Lesson 0001 · ~15 minutes

AWS core, mapped from the Cloudflare you already know

Case AI Interview prep · Layer 1 of the whiteboard · Rosetta Stone · Glossary
Why this lesson: AWS is a hard requirement for the Case AI role and your most visible gap. The win here: by the end you can draw their platform's skeleton on a whiteboard and name why each box exists. Everything later (RAG, security, evals) hangs off this picture.

1 · The one mental shift

You already think in serverless primitives — Workers, D1, R2, Queues. AWS has a twin for each (full mapping table here). The real difference is this:

Cloudflare hides the datacenter. AWS hands it to you.

On Cloudflare you never chose a network, a firewall rule, or an identity for your code — the platform decided. On AWS, three concepts you've never needed do that work, and they're exactly where interviewers catch people who've "read about AWS" but never used it:

Trap concepts — no Cloudflare analogue

VPC — your private network, split into public subnets (internet-facing: load balancer) and private subnets (app containers, database — unreachable from outside).
IAM roles — identity for workloads: your container assumes a role and receives temporary credentials scoped to exactly the actions it needs (least privilege — AWS's own doctrine). No long-lived keys, ever.
ALB — the explicit HTTPS front door: TLS termination, health checks, spreading traffic across containers in multiple availability zones.

2 · The Case AI skeleton

Here is a defensible first-whiteboard answer to "how would you run our platform on AWS?" — a document-heavy legal SaaS with a web portal, an API, and background AI processing:

Lawyer / client browser
↓ HTTPS
Route 53 → CloudFront: DNS → CDN edge (the "Cloudflare layer", now explicit)
VPC — region ap-east-1, spread over 2+ availability zones
ALB — public subnets: TLS, health checks, routing
ECS Fargate services — private subnets: Next.js portal + API containers · each task assumes an IAM role
↓   ↓   ↓
Aurora PostgreSQL: cases, users, matters — later + pgvector for embeddings
S3: the documents themselves (contracts, filings)
SQS → ingestion workers: async pipeline: extract → chunk → embed (Lesson 0003)
Secrets Manager: DB password, LLM API keys — fetched at runtime
NAT Gateway: outbound calls to Anthropic/OpenAI from private subnets
CloudWatch: logs, metrics, alarms

Narrate it in one breath: "Traffic comes in through Route 53 and CloudFront, hits an ALB in the public subnets, which forwards to Fargate containers in private subnets. They talk to Aurora for relational data, S3 for documents, and push heavy document processing onto SQS so the API stays fast. Each service has its own least-privilege IAM role, secrets come from Secrets Manager at runtime, and everything is spread across two AZs." That paragraph is the deliverable of this lesson.
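
The per-service least-privilege role from the narration above, as an added example that is not part of the original lesson: a trust policy that lets ECS tasks assume the role, a permissions policy scoped to the skeleton's S3, SQS and Secrets Manager resources, and a small check that flags wildcard grants. The account ID and the bucket, queue and secret names are constructed placeholders.

```python
# Added example. Account ID, bucket, queue and secret names are constructed placeholders.
ACCOUNT, REGION = "111122223333", "ap-east-1"

# Trust policy: who may assume the role. Only the ECS tasks service principal.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ecs-tasks.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Permissions policy for a hypothetical API task: documents in S3, jobs onto SQS,
# one secret read at runtime. Every statement names specific actions and ARNs.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-caseai-documents/*"},
        {"Effect": "Allow", "Action": "sqs:SendMessage",
         "Resource": f"arn:aws:sqs:{REGION}:{ACCOUNT}:example-ingestion"},
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:example/db-*"},
    ],
}

# The shortcut version that the audit below should reject.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "sqs:SendMessage"],
                   "Resource": "*"}],
}

def as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (statement index, problem, value) for each over-broad Allow grant."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, "wildcard action", action))
        for resource in as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, "wildcard resource", resource))
    return findings
```

`audit(SCOPED_POLICY)` returns no findings, while `audit(BROAD_POLICY)` reports both the `s3:*` action and the `*` resource in statement 0.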

3 · The one decision they will ask about: Lambda vs Fargate

Both are "serverless compute". AWS's own decision guide frames it the way you should:

| | Lambda | ECS Fargate |
|---|---|---|
| Shape of work | Short, event-driven bursts (S3 upload triggers, queue consumers) | Long-running services (the API, the web portal) |
| Hard limits | 15-minute max runtime, cold starts | None of those — but no scale-to-zero, slower deploys (image pulls) |
| Case AI fit | "Thumbnail the upload", "consume one SQS message" | The portal/API; a 40-minute OCR-and-embed job over a 500-page filing |

Sound bite: "Fargate for the always-on services, Lambda for event-driven glue — and any document job that might exceed 15 minutes is automatically a container job."

Whiteboard drill — do this now, out loud, in English

Close this page. On paper, redraw the skeleton from memory — boxes and arrows only — then narrate it for 60 seconds as if the interviewer just asked "walk me through how you'd deploy Case AI on AWS." Done? Reopen and check what you dropped. (Retrieving from memory is the point; rereading is not practice.)

4 · Prove it — retrieval quiz

Primary source

Read the pillar summaries of the AWS Well-Architected Framework (~20 min, skim depth). It's AWS's own design doctrine — six pillars: operational excellence, security, reliability, performance efficiency, cost optimization, sustainability — and interviewers at AWS-shop companies borrow its vocabulary wholesale.

Questions? Anything fuzzy — why the DB sits in a private subnet, what a security group rule looks like, how a task "assumes" a role — ask your teacher (the agent) in the session. That's what it's for.

Next lesson: 0002 — The request's journey (DNS, CDN edges, where your backend actually runs — born from your follow-up questions); security & compliance follows as 0003.