Change Management

# AWS Infrastructure Context Document

**Owner Account ID:** 256086846830

**Region:** us-east-1 (US East - N. Virginia)

**Last Updated:** March 31, 2026

---

## VPCs

### Catalyst Secure VPC (Primary / Private VPC)

- **VPC ID:** vpc-07f5fb32f92605bb9

- **IPv4 CIDR:** 10.20.0.0/16

- **Default VPC:** No

- **DNS Resolution:** Enabled

- **DNS Hostnames:** Enabled

This is the target VPC for all infrastructure. It contains both public and private subnets. Servers are being migrated here from the Public Default VPC in phases.

**Subnets:**

- Public subnet(s) in us-east-1a and us-east-1b — used for internet-facing services (WireGuard VPN, future reverse proxy)

- Private subnet(s) in us-east-1a and us-east-1b — used for all application servers, databases, and internal services

**Networking:**

- Internet Gateway attached for public subnet internet access

- NAT Gateway in the public subnet — provides outbound internet to private subnet servers (for updates, package installs, SMTP, etc.)

- Route tables configured per subnet: public routes 0.0.0.0/0 through the Internet Gateway; private routes 0.0.0.0/0 through the NAT Gateway

### Public Default VPC (Legacy — Being Migrated Away From)

- **VPC ID:** vpc-ac30f0cb

- **IPv4 CIDR:** 172.31.0.0/16

- **Default VPC:** Yes

- **Subnets:** 6 subnets across us-east-1a through us-east-1f

- **Route Table:** rtb-ad5e1eca

- **Internet Gateway:** igw-50acd934

This is the original default VPC where most servers currently run. All servers will eventually be migrated to the Catalyst Secure VPC, after which this VPC and the peering connection can be removed.

### Deleted VPC

- **Catalyst Secure-vpc** (vpc-04cb87f2911b78dd1, CIDR 10.0.0.0/16) — an earlier attempt at a private VPC. Fully deleted including all subnets, route tables, endpoints, internet gateway, and security groups.

---

## VPC Peering

- **Connection:** Public Default (vpc-ac30f0cb) ↔ Catalyst Secure VPC (vpc-07f5fb32f92605bb9)

- **Name:** Default-to-Catalyst-Peering

- **Status:** Active

**Route table entries:**

- Public Default route table (rtb-ad5e1eca): Destination 10.20.0.0/16 → Target: peering connection

- Catalyst Secure VPC private route table(s): Destination 172.31.0.0/16 → Target: peering connection

This peering connection allows servers in both VPCs to communicate with each other during the migration period. It will be removed once all servers have been moved to the Catalyst Secure VPC.

---

## DNS — Route 53

- **Private Hosted Zone:** catalyst.internal (Zone ID: Z0333326ZTOIKXJA848C)

- **Record Count:** 7

- **Associated VPCs:** Both Catalyst Secure VPC (vpc-07f5fb32f92605bb9) and Public Default (vpc-ac30f0cb)

**Known records:**

- wazuh.catalyst.internal → 10.20.137.102 (Wazuh server in private subnet)

Both VPCs can resolve catalyst.internal hostnames. This allows agents in the Public Default VPC to reach services in the Catalyst Secure VPC by hostname rather than IP address, which makes future IP changes transparent.

---

## Servers — Catalyst Secure VPC (Private Subnet)

### Wazuh Server

- **Private IP:** 10.20.137.102

- **DNS:** wazuh.catalyst.internal

- **Instance Type:** t3.medium (2 vCPU, 4 GB RAM)

- **OS:** Ubuntu 22.04 LTS or Ubuntu 24.04 LTS

- **Storage:** 100 GB gp3, EBS encrypted at rest (AWS managed KMS key)

- **Wazuh Version:** 4.14.4 (all-in-one: manager + indexer + dashboard)

- **Security Group:** SG-WAZUH

- **Dashboard Access:** https://wazuh.catalyst.internal (via VPN only)

- **TLS:** Self-signed certificate; root CA at /etc/wazuh-dashboard/certs/root-ca.pem

