
Executive Summary
Nextnet is a Silicon Valley-based AI Enterprise software company serving the Life sciences and healthcare industry as its first target market. The company has successfully built and deployed a comprehensive AI-powered SaaS platform leveraging AWS managed services and Infrastructure as Code (IaC). This case study demonstrates how AWS CDK and a well-informed choice of AWS services enabled rapid development, consistent deployments across multiple environments, and seamless integration of cutting-edge AI capabilities, while maintaining enterprise-grade security and scalability that can withstand any level of technical tier-1 VC due diligence.
Key Results:
- Serverless architecture with a significantly reduced infrastructure management overhead.
- Multi-environment deployment (development, staging, production) with consistent configurations and resources isolation/sharing.
- AI-powered features using AWS Bedrock with Retrieval-Augmented Generation (RAG) capabilities.
- Cross-account security model with automated DNS delegation for automated domain and subdomain management.
- Complete infrastructure reproducibility by simply pressing the "Deploy" button.
- Modern and secure passwordless authentication flow, powered by AWS Cognito and AWS Amplify Gen 2 at its core.
Project Overview
Business Challenge
Nextnet aims to:
- Become the world's most trusted AI knowledge platform for all aspects of human health and well-being.
- Provide AI-powered chat and search capabilities, along with a fully interactive, graph-based link analysis grounded in actual scientific evidence.
- Instant results despite petabytes of ingested structured, semi-structured and unstructured multimodal data.
- Provide scientists not only with a conversation interface but also an immersive exploration tool in the form of a densely interconnected knowledge graph, as well as the ability to switch between them seamlessly.
- Handle user authentication, authorisation and a complex matrix of feature-access logic.
- Accommodate variable traffic and usage patterns.
- Maintain segregated identical environments for rapid iteration, scientific validation by a board of selected industry key opinion leaders, and a guarantee of resilient, fault-tolerant production workloads.
- Ensure enterprise-grade security and compliance in preparation for upcoming US and European compliance scrutiny.
Solution Architecture
The solution leverages AWS managed services stacks, orchestrated entirely through AWS CDK, eliminating the need for manual infrastructure provisioning and ensuring consistent, repeatable deployments that are also validated against AWS's Well-Architected principles at build time.
Technical Architecture
Note: The showcased snippets are anonymised excerpts of the IaC deliverable. Front-end code was omitted.
Core Infrastructure Components
1. Frontend & Hosting
// AWS Amplify Gen 2 for serverless, distributed web hosting and more.
const app = new App(this, 'App', {
appName: 'Core Application',
sourceCodeProvider: new CodeCommitSourceCodeProvider({ repository }),
customRules: [CustomRule.SINGLE_PAGE_APPLICATION_REDIRECT],
…
});
AWS Services Used:
- AWS Amplify Gen 2: Serverless web hosting with CI/CD and supercharged DX (Developer Experience)
- Amazon Route53: DNS management with cross-account delegation
- AWS Certificate Manager: SSL/TLS certificate automation
- Amazon CloudFront: Global content delivery network
- AWS CodeCommit: Git-based code version control.
2. Authentication & API
// AWS Cognito for user management, authentication and authorisation
const userPool = new UserPool(this, 'UserPool', {
customDomain: { domainName: `auth.${domain}` }
…
});
// AWS AppSync for a serverless GraphQL API
const api = new GraphqlApi(this, 'Api', {
authorizationConfig: {
defaultAuthorization: { authorizationType: AuthorizationType.USER_POOL }
}
…
});
AWS Services Used:
- AWS Cognito: User authentication and authorization
- AWS AppSync: Managed GraphQL API with real-time subscriptions
- AWS DynamoDB: NoSQL database with automatic scaling
- AWS OpenSearch: Reverse-index full-text search engine.
- AWS Amplify Gen 2: The 'auth' and 'data' parts of the framework.
