A live demonstration of how DigitalOcean App Platform can seamlessly integrate with AWS services while keeping your core infrastructure cost-effective on DigitalOcean.
Visit: https://poc-app-platform-aws.digitalocean.solutions
The dashboard shows real-time status of integrated services with automatic updates every 30 seconds.
When you visit the demo URL, you'll see a status dashboard with four services:
| Service | What It Shows | Why It Matters |
|---|---|---|
| PostgreSQL | Database connectivity, read/write operations | Core data storage on DigitalOcean managed databases |
| Valkey | Redis-compatible caching, real-time data | Fast caching layer for application performance |
| AWS IAM Roles Anywhere | Certificate-based authentication | Secure access to AWS without storing API keys |
| AWS Secrets Manager | Secret retrieval, encrypted storage | Secure credential management in AWS |
Each row displays:
- Service: The integrated component
- Status: Green = working, Red = issues
- Endpoint/FQDN: The actual connection details being used
- Last Updated: Timestamp showing real-time updates made by the background worker every 60 seconds:
  - Timestamp of the last time a record was updated in the Postgres DB
  - Timestamp of the last time a key's value was updated in the Valkey DB
  - Timestamp of the last time the IAM role was assumed (this happens on every page load and is not refreshed by the worker)
  - Timestamp of the last time a secret value was updated in AWS Secrets Manager
- No AWS API keys stored anywhere in the application
- Uses X.509 certificates through AWS IAM Roles Anywhere
- Demonstrates enterprise-grade security practices
- Core infrastructure (databases, app hosting) runs on DigitalOcean
- Selective use of AWS services where they add unique value
- CloudFront provides global CDN without moving your entire stack
- Background worker continuously tests all integrations
- Dashboard updates show live health of hybrid infrastructure
- Proves the integration works continuously, not just at deployment
The solution implements a hybrid cloud architecture that leverages the strengths of both platforms:
Data Flow:
- User → CloudFront (AWS) → Spaces (DO) for static assets
- User → CloudFront (AWS) → App Platform (DO) for API requests
- App Platform (DO) → PostgreSQL/Valkey (DO) for database operations
- App Platform (DO) → IAM Roles Anywhere (AWS) → Secrets Manager (AWS)
- Worker Service (DO) → Updates all services every 60 seconds
- DigitalOcean: Simple, predictable pricing for core infrastructure
- AWS: Specific services where they excel (CloudFront, IAM, Secrets Manager)
- Certificate-based authentication to AWS (no API keys to manage)
- Secrets stored securely in AWS Secrets Manager
- DDoS protection and rate limiting via AWS WAF
- Single deployment pipeline manages both platforms
- Terraform Infrastructure as Code for reproducibility
- Real-time monitoring of cross-cloud integrations
- Avoid expensive AWS RDS by using DigitalOcean managed databases
- Leverage AWS global CDN without hosting compute there
- Use AWS IAM for security without EC2 costs
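
The certificate-based path (App Platform → IAM Roles Anywhere → Secrets Manager) can be expressed in Terraform roughly as follows. This is an added sketch, not the repository's own Terraform: the resource names, the `ca.pem` path and the secret name are assumptions, and the policy is scoped to reading a single secret.

```hcl
# Added example; names, ca.pem and the secret name are placeholders.
resource "aws_rolesanywhere_trust_anchor" "app" {
  name    = "app-platform-ca"
  enabled = true
  source {
    source_type = "CERTIFICATE_BUNDLE"
    source_data {
      # CA certificate that signs the application's X.509 client certificate
      x509_certificate_data = file("${path.module}/ca.pem")
    }
  }
}

data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"]
    principals {
      type        = "Service"
      identifiers = ["rolesanywhere.amazonaws.com"]
    }
    # Only sessions created through this trust anchor may assume the role.
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_rolesanywhere_trust_anchor.app.arn]
    }
  }
}

resource "aws_iam_role" "app" {
  name               = "app-platform-secrets-reader"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

resource "aws_secretsmanager_secret" "demo" {
  name = "example/demo-secret" # placeholder secret name
}

resource "aws_iam_role_policy" "read_secret" {
  name = "read-one-secret"
  role = aws_iam_role.app.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "secretsmanager:GetSecretValue", Resource = aws_secretsmanager_secret.demo.arn }]
  })
}

resource "aws_rolesanywhere_profile" "app" {
  name      = "app-platform"
  enabled   = true
  role_arns = [aws_iam_role.app.arn]
}
```

The private key for the client certificate still has to be protected on the App Platform side; what this pattern removes is the long-lived AWS access key, since the role session credentials are short-lived.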
One of the key benefits of this hybrid architecture is enterprise-grade security through AWS WAF. The demo includes live DDoS protection that you can test yourself.
The demo is protected by AWS WAF with a 100 requests per 5-minute rate limit. You can trigger this protection to see it in action:
```bash
# Clone this repository
git clone <repository-url>
cd poc-app-platform-aws

# Run the WAF test script
./test-waf.sh
```

What you'll see:
- ✅ First ~100 requests succeed (HTTP 200)
- 🚫 Additional requests get blocked (HTTP 403)
- 📊 Clear summary showing when blocking started
This demonstrates real protection against:
- DDoS attacks - Automatic blocking of excessive requests
- API abuse - Rate limiting prevents service overload
- Resource exhaustion - Protects your App Platform from being overwhelmed
- No additional infrastructure - WAF runs in AWS edge locations globally
- Automatic protection - No manual intervention needed during attacks
- Cost effective - Only pay for requests processed, not idle capacity
- Scales infinitely - AWS handles traffic spikes you never could on your own
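
A rate-based rule matching the limit described above (100 requests per 5 minutes) looks like this in Terraform. This is an added sketch, not the repository's own configuration: the names are assumptions, and so is counting requests per client IP, since the page does not state the aggregation key.

```hcl
# Added example; names are placeholders.
# CLOUDFRONT-scoped web ACLs must be created through a us-east-1 provider.
resource "aws_wafv2_web_acl" "edge" {
  name  = "demo-edge-acl"
  scope = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "rate-limit-per-ip"
    priority = 1

    action {
      block {} # blocked requests receive HTTP 403 by default
    }

    statement {
      rate_based_statement {
        limit              = 100  # requests per evaluation window (5 minutes by default)
        aggregate_key_type = "IP" # assumption: counted per client IP
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "demo-edge-acl"
    sampled_requests_enabled   = true
  }
}
```

The ACL takes effect once its ARN is set as `web_acl_id` on the CloudFront distribution. Rate-based rules are evaluated with a short delay, which is why blocking begins at roughly, not exactly, the 100th request.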
- App Platform: Hosts your containerized applications
- PostgreSQL: Managed relational database with backups
- Valkey: Redis-compatible caching layer
- Spaces: S3-compatible object storage for static assets
- Container Registry: Private Docker image storage
- CloudFront + WAF: Global CDN with DDoS protection
- IAM Roles Anywhere: Certificate-based authentication
- Secrets Manager: Encrypted secret storage and rotation
- ACM: SSL certificate management
- Keep expensive compute on DigitalOcean (better pricing)
- Use AWS for specialized services (global CDN, advanced security)
- Secure integration via certificates (no credentials to leak)
- Single infrastructure pipeline (deploy both platforms together)
Want to deploy your own version?
- See the live demo first: https://poc-app-platform-aws.digitalocean.solutions
- Deploy your own: See DEPLOY.md for complete setup instructions
- Customize it: Modify the Terraform files to add your own services
- Review the dashboard to understand the integration points
- Check the API endpoints directly (listed in DEPLOY.md)
- Review the Terraform code to understand the architecture
- Start with the core DigitalOcean infrastructure
- Add AWS services incrementally based on your needs
- Use the certificate-based authentication pattern for security