- **Alert Retention Target:** 1 year

- **Wazuh repo disabled** to prevent accidental upgrades

**SG-WAZUH Inbound Rules:**

| Port | Protocol | Source | Description |

|------|----------|--------|-------------|

| 22 | TCP | 10.20.0.0/16 | SSH via VPN |

| 443 | TCP | 10.20.0.0/16 | Wazuh dashboard via VPN |

| 1514 | TCP | 172.31.0.0/16 | Agent communication from old VPC |

| 1514 | UDP | 172.31.0.0/16 | Agent communication from old VPC |

| 1514 | TCP | 10.20.0.0/16 | Agent communication within Catalyst VPC |

| 1514 | UDP | 10.20.0.0/16 | Agent communication within Catalyst VPC |

| 1515 | TCP | 172.31.0.0/16 | Agent registration from old VPC |

| 1515 | TCP | 10.20.0.0/16 | Agent registration within Catalyst VPC |

### Redmine Server (redmine-tickets)

- **Private IP:** 10.20.137.102 (or separate IP — referred to as redmine-tickets in Wazuh)

- **Purpose:** SOC2 ticketing system

- **Database:** Small RDS instance in private subnet

- **Wazuh Agent:** v4.14.4, reporting as "redmine-tickets"

- **Wazuh repo disabled**

### WireGuard VPN Server

- **Location:** Public subnet of Catalyst Secure VPC

- **Has Elastic IP:** Yes (public-facing for VPN clients)

- **Purpose:** Provides remote access into the private subnet for management of all internal servers, access to Wazuh dashboard, Gitea, Redmine, SSH, etc.

---

## Servers — Public Default VPC (Being Migrated)

All servers below are scheduled to migrate to the Catalyst Secure VPC private subnet.

### 1. Production Server (catalystv2)

- **Private IP:** 172.31.46.77

- **Services:** Apache + PostgreSQL

- **Has Public Elastic IP:** Yes

- **Wazuh Agent:** v4.12.0 (needs upgrade to 4.14.4), reporting as "catalystv2"

- **Notes:** Highest-risk migration. Will be moved last. Elastic IP should eventually be reassigned to the reverse proxy.

### 2. Development Server

- **Private IP:** 172.31.59.250

- **Services:** Near-clone of production, multiple test subdomains and databases

- **Wazuh Agent:** v4.14.4, reporting as "development"

### 3. Gitea Server

- **Private IP:** 172.31.61.251

- **Services:** Git hosting (Gitea)

- **Wazuh Agent:** v4.12.0 (needs upgrade to 4.14.4), reporting as "gitea"

- **Access:** Will be via VPN only after migration

### 4. Wazuh Server (OLD — Decommissioned)

- **Status:** Login broken after updates, not in use

- **Action:** Can be terminated. Replaced by new Wazuh server in Catalyst Secure VPC.

### 5. Python Platform Dashboard Server

- **Purpose:** Dashboard application in development, moving to production soon

- **Wazuh Agent:** Not yet confirmed in dashboard (may be missing or named differently)

### 6. Email Notifications Server

- **Private IP:** 172.31.12.137

- **Purpose:** Outbound email notifications only

- **Wazuh Agent:** v4.12.0 (needs upgrade to 4.14.4), reporting as "emailnotifications"

- **Notes:** Needs outbound internet (via NAT Gateway after migration) for SMTP. Uses SES or similar.

### 7. WireGuard VPN Server (OLD)

- **Status:** Replaced by WireGuard server in Catalyst Secure VPC

- **Action:** Can be terminated once all clients are migrated to new VPN endpoint.

---

## Servers — Stopped (Not Running)

### Production Clone Server

- **Purpose:** Intended for future load balancing

- **Setup:** Configured like the production server

- **Plan:** Will be launched in Catalyst Secure VPC private subnet after production is migrated, then placed behind the reverse proxy alongside production.

### PostgreSQL v18 Server

- **Purpose:** Intended to become the new production database

- **Plan:** Will be launched in Catalyst Secure VPC private subnet. Streaming replication from current production PostgreSQL should be set up before the production cutover to minimize downtime.

---

## Security Group Strategy

Security groups are named by server role (e.g., SG-WAZUH, SG-PROD, SG-DEV). The plan is to use security group references instead of CIDR-based rules once all servers are in the same VPC. During the migration, CIDR-based rules (172.31.0.0/16 and 10.20.0.0/16) are used for cross-VPC communication.

