# AWS Architecture Reference

> Overview of the SGP AWS architecture

## Architecture Reference

<img src="https://mintcdn.com/scalegp/zYvSiPc36dH92j52/images/infrastructure/sgp-aws-architecture.png?fit=max&auto=format&n=zYvSiPc36dH92j52&q=85&s=d8127094a421a4a0e6e567c29a09ae68" width="1404" height="659" data-path="images/infrastructure/sgp-aws-architecture.png" />

## Cloud Services

| Service                              | Usage                                                                    |
| ------------------------------------ | ------------------------------------------------------------------------ |
| Elastic Kubernetes Service (EKS)     | SGP applications are deployed to this cluster                            |
| Identity and Access Management (IAM) | Role and policy management for SGP applications access to cloud services |
| Secrets Manager                      | Secret and configuration management for SGP applications                 |
| Key Management Service (KMS)         | Encryption of sensitive data at rest                                     |
| Simple Storage Service (S3)          | Object storage for SGP applications (knowledge bases, models, etc.)      |
| Simple Queue Service (SQS)           | Karpenter spot instance interruption queue                               |
| OpenSearch                           | Search provider for SGP applications                                     |
| Elastic Container Registry (ECR)     | Container registry for custom agent images                               |
| Aurora PostgreSQL                    | Relational databases for SGP applications                                |
| DocumentDB                           | Document-oriented database for SGP applications                          |
| ElastiCache for Redis                | In-memory caching for SGP applications                                   |
| CloudWatch                           | Logging for cloud services                                               |

## Networking

SGP is deployed into a VPC spanning three Availability Zones with separate public and private subnets. All application workloads run in private subnets. Outbound internet access is provided by a NAT Gateway.

### Ingress

| Property             | Default                                                     |
| -------------------- | ----------------------------------------------------------- |
| Load balancer type   | Application Load Balancer (ALB)                             |
| Listener port        | 443 (TLS)                                                   |
| Placement            | External (internet-facing)                                  |
| WAFv2                | Optional — associate an existing Web ACL by name            |
| VPC Endpoint Service | Optional — enables AWS PrivateLink for private connectivity |

<Note>
  The load balancer can be configured as internal (private subnet only) for deployments that require no direct internet exposure.
</Note>

### Service Mesh

Istio is deployed as a cluster add-on and manages all east-west traffic between SGP services. An internal Istio ingress gateway handles traffic routing within the cluster.

## EKS Cluster Default Configuration

### Node Groups

| Node Group   | Size                         | Limits   | Machine Type  | Machine Image                     | Taints                             |
| ------------ | ---------------------------- | -------- | ------------- | --------------------------------- | ---------------------------------- |
| System       | 1                            | —        | m6a.2xlarge   | EKS Default AMI                   | CriticalAddonsOnly=true:NoSchedule |
| Default      | Karpenter Managed Node Group | 1000 CPU | c\*, m\*      | Karpenter Bottlerocket AMI Family |                                    |
| High Storage | Karpenter Managed Node Group | 100 CPU  | c\*, m\*, r\* | Karpenter Bottlerocket AMI Family |                                    |
| GPU          | Karpenter Managed Node Group | 385 CPU  | g5.\*         | Karpenter Bottlerocket AMI Family | nvidia.com/gpu:NoSchedule          |
| GPU (Large)  | Karpenter Managed Node Group | 100 CPU  | p4d.\*        | Karpenter Bottlerocket AMI Family | nvidia.com/gpu:NoSchedule          |

### Cluster Add-ons

| Add-on                       | Purpose                                                            |
| ---------------------------- | ------------------------------------------------------------------ |
| Karpenter                    | Workload-driven node autoscaling for Karpenter-managed node groups |
| Cluster Autoscaler           | Scaling for the system node group                                  |
| Istio                        | Service mesh for east-west traffic management                      |
| cert-manager                 | TLS certificate provisioning and renewal                           |
| AWS Load Balancer Controller | Kubernetes-native ALB and NLB provisioning                         |
| external-dns                 | Automatic Route 53 DNS record management                           |
| AWS Node Termination Handler | Graceful pod drain on spot interruption or node termination        |
| NVIDIA GPU Operator          | GPU driver and device plugin lifecycle management                  |
| AWS EBS CSI Driver           | Persistent volume support for EKS workloads                        |

## Aurora PostgreSQL Default Configuration

| Instance                                              | Service                           | Instance Count | Engine       | Instance Class |
| ----------------------------------------------------- | --------------------------------- | -------------- | ------------ | -------------- |
| agents-service-\<workspace\_id>                       | Agents                            | 2              | PostgreSQL16 | db.r6g.xlarge  |
| duc-\<workspace\_id>-duc-api-aurora-db                | Document Understanding Capability | 3              | PostgreSQL15 | db.r6g.large   |
| reducto-\<workspace\_id>-aurora-db                    | Reducto                           | 3              | PostgreSQL15 | db.r6g.large   |
| sae-\<workspace\_id>-sae-postgres                     | Semantic Analysis Engine          | 1              | PostgreSQL17 | db.r6g.large   |
| scale-egp-\<workspace\_id>-agentex-aurora-db          | Agentex                           | 3              | PostgreSQL15 | db.r6g.large   |
| scale-egp-\<workspace\_id>-egp-api-aurora-db          | EGP API                           | 3              | PostgreSQL15 | db.r6g.large   |
| scale-egp-\<workspace\_id>-identity-service-aurora-db | Identity Service                  | 3              | PostgreSQL15 | db.r6g.large   |
| scale-egp-\<workspace\_id>-llm-engine-aurora-db       | LLM Engine                        | 2              | PostgreSQL14 | db.r6g.large   |
| scale-egp-\<workspace\_id>-spicedb-postgres           | SpiceDB                           | 3              | PostgreSQL16 | db.r6g.large   |
| scale-egp-\<workspace\_id>-temporal-aurora-db         | Temporal                          | 3              | PostgreSQL15 | db.r6g.large   |
| scale-egp-\<workspace\_id>-train-aurora-db            | SGP Train                         | 3              | PostgreSQL15 | db.t3.medium   |

## DocumentDB Default Configuration

| Instance                                 | Service | Instance Count | Instance Class |
| ---------------------------------------- | ------- | -------------- | -------------- |
| scale-egp-\<workspace\_id>-compass-docdb | Compass | 1              | db.t3.medium   |
| \<workspace\_id>-agentex-mongo           | Agentex | 1              | db.r5.large    |

## Customer Sensitive Data

Sensitive data may be stored in the following services; all data is encrypted at rest and in transit:

* Aurora PostgreSQL: For storing metadata, persistent data, and service-specific databases (SGP API Backend, Identity Service, LLM Engine, SpiceDB, Agents Service, SGP Train, and Temporal)
* DocumentDB: For storing Agentex agent data/workflows and Workflows document processing state
* S3 Buckets: For storing large data objects and datasets
* OpenSearch: For managing text embeddings and vector search capabilities
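As an added example (not Scale's or SGP's own code) of checking the encryption-at-rest statement above against a live account: the function below consumes the `DBClusters` list returned by the RDS or DocumentDB `DescribeDBClusters` API and reports any database from the default configuration tables that is missing or not encrypted. The workspace id, the KMS key ARN and the sample response are constructed placeholders, and the expected-identifier list is a subset of the tables above.

```python
# Added example, not part of SGP: audit DescribeDBClusters output for the
# documented Aurora/DocumentDB databases and confirm encryption at rest.
WORKSPACE_ID = "ws-example"  # placeholder; substitute the real workspace id

# Identifiers from the Aurora PostgreSQL and DocumentDB default configuration
# tables, with <workspace_id> filled in (subset shown; extend as needed).
EXPECTED_CLUSTERS = [
    f"agents-service-{WORKSPACE_ID}",
    f"scale-egp-{WORKSPACE_ID}-egp-api-aurora-db",
    f"scale-egp-{WORKSPACE_ID}-identity-service-aurora-db",
    f"scale-egp-{WORKSPACE_ID}-spicedb-postgres",
    f"scale-egp-{WORKSPACE_ID}-compass-docdb",
    f"{WORKSPACE_ID}-agentex-mongo",
]


def audit_encryption(clusters, expected=EXPECTED_CLUSTERS):
    """Return findings keyed by cluster identifier.

    `clusters` is the `DBClusters` list from rds/docdb DescribeDBClusters
    (fields used: DBClusterIdentifier, StorageEncrypted, KmsKeyId).
      "missing"     - documented database not present in the account
      "unencrypted" - StorageEncrypted is False
      "no-kms-key"  - encrypted flag set but no KMS key reported
    An empty dict means every expected cluster is present and encrypted.
    """
    by_id = {c["DBClusterIdentifier"]: c for c in clusters}
    findings = {}
    for ident in expected:
        cluster = by_id.get(ident)
        if cluster is None:
            findings[ident] = "missing"
        elif not cluster.get("StorageEncrypted", False):
            findings[ident] = "unencrypted"
        elif not cluster.get("KmsKeyId"):
            findings[ident] = "no-kms-key"
    return findings


# Constructed sample response (not from a real account): three compliant
# clusters, one unencrypted, one without a key, one documented database absent.
KEY = "arn:aws:kms:us-east-1:000000000000:key/PLACEHOLDER"
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": EXPECTED_CLUSTERS[0], "StorageEncrypted": True, "KmsKeyId": KEY},
    {"DBClusterIdentifier": EXPECTED_CLUSTERS[1], "StorageEncrypted": True, "KmsKeyId": KEY},
    {"DBClusterIdentifier": EXPECTED_CLUSTERS[2], "StorageEncrypted": False},
    {"DBClusterIdentifier": EXPECTED_CLUSTERS[3], "StorageEncrypted": True},
    {"DBClusterIdentifier": EXPECTED_CLUSTERS[4], "StorageEncrypted": True, "KmsKeyId": KEY},
]

if __name__ == "__main__":
    for ident, issue in audit_encryption(SAMPLE_CLUSTERS).items():
        print(f"{issue}: {ident}")
```

In a real run, replace `SAMPLE_CLUSTERS` with the `DBClusters` value from `boto3.client("rds").describe_db_clusters()` and the DocumentDB equivalent; TLS-in-transit settings live in the cluster parameter groups and are not covered by this check.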