3. AI/ML Integration
// AWS Bedrock Knowledge Base for RAG
const knowledgeBase = new KnowledgeBaseVector(this, "KnowledgeBase", {
id: env.KNOWLEDGE_BASE_ID,
executionRoleArn: env.KNOWLEDGE_BASE_EXECUTION_ROLE_ARN,
});
// AWS Lambda functions with AWS Bedrock integration
backend.chat.resources.lambda.addToRolePolicy(
new PolicyStatement({
actions: ["bedrock:InvokeModelWithResponseStream"],
resources: [`arn:aws:bedrock:*::foundation-model/${modelId}`],
})
);
AWS Services Used:
- Amazon Bedrock: Foundation models (Claude 3.5 Haiku, Claude 3.7 Sonnet, Claude 4 Sonnet, Amazon Titan v2)
- AWS S3: For a multimodal document storage
- Amazon Bedrock Knowledge Base: RAG
- AWS RDS: pgVector-powered vector database
- AWS Amplify Gen 2: The AI Kit for agentic conversational and generational logic
4. Storage & Data Management
// AWS S3 buckets for different data types
const storage = defineStorage({
name: "storage",
access: (allow) => ({
"profile-pictures/*": [allow.authenticated.to(["read", "write"])],
"knowledge-base-sources/*": [allow.authenticated.to(["read"])],
}),
});
AWS Services Used:
- Amazon S3: Object storage for files, knowledge base sources, and backups
- Amazon DynamoDB: Primary database with point-in-time recovery
- Amplify Gen 2: For authentication-integrated CDN cloud storage of static assets
Multi-Environment Architecture
Cross-Account Strategy
The solution implements a sophisticated multi-account strategy:
// Production Account
const crossAccountDelegationRole = new Role(this, "CrossAccountRole", {
assumedBy: new AccountPrincipal("111111111111"),
roleName: "CrossAccountDelegationRoleCoreApplicationProduction",
});
// Development Account
const devDelegationRole = new Role(this, "DevDelegationRole", {
assumedBy: new AccountPrincipal("222222222222"),
roleName: "CrossAccountDelegationRoleCoreApplicationDevelopment",
});
Environment Separation:
- Production Account: Full production workload with main branch deployment
- Development Account: Development environment with basic authentication
- Staging (Preview) Account: For thorough validation by the selected board of industry professionals and advisors
- Root Account: Centralised domain management and cross-account IAM roles
Key Benefits of AWS CDK Implementation
1. Infrastructure as Code Advantages
Reproducibility: Every infrastructure component is defined in code, ensuring identical deployments across environments.
// Environment-specific configurations
if (process.env.ENV === 'prd') {
const main = app.addBranch('main', {
…
});
} else {
const develop = app.addBranch('develop', {
basicAuth: BasicAuth.fromCredentials('SOME_USERNAME',
SecretValue.unsafePlainText(process.env.SOME_PASSWORD)),
…
});
}
Version Control: All infrastructure changes are tracked, reviewed, and approved through standard development workflows.
Consistency: CDK ensures consistent resource naming, tagging, and configuration across all environments.
Minimalism: The entire deliverable is contained within a single code repository.
2. AWS Managed Services Benefits
Zero Infrastructure Management: By leveraging fully managed services, the team eliminated:
- Server provisioning and maintenance
- Database administration
- Security patching
- Capacity planning
- Backup management
Most importantly, it could deliver industry-standard functionality on a very tight budget, fast.
Automatic Scaling: Services like DynamoDB, Lambda, and Amplify automatically scale in response to demand, eliminating the need for manual intervention.
Built-in Security: Thanks to the AWS shared responsibility model, managed services provide enterprise-grade security features out of the box:
- Encryption at rest and in transit
- IAM integration
- VPC isolation where needed
- Compliance for certifications
3. Cost Optimisation
Pay-per-Use Model: Serverless architecture ensures costs scale directly with usage.
// DynamoDB with on-demand billing
const table = new Table(this, "Table", {
billingMode: BillingMode.PAY_PER_REQUEST,
pointInTimeRecovery: true,
});
No Idle Resources: Lambda functions and other serverless services only incur costs when actively processing requests.
At times, it takes some solution architecture creativity to squeeze every cent out of the monthly AWS bill. But if you're in a good engineering company, you can operate on a very low burn rate. For example, let developers create and destroy a database upon request by sending a Slack message. Automatically destroy the database when it is not in use for 1 hour.