**Planned security groups:**

| Name | Purpose |

|------|---------|

| SG-PROD | Production server and load balancer |

| SG-DEV | Development server |

| SG-GITEA | Gitea git hosting |

| SG-WAZUH | Wazuh manager/indexer/dashboard (created) |

| SG-DB | PostgreSQL v18 and RDS instances |

| SG-REDMINE | Redmine ticketing |

| SG-EMAIL | Email notifications |

| SG-DASHBOARD | Python platform dashboard |

| SG-VPN | WireGuard VPN (public subnet) |

| SG-PROXY | Reverse proxy (public subnet, future) |

Once all servers are in the Catalyst Secure VPC, rules should be updated from CIDR ranges to security group references for tighter access control. The 172.31.0.0/16 rules can be removed after migration is complete and the VPC peering connection is deleted.

---

## Migration Status

| Phase | Description | Status |

|-------|-------------|--------|

| 0 | Build VPC, subnets, peering | Complete |

| 1 | Deploy Redmine + RDS in private VPC | Complete |

| 2 | Move WireGuard to new VPC | Complete |

| 3 | Deploy reverse proxy (public subnet) | Not started |

| 4.1 | Migrate Wazuh | Complete (fresh install) |

| 4.2 | Migrate Gitea | Not started |

| 4.3 | Migrate Email Notifications | Not started |

| 5 | Migrate Development Server | Not started |

| 6 | Migrate Python Dashboard | Not started |

| 7 | Migrate Production + DB cutover | Not started |

| 8 | Set up Load Balancer | Not started |

| 9 | Cleanup old VPC | Not started |

**Pending tasks:**

- Upgrade Wazuh agents on emailnotifications, gitea, and catalystv2 from v4.12.0 to v4.14.4

- Confirm Python Dashboard server has a Wazuh agent

- Terminate old Wazuh server in Public Default VPC

- Terminate old WireGuard server in Public Default VPC

- Disable Wazuh apt repository on all agent servers to prevent accidental upgrades

---

## Target Architecture

```

                        INTERNET

                           │

              ┌────────────┼────────────┐

              │      PUBLIC SUBNET      │

              │                         │

              │  ┌───────────────────┐  │

              │  │   Reverse Proxy   │  │  ← Elastic IP (future, production traffic)

              │  │  (Nginx/HAProxy)  │  │

              │  └────────┬──────────┘  │

              │            │            │

              │  ┌───────────────────┐  │

              │  │  WireGuard VPN    │  │  ← Elastic IP (VPN access)

              │  └────────┬──────────┘  │

              │            │            │

              │  ┌───────────────────┐  │

              │  │   NAT Gateway     │  │  ← Outbound internet for private subnet

              │  └────────┬──────────┘  │

              └───────────┼─────────────┘

                          │

              ┌───────────┼─────────────┐

              │     PRIVATE SUBNET      │

              │                         │

              │  Production Server      │

              │  Development Server     │

              │  Gitea Server           │

              │  Wazuh Server           │

              │  Redmine (SOC2)         │

              │  Python Dashboard       │

              │  Email Notifications    │

              │  PostgreSQL v18 Server  │

              │  Load Balancer Server   │

              │  RDS Instance           │

              │                         │

              └─────────────────────────┘

```

---

## Key Design Decisions

- **Encryption at rest** is handled at the EBS volume level (AWS KMS), not at the application level. The Wazuh server's 100 GB volume is encrypted. All future servers should follow this pattern.

- **Internal DNS** uses Route 53 Private Hosted Zone (catalyst.internal) so services can be referenced by name rather than IP. Both VPCs are associated with this zone during migration.

- **Wazuh agents point to wazuh.catalyst.internal** rather than a direct IP, so the Wazuh server can be replaced or moved without touching agent configs.

- **VPC Peering** is temporary — it bridges the old and new VPCs during migration. It will be removed when all servers are in the Catalyst Secure VPC.

- **Wazuh apt repositories are disabled** on all servers after installation to prevent accidental upgrades from breaking the system.

- **The production Elastic IP** will eventually be reassigned to the reverse proxy so that the public IP remains stable regardless of which backend server handles traffic.