
Application Deployment

How applications are deployed using AWS App Runner and API Gateway.

We use a private architecture in which AWS App Runner services are not directly reachable from the internet. All traffic enters through a regional API Gateway, which reaches the services over a VPC Link.

Architecture

  1. API Gateway: The public entry point.
  2. VPC Link: Connects API Gateway to the private VPC.
  3. Network Load Balancer (NLB): Distributes traffic internally.
  4. VPC Endpoint: An interface endpoint for apprunner.requests.
  5. App Runner Service: The containerized application, accessible only via the VPC endpoint.

AWS App Runner

We use App Runner for a fully managed container experience.

  • Source: Code is pulled directly from the GitHub repository.
  • Runtime: Node.js 22.
  • Build Command: Installs dependencies and builds the NestJS application.
    curl -fsSL https://get.pnpm.io/install.sh | sh - && export PATH=$HOME/.local/share/pnpm:$PATH && pnpm install --frozen-lockfile && pnpm run build --filter @monorepo/api && cp -R apps/api/src/i18n apps/api/dist/i18n
  • Start Command: Starts a specific worker script.
    bash apps/api/scripts/start-worker.sh [worker-file]

App Runner Connection

To enable App Runner to pull code from your private GitHub repository, you must create a connection.

  1. Go to the AWS App Runner Console.
  2. Create a new service (you can cancel before finishing) or go to "Connections" if available.
  3. Choose Source Code Repository.
  4. Click Add New Connection.
  5. Authenticate with GitHub and install the AWS Connector app on your organization/repository.
  6. Once created, copy the Connection ARN.
  7. Add this ARN to your infra/aws/.env file:
    APP_RUNNER_CONNECTION_ARN=arn:aws:apprunner:region:account:connection/name/id

Workers

The backend is split into multiple "workers" (microservices) to allow independent scaling and fault isolation.

  • Discovery: The infrastructure automatically finds worker entry points in apps/api/src/workers.
  • Routing: Each worker gets a dedicated path in the API Gateway.
  • Configuration:
    • Environment Variables: Injected from .env.workers and infrastructure outputs (DB host, etc.).
    • VPC Access: Workers can access the Aurora database and Redis cache via the VPC Connector.
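The posture described in the Architecture, App Runner Connection and Workers sections (no public ingress, egress through the VPC Connector, source pulled through a GitHub connection) can be checked against the output of `aws apprunner describe-service`. The following Node.js audit is an added example, not part of the monorepo; the two service descriptions are constructed samples and the ARNs are placeholders.

```javascript
// Added example (not project code): audit App Runner service descriptions
// against the private architecture documented above. Input follows the
// `Service` object shape returned by `aws apprunner describe-service`.

// Returns a list of findings; an empty list means the service matches the
// expected posture.
function auditAppRunnerService(service) {
  const findings = [];
  const net = service.NetworkConfiguration || {};
  const ingress = net.IngressConfiguration || {};
  const egress = net.EgressConfiguration || {};
  const auth = (service.SourceConfiguration || {}).AuthenticationConfiguration || {};

  // Ingress must be private: requests should only arrive via the VPC endpoint.
  if (ingress.IsPubliclyAccessible !== false) {
    findings.push(`${service.ServiceName}: ingress is publicly accessible`);
  }
  // Egress must use the VPC Connector so workers reach Aurora and Redis privately.
  if (egress.EgressType !== 'VPC' || !egress.VpcConnectorArn) {
    findings.push(`${service.ServiceName}: egress is not routed through a VPC Connector`);
  }
  // Source pulls must use the GitHub connection (APP_RUNNER_CONNECTION_ARN).
  if (!auth.ConnectionArn || !auth.ConnectionArn.startsWith('arn:aws:apprunner:')) {
    findings.push(`${service.ServiceName}: no App Runner connection ARN configured`);
  }
  return findings;
}

// Audit every service and concatenate the findings.
function auditAll(services) {
  return services.flatMap(auditAppRunnerService);
}

// Constructed samples (placeholder ARNs): one compliant worker, one exposed.
const sampleServices = [
  {
    ServiceName: 'api-worker-http',
    SourceConfiguration: { AuthenticationConfiguration: {
      ConnectionArn: 'arn:aws:apprunner:us-east-1:123456789012:connection/example/placeholder' } },
    NetworkConfiguration: {
      IngressConfiguration: { IsPubliclyAccessible: false },
      EgressConfiguration: { EgressType: 'VPC',
        VpcConnectorArn: 'arn:aws:apprunner:us-east-1:123456789012:vpcconnector/example/1/placeholder' },
    },
  },
  {
    ServiceName: 'api-worker-jobs',
    SourceConfiguration: { AuthenticationConfiguration: {} },
    NetworkConfiguration: {
      IngressConfiguration: { IsPubliclyAccessible: true },
      EgressConfiguration: { EgressType: 'DEFAULT' },
    },
  },
];

const allFindings = auditAll(sampleServices);
console.log(allFindings.length ? allFindings.join('\n') : 'all services private');
```

Feed the real `Service` objects from `aws apprunner describe-service --service-arn ...` to `auditAll` to run the same check against a deployed environment.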

API Gateway & WAF

The API Gateway is protected by AWS WAF (Web Application Firewall):

  • Rate Limiting: Limits requests per source IP (default: 2000 requests per 5 minutes).
  • Managed Rules:
    • AWSManagedRulesCommonRuleSet: Covers the OWASP Top 10 vulnerability categories.
    • AWSManagedRulesKnownBadInputsRuleSet: Common malicious patterns.