Production-Grade Mobile Backend on AWS ECS Fargate with Edge Security, CI/CD, and Private RDS
This architecture was designed for a mobile-first application requiring high availability, strong security boundaries, automated deployments, and the ability to scale seamlessly as user traffic grows. The system serves mobile clients built with Expo and distributed via App Store and Google Play.
The backend is fully containerized and runs on AWS Fargate with a managed relational database on Amazon RDS, fronted by Cloudflare and Amazon CloudFront for performance and protection.
The entire infrastructure is provisioned inside an Amazon VPC with strict subnet isolation.
TL;DR
- Mobile app built with React Native using Expo
- Containerized backend running on AWS Fargate
- Edge protection via Cloudflare + AWS Shield
- Static/media delivery through Amazon CloudFront + Amazon S3
- Secure database on Amazon RDS in a private subnet
- GitLab CI/CD → Docker → Amazon ECR → ECS deployment
- Mobile release pipeline to App Store and Google Play
Goals of the Architecture:
This design was built to achieve:
- Private networking for databases
- Serverless container management (no EC2 management)
- Zero-downtime CI/CD deployments
- Strong perimeter protection against attacks
- High performance content delivery
- Secure secret and configuration handling
- Easy horizontal scaling during traffic spikes
- Clean separation between public and private resources
High-Level Architecture
The request flow:
Mobile App → Cloudflare → CloudFront → ECS Fargate (App) → RDS (Private Subnet)
CI/CD flow:
Developer → GitLab Pipeline → ECR → ECS Fargate rolling deployment
Core Components
| Component | Purpose |
|---|---|
| Cloudflare | DNS, WAF, DDoS protection at the edge |
| Amazon CloudFront | CDN caching and TLS termination before AWS |
| Amazon S3 | Static assets and media storage |
| Amazon ECR | Docker image registry for deployments |
| AWS Fargate | Runs the containerized backend application |
| RDS | Managed relational database in private subnet |
| Security Groups | Strict traffic control between services |
| GitLab CI/CD | Automated build and deployment pipeline |
Networking & Traffic Flow
The architecture is built inside an Amazon VPC with two subnet tiers:
Public Subnet
- Hosts ECS Fargate tasks
- Receives traffic only from CloudFront
- No direct public database exposure
Private Subnet
- Hosts RDS
- Accepts traffic only from ECS Security Group
- Completely isolated from the internet
This ensures the database is never publicly reachable.
Data Layer & Persistence Design
- Amazon RDS deployed in private subnet
- Custom parameter group for query behavior
- Automated backups and snapshots.
- Amazon S3 used for media/file storage
- Application containers are stateless → safe to scale/redeploy anytime
Security Design
Multiple security layers are implemented:
- Cloudflare WAF and DDoS protection
- AWS Shield at AWS edge
- TLS end-to-end
- Security Groups allowing only required ports
- Private RDS subnet (no public IP)
- IAM roles for task permissions (no static credentials)
- Secrets passed securely to containers
CI/CD & Deployment Strategy
The deployment flow is fully automated:
- Developer pushes code
- GitLab pipeline builds Docker image
- Image pushed to Amazon ECR
- ECS service performs rolling update on AWS Fargate
- Zero downtime release
No manual server access is required.
Scalability & High Availability
- ECS Fargate auto-scales tasks based on load
- RDS supports Multi-AZ deployments
- Stateless containers allow unlimited horizontal scaling
- CloudFront caches heavy content globally
Key Learnings
- Serverless containers drastically reduce ops complexity
- Proper subnet design is the foundation of security
- CI/CD is critical for reliability at scale
- CDN + object storage is essential for media-heavy apps
- Stateless design makes scaling effortless