[AWS] Story 4: Networking (ALB + ACM)

## Summary

Implement the networking layer: Application Load Balancer with TLS termination, path-based routing, and optional DNS configuration.

**Epic**: #174  
**Architecture**: [`docs/architecture/planned/aws-ecs-cdk.md`](https://github.com/sofatutor/llm-proxy/blob/main/docs/architecture/planned/aws-ecs-cdk.md)

---

## Tasks

### Application Load Balancer
- [ ] Create internet-facing ALB in public subnets
- [ ] Configure ALB security group (443 from internet)
- [ ] Enable access logging to S3 (optional)
- [ ] Configure idle timeout (60s default)

### TLS / ACM
- [ ] Support importing existing ACM certificate via ARN
- [ ] OR create new certificate with DNS validation
- [ ] Configure HTTPS listener (443)
- [ ] Redirect HTTP (80) to HTTPS

### Target Groups & Routing
- [ ] Create target group for Proxy API (port 8080)
- [ ] Create target group for Admin UI (port 8081)
- [ ] Configure path-based routing:
  - `/v1/*` → Proxy API
  - `/manage/*` → Proxy API
  - `/health`, `/ready`, `/live` → Proxy API
  - `/admin/*` → Admin UI
- [ ] Configure health check paths

### DNS (Optional)
- [ ] Support Route 53 hosted zone lookup
- [ ] Create A record alias to ALB
- [ ] Support custom domain via props

### Security
- [ ] Review and tighten security groups
- [ ] ECS tasks only accessible from ALB
- [ ] Database/Redis only accessible from ECS
- [ ] Document security group rules

---

## Configuration Props

```typescript
domainName?: string;              // e.g., 'llm-proxy.example.com'
existingCertificateArn?: string;  // Import existing ACM cert
hostedZoneId?: string;            // Route 53 hosted zone
enableAccessLogs?: boolean;       // default: false
```

---

## Path Routing Rules

| Path Pattern | Target | Port |
|--------------|--------|------|
| `/v1/*` | Proxy | 8080 |
| `/manage/*` | Proxy | 8080 |
| `/health` | Proxy | 8080 |
| `/ready` | Proxy | 8080 |
| `/live` | Proxy | 8080 |
| `/admin/*` | Admin | 8081 |

---

## Acceptance Criteria

- [ ] ALB accessible via HTTPS
- [ ] TLS termination with valid certificate
- [ ] Path-based routing works correctly
- [ ] Health checks pass through ALB
- [ ] HTTP redirects to HTTPS
- [ ] Security groups properly restrict access

---

## Dependencies

- Story 1: CDK Foundation (VPC)
- Story 3: Compute Layer (ECS services to route to)

---

## Estimated Effort

**Medium** - 2-3 days

---

## Notes

- ALB base cost ~$18/month + $0.008/LCU-hour
- Consider WAF integration for production (future enhancement)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[AWS] Story 4: Networking (ALB + ACM) #179

Summary

Tasks

Application Load Balancer

TLS / ACM

Target Groups & Routing

DNS (Optional)

Security

Configuration Props

Path Routing Rules

Acceptance Criteria

Dependencies

Estimated Effort

Notes

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Path Pattern	Target	Port
`/v1/*`	Proxy	8080
`/manage/*`	Proxy	8080
`/health`	Proxy	8080
`/ready`	Proxy	8080
`/live`	Proxy	8080
`/admin/*`	Admin	8081

[AWS] Story 4: Networking (ALB + ACM) #179

Description

Summary

Tasks

Application Load Balancer

TLS / ACM

Target Groups & Routing

DNS (Optional)

Security

Configuration Props

Path Routing Rules

Acceptance Criteria

Dependencies

Estimated Effort

Notes

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions