Planned Architecture

Climacs AWS Production

Minimal, non-scalable single-developer deployment · ECS Fargate · RDS PostgreSQL · CloudFront + S3

Status: PLANNING · 6-AI Consensus · Pricing: us-east-1 · Updated 2026-03-02
~$54 Starter/mo · ~$89 Standard/mo · 6/6 AI Consensus · 5w Timeline · Free ECR + CloudFront

🔄 Production Deploy Pipeline

Developer (git push) → GitHub Actions (OIDC auth, free) → CI Pipeline (lint · test · scan) → ECR (docker push, free) → ECS Fargate (0.25 vCPU + 0.5 GB) → CloudFront (free tier)

💰 Itemized Cost Breakdown

Monthly Cost — us-east-1 (Minimum Viable Setup)

All prices on-demand · No reserved instances · Single-dev single-AZ · Last verified 2026-03-02
Service Config / SKU $/mo
⚡ Compute
ECS Fargate — BFF task
0.25 vCPU · 0.5 GB RAM · ARM64 Graviton
$0.01238/vCPU-hr + $0.00136/GB-hr · 730 hrs · ARM is 20% cheaper than x86
min task size $9.34
ECS Fargate — Frontend task (optional)
Alternative: skip this — use S3+CloudFront
Nginx in Fargate adds cost. S3+CloudFront is free & faster.
SKIP $0.00
🌐 Frontend / CDN
S3 — Static hosting
Standard · React/Vite build output
5GB storage · 10K GET/mo · Data to CloudFront: free (same region)
$0.023/GB $0.12
CloudFront
Always-free tier: 1TB/mo transfer + 10M requests
Low-traffic app stays within free tier indefinitely
always free $0.00
ACM TLS Certificate
Managed certificate attached to CloudFront / ALB
Always free when used with AWS services
free $0.00
🔀 Networking
ALB — Application Load Balancer
$0.0225/hr + $0.008/LCU-hr
Main cost. Single ALB routes to Fargate. Cannot be skipped if using Fargate.
required $22.27
VPC — NAT Gateway
$0.045/hr + $0.045/GB processed · private subnet
⚠️ Big hidden cost. Use public subnet + security groups to avoid for dev.
skip for dev $0.00 *
Data Transfer Out
First 100GB/mo globally free · $0.09/GB after
Low-traffic app stays under 100GB free threshold
free tier $0.00
🗃️ Database
RDS PostgreSQL — db.t3.micro
2 vCPU · 1 GB RAM · Single-AZ · us-east-1
$0.018/hr × 730 hrs. Cheapest persistent RDS option. Multi-AZ = 2× cost.
not scalable $13.14
RDS Storage
gp2 · 20GB starting
$0.115/GB-mo · 20GB = $2.30/mo. I/O included in gp2.
20GB $2.30
RDS Snapshot / Backups
Free up to 100% of provisioned storage
20GB database = 20GB free backups included
included $0.00
📦 Container Registry + Secrets
ECR — Elastic Container Registry
Private repos · 50GB always-free for public
Data transfer to Fargate in same region: free. Storage: $0.10/GB-mo after 500MB trial.
free tier $0.00
Secrets Manager
DB password, API keys, JWT secret
$0.40/secret/mo · 3 secrets minimum (DB, API, JWT)
3 secrets $1.20
📊 Observability + IaC State
S3 — Terraform state bucket
Tiny file (<1MB). Nearly free.
~free <$0.01
DynamoDB — Terraform lock table
On-demand · 1 write/read per deploy
25GB always-free. Terraform lock table uses negligible capacity.
always free $0.00
CloudWatch Logs + Metrics
First 5GB/mo free. Basic metrics free.
Low-traffic app fits in free tier. Custom dashboards: $3/dashboard/mo if added.
free tier $0.00
WAF v2 (optional for dev)
$5/mo/WebACL + $1/M requests
Skip for dev/staging. Add for production. Not included in starter.
prod only +$6.00
📈 Totals
🟢 STARTER (dev/staging · no WAF · no NAT GW)
Fargate + ALB + RDS t3.micro + S3 + Secrets. Gets the basics running.
~$48/mo
🟡 STANDARD (+ WAF + Route 53)
Adds WAF WebACL ($6) + Route 53 hosted zone ($0.50) + DNS queries (~$0.75)
~$55/mo
🔴 PRODUCTION (+ NAT Gateway + Multi-AZ RDS)
NAT GW adds ~$33/mo. Multi-AZ RDS doubles DB cost (+$15). For real production.
~$103/mo

💡 Cost Reduction Tips

Skip NAT Gateway → use public subnet + SGs in dev · saves $33/mo
Use ARM64/Graviton Fargate tasks (20% cheaper than x86) · saves ~$2/mo
CloudFront free tier covers all low-traffic CDN · saves $0-5/mo
ECR free tier — 500MB private repo (sufficient for BFF image) · saves ~$1/mo
Scale to 0 Fargate tasks at night (stop dev tasks) · saves ~$5/mo
Reserved RDS 1yr (upfront) after 3 months validation · saves ~$5/mo

🏗️ AWS Architecture Components

Frontend Tier

Static hosting · CDN
S3 Bucket
React build output, 5GB
$0.12/mo
CloudFront
CDN + OAC + TLS
FREE
ACM Certificate
TLS termination
FREE
Route 53
Hosted zone $0.50 + queries
$1.25/mo

Compute Tier

Serverless containers
ECS Fargate (ARM)
0.25vCPU · 0.5GB · 730hr
$9.34/mo
ALB
$0.0225/hr + LCU
$22.27/mo
ECR
Private registry
FREE*
Secrets Manager
3 secrets
$1.20/mo

Data Tier

Managed PostgreSQL
RDS db.t3.micro
Single-AZ · us-east-1
$13.14/mo
RDS Storage
20GB gp2
$2.30/mo
Backups
Up to 20GB free
FREE
DynamoDB (TF lock)
Negligible use
FREE

📅 5-Week Rollout + Non-Negotiables

Phased Rollout

Ordered by dependency
Week 1 — Foundations
6/6 S3 + DynamoDB (Terraform state)
6/6 VPC + subnets
6/6 ECR repos + GitHub OIDC
6/6 Secrets Manager setup
Week 2 — Database + Compute
6/6 RDS db.t3.micro PostgreSQL
6/6 ECS Fargate cluster + task def
6/6 ALB + target groups
5/6 Migrate homelab PG data
Week 3 — Frontend + Security
6/6 S3 static frontend + CloudFront
5/6 ACM TLS certificate
4/6 IAM Access Analyzer
Week 4 — CI/CD
5/6 GitHub Actions CI pipeline
5/6 Staging + prod deploy pipelines
6/6 CloudWatch dashboards + alarms
Week 5 — Production Launch
5/6 Production deploy (approval gate)
4/6 Route 53 DNS cutover
5/6 Smoke tests + runbook

Non-Negotiables

Mandatory across all 6 AI recs
No plaintext secrets in repo, env vars, or images
No latest-only deployment strategy — use SHA or semver tags
No production deploy without scan gates (Trivy / ECR scan)
No single-machine dependency in the deploy chain
No wildcard IAM permissions (* actions or * resources)
Remote Terraform state with DynamoDB locking
Multi-AZ for database (production tier only)
WAF on all public-facing endpoints (production tier)
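
Three of the rules above (no wildcard IAM, no latest-only tags, no plaintext secrets in env vars) can be enforced as a CI gate over the IAM policy JSON and the ECS task definition JSON. The following is an added example, not part of the original plan; the function names, the secret-name heuristic and the sample documents are assumptions constructed for illustration.

```python
import re

# Heuristics (assumptions): secret-looking env names; tags must be semver or a git SHA.
SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|KEY", re.I)
PINNED_TAG = re.compile(r"^(v?\d+\.\d+\.\d+([-+][\w.]+)?|[0-9a-f]{7,40})$")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def check_iam_policy(policy):
    """Flag Allow statements with '*' or 'service:*' actions, or '*' resources."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        for a in _as_list(st.get("Action", [])):
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {a!r}")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"statement {i}: wildcard resource")
    return findings

def check_task_definition(task_def):
    """Flag unpinned images and secret-looking plaintext environment entries."""
    findings = []
    for c in task_def.get("containerDefinitions", []):
        name, image = c.get("name", "?"), c.get("image", "")
        if "@sha256:" not in image:  # digest-pinned images always pass
            # Tag is whatever follows ':' in the last path segment (skips host:port).
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            if not PINNED_TAG.match(tag):
                findings.append(f"{name}: image tag {tag or '<none>'!r} is not SHA/semver")
        for env in c.get("environment", []):
            if SECRET_NAME.search(env.get("name", "")):
                findings.append(f"{name}: {env['name']} is a plaintext env var")
    return findings

# Constructed sample inputs; the account ID, ARNs and names are placeholders.
REPO = "111122223333.dkr.ecr.us-east-1.amazonaws.com/bff"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::example-tfstate/*"}]}
SAMPLE_TASK = {"containerDefinitions": [
    {"name": "bff-bad", "image": REPO + ":latest",
     "environment": [{"name": "JWT_SECRET", "value": "placeholder"}]},
    {"name": "bff-good", "image": REPO + ":3f9c2ab",
     "secrets": [{"name": "DB_PASSWORD", "valueFrom": "arn:aws:secretsmanager:example"}]}]}

if __name__ == "__main__":
    for line in check_iam_policy(SAMPLE_POLICY) + check_task_definition(SAMPLE_TASK):
        print("FAIL", line)
```

A pipeline step would fail the build when either function returns a non-empty list; entries under the task definition's `secrets` key (resolved from Secrets Manager at task start) are deliberately not flagged.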

Cost Tiers Summary

🟢 Starter — dev/staging
No WAF, no NAT GW, single-AZ RDS
~$48/mo
🟡 Standard — + WAF + Route 53
Add WAF WebACL + DNS
~$55/mo
🔴 Production — + NAT GW + Multi-AZ
Full HA setup
~$103/mo