Skip to content
AskFlorence
Main Navigation ArchitectureFlorence AIAgentsMembersAgent PlatformValidationInfrastructure

Appearance

Sidebar Navigation

Overview

Home

Glossary

System Architecture

Consumer & Agent Flow

Florence AI

Overview

Principles

Runtime

Tool surface

Adding a tool

Tool registry

Knowledge: SBC scenarios & CSR

Voice

Evals & observability

Provider risk & portability

Outage playbook

Roadmap

Build plan

Agents

Overview

Workflows & pain points

Members

Overview

Medicaid coverage gap

Carriers

Overview

Marketplaces

Overview

Agency

Overview

Regulations

Overview

Agent Platform

Overview

Auth Architecture

MongoDB Permissioning

Compliance Model

Data Models

Data Sources

Overview

CMS Marketplace API

CMS dependency map

PUF Data

State Subsidies

SBE Ingestion Playbook

SBE State Watchouts + Decisions

CA Phase C/D Playbook

NY Phase C/D Playbook

Validation

Overview

Methodology

APTC Formula

California 2026

New York 2026

CAPS Formula

Scenario Results

Infrastructure

Account Inventory

AWS Setup Runbook

AWS Organizations

CloudTrail

GuardDuty

Security Hub

Config

CloudFront + WAFv2

Data sources & ingest

Phase 4 DNS

Change Log

Vulnerability Management

MongoDB Setup

Access Control

Data Classification

Documentation Hosting

Post-deploy Smoke

Development

Preflight (local CI mirror)

Testing strategy

Compliance

Overview (auditor entry point)

SOC 2 Control Mapping

HIPAA Control Mapping

CMS EDE Appendix A Mapping

Risk Assessment

Encryption Policy

Data Retention Policy

Privacy Impact Assessment

Consent Capture & Versioning

Incident Response Plan

Access Control Policy

Marketing vs. Portal Analytics

Vendor / Subprocessor Register

Dependency Vulnerability Policy

BAA / Compliance Evidence

Compliance-Automation Integration

Compliance-Automation Vendor Evaluation

Penetration Test Reports

Architecture

Portal entry handoff

Mobile app strategy

Deferred architecture decisions

Session cookie architecture

Share flows

Decisions (ADRs)

Index

0001 — Atlas project isolation

0002 — Append-only audit log

0003 — Narrow-scoped Mongo users

0004 — Cross-cluster Atlas PrivateLink

0005 — Delayed-job architecture

0006 — Mongo user simplification

0007 — Terraform owns ECS task def

0008 — E2E testing strategy

0009 — Self-hosted analytics + observability (superseded)

0010 — PostHog HIPAA Cloud (supersedes 0009)

Runbooks

Security Incident Response

Break-Glass Root Login

Onboard Team Member

Offboard Team Member

Atlas user provisioning

Deploy via Terraform (ENG-277)

Rollback via Terraform (ENG-277)

S3 data bucket migration (planned Phase 11)

Access Reviews

2026-Q2 Review

Session log

Index

2026-04-23 — Phase 10 DNS cutover

2026-04-22 — Phase 8 prod AWS mirror

2026-04-22 — Phase 7 Atlas VPC peering

2026-04-22 — Phase 6 CloudFront + WAF

2026-04-21 — Phase 5 staging go-live

2026-04-17 — Atlas staging

Briefs

Index

Member portal plan (ENG-187)

2026-04-16/17 handoff

2026-04-17 Atlas handoff

System briefing (2026-04-17)

Creative AdBundance proposal brief

Creative AdBundance analytics brief

ElevenLabs RN integration research

Policies

Overview

On this page

Phase 4 — Cloudflare records to add for staging ​

Status: pending Taha action, 2026-04-21. Purpose: delegate the stage.askflorence.health subzone from Cloudflare to Route 53 in the staging AWS account. All engineering DNS (ACM, SES, future ALB + CloudFront aliases) auto-managed by Terraform in Route 53.

