AnswerLayer is a BYOC (Bring Your Own Cloud) application: all infrastructure runs inside the customer's AWS account. Deployment is orchestrated by Nuon, which provisions a runner agent via CloudFormation that executes Terraform to manage the application stack (ECS, RDS, ALB, S3). Below: the Nuon orchestration layer (left) and the AnswerLayer application stack (right) inside YOUR COMPANY's AWS account. Customer data is accessed from your data sources via secure connectors.
Architecture diagram labels:

ANSWERLAYER CONTROL PLANE: api.nuon.co | runner.nuon.co
YOUR COMPANY USERS: Browser | API | MCP
YOUR COMPANY AWS ACCOUNT: All resources provisioned and managed within your account | Data never leaves

RUNNER INFRASTRUCTURE: CloudFormation stack | Orchestration layer
RUNNER SUBNET
Auto Scaling Group: t3a.medium | Nuon Runner Agent | Executes Terraform via assumed IAM roles | SG: All outbound
IAM ROLES (STS ASSUME): PROVISION | MAINTENANCE | DEPROVISION
PHONE HOME LAMBDA: Python 3.12 | CloudFormation CustomResource | Reports VPC/subnet/role info back to Nuon API | Fires on stack Create / Update / Delete
CLOUDWATCH: runner logs | 7d retention

ANSWERLAYER APPLICATION STACK: 5 Terraform components deployed by Nuon Runner
PUBLIC SUBNETS (3 AZs)
APPLICATION LOAD BALANCER: Internet-facing | HTTP(80) -> HTTPS(443) redirect | TLS 1.3 | ACM certificate (Route53 validated) | Route53 A record -> ALB alias | SG: 80+443 from 0.0.0.0/0 | Target group :8000
PRIVATE SUBNETS (3 AZs)
ECS CLUSTER: FARGATE + FARGATE_SPOT | Container Insights
ECS FARGATE SERVICE, ANSWERLAYER CONTAINER: answerlayer-core:{image_tag} from ECR | React frontend (bundled) | Health: /healthz | SG: :8000 from ALB SG only | All outbound | Task Role: S3 rw, Bedrock invoke | Exec Role: ECR pull, CloudWatch logs, secrets
RDS POSTGRESQL: User: answerlayer | Password: Secrets Manager | Backups: 7d | Performance Insights: on | Encrypted storage (AES256) | SG: :5432 from ECS SG only
S3 BUCKETS: AES256 encryption | All public access blocked | IAM: s3:Put/Get/Delete via Task Role
BEDROCK VPC ENDPOINT: com.amazonaws.{region}.bedrock-runtime | Interface endpoint | Private DNS enabled | SG: HTTPS(443) from ECS SG
SECRETS MANAGER: answerlayer-secrets: CLERK, ENCRYPTION_KEY | RDS auto-managed secret: DB_PASSWORD | Read by Task Execution Role at container start
CLOUDWATCH: /ecs/answerlayer | 30d
ECR PULL: Cross-account IAM

EXTERNAL SERVICES
YOUR DATA SOURCES: Customer data warehouse | AWS-hosted
CLERK AUTH
SQL connector

Legend: VPC endpoint / internal AWS | Secrets injection (startup) | Subnet boundary
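An added example (not AnswerLayer or Nuon code): a Python check that compares security-group ingress rules, in the IpPermissions shape returned by EC2 DescribeSecurityGroups, against the ingress the diagram states for the ALB, ECS service, RDS and Bedrock endpoint. The tier names, group IDs and sample rules are constructed for illustration.

```python
# Allowed ingress per tier, from the diagram: (from_port, to_port, source); "sg:<tier>" = that tier's SG.
EXPECTED = {
    "alb": {(80, 80, "0.0.0.0/0"), (443, 443, "0.0.0.0/0")},
    "ecs": {(8000, 8000, "sg:alb")},
    "rds": {(5432, 5432, "sg:ecs")},
    "bedrock_endpoint": {(443, 443, "sg:ecs")},
}

def flatten(perms, tier_of):
    """Turn EC2 IpPermissions entries into a set of (from, to, source) tuples."""
    rules = set()
    for p in perms:
        # FromPort/ToPort are absent when IpProtocol is "-1" (all traffic).
        lo, hi = p.get("FromPort", 0), p.get("ToPort", 65535)
        srcs = [r["CidrIp"] for r in p.get("IpRanges", [])]
        srcs += [r["CidrIpv6"] for r in p.get("Ipv6Ranges", [])]
        srcs += ["sg:" + tier_of.get(g["GroupId"], g["GroupId"])
                 for g in p.get("UserIdGroupPairs", [])]
        rules.update((lo, hi, s) for s in srcs)
    return rules

def audit(groups):
    """groups maps tier -> {"GroupId", "IpPermissions"}; returns sorted findings."""
    tier_of = {g["GroupId"]: tier for tier, g in groups.items()}
    findings = []
    for tier, want in EXPECTED.items():
        have = flatten(groups[tier]["IpPermissions"], tier_of)
        findings += [(tier, "unexpected", r) for r in have - want]
        findings += [(tier, "missing", r) for r in want - have]
    return sorted(findings)

def perm(port, cidrs=(), sgs=()):
    """Build one IpPermissions entry (helper for the constructed sample data)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": s} for s in sgs]}

# Constructed sample: matches the diagram except RDS, which has an extra CIDR rule.
SAMPLE = {
    "alb": {"GroupId": "sg-alb00001", "IpPermissions": [
        perm(80, cidrs=["0.0.0.0/0"]), perm(443, cidrs=["0.0.0.0/0"])]},
    "ecs": {"GroupId": "sg-ecs00002", "IpPermissions": [perm(8000, sgs=["sg-alb00001"])]},
    "rds": {"GroupId": "sg-rds00003", "IpPermissions": [
        perm(5432, sgs=["sg-ecs00002"]), perm(5432, cidrs=["10.0.0.0/16"])]},
    "bedrock_endpoint": {"GroupId": "sg-vpce0004", "IpPermissions": [
        perm(443, sgs=["sg-ecs00002"])]},
}

if __name__ == "__main__": print(audit(SAMPLE))
```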