
AWS Reference Architecture

Overview of the customer-hosted AWS deployment of the Ramain platform.

Reference architecture for deploying Ramain into a customer's AWS account as a private, single-tenant installation.

AWS-native end to end. All components are AWS managed services or run on AWS compute. No third-party SaaS in the request path. All data, identity, and AI inference stay within the customer's AWS account.

Deployed via Ryvn. Infrastructure provisioning and application deployment are automated by Ryvn, a BYOC platform that deploys into customer AWS accounts.

Scope

Included: All compute, storage, networking, identity, and observability to run Ramain. Browser automation, AI inference, email, cache, and object storage via AWS managed services. Encryption at rest and in transit. Continuous deployment via Ryvn.

Out of scope: AWS account ownership, organization guardrails, cross-account audit/billing (customer-owned). Apex DNS (customer delegates one subdomain). Enterprise SSO (configured jointly during onboarding).

Capacity

The cloud-browser layer (Bedrock AgentCore Browser) and inference layer (Bedrock) are elastic and bill per second of active use. The fixed compute envelope (ECS/Fargate, RDS, and ElastiCache) can scale vertically or horizontally as usage grows without re-architecting.

Topology

Route 53 / delegated customer subdomain
platform.<customer>.com
        |
        v
+------------------------------------------------------------+
| Customer AWS Account                                       |
|                                                            |
|  Edge and static application                               |
|  +------------------------------------------------------+  |
|  | CloudFront CDN                                       |  |
|  | TLS / HTTP/2 / WSS                                   |  |
|  | serves app assets and routes API traffic             |  |
|  +--------------------+---------------------+-----------+  |
|                       |                     |              |
|                       v                     v              |
|  +----------------------+       +----------------------+   |
|  | S3 Static Assets     |       | Public ALB           |   |
|  | Ramain web app       |       | API / WSS origin     |   |
|  +----------------------+       +----------+-----------+   |
|                                            |               |
|  Private subnet: application               |               |
|             +------------------------------+               |
|             | forwards API / WSS traffic                   |
|             v                                              |
|  +----------------------+       +----------------------+   |
|  | API                  |       | Worker               |   |
|  | HTTP API / WSS/auth  |       | background workflows |   |
|  | ECS Fargate          |       | ECS Fargate          |   |
|  +----------+-----------+       +----------+-----------+   |
|             |                              |               |
|             | queues workflow jobs         | consumes jobs |
|             +--------------+---------------+               |
|                            v                               |
|  +------------------------------------------------------+  |
|  | Redis/Valkey Queue                                   |  |
|  | BullMQ jobs / retries / workflow backpressure        |  |
|  | encrypted in transit and token authenticated         |  |
|  +------------------------------------------------------+  |
|                                                            |
|  Private subnet: data                                      |
|  +----------------------+  async replication  +---------+  |
|  | Aurora PostgreSQL    +-------------------->| Aurora  |  |
|  | primary writer       |                     | read    |  |
|  | app state / audit    |                     | replica |  |
|  +----------+-----------+                     +---------+  |
|             ^                                              |
|             | private database connections                 |
|             | from API + Worker                            |
|                                                            |
|  AWS services via PrivateLink                              |
|  Bedrock / AgentCore Browser / SES / S3                    |
|  Secrets Manager / SSM / CloudWatch Logs / Metrics         |
|                                                            |
|  Public subnet                                             |
|  +-- NAT Gateway (controlled outbound-only egress)         |
|                                                            |
|  Identity outside VPC                                      |
|  Cognito / Clerk -> Entra ID / Okta / SAML                 |
+------------------------------------------------------------+

Ryvn CI/CD
OIDC short-lived credentials -> deploys on every git push

CloudFront serves the Ramain web application from S3 and routes /api/* and /ws* traffic to the application load balancer. The load balancer forwards application traffic to the API service running on ECS Fargate.
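As an added example (not configuration from Ryvn or Ramain), a Terraform definition of the CloudFront distribution described above: the default behavior serves the web app from S3, and /api/* and /ws* are forwarded uncached to the ALB over TLS only. The resources aws_s3_bucket.static, aws_cloudfront_origin_access_control.static, aws_lb.public and aws_acm_certificate.platform are assumed to be defined elsewhere; the policy IDs are the AWS managed cache and origin-request policies named in the comments.

```hcl
resource "aws_cloudfront_distribution" "ramain" {
  enabled = true
  aliases = ["platform.example.com"] # placeholder for platform.<customer>.com
  origin { # static web app bucket, readable only through CloudFront via OAC
    origin_id                = "s3-static"
    domain_name              = aws_s3_bucket.static.bucket_regional_domain_name
    origin_access_control_id = aws_cloudfront_origin_access_control.static.id
  }
  origin { # public ALB, the API / WSS origin; CloudFront connects over TLS only
    origin_id   = "alb-api"
    domain_name = aws_lb.public.dns_name
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }
  default_cache_behavior { # anything not matched below is the static web app
    target_origin_id       = "s3-static"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = "658327ea-f89d-4fab-a63d-7e88639e58f6" # Managed-CachingOptimized
  }
  # /api/* and /ws* go to the ALB uncached, with the whole viewer request
  # (headers, cookies, query string) forwarded so auth and WSS upgrades work.
  dynamic "ordered_cache_behavior" {
    for_each = ["/api/*", "/ws*"]
    content {
      path_pattern             = ordered_cache_behavior.value
      target_origin_id         = "alb-api"
      viewer_protocol_policy   = "https-only"
      allowed_methods          = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
      cached_methods           = ["GET", "HEAD"]
      cache_policy_id          = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad" # Managed-CachingDisabled
      origin_request_policy_id = "216adef6-5c7f-47e4-b989-5492eafa07d3" # Managed-AllViewer
    }
  }
  viewer_certificate { # certificate for the delegated subdomain; must be issued in us-east-1
    acm_certificate_arn      = aws_acm_certificate.platform.arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
  restrictions { geo_restriction { restriction_type = "none" } }
}
```

Pair this with an ingress rule on the ALB's security group that admits port 443 only from the com.amazonaws.global.cloudfront.origin-facing managed prefix list, so that the load balancer's own hostname cannot be used to reach the API while skipping CloudFront.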

The API and Worker both connect privately to Aurora PostgreSQL and Redis/Valkey. The API enqueues workflow jobs in Redis, and the Worker consumes those jobs for background execution. Aurora read replicas can be enabled for read-heavy reporting, audit views, and operational queries without adding load to the primary writer.
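Also an added example, not configuration from Ryvn or Ramain: a Terraform definition of the Redis/Valkey queue shown in the topology, with transit encryption, an AUTH token, and a security group that admits only the API and Worker tasks. aws_elasticache_subnet_group.data, aws_security_group.api, aws_security_group.worker, var.vpc_id and var.queue_auth_token are assumed to exist.

```hcl
resource "aws_elasticache_replication_group" "queue" {
  replication_group_id       = "ramain-queue"
  description                = "BullMQ job queue shared by the Ramain API and Worker"
  engine                     = "valkey"
  engine_version             = "7.2"
  node_type                  = "cache.t4g.medium"
  num_cache_clusters         = 2 # primary plus one replica, with automatic failover
  automatic_failover_enabled = true
  multi_az_enabled           = true
  port                       = 6379
  subnet_group_name          = aws_elasticache_subnet_group.data.name # data-subnet group, assumed
  security_group_ids         = [aws_security_group.queue.id]
  # Encrypt in transit and require AUTH: clients must connect with rediss:// and
  # present the token, which the tasks read from Secrets Manager at start-up.
  transit_encryption_enabled = true
  at_rest_encryption_enabled = true
  auth_token                 = var.queue_auth_token # sensitive variable, assumed
  auth_token_update_strategy = "ROTATE"
}

resource "aws_security_group" "queue" {
  name        = "ramain-queue"
  description = "ElastiCache queue: ingress only from the application tasks"
  vpc_id      = var.vpc_id # assumed
}

# Only the API and Worker task security groups may open port 6379; nothing
# else in the VPC, and nothing outside it, can reach the queue.
resource "aws_security_group_rule" "queue_from_app" {
  for_each                 = { api = aws_security_group.api.id, worker = aws_security_group.worker.id }
  type                     = "ingress"
  security_group_id        = aws_security_group.queue.id
  from_port                = 6379
  to_port                  = 6379
  protocol                 = "tcp"
  source_security_group_id = each.value
}
```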

  • Components — every AWS service used in the deployment, with the role it plays and its configured spec.
  • Data flow — how a workflow run moves through the system end to end.
  • Security posture — encryption, network isolation, IAM, auditability.
  • Compliance — SOC 2, ISO 27001, HIPAA, GDPR.
