# Architecture overview

This section provides a reference implementation architecture diagram for the components deployed with this solution. Dynamic Image Transformation for Amazon CloudFront offers two deployment architectures to meet different performance and cost requirements. The Lambda architecture provides cost-optimized serverless processing for images up to 6 MB. The ECS architecture delivers high-performance processing for images up to 100 MB and includes advanced features like transformation policies, non-S3 origin support, and an administrative interface.

This solution provides two architecture options, each optimized for different use cases and performance requirements.

# Lambda Architecture


This cost-optimized serverless architecture is suitable for most image transformation workloads with images up to 6 MB.

**Important**  
This solution is intended for customers with public applications who want to provide an option to dynamically change or manipulate their public images. Because of these public requirements, this template creates a publicly accessible, unauthenticated CloudFront distribution and [Amazon API Gateway](https://aws.amazon.com/api-gateway/) endpoint in your account, allowing anyone to access it. For more information on API Gateway authorization, refer to the [Security](security.md) section. This solution supports signing requests, which can serve to restrict unauthorized requests; for more information, refer to the .

**Lambda architecture for cost-optimized image processing**

![serverless image handler architecture](http://docs.aws.amazon.com/solutions/latest/dynamic-image-transformation-for-amazon-cloudfront/images/serverless-image-handler-architecture.png)


**Note**  
AWS CloudFormation resources are created from [AWS Cloud Development Kit](https://aws.amazon.com/cdk/) (AWS CDK) constructs.

The high-level process flow for the Lambda architecture is as follows:

1. An [Amazon CloudFront](https://aws.amazon.com/cloudfront/) distribution provides a caching layer to reduce the cost of image processing and the latency of subsequent image delivery.

1. [Amazon API Gateway](https://aws.amazon.com/api-gateway/) provides endpoint resources and initiates the [AWS Lambda](https://aws.amazon.com/lambda/) function.

1. A Lambda function retrieves the image from a customer’s existing [Amazon S3](https://aws.amazon.com/s3/) bucket and uses `sharp` to return a modified version of the image to the API Gateway.

1. A solution-created S3 bucket provides log storage, separate from your customer-created S3 bucket for storing images.

1. (Optional) If you enter `Yes` for the **Enable Signature** template parameter, the Lambda function retrieves the secret value from your existing [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) secret to validate the signature.

1. (Optional) If you use the smart crop or content moderation features, the Lambda function calls [Amazon Rekognition](https://aws.amazon.com/rekognition/) to analyze your image and returns the results.

1. The viewer request is proxied through an Amazon CloudFront function to normalize headers and query parameters for improved cache hit rates.

# ECS Architecture


This high-performance container-based architecture supports images up to 100 MB and includes all advanced v8.0.0 features including transformation policies, non-S3 origin support, and administrative interface.

**ECS architecture for high-performance image processing**

![serverless image handler alb ecs architecture](http://docs.aws.amazon.com/solutions/latest/dynamic-image-transformation-for-amazon-cloudfront/images/serverless-image-handler-alb-ecs-architecture.png)


The high-level process flow for the ECS architecture is as follows:

1. An Amazon CloudFront distribution provides global caching and content delivery.

1. An [Application Load Balancer](https://aws.amazon.com/elasticloadbalancing/application-load-balancer/) (ALB) distributes incoming requests across multiple ECS tasks for high availability and scalability.

1. [Amazon Elastic Container Service](https://aws.amazon.com/ecs/) (ECS) tasks running on [AWS Fargate](https://aws.amazon.com/fargate/) process image transformation requests using containerized applications.

1. ECS tasks maintain in-memory caches of transformation policies and origin mappings for fast request resolution and reduced latency.

1. Images are retrieved from multiple origin types: Amazon S3 buckets or external HTTP-accessible domains based on configured origin mappings.

1. An administrative interface built with [AWS Amplify](https://aws.amazon.com/amplify/) provides policy and origin management capabilities through a secure web interface.

1. [Amazon DynamoDB](https://aws.amazon.com/dynamodb/) stores transformation policies, origin configurations, and mapping rules with high availability and performance.

1. [Amazon Cognito](https://aws.amazon.com/cognito/) provides authentication and authorization for the administrative interface.

1. (Optional) Amazon Rekognition provides the smart cropping and content moderation features.
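Steps 4 and 5 above (an in-memory cache of origin mappings, and fetching from S3 or an external HTTP origin according to those mappings) are the part of the ECS flow where a defender most wants to see the decision logic, because a task that forwards requests to an origin it was never configured for would be an open proxy. The block below is an added example for this page, not code from the solution: the record shape, the TTL-based cache, the "host rule first, then longest path prefix" precedence, and the sample mappings are all assumptions, and the loader stands in for the DynamoDB read the real tasks perform.

```javascript
// Added example (not the solution's own code): resolving a request to a
// configured origin through an in-memory cache of origin mappings, as in
// steps 4 and 5 of the ECS flow. Record shape, TTL, precedence rules and the
// sample data are ASSUMED; the real solution keeps mappings in DynamoDB.

// Constructed stand-in for what a DynamoDB read would return.
const SAMPLE_MAPPINGS = [
  { type: 'host', match: 'img.example.com', origin: { kind: 's3', bucket: 'example-images' } },
  { type: 'path', match: '/catalog/', origin: { kind: 'http', baseUrl: 'https://cdn.partner.example' } },
  { type: 'path', match: '/catalog/archive/', origin: { kind: 's3', bucket: 'example-archive' } },
];

// Cache that re-reads the mapping table only after ttlMs has elapsed, so a
// hot request path does not hit DynamoDB on every image.
class OriginMappingCache {
  constructor(loader, ttlMs) {
    this.loader = loader; // () => mapping array; DynamoDB in the real system
    this.ttlMs = ttlMs;
    this.mappings = null;
    this.loadedAt = 0;
    this.loads = 0;       // instrumentation for the usage check below
  }
  getMappings(now = Date.now()) {
    if (this.mappings === null || now - this.loadedAt > this.ttlMs) {
      this.mappings = this.loader();
      this.loadedAt = now;
      this.loads += 1;
    }
    return this.mappings;
  }
}

// Resolve (Host header, path) to { origin, key }. Host-header rules win;
// otherwise the longest matching path prefix wins. Anything unmatched, and
// any path carrying a '..' segment, returns null so the task refuses rather
// than forwards: the handler can only reach origins an administrator mapped.
function resolveOrigin(cache, hostHeader, path, now) {
  if (path.split('/').includes('..')) return null;
  const mappings = cache.getMappings(now);
  const host = (hostHeader || '').toLowerCase().split(':')[0];
  const hostRule = mappings.find((m) => m.type === 'host' && m.match === host);
  if (hostRule) return { origin: hostRule.origin, key: path.replace(/^\/+/, '') };
  let best = null;
  for (const m of mappings) {
    if (m.type !== 'path' || !path.startsWith(m.match)) continue;
    if (!best || m.match.length > best.match.length) best = m;
  }
  if (!best) return null;
  return { origin: best.origin, key: path.slice(best.match.length) };
}

// Usage with the constructed mappings:
const cache = new OriginMappingCache(() => SAMPLE_MAPPINGS, 60000);
console.log(resolveOrigin(cache, 'img.example.com', '/photos/a.jpg'));
console.log(resolveOrigin(cache, 'other.example.net', '/catalog/archive/b.png'));
console.log(resolveOrigin(cache, 'other.example.net', '/unmapped/c.png')); // null
```

The null return is the point worth keeping whatever the real precedence rules are: an external HTTP origin is only ever reached through a mapping an administrator created in the interface, never from a host or path the client supplied.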

# Component descriptions


## Application Load Balancer (ALB)


Distributes incoming image transformation requests across multiple ECS tasks, providing high availability and automatic scaling capabilities. The ALB performs health checks on ECS tasks and routes traffic only to healthy instances.

## Amazon ECS with AWS Fargate


Runs containerized image processing applications without managing servers. ECS tasks automatically scale based on demand and maintain in-memory caches for optimal performance. Fargate provides serverless compute for containers, eliminating the need to provision and manage EC2 instances.

## Administrative Interface


A web-based management console built with AWS Amplify that allows administrators to configure and manage image origins (both S3 and external sources), create and edit transformation policies, set up origin mappings using path-based and host-header routing, monitor system performance and usage metrics, and test configurations before deployment to ensure proper functionality.

## Amazon DynamoDB


Stores configuration data including transformation policies, origin definitions, and mapping rules. DynamoDB provides fast, predictable performance with seamless scalability for configuration lookups.

## Amazon Cognito


Provides secure authentication and authorization for the administrative interface, supporting user management, multi-factor authentication, and role-based access control.