Building a Secure & Scalable Web Application on AWS ??
Securing WebApp in AWS


In my recent project, I worked on deploying a secure and scalable web application on AWS using EC2, Nginx, Node.js, ALB, CloudFront, and a Bastion Host. This setup ensures both performance and security while following best cloud architecture practices. Here’s a breakdown of my approach:


1. Setting Up EC2 in a Private Subnet

One of the first steps was to deploy an EC2 instance in a private subnet for security reasons.

  • Nginx was running on port 80 (frontend).
  • The Node.js application was running on port 5000 (backend).
  • A NAT Gateway was added to allow outbound internet access for package installations and updates, without exposing the instance to inbound traffic.


[Image: NAT Gateway for public VM access]

2. Secure Access with a Bastion Host

Since the EC2 instance was in a private subnet, I couldn’t connect directly via SSH.

  • Created a Bastion Host in a public subnet as the only entry point for connecting to the EC2 instance.
  • Restricted SSH access on the EC2 instance to allow connections only from the Bastion Host.


[Image: Bastion Host and main server (the Bastion has a public IP)]

3. Configuring an Application Load Balancer (ALB)

To efficiently distribute traffic and handle both Frontend & Backend, I deployed an Application Load Balancer (ALB) in a public subnet.

  • Created two target groups, one per port:
      ◦ Port 80 → Nginx (frontend)
      ◦ Port 5000 → Node.js (backend)
  • Registered the EC2 instance in both target groups.


[Image: Target group for port 5000]

4. Adding CloudFront for Custom Domains & Security

To improve performance and security, I used CloudFront in front of the ALB.

  • Configured CNAME records in Cloudflare to route custom domains through CloudFront.


[Image: Custom domain and ACM certificate configuration in CloudFront]

  • Initially tested the ALB with public access, then restricted its security group to CloudFront's IP ranges only.


[Image: Error when adding ports 80 and 5000 to the same security group for the CloudFront prefixes]

  • Faced an issue: "The maximum number of rules per security group has been reached." Solution: created separate security groups for port 80 and port 5000, so that the CloudFront IP prefixes for each port fit within the per-group rule limit.
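As an added example (not code from the post), a small planner that models the rule budget behind that error. It assumes the AWS-managed prefix list com.amazonaws.global.cloudfront.origin-facing, which AWS documents as counting 55 rules against a security group, and the default quota of 60 inbound rules per group; with those numbers two listener ports cannot share one group, so the planner splits them per port as the post did.

```python
"""Rule-budget planner for ALB security groups that admit only CloudFront.
Added example, not the author's code. Assumes the AWS-managed prefix list
com.amazonaws.global.cloudfront.origin-facing (documented weight: 55 rules)
and the default quota of 60 inbound rules per security group."""
from dataclasses import dataclass, field

CLOUDFRONT_PREFIX_LIST = "com.amazonaws.global.cloudfront.origin-facing"
CLOUDFRONT_PREFIX_WEIGHT = 55  # a prefix list counts as its max entry count
DEFAULT_RULE_QUOTA = 60        # default inbound rules per security group


@dataclass
class Rule:
    port: int
    source: str      # CIDR, security group id or managed prefix list name
    weight: int = 1  # CIDR and security-group sources count as one rule each


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)

    def rule_weight(self) -> int:
        return sum(r.weight for r in self.rules)

    def fits(self, quota: int = DEFAULT_RULE_QUOTA) -> bool:
        return self.rule_weight() <= quota

    def cloudfront_only(self) -> bool:
        """True when every rule sources from the CloudFront prefix list."""
        return all(r.source == CLOUDFRONT_PREFIX_LIST for r in self.rules)


def cloudfront_rule(port: int) -> Rule:
    return Rule(port, CLOUDFRONT_PREFIX_LIST, CLOUDFRONT_PREFIX_WEIGHT)


def plan_alb_security_groups(ports, quota: int = DEFAULT_RULE_QUOTA):
    """Pack one CloudFront-only rule per listener port into as few groups as fit.
    With the defaults, 80 and 5000 cannot share a group (2 * 55 > 60)."""
    groups = []
    for port in ports:
        rule = cloudfront_rule(port)
        if rule.weight > quota:
            raise ValueError(f"prefix list weight {rule.weight} exceeds quota {quota}")
        for sg in groups:
            if sg.rule_weight() + rule.weight <= quota:
                sg.rules.append(rule)
                break
        else:  # no existing group has room: open a new one for this port
            groups.append(SecurityGroup(f"alb-cloudfront-{port}", [rule]))
    return groups
```

Attach every planned group to the ALB; a group that fails `cloudfront_only()` would still admit direct access and defeats the restriction.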



5. Database Setup & Future Enhancements

Initially, I used Azure MSSQL, but I realized it wasn’t securely connected.

  • For the next phase, I plan to migrate to AWS RDS (MSSQL) for better integration and security.
  • Database credentials will be stored in AWS Secrets Manager instead of being hardcoded in the application.


6. Final Security Enhancements

  • Restricted ALB access to CloudFront only, to avoid direct access.
  • Ensured least-privilege access for EC2 and RDS.
  • Verified that CloudFront caching and security policies were properly configured.


[Image: The website served from port 5000]



Key Takeaways from This Project

  • How to deploy a highly available and secure application using AWS best practices.
  • Optimizing CloudFront + ALB for better security and performance.
  • Handling security group limitations when working with CloudFront IP prefixes.
  • Future improvement: securely migrating to AWS RDS and using Secrets Manager.

This project was a great learning experience in AWS networking, security, and scalable architectures!

Have you worked on a similar setup? What challenges did you face? Let's discuss in the comments!
