWT RS256 Tokens| MICROSOFT
    
    API1 --> |HTTPS/TLS 1.3<br/>ECDHE-RSA-AES256-GCM-SHA384<br/>Webhook HMAC-SHA256| BRIDGERPAY
    API1 --> |HTTPS/TLS 1.3<br/>ECDHE-RSA-AES256-GCM-SHA384<br/>Digital Signature Verification| ASIAPAY
    API1 --> |HTTPS/TLS 1.3<br/>ECDHE-RSA-AES256-GCM-SHA384<br/>Basic Auth + TLS Client Cert| PCIPROXY
    
    API1 --> |HTTPS/TLS 1.3<br/>ECDHE-RSA-AES256-GCM-SHA384<br/>Bearer Token Auth| POSTHOG
    API1 --> |HTTPS/TLS 1.3<br/>ECDHE-RSA-AES256-GCM-SHA384<br/>Private App Token| HUBSPOT
    
    %% Client Application Connections
    MOBILE --> |HTTPS/TLS 1.3<br/>ECDHE-RSA-AES256-GCM-SHA384<br/>Certificate Pinning<br/>App Attestation| CF
    DESKTOP --> |HTTPS/TLS 1.3<br/>ECDHE-RSA-AES256-GCM-SHA384<br/>Certificate Pinning<br/>Code Signing Verification| CF
    BROWSER --> |HTTPS/TLS 1.3<br/>ECDHE-RSA-AES256-GCM-SHA384<br/>HSTS + CSP Headers| CF
    
    %% Internal Security Service Connections
    ALB --> |AWS Security Groups<br/>Stateful Firewall Rules<br/>Port-based Filtering| SG
    API1 --> |AWS IAM<br/>AssumeRole STS<br/>Temporary Credentials| IAM
    AUTH --> |AWS IAM<br/>AssumeRole STS<br/>Temporary Credentials| IAM
    S3MAIN --> |AWS KMS<br/>AES-256 Envelope Encryption<br/>CMK Rotation| KMS
    DDB --> |AWS KMS<br/>AES-256 Envelope Encryption<br/>CMK Rotation| KMS
    
    %% Email Security
    API1 --> |SMTP/TLS 1.2<br/>DKIM RSA-2048<br/>SPF Record Validation<br/>DMARC p=reject| EMAIL

Security Protocols & Encryption

Transport Layer Security

  • TLS 1.3 for all external API communications with forward secrecy
  • Cipher Suites: ECDHE-RSA-AES256-GCM-SHA384, ChaCha20-Poly1305
  • HTTPS enforced across all web applications with HSTS headers
  • Certificate Management via AWS Certificate Manager with auto-renewal
  • Certificate Pinning for mobile and desktop applications

Data Encryption

  • At Rest: AES-256 envelope encryption using AWS KMS with customer-managed keys
  • In Transit: TLS 1.3 for external, TLS 1.2+ for internal AWS services
  • Database Encryption:
    • DynamoDB with KMS encryption and key rotation
    • PostgreSQL RDS with AES-256 encryption
    • Kafka with SASL/SCRAM-SHA-512 authentication

Authentication & Authorization

  • OAuth 2.0 with PKCE for external identity providers (Google, Microsoft)
  • JWT Tokens with RS256 signing (RSA-2048 keys) for API authentication
  • AWS IAM Roles with least-privilege access and temporary credentials
  • Multi-Factor Authentication enforced for AWS console access
  • API Authentication: Bearer tokens, HMAC-SHA256 signatures, digital signatures

Network Security

  • VPC Security Groups acting as stateful firewalls with port-based filtering
  • NACLs for subnet-level network filtering
  • Private Subnets for all application and database tiers
  • NAT Gateways for secure outbound internet access
  • AWS WAF for application-layer protection

Message Security

  • Webhook Security: HMAC-SHA256 signature verification
  • Email Security: DKIM RSA-2048, SPF records, DMARC p=reject
  • Queue Encryption: SQS messages encrypted with KMS
  • Event Streaming: Kafka with TLS 1.2 and SASL authentication

Application Architecture

Frontend Applications

  • Dashboard: Next.js application for merchant management
  • Checkout: Payment processing interface
  • Demo Store: Customer-facing demo application
  • Mobile App: React Native cross-platform application
  • Desktop App: Electron-based desktop client

Backend Services

  • API Gateway: Serverless API routing and authentication
  • Core API Service: Business logic and data processing
  • Authentication Service: Identity management and access control
  • Microservices: Event processing and specialized functions
  • Blue/Green Deployments: Zero-downtime deployments with automated rollback

Data Layer

  • DynamoDB: NoSQL database for user sessions, auth, and payments
  • PostgreSQL RDS: Relational data with Multi-AZ deployment
  • MongoDB: Document store for specific use cases
  • Apache Kafka (MSK): Event streaming and message processing

Integration Layer

  • Payment Processors: Stripe, Square, Shuttle, BridgerPay, AsiaPay
  • Communication: Twilio (SMS/Voice), AWS SES (Email), Slack
  • Analytics: PostHog, HubSpot
  • Authentication: Google OAuth, Microsoft Azure AD

Deployment Environments

This entire architecture is replicated across multiple isolated environments:

Production

  • Region: eu-west-2 (London)
  • Multi-AZ: 3 Availability Zones
  • NAT Strategy: One per AZ for high availability
  • Retention: Resources retained on stack deletion
  • Domain: *.handsin.com

Staging

  • Region: eu-west-2 (London)
  • Multi-AZ: 3 Availability Zones
  • Purpose: Pre-production testing and validation
  • Domain: *.staging.handsin.com

Development

  • Region: eu-west-2 (London)
  • Single NAT: Cost-optimized configuration
  • Purpose: Development and integration testing
  • Domain: *.development.handsin.com

Sandbox

  • Region: eu-west-2 (London)
  • Purpose: Sandbox testing environment
  • Domain: *.sandbox.handsin.com

Local Development

  • Docker Compose: Local service orchestration
  • Port Mapping: Standardized ports across services
  • Hot Reload: Development productivity features
  • Domain: localhost with different ports

Monitoring & Observability

Application Monitoring

  • CloudWatch: Metrics, logs, and alarms
  • PostHog: User analytics and feature flags

Infrastructure Monitoring

  • CloudWatch: Infrastructure metrics and logs
  • AWS Config: Compliance and configuration monitoring
  • GuardDuty: Threat detection and security monitoring

Deployment Monitoring

  • CodeDeploy: Blue/green deployment monitoring
  • CloudWatch Alarms: Automated rollback triggers
  • SNS Notifications: Deployment status alerts

Remote Team Considerations

Access Patterns

  • Zero-Trust Architecture: All access through authenticated endpoints
  • VPN-Free: Direct internet access through CloudFront and ALB
  • Multi-Region: Disaster recovery and performance optimization

Development Workflow

  • GitOps: Infrastructure as Code with SST
  • CI/CD: Automated testing and deployment pipelines
  • Environment Parity: Consistent environments across stages

Security for Remote Work

  • IAM Roles: Granular permissions per team member
  • MFA Required: Multi-factor authentication enforced
  • Audit Logging: All access logged via CloudTrail
  • Secret Management: Centralized secrets via AWS Secrets Manager

This architecture provides a robust, secure, and scalable foundation for your fully remote team while maintaining high availability, security, and compliance standards.

On this page