Cloud Migration · 2025

Swiftcart

Monolith to event-driven AWS migration. Zero-trust dual-VPC + CQRS over SNS → SQS fan-out, Lambda (arm64) replacing EC2 polling, hardened with IAM instance profiles + CloudTrail.

Lambda
SNS
SQS
Transit Gateway
Private Link
EFS
EBS
CloudWatch
CloudTrail
Docker Compose

▸ Lab

TL;DR

Architected a Zero-Trust dual-VPC network (public DMZ + dark private subnet) with Transit Gateway and AWS PrivateLink, eliminating public internet exposure for all backend services.
Implemented CQRS over SNS → SQS fan-out: sync reads via Transit Gateway, async checkout via SNS publish to dual subscribers (email + SQS); decoupling the web tier from inventory with eventual consistency.
Migrated an EC2 polling daemon to event-driven Lambda (Graviton, SQS event-source mapping, partial-batch retry); containerized the web tier with Docker Compose over shared EFS + gp3 EBS, fronted by CloudFront multi-origin routing (S3 + ALB).
Hardened access with IAM instance profiles and zero long-lived keys (IMDS-rotated credentials), CloudTrail management-event auditing to S3, and a CloudWatch alarm on SQS depth ≥ 100 with SNS-triggered SRE email alerting.

The problem

A toy e-commerce stack is the easy part. One that runs backend services with zero public internet exposure, splits reads from writes so a slow checkout never blocks browsing, and acknowledges orders durably without coupling the web tier to inventory — that's where the AWS depth shows. Swiftcart is that exercise.

What's there

CQRS: the web tier publishes checkout events to SNS; an SQS-subscribed Lambda (arm64/Graviton) processes them with partial-batch retry. Reads stay synchronous over the Transit Gateway while writes return an immediate 202 Accepted.
Zero-trust network: a public DMZ VPC and a fully dark private VPC (no IGW/NAT). SNS/SQS reachable only via PrivateLink interface endpoints; EC2 uses IAM instance profiles — zero long-lived keys.
Edge + storage: one CloudFront distribution multiplexing an S3 static origin and a dynamic ALB origin; shared EFS for the web tier, XFS-on-gp3 EBS for the backend.
Built and verified in the AWS console (us-west-2), with per-domain design docs and screenshot evidence in the repo.