Deployment
Infrastructure Overview
The reference deployment runs on AWS in the af-south-1 (Cape Town) region,
fronted by Cloudflare for global CDN, DNS, DDoS protection, and TLS termination
at the edge. The complete infrastructure topology is shown below. Note that the
diagram also draws a direct Users -> ALB path: for the Cloudflare DDoS and TLS
controls to hold, the ALB must accept inbound traffic only from Cloudflare's
published IP ranges (or be reached through a Cloudflare Tunnel); otherwise anyone
who discovers the origin address can bypass the edge entirely.
```mermaid
%% IOM Digital Tool - Deployment Diagram
%% Complete infrastructure architecture - Official IOM Terminology
graph TB
  subgraph Internet["INTERNET"]
    Users["USERS<br/>(Web, Mobile, WhatsApp, USSD)"]
    Partners["PARTNER SITES<br/>(Employment, Training, AGR)"]
  end
  subgraph CloudflareLayer["CLOUDFLARE CDN"]
    CDN["Global CDN<br/>Static cache<br/>DDoS Protection<br/>SSL/TLS"]
    DNS["DNS Management<br/>Routing<br/>Failover"]
  end
  subgraph AWSCloud["AWS CLOUD (af-south-1 Cape Town)"]
    subgraph FrontendLayer["FRONTEND LAYER"]
      CloudFront["CloudFront CDN<br/>Static assets<br/>SPA distribution"]
      S3Web["S3 Bucket<br/>Next.js build<br/>React Native assets"]
    end
    subgraph LoadBalancing["LOAD BALANCING"]
      ALB["Application Load Balancer<br/>HTTPS termination<br/>Health checks<br/>Auto-scaling trigger"]
    end
    subgraph ComputeLayer["COMPUTE LAYER - EKS Cluster"]
      subgraph K8sPods["Kubernetes Pods"]
        NextJS["Next.js App<br/>Frontend SSR<br/>Replicas: 3"]
        NestJS["NestJS API<br/>Backend<br/>Replicas: 5"]
        FastAPI["FastAPI<br/>AI-Powered<br/>Recommendation Engine<br/>Replicas: 3"]
        ETL["ETL Pipeline<br/>Python + Celery<br/>Workers: 10"]
        Analytics["Analytics API<br/>Python + R<br/>Replicas: 2"]
      end
      subgraph K8sServices["Kubernetes Services"]
        IngressController["Ingress Controller<br/>Routing<br/>SSL"]
      end
    end
    subgraph DataLayer["DATA LAYER"]
      RDS["Amazon RDS PostgreSQL<br/>Multi-AZ deployment<br/>Automated backups<br/>Read replicas: 2"]
      ElastiCache["ElastiCache Redis<br/>Session store<br/>Cache layer<br/>Rate limiting"]
      QdrantCluster["Qdrant Vector DB<br/>Self-hosted on EC2<br/>Embeddings storage<br/>Similarity search"]
    end
    subgraph StorageLayer["STORAGE LAYER"]
      S3Data["S3 Buckets<br/>User documents<br/>CV files<br/>Uploads"]
      S3Logs["S3 Logs<br/>Application logs<br/>Access logs<br/>Audit trails"]
    end
    subgraph MessagingLayer["MESSAGING LAYER"]
      SQS["Amazon SQS<br/>Job queues<br/>ETL tasks<br/>Email queue"]
      SNS["Amazon SNS<br/>Notifications<br/>SMS alerts<br/>Event bus"]
      Kinesis["Kinesis Data Streams<br/>Real-time analytics<br/>Event streaming"]
    end
    subgraph AILayer["AI LAYER"]
      Bedrock["Amazon Bedrock<br/>LLM inference<br/>Claude models<br/>Embeddings"]
      SageMaker["SageMaker<br/>Optional<br/>Model training<br/>Custom ML"]
    end
    subgraph MonitoringLayer["MONITORING & OBSERVABILITY"]
      CloudWatch["CloudWatch<br/>Metrics<br/>Alarms<br/>Dashboards"]
    end
  end
  subgraph LocalInfra["LOCAL INFRASTRUCTURE CAMEROON"]
    subgraph STDigital["ST DIGITAL (Yaounde)"]
      LocalDB["PostgreSQL Replica<br/>Read-only<br/>Data sovereignty<br/>Low latency local"]
      LocalCache["Redis Cache<br/>Local caching<br/>Session backup"]
    end
    subgraph TelecomProviders["TELECOM OPERATORS"]
      MTN["MTN Cameroon<br/>SMS Gateway<br/>USSD Gateway"]
      Orange["Orange Cameroon<br/>SMS Gateway<br/>USSD Gateway"]
    end
    subgraph WhatsAppGateway["WHATSAPP BUSINESS"]
      TwilioWhatsApp["Twilio WhatsApp API<br/>AI Agent Assistant<br/>Chatbot<br/>Message routing"]
    end
  end
  subgraph ExternalServices["EXTERNAL SERVICES"]
    subgraph MonitoringExternal["EXTERNAL MONITORING"]
      GrafanaCloud["Grafana Cloud<br/>LGTM Stack<br/>Prometheus<br/>Loki logs<br/>Tempo traces"]
    end
    subgraph EmailService["EMAIL SERVICE"]
      SendGrid["SendGrid<br/>Transactional emails<br/>Marketing emails<br/>Templates"]
    end
    subgraph DataSources["PARTNER DATA SOURCES"]
      MINEFOP["MINEFOP API<br/>Training programs"]
      FNE["FNE API<br/>Job postings"]
      EmploiCM["Portal Scraping<br/>emploicameroun.cm<br/>camerjob.com"]
      FAO["FAO API/Files<br/>AGR Programs"]
      Microfinance["Microfinance API<br/>CAMCCUL, MC2, etc"]
    end
  end
  subgraph CI_CD["CI/CD PIPELINE"]
    GitHub["GitHub<br/>Code repository<br/>GitHub Actions"]
    ArgoCD["Argo CD<br/>GitOps<br/>K8s deployment"]
    SonarQube["SonarQube<br/>Code quality<br/>Security scan"]
    Trivy["Trivy<br/>Container scanning<br/>Vulnerability detection"]
  end

  %% User connections
  Users --> CDN
  CDN --> DNS
  DNS --> CloudFront
  CloudFront --> S3Web
  Users --> ALB
  CDN --> ALB

  %% Load Balancer connections
  ALB --> IngressController

  %% Ingress to Pods
  IngressController --> NextJS
  IngressController --> NestJS
  IngressController --> FastAPI
  IngressController --> Analytics

  %% Backend to Data
  NestJS --> RDS
  NestJS --> ElastiCache
  NestJS --> S3Data
  FastAPI --> RDS
  FastAPI --> QdrantCluster
  FastAPI --> Bedrock
  FastAPI --> ElastiCache
  ETL --> RDS
  ETL --> S3Data
  ETL --> SQS
  Analytics --> RDS
  Analytics --> Kinesis

  %% Messaging connections
  NestJS --> SQS
  NestJS --> SNS
  FastAPI --> SNS
  SQS --> ETL
  SNS --> SendGrid
  SNS --> MTN
  SNS --> Orange

  %% WhatsApp connections
  Users -.WhatsApp.-> TwilioWhatsApp
  TwilioWhatsApp --> NestJS
  TwilioWhatsApp --> FastAPI

  %% USSD connections
  Users -.USSD.-> MTN
  Users -.USSD.-> Orange
  MTN --> NestJS
  Orange --> NestJS

  %% Data Sources connections
  ETL -.Scraping/API.-> EmploiCM
  ETL -.API.-> MINEFOP
  ETL -.API.-> FNE
  ETL -.API/Files.-> FAO
  ETL -.API.-> Microfinance

  %% Local Infrastructure connections
  RDS -.Replication.-> LocalDB
  ElastiCache -.Sync.-> LocalCache
  Users -.Local Access.-> LocalDB

  %% External redirection connections
  NestJS -.Redirect.-> Partners

  %% Monitoring connections
  NestJS --> CloudWatch
  FastAPI --> CloudWatch
  ETL --> CloudWatch
  CloudWatch --> GrafanaCloud
  RDS --> CloudWatch
  NestJS -.Logs.-> S3Logs
  FastAPI -.Logs.-> S3Logs

  %% CI/CD connections
  GitHub --> ArgoCD
  GitHub --> SonarQube
  GitHub --> Trivy
  ArgoCD --> K8sPods

  %% Styles for better visibility
  classDef awsService fill:#FF9900,stroke:#232F3E,stroke-width:4px,color:#000,font-size:15px,font-weight:bold
  classDef k8sService fill:#326CE5,stroke:#fff,stroke-width:4px,color:#fff,font-size:15px,font-weight:bold
  classDef dataService fill:#527FFF,stroke:#000,stroke-width:4px,color:#fff,font-size:15px,font-weight:bold
  classDef externalService fill:#4CAF50,stroke:#1B5E20,stroke-width:4px,color:#fff,font-size:15px,font-weight:bold
  classDef localService fill:#FFC107,stroke:#F57C00,stroke-width:4px,color:#000,font-size:15px,font-weight:bold
  classDef monitoringService fill:#9C27B0,stroke:#4A148C,stroke-width:4px,color:#fff,font-size:15px,font-weight:bold
  class CloudFront,ALB,RDS,ElastiCache,S3Web,S3Data,S3Logs,SQS,SNS,Kinesis,Bedrock,SageMaker,CloudWatch awsService
  class NextJS,NestJS,FastAPI,ETL,Analytics,IngressController k8sService
  class QdrantCluster dataService
  class SendGrid,TwilioWhatsApp,MINEFOP,FNE,EmploiCM,FAO,Microfinance,Partners externalService
  class LocalDB,LocalCache,MTN,Orange localService
  class GrafanaCloud,SonarQube,Trivy,ArgoCD,GitHub monitoringService
```
Figure 7. Deployment diagram — full infrastructure architecture.
Layers
The diagram above is the reference design; the table below lists the layers as they exist in the current codebase. The two differ in the application and AI tiers: the containerized application tier is the FastAPI AI engine, the web frontend and the partners portal rather than the separate NestJS API in the diagram, and embeddings and LLM inference use Ollama and Gemini via OpenRouter rather than Amazon Bedrock.

| Layer | Responsibilities |
|---|---|
| Edge (Cloudflare) | Global CDN, static caching, DDoS protection, SSL/TLS, DNS, failover |
| Frontend | CloudFront CDN + S3 (Next.js build, React Native web assets) |
| Load balancing | Application Load Balancer (HTTPS termination, health checks, auto-scaling triggers) |
| Application | FastAPI AI engine, web frontend, and partners portal (containerized) |
| AI services | Ollama embeddings, Qdrant vector DB, Gemini via OpenRouter |
| Data | PostgreSQL (managed), Qdrant storage volumes |

Clients reach the platform over the public Internet (web, mobile, and, in the reference design, WhatsApp and USSD channels), while partner sites are integrated for opportunity sourcing and for redirecting users to external application forms.
Containers
The AI engine, web frontend, and partners portal each ship a Dockerfile.
Build and run them as part of a container orchestration setup (for example ECS,
Kubernetes, or Docker Compose):
```bash
docker build -t oim/ai-engine ./oim-ai-recommandation-engine-staging
docker build -t oim/frontend ./oim-frontend-staging
docker build -t oim/partners ./oim-partners-front-staging
```
Qdrant runs from the official qdrant/qdrant image with a persistent storage
volume; Ollama serves the bge-m3 embedding model; PostgreSQL is provisioned as a
managed or self-hosted instance. Pin image tags (or digests) rather than relying
on `latest`, and keep Qdrant (ports 6333/6334) and Ollama (port 11434) off public
interfaces: neither enforces authentication out of the box, so they should be
reachable only from the AI engine's network.
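Added example, not a file from the project: a Docker Compose definition that wires the three images built above to Qdrant, Ollama and PostgreSQL for a single-host staging setup. Service names, ports, volume names, the `./secrets/` paths and the environment variable names the AI engine is assumed to read (`DATABASE_URL`, `QDRANT_URL`, `OLLAMA_URL`, `OPENROUTER_API_KEY`) are assumptions; adapt them to the real settings modules. The points it demonstrates are the ones above: datastores stay off the host network, bge-m3 is pulled once into a persistent Ollama volume, the database password comes from a secret file rather than an inline value, and the application ports bind to loopback so a TLS-terminating proxy must sit in front.

```yaml
# docker-compose.yml (added example, not the project's own file).
# Assumed: service names, ports, volume names, the ./secrets/ paths and the
# environment variable names consumed by the AI engine.
services:
  postgres:
    image: postgres:16
    environment:
      POSTGRES_DB: oim
      POSTGRES_USER: oim
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password  # read from file, never inline
    secrets:
      - postgres_password
    volumes:
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U oim -d oim"]
      interval: 10s
      timeout: 5s
      retries: 5
    # no "ports:" entry: reachable only on the compose network

  qdrant:
    image: qdrant/qdrant:latest        # replace :latest with a pinned tag or @sha256 digest
    volumes:
      - qdrant_storage:/qdrant/storage # persistent embeddings storage
    # 6333/6334 are not published; Qdrant has no auth unless an API key is configured

  ollama:
    image: ollama/ollama:latest        # pin in real deployments
    volumes:
      - ollama_models:/root/.ollama    # keeps pulled models across restarts
    # 11434 is not published; Ollama has no built-in authentication

  # one-shot job: pull the bge-m3 embedding model into the running Ollama server
  ollama-pull:
    image: ollama/ollama:latest
    depends_on:
      - ollama
    environment:
      OLLAMA_HOST: http://ollama:11434
    entrypoint: ["ollama", "pull", "bge-m3"]
    restart: "no"

  ai-engine:
    build: ./oim-ai-recommandation-engine-staging
    image: oim/ai-engine
    env_file: ./secrets/ai-engine.env  # assumed: DATABASE_URL, QDRANT_URL, OLLAMA_URL,
                                       # OPENROUTER_API_KEY; file is git-ignored
    depends_on:
      postgres:
        condition: service_healthy
      qdrant:
        condition: service_started
      ollama-pull:
        condition: service_completed_successfully
    ports:
      - "127.0.0.1:8000:8000"          # loopback only; TLS terminates at a proxy in front

  frontend:
    build: ./oim-frontend-staging
    image: oim/frontend
    env_file: ./secrets/frontend.env   # assumed: base URL of the AI engine
    depends_on:
      - ai-engine
    ports:
      - "127.0.0.1:3000:3000"

  partners:
    build: ./oim-partners-front-staging
    image: oim/partners
    env_file: ./secrets/partners.env   # assumed: base URL of the AI engine
    depends_on:
      - ai-engine
    ports:
      - "127.0.0.1:3001:3000"

volumes:
  pgdata:
  qdrant_storage:
  ollama_models:

secrets:
  postgres_password:
    file: ./secrets/postgres_password  # single line, mode 0600, git-ignored
```

Start it with `docker compose up -d --build`; the AI engine only starts once PostgreSQL passes its health check and the model pull has completed, so a missing model or unreachable database surfaces at startup rather than on the first request.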
Mobile Builds
The mobile application is built and distributed with EAS (Expo Application
Services). Build profiles are defined in eas.json; configure signing and
distribution channels there before producing Android / iOS binaries. By default
EAS keeps the signing material (Android keystore, iOS distribution certificate
and provisioning profile) remotely in the Expo project; if a profile is switched
to local credentials, the generated credentials.json and the keystore it
references must stay out of version control.
Self-Hosted (ST Digital, Cameroon)
For data-residency requirements, the Security and Privacy Plan documents a self-hosted deployment on ST Digital infrastructure in Cameroon. This involves translating the AWS reference services to their self-hosted equivalents and applying the environment-specific security controls described in Security and Privacy.