End-to-End Request Flow
This table documents the complete request path from an internet client to a LogScale pod, including every security boundary and routing layer along the way:
| Step | Component | Protocol/Port | Security Control | Description |
|---|---|---|---|---|
| 1 | DNS Query | UDP 53 | Route53 | Client queries the global FQDN; the Route53 failover policy returns the healthy ALB (as determined by health checks) |
| 2 | DNS Response | UDP 53 | Failover Policy | Route53 returns CNAME to active cluster ALB (primary or secondary) |
| 3 | HTTPS Request | TCP 443 | Security Group | Client connects to ALB public IP; Security Group allows 443 from 0.0.0.0/0 |
| 4 | ALB → Target Group | TCP 30443 | Security Group | ALB forwards request to nginx-ingress controller NodePort (internal; restricted by SG) |
| 5 | Ingress Routing | HTTP 8080 | Ingress Rules | nginx-ingress terminates TLS using cert-manager certificate; routes by Host header to LogScale service |
| 6 | Service → Pod | TCP 8080 | NetworkPolicy | kube-proxy load-balances to LogScale pods within logging namespace |
| 7 | Pod → Storage | HTTPS 443 | IAM/IRSA | LogScale pod reads/writes S3 segments using IRSA role; encrypted with KMS key |
| 8 | Response Path | TCP 443 | Stateful | Response follows reverse path through ALB back to client |
Key security controls per layer:

- Layer 1-2: Route53 health checks and failover policies
- Layer 3-4: ALB Security Groups restrict external access
- Layer 5: Ingress controller TLS termination and routing rules
- Layer 6: Kubernetes NetworkPolicy and service discovery
- Layer 7-8: IAM roles (IRSA) and KMS encryption for S3 access
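As an added example (not part of the original document), the following NetworkPolicy enforces the layer 6 control from the table: LogScale pods accept traffic only from the nginx-ingress controller on port 8080 and from their peer pods, and may only reach cluster DNS, their peers, and HTTPS endpoints such as S3. The namespace names and pod labels are assumptions and must be adjusted to match the actual deployment.

```yaml
# Added example (not from the page): default-deny NetworkPolicy for the
# Service -> Pod step (layer 6). Assumed labels: namespace "logging", pods
# app.kubernetes.io/name=logscale, controller namespace "ingress-nginx".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: logscale-restrict
  namespace: logging
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: logscale
  policyTypes: [Ingress, Egress]
  ingress:
    # Only the nginx-ingress controller (step 5) may reach port 8080.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
    # Intra-cluster traffic between LogScale pods stays allowed (all ports).
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: logscale
  egress:
    # Name resolution via kube-dns (assumed label k8s-app=kube-dns).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
    # Peer LogScale pods (cluster-internal replication and coordination).
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: logscale
    # HTTPS to S3 (step 7). Replace the placeholder CIDR with the S3 prefix
    # list or VPC endpoint range for your region to limit egress further.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 443
```

The policy only takes effect if the cluster's CNI enforces NetworkPolicy (for example the Amazon VPC CNI with network policy enabled, or Calico); verify enforcement by attempting a connection to port 8080 from a pod outside the ingress-nginx namespace and confirming it is refused.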