Architecture ​

  • Apex askflorence.health stays on Cloudflare permanently. Holds G Suite MX records, Google Search Console + other verification TXT records, marketing redirects, and (at Phase 10 cutover) a CNAME to the prod CloudFront distribution.
  • stage.askflorence.health subzone is delegated to Route 53 in the staging AWS account (549136075525). Terraform manages every record inside it.
  • Future prod pattern (Phase 8): prod.askflorence.health → Route 53 in prod account. Apex stays on Cloudflare with a CNAME-flattened record pointing to CloudFront for the consumer-facing app.

Action: add 4 NS records at Cloudflare ​

Add the following as NS records on askflorence.health at Cloudflare. DNS-only (no proxy / gray cloud).

TypeNameValueTTLProxy
NSstagens-1115.awsdns-11.orgAutoOFF
NSstagens-1945.awsdns-51.co.ukAutoOFF
NSstagens-410.awsdns-51.comAutoOFF
NSstagens-973.awsdns-57.netAutoOFF

Cloudflare represents this as four rows with the same name stage and type NS, each pointing to one of the AWS nameservers. After adding, recursive resolvers world-wide will route all *.stage.askflorence.health queries to Route 53.

What happens after the NS records are live (~1-5 min propagation) ​

Terraform already created everything else in Route 53:

  • 1 CNAME for ACM cert validation
  • 3 CNAMEs for SES DKIM tokens
  • 1 MX for SES MAIL FROM feedback routing
  • 1 TXT (SPF) on MAIL FROM subdomain
  • 1 TXT (DMARC) on the subzone

Once delegation is live:

  • ACM: validates the cert for stage.askflorence.health + *.stage.askflorence.health. Transitions from PENDING_VALIDATION to ISSUED typically within 5 min. Terraform's aws_acm_certificate_validation resource will complete.
  • SES: verifies the stage.askflorence.health identity (checks DKIM CNAMEs). Transitions from PENDING to SUCCESS typically within 5-30 min. SES is sandboxed by default — you'll need to request production access (out of sandbox) before real emails can go to arbitrary recipients, but identity verification is the prerequisite.

Verification ​

From any machine:

bash
# Confirm NS delegation is live
dig +short NS stage.askflorence.health
# Expect: 4 ns-* AWS nameservers

# Confirm ACM cert status
aws --profile askflorence-staging acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:549136075525:certificate/3023432f-d564-4a3c-8db5-e4a7423c9c2f \
  --query 'Certificate.Status' --output text
# Expect: ISSUED (may be PENDING_VALIDATION for first ~5 min)

# Confirm SES identity
aws --profile askflorence-staging sesv2 get-email-identity \
  --email-identity stage.askflorence.health \
  --query '[VerifiedForSendingStatus,DkimAttributes.Status]' --output text
# Expect: True SUCCESS (first column may be False initially)

# Confirm all Route 53 records are queryable world-wide
dig +short CNAME _2ce2a5f6fea59d599db1cbf96e35df98.stage.askflorence.health
# Expect: _0c6d7ec5ae3a4885ddf1691b4cd9c22b.jkddzztszm.acm-validations.aws.

Phase 8 prod equivalent (future) ​

When Phase 8 ships the prod account mirror, the same pattern repeats:

  • Create Route 53 hosted zone for prod.askflorence.health in prod AWS account (039624954211)
  • Taha adds 4 NS records at Cloudflare for prod delegation
  • Terraform manages all records in the prod subzone

Separately, at Phase 10 DNS cutover, Taha updates one Cloudflare record — the apex askflorence.health CNAME — from Vercel to the prod CloudFront distribution. Cloudflare's CNAME flattening makes the apex resolve directly to CloudFront.

Related ​

  • Phase 4 Terraform: infra/envs/staging/dns.tf + consolidated acm.tf + ses.tf
  • Modules with Route 53 integration: infra/modules/acm/ + infra/modules/ses/ (both accept manage_dns_in_route53 = true to auto-manage records)
  • Change log: change-log.md
  • Architecture plan: apex-on-Cloudflare, engineering-in-Route53 hybrid per 2026-04-21 decision
Pager
Previous pageData sources & ingest
Next pageChange Log

AskFlorence Internal Documentation. Not for public distribution.

AskFlorence

Internal Documentation

Access restricted. Not for public distribution.