
RFID Tracking & Business Intelligence Platform

Multi-region AWS infrastructure powering RFID-based international postal receptacle tracking across 50+ countries and five continents, with real-time data enrichment and embedded Power BI dashboards.

Category: Containers
Region: eu-north-1 / eu-central-1
Tags (7 services): ECS Fargate, RDS PostgreSQL, DMS, CloudFront, VPC Peering, Service Connect, Lambda

Overview

This is a production business intelligence platform that tracks international postal receptacles through their cross-border journey using RFID infrastructure. It fills the visibility gap that EDI messaging alone cannot cover — providing the actual physical timestamps of when receptacles leave origin facilities, move through transit, and arrive at destination, rather than relying solely on system-generated scan events.

The platform measures three operational KPIs for international Leg 2 monitoring:

  • Outbound performance — elapsed time between dispatch declaration and the actual physical handover at origin
  • Transportation time — true transit duration based on physical facility exit and arrival, not processing timestamps
  • Inbound performance — elapsed time between physical arrival at destination and processing confirmation

These metrics are made possible by linking EPC RFID transponders to S9 receptacle identifiers. While EDI messaging only captures electronic events at predefined points, RFID provides the physical timestamps at facility entry and exit gates that reveal what messaging cannot see.

Architecture

The platform runs across two AWS regions connected by VPC peering:

  • eu-north-1 (Stockholm) — primary region: all application workloads, reporting database, CDN, enrichment pipeline
  • eu-central-1 (Frankfurt) — secondary: Aurora PostgreSQL EPC-to-S9 matching database, DMS replication origin

Data Flow

  1. RFID readers at facility entry/exit points capture receptacle movements as EPCIS events (tag ID, read point, timestamp)
  2. On-premise EPCIS system (Elasticsearch) pushes events in real time via REST/JSON to the Edge API on AWS
  3. Frankfurt Aurora holds the EPC-to-S9 matching data — the correlation between each RFID tag and its S9 receptacle identifier. AWS DMS continuously replicates this to Stockholm
  4. PostgreSQL enrichment triggers join the incoming RFID events with the S9 matching data on every insert, computing status and enriching with facility geolocation
  5. Power BI dashboards read from the pre-enriched output table, providing interactive reporting with role-based access per country and postal organization

In addition to automated EPCIS ingestion, the platform supports manual file uploads: operators can extract RFID data for any time period and upload it directly via the S3 ingestion pipeline, enabling historical analysis and data backfills outside the automated flow.

Application Layer — ECS Fargate

Four containerized services run on Fargate with internal communication via AWS Cloud Map and ECS Service Connect. All services run at minimal size with autoscaling configured to keep costs low under normal load:

Service | Role
YARP Gateway | Reverse proxy, JWT auth, routing
API Service | .NET 8 backend, RFID event ingestion and reports
Users Service | Identity, roles, permissions
Hangfire | Background jobs, data normalization, scheduled refresh

Only YARP is exposed through the ALB. API, Users, and Hangfire are internal-only via Service Connect.

Data Pipeline — PostgreSQL Enrichment Triggers

All enrichment logic runs as PostgreSQL triggers — not application code. Triggers fire automatically on every insert:

  • Deduplication — Keeps only the earliest and latest read per tag per facility. Prevents table bloat from repeated scans at the same reader.
  • Geolocation enrichment — Looks up facility coordinates by read point and populates geographic data automatically.
  • Status calculation — Joins the RFID event against S9 matching data, extracts origin/destination codes, and computes the receptacle's operational status.

Power BI reads exclusively from the enriched output table — a flat, pre-joined, pre-calculated view. No live joins, no complex DAX.

Cross-Region Replication — AWS DMS

The Frankfurt Aurora database holds the EPC-to-S9 matching data — the link that connects each physical RFID read to a specific receptacle identity in the postal supply chain. Without this, RFID events are movement data with no postal context.

AWS DMS replicates this matching data to Stockholm in full load + CDC mode, keeping it continuously in sync. A column transformation rule corrects a data quality artifact in the source to ensure tag IDs match correctly across both systems. VPC Peering connects the two regional VPCs privately, allowing the DMS replication instance to reach the Frankfurt source without traversing the public internet.

File Ingestion Pipeline

Operators and contractors can upload RFID flat files to S3 for manual ingestion. An S3 event triggers Lambda, which validates and routes each file to EFS. Hangfire picks up the files and processes them through the same normalization pipeline as the automated flow. SNS sends email notifications on successful uploads.
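The validation step is where an operator-controlled S3 key becomes a path on the filesystem that Hangfire reads, so it is the natural place to reject traversal and unexpected file types. The sketch below is an added example, not the platform's Lambda code; the EFS mount path, allowed extensions and size ceiling are assumptions, and `route_upload` and `make_event` are hypothetical names.

```python
import posixpath
from urllib.parse import unquote_plus

# Assumed policy values; the page does not state them.
EFS_ROOT = "/mnt/efs/incoming"       # hypothetical EFS mount path
ALLOWED_EXT = {".csv", ".txt"}       # hypothetical flat-file types
MAX_BYTES = 200 * 1024 * 1024        # hypothetical size ceiling


def route_upload(record: dict) -> tuple:
    """Return (True, efs_path) for an acceptable object, else (False, reason)."""
    obj = record["s3"]["object"]
    key = unquote_plus(obj["key"])   # keys in S3 event records are URL-encoded
    size = obj.get("size", 0)

    if size <= 0 or size > MAX_BYTES:
        return False, "size out of range"
    if "\\" in key or any(ord(c) < 32 for c in key):
        return False, "control or backslash character in key"
    parts = key.split("/")
    if any(p in ("", ".", "..") for p in parts):
        return False, "empty or relative path segment"
    name = parts[-1]
    ext = posixpath.splitext(name)[1].lower()
    if name.startswith(".") or ext not in ALLOWED_EXT:
        return False, "file type not allowed"

    # Defence in depth: the normalized destination must stay under the root.
    dest = posixpath.normpath(posixpath.join(EFS_ROOT, *parts))
    if not dest.startswith(EFS_ROOT + "/"):
        return False, "destination escapes EFS root"
    return True, dest


def make_event(key: str, size: int) -> dict:
    """Build a minimal, constructed S3 event record for local testing."""
    return {"s3": {"object": {"key": key, "size": size}}}


if __name__ == "__main__":
    # Constructed sample keys, not real uploads.
    for k, s in [("uploads/SE/2024-05/reads.csv", 1024),
                 ("uploads/..%2F..%2Fetc/job.csv", 10),
                 ("uploads/SE/report+may.csv", 10),
                 ("uploads/SE/reads.csv.exe", 10)]:
        print(k, "->", route_upload(make_event(k, s)))
```

Decoding the key before checking it matters: the traversal sample only reveals its `..` segments after URL-decoding.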

Frontend & Authentication

The Angular SPA is compiled to S3 and served through CloudFront with a custom domain and ACM certificate. CloudFront routes traffic to the appropriate backend based on request type.

Keycloak on EC2 (Graviton2) handles OAuth2/OIDC authentication with country-level access control — each postal organization accesses only its own data.

AWS Services

Service | Purpose
ECS Fargate | Four containerized services with autoscaling
ECR | Container image registries for all services
Cloud Map + Service Connect | Internal service discovery
ALB | Layer 7 load balancing with HTTPS termination
WAF | Request filtering and traffic protection
RDS PostgreSQL | Primary reporting database (Stockholm)
Aurora PostgreSQL | EPC-to-S9 matching database (Frankfurt)
DMS | Full Load + CDC cross-region replication
VPC Peering | Stockholm ↔ Frankfurt private connectivity
VPC Endpoints | Private access to ECR, Secrets Manager, CloudWatch
NAT Gateway | Outbound internet access from private subnets
CloudFront + OAC | Angular SPA CDN with secure S3 origin access
ACM | SSL/TLS certificates for CloudFront and ALB
S3 | Frontend assets + operator file uploads
Lambda | File validation and EFS routing on S3 events
EFS | Shared filesystem between Lambda and Hangfire
Keycloak on EC2 | OAuth2/OIDC authentication with per-country access control
Secrets Manager | Database credentials and service configuration
SNS | File upload email notifications
CloudWatch Logs | Centralised logging for all ECS services and RDS
IAM + OIDC | Task roles, least-privilege policies, GitHub Actions federation
GitHub Actions | CI/CD pipeline with OIDC federation, no stored AWS keys
AWS CDK | Full infrastructure defined as code across 9 CloudFormation stacks

Key Design Decisions

Database-level enrichment over application logic. All deduplication, geolocation lookup, status calculation, and S9 joining runs via PostgreSQL triggers. The enrichment pipeline is independent of the ingestion path — whether data arrives via automated EPCIS push or manual file upload, the same triggers fire and produce the same enriched output.

DMS over custom replication. Chose DMS for cross-region replication for its managed CDC pipeline, GUI-based setup, and built-in transformation rules for correcting data quality issues in the source.

Service Connect requires explicit CI/CD handling. Standard ECS deployment tooling silently drops Service Connect configuration on every deploy. A post-deploy step re-applies the correct configuration for each service — without it, internal service communication breaks with no obvious error.
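Because the failure is silent, a pipeline gate that inspects the deployed state catches it before traffic does. The check below is an added example, not the project's post-deploy step: it reads a saved `aws ecs describe-services` response and reports any service whose PRIMARY deployment no longer carries Service Connect configuration. The service names, and which services must publish an endpoint, are assumptions.

```python
# Hypothetical service names; True means the service must publish a
# Service Connect endpoint (assumed for the three internal-only services).
EXPECTED = {"yarp-gateway": False, "api": True, "users": True, "hangfire": True}


def service_connect_drift(response: dict) -> dict:
    """Return {service: reason} for each expected service whose PRIMARY
    deployment is missing, or has lost, its Service Connect configuration."""
    problems = {name: "service not found in response" for name in EXPECTED}
    for svc in response.get("services", []):
        name = svc.get("serviceName")
        if name not in EXPECTED:
            continue
        primary = next((d for d in svc.get("deployments", [])
                        if d.get("status") == "PRIMARY"), None)
        cfg = (primary or {}).get("serviceConnectConfiguration") or {}
        if primary is None:
            problems[name] = "no PRIMARY deployment"
        elif not cfg.get("enabled"):
            problems[name] = "Service Connect missing or disabled"
        elif EXPECTED[name] and not cfg.get("services"):
            problems[name] = "client-only: no endpoint published"
        else:
            del problems[name]
    return problems


# Constructed sample shaped like describe-services output (not real data).
SC_SERVER = {"enabled": True, "services": [{"portName": "http"}]}
SAMPLE = {"services": [
    {"serviceName": "yarp-gateway", "deployments": [
        {"status": "PRIMARY", "serviceConnectConfiguration": {"enabled": True}}]},
    {"serviceName": "api", "deployments": [
        {"status": "PRIMARY"},  # configuration dropped by the new deploy
        {"status": "ACTIVE", "serviceConnectConfiguration": SC_SERVER}]},
    {"serviceName": "users", "deployments": [
        {"status": "PRIMARY",
         "serviceConnectConfiguration": {"enabled": True, "services": []}}]},
    {"serviceName": "hangfire", "deployments": [
        {"status": "PRIMARY", "serviceConnectConfiguration": SC_SERVER}]},
]}

if __name__ == "__main__":
    drift = service_connect_drift(SAMPLE)
    for name, reason in sorted(drift.items()):
        print(f"{name}: {reason}")
    raise SystemExit(1 if drift else 0)  # non-zero exit fails the pipeline
```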

Dual ingestion paths. Automated EPCIS push handles real-time operational data. Manual file upload via S3 handles historical backfills and ad-hoc data loads — both feed the same processing pipeline without any application code changes.

Infrastructure as Code with AWS CDK. The entire platform is defined across 9 CloudFormation stacks (Network, Security, Database, ECS, CDN, Storage, Functions, Replication, OIDC) — fully reproducible and version-controlled.

Results

Metric | Value
Countries served | 50+ across 5 continents
RFID records processed | 65M+ events with trigger-based enrichment
Regions | eu-north-1 (primary) + eu-central-1 (secondary)
Replication | Real-time CDC via DMS
Enrichment | Fully automated via PostgreSQL triggers
Infrastructure cost | ~$700–$1,000/month services + ~$30–50 per million events

Services run at minimal size with autoscaling. The platform infrastructure (RDS, ECS Fargate, ALB, VPC, DMS replication) runs at $700–$1,000/month regardless of data volume. On top of that, every million RFID events processed adds approximately $30–50, driven by database write throughput, trigger processing, and storage growth.