Architecture Reference
Cloud Services
| Service | Usage |
|---|---|
| Elastic Kubernetes Service (EKS) | SGP applications are deployed to this cluster |
| Identity and Access Management (IAM) | Role and policy management for SGP applications access to cloud services |
| Secrets Manager | Secret and configuration management for SGP applications |
| Key Management Service (KMS) | Encryption of sensitive data at rest |
| Simple Storage Service (S3) | Object storage for SGP applications (knowledge bases, models, etc.) |
| Simple Queue Service (SQS) | Karpenter spot instance interruption queue |
| OpenSearch | Search provider for SGP applications |
| Elastic Container Registry (ECR) | Container registry for custom agent images |
| Aurora PostgreSQL | Relational databases for SGP applications |
| DocumentDB | Document-oriented database for SGP applications |
| ElastiCache for Redis | In-memory caching for SGP applications |
| CloudWatch | Logging for cloud services |
Networking
SGP is deployed into a VPC spanning three Availability Zones with separate public and private subnets. All application workloads run in private subnets. Outbound internet access is provided by a NAT Gateway.
Ingress
| Property | Default |
|---|---|
| Load balancer type | Application Load Balancer (ALB) |
| Listener port | 443 (TLS) |
| Placement | External (internet-facing) |
| WAFv2 | Optional — associate an existing Web ACL by name |
| VPC Endpoint Service | Optional — enables AWS PrivateLink for private connectivity |
The load balancer can be configured as internal (private subnet only) for deployments that require no direct internet exposure.
Service Mesh
Istio is deployed as a cluster add-on and manages all east-west traffic between SGP services. An internal Istio ingress gateway handles traffic routing within the cluster.
EKS Cluster Default Configuration
Node Groups
| Node Group | Size | Limits | Machine Type | Machine Image | Taints |
|---|---|---|---|---|---|
| System | 1 | — | m6a.2xlarge | EKS Default AMI | CriticalAddonsOnly=true:NoSchedule |
| Default | Karpenter Managed Node Group | 1000 CPU | c*, m* | Karpenter Bottlerocket AMI Family | |
| High Storage | Karpenter Managed Node Group | 100 CPU | c*, m*, r* | Karpenter Bottlerocket AMI Family | |
| GPU | Karpenter Managed Node Group | 385 CPU | g5.* | Karpenter Bottlerocket AMI Family | nvidia.com/gpu:NoSchedule |
| GPU (Large) | Karpenter Managed Node Group | 100 CPU | p4d.* | Karpenter Bottlerocket AMI Family | nvidia.com/gpu:NoSchedule |
Cluster Add-ons
| Add-on | Purpose |
|---|---|
| Karpenter | Workload-driven node autoscaling for Karpenter-managed node groups |
| Cluster Autoscaler | Scaling for the system node group |
| Istio | Service mesh for east-west traffic management |
| cert-manager | TLS certificate provisioning and renewal |
| AWS Load Balancer Controller | Kubernetes-native ALB and NLB provisioning |
| external-dns | Automatic Route 53 DNS record management |
| AWS Node Termination Handler | Graceful pod drain on spot interruption or node termination |
| NVIDIA GPU Operator | GPU driver and device plugin lifecycle management |
| AWS EBS CSI Driver | Persistent volume support for EKS workloads |
Aurora PostgreSQL Default Configuration
| Instance | Service | Instance Count | Engine | Instance Class |
|---|---|---|---|---|
| agents-service-<workspace_id> | Agents | 2 | PostgreSQL16 | db.r6g.xlarge |
| duc-<workspace_id>-duc-api-aurora-db | Document Understanding Capability | 3 | PostgreSQL15 | db.r6g.large |
| reducto-<workspace_id>-aurora-db | Reducto | 3 | PostgreSQL15 | db.r6g.large |
| sae-<workspace_id>-sae-postgres | Semantic Analysis Engine | 1 | PostgreSQL17 | db.r6g.large |
| scale-egp-<workspace_id>-agentex-aurora-db | Agentex | 3 | PostgreSQL15 | db.r6g.large |
| scale-egp-<workspace_id>-egp-api-aurora-db | EGP API | 3 | PostgreSQL15 | db.r6g.large |
| scale-egp-<workspace_id>-identity-service-aurora-db | Identity Service | 3 | PostgreSQL15 | db.r6g.large |
| scale-egp-<workspace_id>-llm-engine-aurora-db | LLM Engine | 2 | PostgreSQL14 | db.r6g.large |
| scale-egp-<workspace_id>-spicedb-postgres | SpiceDB | 3 | PostgreSQL16 | db.r6g.large |
| scale-egp-<workspace_id>-temporal-aurora-db | Temporal | 3 | PostgreSQL15 | db.r6g.large |
| scale-egp-<workspace_id>-train-aurora-db | SGP Train | 3 | PostgreSQL15 | db.t3.medium |
DocumentDB Default Configuration
| Instance | Service | Instance Count | Instance Class |
|---|---|---|---|
| scale-egp-<workspace_id>-compass-docdb | Compass | 1 | db.t3.medium |
| <workspace_id>-agentex-mongo | Agentex | 1 | db.r5.large |
Customer Sensitive Data
Sensitive data may be stored in the following services; all data is encrypted at rest and in transit:
- Aurora PostgreSQL: For storing metadata, persistent data, and service-specific databases (SGP API Backend, Identity Service, LLM Engine, SpiceDB, Agents Service, SGP Train, and Temporal)
- DocumentDB: For storing Agentex agent data/workflows and Compass document processing state
- S3 Buckets: For storing large data objects and datasets
- OpenSearch: For managing text embeddings and vector search capabilities
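A posture check, added here as an example and not part of the SGP deployment tooling, that verifies the at-rest and in-transit claim above against the cluster names in the Aurora PostgreSQL and DocumentDB tables. It takes records in the shape of `describe-db-clusters` output plus flattened cluster parameter values; every record below is a constructed sample, and the `ws1` workspace id and KMS key ARN are placeholders.

```python
# Constructed stand-in for <workspace_id> in the tables above.
WORKSPACE_ID = "ws1"
EXPECTED = {n.replace("<workspace_id>", WORKSPACE_ID) for n in (
    "agents-service-<workspace_id>", "duc-<workspace_id>-duc-api-aurora-db",
    "reducto-<workspace_id>-aurora-db", "sae-<workspace_id>-sae-postgres",
    "scale-egp-<workspace_id>-agentex-aurora-db", "scale-egp-<workspace_id>-egp-api-aurora-db",
    "scale-egp-<workspace_id>-identity-service-aurora-db",
    "scale-egp-<workspace_id>-llm-engine-aurora-db", "scale-egp-<workspace_id>-spicedb-postgres",
    "scale-egp-<workspace_id>-temporal-aurora-db", "scale-egp-<workspace_id>-train-aurora-db",
    "scale-egp-<workspace_id>-compass-docdb", "<workspace_id>-agentex-mongo")}

# Constructed records in the shape of `aws rds/docdb describe-db-clusters` output.
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder ARN
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "agents-service-ws1", "Engine": "aurora-postgresql",
     "StorageEncrypted": True, "KmsKeyId": KEY},
    {"DBClusterIdentifier": "scale-egp-ws1-llm-engine-aurora-db",
     "Engine": "aurora-postgresql", "StorageEncrypted": False},
    {"DBClusterIdentifier": "scale-egp-ws1-compass-docdb", "Engine": "docdb",
     "StorageEncrypted": True, "KmsKeyId": KEY},
]
# Constructed cluster parameter group values, flattened to {name: value}.
SAMPLE_PARAMS = {
    "agents-service-ws1": {"rds.force_ssl": "1"},
    "scale-egp-ws1-llm-engine-aurora-db": {"rds.force_ssl": "1"},
    "scale-egp-ws1-compass-docdb": {"tls": "disabled"},
}
# Parameter that enforces TLS per engine: PostgreSQL uses rds.force_ssl, DocumentDB uses tls.
TLS_PARAM = {"aurora-postgresql": ("rds.force_ssl", "1"), "docdb": ("tls", "enabled")}

def check_cluster(rec: dict, params: dict) -> list:
    """Findings for one cluster; an empty list means the claim holds for it."""
    name, out = rec["DBClusterIdentifier"], []
    if not rec.get("StorageEncrypted"):
        out.append(f"{name}: storage is not encrypted at rest")
    elif not rec.get("KmsKeyId"):
        out.append(f"{name}: encrypted, but no KMS key reported")
    key, want = TLS_PARAM.get(rec.get("Engine"), ("tls", "enabled"))
    if params.get(key) != want:
        out.append(f"{name}: {key}={params.get(key)!r}, TLS not enforced in transit")
    return out

def audit(records, params_by_cluster, expected=EXPECTED) -> dict:
    """Check every record and report clusters from the tables that are absent."""
    findings, seen = [], set()
    for rec in records:
        seen.add(rec["DBClusterIdentifier"])
        findings.extend(check_cluster(rec, params_by_cluster.get(rec["DBClusterIdentifier"], {})))
    return {"findings": findings, "missing": sorted(expected - seen)}
```

Against a live account, feed it the output of `describe-db-clusters` and the flattened cluster parameter groups; any entry in `missing` means a cluster from the default configuration was not found under the expected name.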