Advanced Features Implementation
AI-Powered Capabilities
Retrieval-Augmented Generation (RAG)
// Knowledge base integration for contextual AI responses
backend.retrieveAndGenerateResponse.resources.lambda.addToRolePolicy(
new PolicyStatement({
actions: ["bedrock:Retrieve", "bedrock:RetrieveAndGenerate"],
resources: [`arn:aws:bedrock:*:*:knowledge-base/${knowledgeBaseId}`],
})
);
Multi-Model AI Strategy
- Claude 3.5 Haiku: Keyword generation and lightweight tasks
- Claude 3.7 Sonnet: Complex RAG responses and document analysis
- Claude 4 Sonnet: Advanced chat functionality and reasoning
Security Implementation
Cross-Account Access Control
const crossAccountPolicy = new PolicyDocument({
statements: [
new PolicyStatement({
actions: ["route53:ChangeResourceRecordSets"],
resources: [hostedZone.hostedZoneArn],
conditions: {
"ForAllValues:StringEquals": {
"route53:ChangeResourceRecordSetsActions": ["UPSERT", "DELETE"],
},
},
}),
],
});
Secrets Management
new secretsManager.Secret(this, "SecretKey", {
secretName: "secret-key",
secretStringValue: SecretValue.unsafePlainText(props.secretKey),
});
Payment Integration
// Stripe event processing with EventBridge
new Payments(backend.createStack('payments'), 'payments', {
destinationId: env.STRIPE_EVENTBRIDGE_DESTINATION_ID,
graphqlApi: backend.data.resources.graphqlApi,
…
});
Deployment Strategy
Environment-Specific Deployments
The CDK configuration automatically adapts based on environment variables:
// Production configuration
if (env.ENV === "prd") {
this.hostedZone = new PublicHostedZone(this, "HostedZone", {
zoneName: "domainname.com",
caaAmazon: true,
});
} else {
// Development configuration
this.hostedZone = new PublicHostedZone(this, "HostedZone", {
zoneName: `${env.ENV}.domainname.com`,
});
}
CI/CD Integration
AWS Amplify provides built-in CI/CD with:
- Automatic builds on code commits
- Environment-specific deployments
- Rollback capabilities
- Build artefact management
Performance & Monitoring
Observability Stack
// AWS X-Ray tracing for distributed systems
backend.data.resources.cfnResources.cfnGraphqlApi.xrayEnabled = true;
// AWS CloudWatch logging
const graphQlApiLogsRole = new Role(backend.data, 'GraphQlApiLogsRole', {
assumedBy: new ServicePrincipal('appsync.amazonaws.com'),
managedPolicies: [
ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSAppSyncPushToCloudWatchLogs')
],
…
});
Data Protection
// Point-in-time recovery for all AWS DynamoDB tables
Object.values(
backend.data.resources.cfnResources.amplifyDynamoDbTables
).forEach((tableConfig) => {
tableConfig.pointInTimeRecoveryEnabled = true;
});
Results & Business Impact
Technical Achievements
- 100% Serverless: Zero server management overhead.
- Multi-Region Ready: Architecture supports global expansion.
- Auto-Scaling: Handles traffic spikes without manual intervention.
- Cost-Effective: Pay-per-use model optimises operational costs.
Development Velocity
- Rapid Prototyping: New features deployed in minutes, not hours.
- Consistent Environments: Development environments mirror the production environment.
- Automated Testing: Infrastructure changes were tested before deployment.
- Team Collaboration: Infrastructure changes reviewed, like application code.
Operational Excellence
- High Availability: Built-in redundancy across AWS availability zones (AZ).
- Disaster Recovery: Automated backups and point-in-time recovery.
- Security Compliance: Enterprise-grade security without additional overhead.
- Monitoring: Comprehensive observability with minimal configuration.
Lessons Learned & Best Practices
CDK Best Practices Implemented
- Environment Parameterisation: Use environment variables for configuration differences.
- Resource Tagging: Implement a consistent tagging strategy for accurate cost allocation and management.
- Security by Default: Principle of least privilege in all IAM policies.
- Modular Design: Reusable constructs for common patterns.
AWS Managed Services Strategy
- Prefer Managed Over Self-Managed: Choose managed services to reduce operational overhead
- Leverage Service Integration: Use native AWS service integrations for better performance
- Plan for Scale: Design with auto-scaling capabilities from day one
- Monitor Everything: Implement comprehensive monitoring and alerting
Conclusion
This case study demonstrates how AWS CDK and managed AWS services enable organisations to build sophisticated, AI-powered applications without the traditional infrastructure complexity. By treating infrastructure as code and opting for the right cloud tools, Nextnet achieved:
- Faster Time-to-Market: Reduced infrastructure setup from months/weeks to days/hours.
- Lower Operational Costs: Eliminated infrastructure management overhead.
- Enhanced Reliability: Leveraged AWS's proven managed services.
- Improved Security: Built-in enterprise-grade security features.
- Scalable Architecture: Ready for global expansion and traffic growth.
The combination of AWS CDK for infrastructure definition and AWS managed services for runtime capabilities provides a robust foundation for modern application development. Organisations looking to build on AWS should strongly consider this approach for its balance of flexibility, reliability, and operational simplicity.
Want to Build it, too?
A few suggestions:
- Start with CDK: Begin infrastructure projects with AWS CDK from day one
- Embrace Managed Services: Prefer AWS managed services over self-managed alternatives
- Implement Multi-Environment Strategy: Plan for development, staging, and production from the beginning
- Invest in Monitoring: Implement comprehensive observability early in the project
- Plan for AI Integration: Consider AI/ML capabilities as first-class citizens in your architecture
This architecture pattern provides a blueprint for building modern, scalable, and maintainable applications on AWS while minimising operational complexity and maximising development velocity.
This case study represents a real-world implementation of AWS best practices, demonstrating the power of Infrastructure as Code combined with managed services for building production-ready applications.
#case-study