AWS
This section covers everything you need to deploy, operate, and debug Vega on AWS. If you're new to AWS, each service is explained the first time it appears.
How to use this section
| Goal | Start here |
|---|---|
| Understand how Vega is deployed | Vega on AWS |
| Make infrastructure changes | Terraform |
| Deploy a new version of the code | Operations Runbooks |
| Debug a broken deployment | Debugging |
| Control cloud costs | Cost and Safety |
The three-layer model
Think of Vega on AWS as three layers:
┌─────────────────────────────────────────────────┐
│ EDGE LAYER │
│ CloudFront · S3 frontend bucket · Cognito │
│ What users interact with directly │
└─────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────┐
│ APPLICATION LAYER │
│ vega-api · vega-worker · vega-llm-proxy │
│ ECS Fargate containers in a private VPC │
└─────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────┐
│ DATA LAYER │
│ Postgres (RDS) · S3 buckets · SQS · Secrets │
│ Durable state that survives container restarts │
└─────────────────────────────────────────────────┘
AWS services Vega uses
| AWS service | What Vega uses it for |
|---|---|
| CloudFront | CDN that serves the frontend and routes /v1/* to the API |
| S3 | Frontend static files, source snapshots, scan artifacts, exports |
| ECS Fargate | Runs all backend containers without managing EC2 servers |
| RDS / Aurora | Managed Postgres for structured metadata |
| SQS | Queue that carries scan jobs from the API to workers |
| Cognito | Managed user authentication and JWT issuance |
| Secrets Manager | Encrypted storage for database credentials, API keys, etc. |
| CloudWatch | Logs, metrics, and alarms for all services |
| ECR | Docker image registry (ECS pulls images from here) |
| VPC / Subnets / Security Groups | Private networking and firewall rules |
| ALB | Load balancer that routes HTTP traffic to the API ECS service |