Technical specification of iMBrace platform environments including AWS Private Cloud and On-Premise deployments

iMBrace Platform Environment Specification

By: iMBrace Limited
Version: 1.0 (2025-09-12)
Author: Kong Lee
Status: First version

🏗️ AWS Private Cloud — Single Node

EC2 Instance Requirements

Category	Specification
CPU	Intel or AMD x86 (36 cores)
Memory	96 GB
Storage	Local SSD Disks: 2 TB
Operating System	RHEL-compatible (AlmaLinux 10+, Rocky Linux 9.5+), RHEL 10+, or Ubuntu 24.04 LTS+
Dependencies	Red Hat subscription may be required for dependency installation

iMBrace Platform Components

Component	Summary
Operating System	RHEL, AlmaLinux, Rocky, or Ubuntu 24.04 LTS+
System Dependencies	OS patches, essential tools, user accounts, AWS credentials, directory structure handled by automation scripts
Docker Engine	Docker Engine – Community v28.0.2 or later
Docker Compose	v2.34.0 or later
MongoDB Atlas Local	v8.0.5 or later
MongoDB	v8.0.6 or later
Redis	v7.2.4 or later
PostgreSQL DB	v15.9 or later
Apache Kafka Broker	v4.0.0 or later
iMBrace Applications	Multiple containers serving different platform layers

Firewall and Networking

Category	Specification
Public IP Address	Fixed or dynamic (1-1 NAT preferred)
Private IP Address	Fixed private IP
Inbound Rules	Allow TCP ports 22, 80, 443, 4000, 5000, 8000, 8888, 9000, 9981
Traffic Source	Private networks only (restrict port 22 via whitelist or VPN)
Outbound Rules	Allow all traffic (0.0.0.0/0)
Internet Access	Allowed

AWS Account & IAM

Create sub-accounts (member accounts) under an AWS Organization for isolation.
One IAM user with programmatic access keys and least privileges is required.
The iMBrace platform uses this IAM user to access AWS resources.

AWS VPC and Networking

Create multiple VPCs for separate environments (development, staging, production).
Configure NAT gateways for outbound internet access from private subnets.
Inbound SSH traffic should be restricted through VPN or jump hosts.

DNS Management

Use AWS Route53 to host DNS records for both public and private zones.

Bedrock Configuration

Parameter	Description
Region	`us-west-2` (Oregon)
LLM Model	Llama 4 Maverick 17B Instruct
Embedding Model	Titan Text Embeddings V2
Access	Enable Bedrock service in the AWS account
IAM Policy Example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BedrockFullAccess",
      "Effect": "Allow",
      "Action": ["bedrock:*"],
      "Resource": "*"
    }
  ]
}

| Connectivity | The iMBrace platform (Node.js client) connects to Bedrock via HTTPS through the NAT gateway for encrypted communication. | | Configuration | All configurations for the imbrace platform to call Bedrock are implemented by configuration files. |

AWS Private Cloud — High Availability (HA)

Components Specification

Component	CPU Cores	RAM	Storage	Notes
EC2 Web	6	14.5 GB	500 GB	Region: ap-east-1
EC2 Web	6	14.5 GB	500 GB	Region: ap-east-1
EC2 Backend	6	14.5 GB	500 GB	Region: ap-east-1
EC2 Backend	6	14.5 GB	500 GB	Region: ap-east-1
MongoDB Atlas Cluster	4	16 GB	100 GB (Auto-Scale)	Tier: M40
MongoDB Atlas Cluster	4	16 GB	100 GB (Auto-Scale)	Tier: M40
AWS RDS PostgreSQL	2	4 GB	100 GB (Auto-Scale)	Type: db.t3.medium
ElastiCache Redis	2	3 GB	–	Type: cache.t3.medium
Confluent Cloud (Kafka)	Managed	Managed	Managed	Standard Cluster, ap-east-1

On-Premise — Single Node

System Requirements (Without GPU):

Category	Specification
CPU	Intel or AMD x86, 36 cores
Memory	96 GB
Storage	Local SSD Disks: 2 TB
Operating System	Red Hat Enterprise Linux 10+ (RHEL) (subscription required required to download and install necessary system dependencies and packages)
Dependencies	Proper Linux drivers for hardware compatibility

System Requirements (With GPU)

Category	Specification
CPU	Intel or AMD x86, 36 cores
Memory	128 GB
Storage	Local SSD Disks: 4 TB
GPU	4–8 × NVIDIA L20 (48 GB VRAM per GPU)
Operating System	RHEL 9.5+
Dependencies	NVIDIA CUDA Toolkit, Drivers, and Container Toolkit
Additional Notes	Other serving tools (e.g. vLLM, lmdeploy) may be used depending on model requirements.

Firewall and Networking (On-Premise)

Category	Specification
General Requirements
Public IP	Fixed or via 1-1 NAT (preferred)
Private IP	Fixed private address
Inbound Traffic Rules
Allowed Ports	TCP 22, 80, 443, 4000, 5000, 8000, 8888, 9000, 9981 (more ports can be opened upon request).
Traffic Sources	Restrict SSH (port 22) via whitelist or VPN (Port 22 (SSH) is for remotely managing server and software updates. It can be restricted by whitelisting source IP addresses or VPN solutions)
Outbound Traffic Rules
Allowed Rules	All traffic to all IP addresses (0.0.0.0/0) for all protocols.
Internet Access	The server can access the internet.

Platform Components (On-Premise)

Component	Summary
Operating System	RHEL, Rocky, AlmaLinux, or Ubuntu 24.04 LTS+
System Dependencies	Patches, tools, user setup, and credentials via automation scripts
NVIDIA Components	CUDA toolkit, drivers, container toolkit
Docker Engine	v28.0.2+
Docker Compose	v2.34.0+
MongoDB Atlas Local	v8.0.5+
MongoDB	v8.0.6+
Redis	v7.2.4+
PostgreSQL DB	v15.9+
Apache Kafka Broker	v4.0.0+
LLM Model Serving Tool	Ollama Docker Image v0.9.6 (alternatively vLLM or lmdeploy)
iMBrace Application Containers	Handle all platform layers and services

IAM, SSL, and DNS (On-Premise)

Even for on-premise deployments, create one IAM user with programmatic keys (least privileges) to access iMBrace AWS resources.
Use the customer’s SSL certificate for HTTPS configuration.
Manage DNS through the customer’s DNS server.

On-Premise — HA and Resilient

(To be confirmed in future revisions.)

iMBrace Platform Environment Specification

On this page