SHEET FIG.5 — /en/work/web-app-from-scratch
CASE STUDY § 01-5
Consumer web app designed from scratch
Tech Lead
ROLE
consumer web app
TARGET
architecture · SSO · CI/CD
SCOPE
Challenge
For a new consumer web app, the initial architecture decides its later scalability, availability, and security. Rebuilding the foundation afterward is expensive.
In this engagement, the app’s runtime, delivery, authentication, and deployment path all had to be designed from a state with no foundation in place.
Design decisions
- On AWS, ran the application on ECS, public access through API Gateway, delivery through CloudFront, and perimeter defense with WAF, splitting the structure into layers by role
- Separated the network with a VPC and designed the public surface explicitly
- Adopted SSO via OpenID Connect for authentication
- Standardized the deployment path with CI/CD
Hover, focus, or tap a node to see the design rationale for each element.
- CloudFront + WAF — delivery and perimeter defense. CloudFront serves the public edge, WAF handles defense.
- API Gateway — the entry point for public access. Connects to the app inside the VPC.
- ECS — application runtime. Placed inside the VPC.
- OIDC SSO — authentication via OpenID Connect.
Approach
- Designed runtime, delivery, authentication, and deployment as independent layers, and pulled the whole structure together as tech lead