AWS Public Sector Blog

Architecture framework for transforming federal customer experience and service delivery

Customer experience (CX) has emerged as a key priority in the US following the 2021 Biden Administration Executive Order (EO) to transform federal customer experience and service delivery. The blog post, “How the cloud enables transformational citizen experiences” discusses key areas for organizations to consider in their journey towards better CX, with application modernization as one of the most critical areas. Application modernization enables agencies to simplify business processes and provide customers with flexible, interactive, and simple to use applications, resulting in improved CX.

In this blog post, we build on that foundation and present an Amazon Web Services (AWS) architecture framework that agencies can use to develop and deploy a modern application that helps improve CX.

Architecture framework for US federal government to rapidly deploy modern applications

Figure 1 represents an architecture framework incorporating curated AWS managed services and AWS serverless services. The services in this framework are FedRAMP authorized at either the High or Moderate baseline; the security and compliance section below returns to how the framework supports compliance needs. Agencies can choose services from within this framework to build the necessary components of a modern application, including hybrid connectivity, data transfer and transformation, data storage, compute, application integration, content delivery and routing, security and compliance, and development and operations (DevOps). These are the areas that IT teams should focus on streamlining and enhancing. While not all of these services directly impact CX, they support it by reducing time to service delivery, accelerating application modernization, and freeing agencies to spend more time on improving the CX.

By using AWS managed services, agencies can alleviate the undifferentiated heavy lifting associated with the management and maintenance of underlying infrastructure. AWS serverless services are managed services that offer “serverless” options to avoid managing physical servers and benefit from automatic scaling, built-in high availability, and a pay-for-what-you-use billing model. Using AWS managed and serverless services helps reduce the time to service delivery, so agencies have more time to focus on improving the quality and security of the application.


Figure 1: Architecture framework with curated FedRAMP compliant services.

The main components of the architecture framework are as follows:

Hybrid connectivity: Government cloud applications may need to access mission critical data from on-premises software. Conversely, applications running on-premises may need data from cloud-based solutions to support business processes. Agencies can choose between two main options to securely connect their corporate data center to AWS: AWS Site-to-Site VPN and AWS Direct Connect. AWS Transit Gateway acts as a cloud router and simplifies complex interconnections in an expanded network. For details, refer to this whitepaper. For private connectivity between agency resources on AWS, and from on-premises networks into AWS, AWS provides AWS PrivateLink. AWS PrivateLink exposes services through virtual private cloud (VPC) endpoints, so traffic to those services stays on the AWS network instead of traversing the public internet; because the endpoints are not reachable from the internet, exposure to brute force attempts, distributed denial-of-service (DDoS) attacks, and other internet-borne threats is reduced. An endpoint policy should still restrict which principals, actions, and resources the endpoint can be used for, since the default endpoint policy allows full access to the service. These hybrid connectivity services impact CX by providing customers with ubiquitous, secure, and reliable connectivity to apps and data from anywhere.

Data transfer and transformation: Services in this layer enable agencies to exchange data securely between an application in AWS and applications in the corporate data center. AWS Transfer Family and AWS DataSync move data between the two environments over encrypted channels. AWS Glue allows agencies to transform data as needed for application development, and the AWS Glue Data Catalog makes it possible to quickly find and access data held in various formats. This layer supports CX because increasing collaboration and connectivity across IT systems drives real-time insights for customers across business applications.

Data storage: Modern applications need the ability to store varying amounts and types of data with millisecond latency, process millions of requests per second, and scale to support millions of users anywhere in the world. To store, access, protect, and analyze customer data, agencies can use Amazon Simple Storage Service (Amazon S3) for object storage, Amazon Elastic File System (Amazon EFS) for file storage, and purpose-built databases such as Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB for key-value storage, and Amazon ElastiCache for in-memory storage. Amazon Aurora is a MySQL and PostgreSQL-compatible relational database built for the cloud that AWS states is up to five times faster than standard MySQL databases and three times faster than standard PostgreSQL databases, while providing the security, availability, and reliability of commercial databases at a fraction of the cost. Cost-effective, performant, and reliable data storage helps agencies manage and measure their data, which they can use to optimize their CX.

Compute: Agencies can efficiently and securely develop, deploy, run, and scale application code on AWS managed and serverless services. AWS Lambda is a service that lets you run code without provisioning or managing servers, while providing built-in fault tolerance, automatic scaling, fully automated administration, and an integrated security model. Agencies looking to build applications using containers can use Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS). Both are fully managed container orchestration services that make it simple to deploy, manage, and scale containerized applications. AWS also offers a serverless compute engine for Amazon ECS and Amazon EKS called AWS Fargate. This option removes the operational overhead of scaling, patching, securing, and managing the underlying servers for containerized applications; the container image, its dependencies, and the application code remain the agency's responsibility to patch and scan.

Application integration: The application integration layer consists of a suite of serverless services that enable integration within a modern application as well as with external systems. The services in this layer handle the most common integration patterns, namely API-driven and event-driven. Amazon API Gateway is a fully managed service that enables agencies to create, publish, maintain, monitor, and secure the APIs for API-driven applications. For event-driven integration, agencies can choose any combination of Amazon EventBridge, Amazon Simple Queue Service (Amazon SQS), and Amazon Simple Notification Service (Amazon SNS). Regardless of the integration mechanism chosen, the distributed character of microservices makes it challenging to orchestrate workflows when multiple microservices are involved. Agencies can use AWS Step Functions to coordinate individual microservices, each performing a discrete function, into a complete workflow. Application integration supports CX by accelerating service delivery and application modernization, and by re-architecting applications around decoupled services.

Content delivery and routing: CX often relies on consumers' ability to access content with low latency from anywhere in the world. Amazon CloudFront speeds up distribution of static and dynamic web content. For static content, Amazon CloudFront uses a global network of edge locations and regional edge caches that hold copies of content, so that end-user requests are served by the closest edge location. For dynamic content, edge locations collapse multiple concurrent requests for the same object into a single request to the origin and maintain persistent connections to the origin over networks that are monitored for both availability and performance. Amazon Route 53 is a highly available and scalable domain name system (DNS) web service that provides domain registration, DNS routing, and health checking for the modern application. Amazon Route 53 supports Domain Name System Security Extensions (DNSSEC) signing, so validating resolvers can detect forged or tampered DNS responses for the agency's domains. These services support CX by providing end users with the lowest possible latency for API requests and responses by taking advantage of the AWS global network of edge locations.

Security and compliance: Figure 1 includes services built and managed not only according to security and compliance best practices and standards, but also with the unique needs of US federal government customers in mind. AWS uses redundant and layered controls, continuous validation and testing, third-party audits, and a substantial amount of automation to make sure that the underlying infrastructure is monitored and protected 24/7. All the services in Figure 1 are FedRAMP authorized. With the exception of Amazon CloudFront and AWS Fargate (on Amazon EKS), all the services meet the FedRAMP High baseline; those two meet the FedRAMP Moderate baseline. Authorization status is tracked per service and per AWS partition and changes over time, so agencies should confirm the current baseline for each service they select against the AWS list of services in scope by compliance program before relying on it for an authorization package.

AWS managed services such as AWS Key Management Service (AWS KMS), Amazon VPC, AWS WAF (web application firewall), AWS Security Hub, and AWS Shield enable agencies to meet core security and compliance requirements, such as data locality, protection, and confidentiality, while also automating manual security tasks for an improved security posture. Amazon Cognito integrates with other AWS services and greatly simplifies user authentication and authorization for web and mobile apps. Maintaining security and compliance provides secure CX by protecting data and services.

DevOps: Within the DevOps layer of the framework, agencies can use a set of flexible AWS services to build and deliver applications more rapidly and reliably using DevOps practices. Agencies can use AWS Developer Tools to securely develop, store, and version an application's source code. They can use AWS CodePipeline to build a continuous integration and continuous delivery (CI/CD) workflow that builds and deploys the code using AWS CodeBuild and AWS CodeDeploy. AWS CloudFormation enables agencies to model, provision, and manage AWS and third-party resources by treating infrastructure as code. Agencies can also take this a step further by integrating security into DevOps (DevSecOps), so that security and compliance checks run on every change before it is deployed, delivering secure and compliant application changes rapidly while running operations consistently with automation. Get more details here on how agencies can implement DevSecOps. DevOps helps digital government services deliver with the same velocity and frequency that consumers expect from commercial service providers.
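As an added example (not code from the original post and not an AWS tool), the following Python script shows the kind of policy-as-code check a DevSecOps pipeline can run on an AWS CloudFormation template before AWS CodePipeline deploys it. It lints a template fragment for the controls discussed in the hybrid connectivity and security and compliance sections above: a PrivateLink endpoint policy that exists and is not "any principal, any action, any resource", SSE-KMS default encryption and a full public access block on an S3 bucket, and customer-managed KMS encryption on a DynamoDB table. The weak fragment is shown beside its hardened form. The template fragments, bucket name, VPC ID, KMS key alias, and organization ID are constructed for this illustration, and the DynamoDB key schema is omitted because the lint does not depend on it.

```python
"""Policy-as-code lint for a CloudFormation template (added example, not AWS code).

Baseline checks, matching controls the framework relies on:
  * AWS::S3::Bucket        -> SSE-KMS default encryption, full public access block
  * AWS::DynamoDB::Table   -> server-side encryption with a customer-managed KMS key
  * AWS::EC2::VPCEndpoint  -> an endpoint policy exists and is not "anyone, anything"
The templates, resource names, KMS alias, VPC ID and org ID are constructed for this example.
"""
import copy

CMK = "alias/citizen-data"  # constructed customer-managed key alias

# Weak fragment: no bucket encryption or public access block, DynamoDB on the
# default key, and a PrivateLink endpoint with no policy (default is full access).
WEAK = {"Resources": {
    "CitizenDocs": {"Type": "AWS::S3::Bucket",
                    "Properties": {"BucketName": "citizen-docs-example"}},
    "CaseTable": {"Type": "AWS::DynamoDB::Table",  # key schema omitted for brevity
                  "Properties": {"BillingMode": "PAY_PER_REQUEST",
                                 "SSESpecification": {"SSEEnabled": True}}},
    "S3Endpoint": {"Type": "AWS::EC2::VPCEndpoint",
                   "Properties": {"VpcId": "vpc-0example", "VpcEndpointType": "Gateway",
                                  "ServiceName": "com.amazonaws.us-gov-west-1.s3"}},
}}

# Hardened form of the same three resources.
HARDENED = copy.deepcopy(WEAK)
HARDENED["Resources"]["CitizenDocs"]["Properties"].update({
    "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": CMK}}]},
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                                       "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
})
HARDENED["Resources"]["CaseTable"]["Properties"]["SSESpecification"] = {
    "SSEEnabled": True, "SSEType": "KMS", "KMSMasterKeyId": CMK}
HARDENED["Resources"]["S3Endpoint"]["Properties"]["PolicyDocument"] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws-us-gov:s3:::citizen-docs-example/*",
                   # Only principals in the agency's own AWS Organization may use the endpoint.
                   "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}}]}

PAB_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


def _as_list(value):
    """Policy fields may be a single string/object or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def is_unrestricted(stmt):
    """True if an Allow statement grants any principal any action on any resource, unconditionally."""
    if stmt.get("Effect") != "Allow" or "Condition" in stmt:
        return False
    any_principal = stmt.get("Principal") in ("*", {"AWS": "*"})
    return any_principal and "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource"))


def check_bucket(name, props):
    findings = []
    rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    if not any(r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm") == "aws:kms" for r in rules):
        findings.append(f"{name}: default encryption is not SSE-KMS")
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(flag) is True for flag in PAB_FLAGS):
        findings.append(f"{name}: public access block is not fully enabled")
    return findings


def check_table(name, props):
    sse = props.get("SSESpecification", {})
    if sse.get("SSEEnabled") is True and sse.get("SSEType") == "KMS" and sse.get("KMSMasterKeyId"):
        return []
    return [f"{name}: not encrypted with a customer-managed KMS key"]


def check_endpoint(name, props):
    policy = props.get("PolicyDocument")
    if policy is None:
        return [f"{name}: no endpoint policy (default grants full access)"]
    if any(is_unrestricted(s) for s in _as_list(policy.get("Statement"))):
        return [f"{name}: endpoint policy allows any principal any action on any resource"]
    return []


CHECKS = {"AWS::S3::Bucket": check_bucket,
          "AWS::DynamoDB::Table": check_table,
          "AWS::EC2::VPCEndpoint": check_endpoint}


def lint_template(template):
    """Return a list of findings; an empty list means the template passes the baseline."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings


if __name__ == "__main__":
    for label, template in (("weak", WEAK), ("hardened", HARDENED)):
        result = lint_template(template)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

In a pipeline, a CodeBuild stage would run this (or a full tool such as cfn-nag or cfn-guard, which cover far more rules) against the rendered template and fail the build on any finding, so a bucket without KMS encryption or an endpoint with the default full-access policy never reaches the deploy stage. The endpoint check is deliberately narrow: it only flags the fully open form, so a policy that allows `s3:*` on `*` without a condition would still pass and should be covered by an additional rule.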

To meet the objectives of the CX EO, agencies can build and deploy modern applications built on microservices architectures by selecting relevant subsets of the services in the architecture framework.

AWS can help government agencies scale rapidly to deliver on CX

For help with a proof-of-concept or implementation project using this framework and reference architecture, or to learn more about AWS serverless and managed services, reach out to the AWS Public Sector Team or your AWS account team to get started.


Sanjeev Pulapaka

Sanjeev Pulapaka is a senior solutions architect in the U.S. Fed Civilian SA team at Amazon Web Services (AWS). He works closely with customers in building and architecting mission critical solutions. Sanjeev has extensive experience in leading, architecting, and implementing high-impact technology solutions that address diverse business needs in multiple sectors including commercial, federal, and state and local governments. He has an undergraduate degree in engineering from the Indian Institute of Technology and an MBA from the University of Notre Dame.

Mickey Iqbal

Mickey Iqbal is the chief technologist for US federal civilian customers at Amazon Web Services (AWS). Prior to joining AWS, Mickey was CEO of a digital health startup. Earlier, Mickey was an IBM fellow and vice president responsible for designing and deploying hybrid cloud architectures for customers across the globe. Mickey has filed more than 40 patents, co-authored three technical books and multiple research and technical publications on topics including resilient and scalable architectures, green data centers, virtualization, software delivery, and hybrid cloud computing. Mickey is a recipient of the 2018 Asian American Engineer of the Year award from