Skip to main content
Share your experience with the FAS IT-Playbook by taking this brief survey

System Architecture

FALCON Architecture (a bird’s eye view)

FALCON architecture is an event-driven, loosely-coupled, microservices architecture that features asynchronous behavior and loosely coupled structures. This is implemented by an API for each business function and private subnets. Processing for each business function is triggered by events fired by the API for that business function. ALL FALCON APIs are private, inward facing, and all traffic to or from FALCON is from GSA Networks. FALCON has no public internet access.

FALCON High Level Architecture

Business function resources (compute, data) are aligned in a vertical under each API. The No-SQL database service DynamoDB is used for almost all data, and MySQL is used where appropriate. AWS Simple Storage Service (S3) is used for non-database at-rest file storage. Permissions, encryption keys, and file access are segregated by business vertical. Events trigger processing. Events are loosely coupled through AWS EventBridge, AWS Simple Queue Service (SQS), and AWS Simple Notification Service (SNS). The AWS CloudWatch service tracks AWS Cloud events including API and application events above.

FALCON is designed, implemented and operated using DevSecOps. GSA Security staff are directly involved in all stages, daily scrums, deployments and operations. FALCON microservice architecture consists of AWS Lambda handlers providing compute capacity for code execution in an asynchronous capacity. Each Supply Chain business function uses dedicated API endpoints to broker web service requests either from partner applications like OMS, or the FALCON Portal UI. All API endpoints are secured through custom headers (X-API-KEY) that identify the calling entity and without this key endpoint access is not possible. Additionally, all traffic to and from each API endpoint is secured through SSL/TLS traffic protocols.

Code review and scanning tools are described below.

FALCON system access occurs through API calls. Each API has a security group, AWS WAF, and is reached through an AWS PRivateLink Network Endpoint. The AWS PrivateLink Network Endpoint is assigned to a private subnet, requiring API access to flow through a single path to and from the API. A path through the API security group and private subnet never traverses a public network connection. This provides layered protection for all API access. Additionally, AWS Virtual Private Gateways (VGW) are used to provide segmentation boundaries between inter and intra network traffic.

Lastly, GSA enterprise employs multiple firewalls and firewall rule sets to limit traffic flow within the enterprise. After traffic passes through GSA firewalls, FALCON scans that traffic and evaluates rules within its own collection of AWS Security Groups (SG). SGs add another layer of access control for data flow. SGs allow specific ports and by default an implicit deny is configured. This means that an explicit allow must be configured and is required for network traffic flow to occur within the FALCON VPCaaS environment.

Read more technical details below about the various components of the FALCON architecture.

DevOps/DevSecOps Management

The following practices were implemented to ensure that both DevOps and DevSecOps needs were met as part of the development of the FALCON architecture.

Serverless Design

The following sections cover the technologies within the architecture that enabled FALCON to have a serverless design.