A production-grade platform built on AWS, completely free, using cost-optimization strategies and infrastructure best practices.

This is a real production platform built for learning, demonstrating:
- Infrastructure as Code (Terraform)
- Cost Optimization ($0/month vs $505/year standard AWS)
- Kubernetes Orchestration (K3s cluster)
- Networking Best Practices (VPC, NAT, security groups)
- Security Hardening (private subnets, Session Manager, flow logs)
- Microservices Architecture (Go API, Worker, Redis)
- CI/CD Pipeline (Docker, automated deployments)
- Monitoring & Observability (Prometheus, Grafana, Loki)

Perfect for:
- Learning DevOps/SRE practices
- Small production workloads
```
┌─────────────────────────────────────────────────────┐
│ AWS VPC (10.0.0.0/16)                               │
│                                                     │
│   Public Subnet              Private Subnet         │
│  ┌──────────────┐           ┌──────────────┐        │
│  │ NAT Instance │◄──────────│  K3s Master  │        │
│  │  (t2.micro)  │           │  (t3.micro)  │        │
│  └──────┬───────┘           └──────┬───────┘        │
│         │                          │                │
│         │                   ┌──────▼───────┐        │
│         │                   │  K3s Worker  │        │
│         │                   │  (t3.micro)  │        │
│         │                   └──────┬───────┘        │
│         │                          │                │
│         │                          ▼                │
│         │                   ┌────────────────┐      │
│         │                   │ Pods:          │      │
│         │                   │  • API Service │      │
│         │                   │  • Worker      │      │
│         │                   │  • Redis       │      │
│         │                   └────────────────┘      │
│         ▼                                           │
│   Internet Gateway                                  │
└─────────────────────────────────────────────────────┘
          │
          ▼
       Internet
```
Standard AWS setup:

| Component | Monthly Cost |
|---|---|
| NAT Gateway | $32.85 |
| Bastion Host (t2.micro) | $8.47 |
| K3s Master (t3.micro) | $7.59 |
| K3s Worker (t3.micro) | $7.59 |
| EBS Storage (40GB) | $4.00 |
| TOTAL | $60.50/month |
This project (free tier):

| Component | Monthly Cost |
|---|---|
| NAT Instance (t2.micro) | $0 (free tier) |
| Session Manager | $0 (no bastion) |
| K3s Master (t3.micro) | $0 (free tier) |
| K3s Worker (t3.micro) | $0 (free tier) |
| EBS Storage (30GB) | $0 (free tier) |
| TOTAL | $0/month |

Annual Savings: $726
```bash
# Required tools
terraform >= 1.0
aws-cli >= 2.0
kubectl >= 1.24

# AWS credentials configured
aws configure
```

```bash
# Clone repository
git clone https://github.com/tasnimmizaoui/production-platform
cd production-platform

# Configure variables
cp infra/terraform/terraform.tfvars.example infra/terraform/terraform.tfvars
# Edit terraform.tfvars with your IP address

# Get your IP
curl ifconfig.me

# Deploy
cd infra/terraform
terraform init
terraform plan
terraform apply
```

Deployment time: ~15-20 minutes

```bash
# Get kubeconfig
terraform output kubeconfig_command | bash > ~/.kube/config

# Verify cluster
kubectl get nodes
kubectl get pods -A

# Access K3s master
aws ssm start-session --target $(terraform output -raw k3s_master_id)
```

```
production-platform/
├── app/                        # Application code
│   ├── api-service/            # Go REST API
│   ├── worker-service/         # Background workers
│   └── frontend/               # not set up yet
│
├── infra/                      # Infrastructure as Code
│   └── terraform/
│       ├── main.tf             # Root configuration
│       ├── modules/
│       │   ├── vpc/            # VPC + NAT instance
│       │   └── k3s/            # K3s cluster
│       └── terraform.tfvars    # Your variables
│
├── k8s/                        # Kubernetes manifests
│   ├── base/                   # Base configs
│   │   ├── api/
│   │   ├── worker/
│   │   └── redis/
│   └── overlays/               # Environment overlays
│       ├── dev/
│       └── prod/
│
├── monitoring/                 # Observability stack
│   ├── prometheus/
│   ├── grafana/
│   └── loki/
│
├── docs/                       # Documentation
│
└── scripts/                    # Helper scripts
    ├── deploy.sh
    └── test-deployment.sh
```
Phase 1: VPC networking with NAT instance
- VPC (10.0.0.0/16)
- Public & Private subnets
- Internet Gateway
- NAT Instance (free alternative to NAT Gateway)
- VPC Flow Logs (S3)
- S3 VPC Endpoint
- Verified: All connectivity tests passing

Phase 2: K3s cluster deployment
- K3s master node (t3.micro)
- K3s worker node (t3.micro)
- Redis (in-cluster pod)
- IAM roles & instance profiles
- Session Manager access
- Verified: 2/2 nodes Ready, pods running

Phase 3: Application deployment
- Deploy API service to K3s
- Deploy worker service
- Configure ingress
- Test end-to-end workflow

Phase 4: CI/CD pipeline
- GitHub Actions workflow
- Automated testing (Go tests)
- Docker image builds
- Kind cluster validation
- Automated deployments

Phase 5: VPC endpoints + Docker proxy
- S3-backed Docker registry mirror
- Zero-egress network architecture
- Air-gapped cluster security
- Automated image synchronization
- Private Subnets - No public IPs on workloads
- NAT Instance - Controlled egress
- Security Groups - Restrictive firewall rules
- Network ACLs - Additional layer
- VPC Flow Logs - Network monitoring
- Session Manager - No SSH keys needed
- Encrypted EBS - Data at rest encryption
- IP Whitelisting - Access limited to your IP
Instead of the AWS NAT Gateway ($32.85/month), we use a t2.micro instance:

```bash
# IP forwarding + iptables
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

Benefits:
- $0 cost (free tier)
- Full control & debugging access
- Production-ready for small workloads
- Learning opportunity for NAT mechanics

Trade-offs:
- Single point of failure (no HA)
- Manual scaling required
- Limited throughput vs NAT Gateway

Real Implementation:
- Verified working with K3s cluster
- Internet access from private subnet confirmed
- Health monitoring configured
- $394/year savings vs NAT Gateway

Read the complete implementation guide.
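A hardened version of that NAT setup, added here as an example and not the project's own bootstrap script: it scopes masquerading to the VPC CIDR instead of any source, defaults the FORWARD chain to DROP, persists ip_forward across reboots, and adds a verify subcommand that runs the ip_forward and MASQUERADE checks. It assumes the VPC CIDR 10.0.0.0/16 from the diagram, eth0 as the egress interface, and root privileges for apply and verify.

```bash
#!/usr/bin/env bash
# Hardened NAT-instance setup and self-check for the t2.micro in the public
# subnet. Added example for this README, not the project's own bootstrap script.
# Assumptions: VPC CIDR 10.0.0.0/16 (from the diagram), egress interface eth0,
# and root privileges when run with "apply" or "verify".
set -eu

VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"
WAN_IF="${WAN_IF:-eth0}"

# Emit the firewall rules instead of applying them, so the egress policy can be
# reviewed (and tested) before it is piped to a root shell.
nat_rules() {
  local cidr="$1" ifc="$2"
  cat <<EOF
# Masquerade only traffic that originates inside the VPC, never arbitrary sources.
iptables -t nat -A POSTROUTING -s ${cidr} -o ${ifc} -j MASQUERADE
# Forward nothing by default; allow VPC -> internet plus its return traffic only.
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s ${cidr} -o ${ifc} -j ACCEPT
EOF
}

# Persist forwarding across reboots (a bare "echo 1 > ip_forward" is lost on
# restart), then load the rules. iptables alone is not enough: the instance's EC2
# source/destination check must also be off (Terraform: source_dest_check = false).
nat_apply() {
  printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-nat.conf
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  nat_rules "$VPC_CIDR" "$WAN_IF" | sh
}

# Pass/fail check of the live instance; prints the first failing condition.
nat_verify() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || { echo "ip_forward is 0"; return 1; }
  iptables -t nat -S POSTROUTING | grep -q -- "-s ${VPC_CIDR} .*-j MASQUERADE" \
    || { echo "no MASQUERADE rule scoped to ${VPC_CIDR}"; return 1; }
  iptables -S FORWARD | grep -q -- '^-P FORWARD DROP' \
    || { echo "FORWARD policy is not DROP"; return 1; }
  echo "NAT instance OK"
}

case "${1:-print}" in
  print)  nat_rules "$VPC_CIDR" "$WAN_IF" ;;   # default: review the rules only
  apply)  nat_apply ;;
  verify) nat_verify ;;
  *) echo "usage: $0 [print|apply|verify]" >&2; exit 2 ;;
esac
```

Run it without arguments to review the generated rules; `sudo ./nat.sh apply` on the instance installs them and `sudo ./nat.sh verify` reports the first failing check.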
No bastion host needed. Instances are accessed via AWS Systems Manager Session Manager:

```bash
aws ssm start-session --target i-0abc123def456
```

Benefits:
- $0 cost
- No SSH keys to manage
- IAM-based authentication
- Session logging
Full Kubernetes experience with minimal overhead:
- 512MB RAM vs 2GB (standard K8s)
- Single binary installation
- Built-in storage, networking
- Perfect for learning & small workloads
- NAT Instance Implementation Guide - Complete NAT setup, troubleshooting, and verification
- VPC Module README - Networking architecture and configuration
- K3s Module README - Cluster setup and management
- Production Architecture - Full stack overview
```bash
# Verify NAT instance
aws ssm start-session --target $(terraform output -raw nat_instance_id)
cat /proc/sys/net/ipv4/ip_forward   # Should be: 1

# Test K3s cluster
kubectl get nodes
kubectl get pods -A

# Test connectivity from private subnet
aws ssm start-session --target $(terraform output -raw k3s_master_id)
curl -I https://google.com   # Should work via NAT

# Run deployment tests
./scripts/test-deployment.sh
```

If the NAT instance is not working:

```bash
# Check source/dest check (must be false)
aws ec2 describe-instances --instance-ids <nat-id> \
  --query 'Reservations[0].Instances[0].SourceDestCheck'

# Check iptables
aws ssm start-session --target <nat-id>
sudo iptables -t nat -L -n -v
```

If pods are not starting:

```bash
kubectl describe pod <pod-name>
kubectl logs <pod-name>
kubectl get events --sort-by=.metadata.creationTimestamp
```

If the private subnet has no internet access:

```bash
# From private instance
ip route
traceroute 8.8.8.8   # S

# Check NAT instance
aws ssm start-session --target <nat-id>
cat /proc/sys/net/ipv4/ip_forward            # Must be: 1
sudo iptables -t nat -L POSTROUTING -n -v    # Must show MASQUERADE rule
```

See the complete troubleshooting guide.
Terraform:
- Module development
- State management
- Dependency management
- Count and conditionals

AWS networking:
- VPC architecture
- NAT functionality
- Security groups vs NACLs
- VPC endpoints

Kubernetes:
- Cluster setup
- Pod networking
- Service discovery
- Storage management

Linux:
- IP forwarding
- iptables/netfilter
- systemd services
- Shell scripting

DevOps:
- Infrastructure as Code
- Cost optimization
- Security hardening
- Monitoring/observability
- Phase 1: VPC networking with NAT instance
- Phase 2: K3s cluster deployment (2 nodes + Redis)
- Phase 3: Application deployment (API + Worker services) on local cluster
- Phase 4: CI/CD pipeline (GitHub Actions + Kind testing)
- Phase 5: VPC endpoints + Docker proxy (enterprise security)
- Phase 6: Monitoring stack (Prometheus, Grafana, Loki)
- Phase 7: Service mesh (Linkerd)
- Phase 8: Auto-scaling & high availability
Current Status: Infrastructure verified and working. Ready for application deployment!
- K3s - Lightweight Kubernetes by Rancher
- Terraform - Infrastructure as Code by HashiCorp
- AWS - Cloud infrastructure
- Community - Best practices and inspiration
MIT License - Feel free to use this project for learning and portfolio purposes.