Create your Custom VPC and Deploy a 3-Tier Webapp with AWS: EC2, ALB, RDS
You work for a growing e-commerce company that wants to leverage Amazon Web Services (AWS) to enhance its infrastructure and improve its website's performance. As part of this initiative, you have been tasked with creating a proof of concept, a sample 3-tier web app, to showcase a scalable and secure architecture using AWS VPC, EC2, and ALB. By implementing this architecture, we will have a scalable and secure infrastructure that provides high availability, efficient traffic management, and isolation of the different server components. Let's dive in!
In this tutorial
Part I: Setting up the VPC and Subnets
Task 1: Create VPC
Now that we have 2 VPCs in the Oregon Region, we are ready to create the third one (the quota is 5 per region). We will use the 22.0.0.0/16 CIDR block, which gives us far more addresses per subnet than this scenario needs. Subtracting the 5 addresses AWS reserves in every subnet, each /24 subnet has 251 usable addresses (256-5), which fulfils the VPC requirements for this scenario. Note that 22.0.0.0/16 is not RFC 1918 private address space; AWS accepts any CIDR here, but a private range such as 10.0.0.0/16 avoids overlapping with publicly routed addresses.
Task 2: Create an Internet Gateway and attach it to the custom VPC
To enable internet access for our public subnets, we will attach an internet gateway (IGW) to our VPC. Instances in the public subnets will be assigned public IP addresses. After creating the IGW, we will attach it to our custom VPC.
Task 3: Create public and private subnets
To ensure high availability and fault tolerance, we will create 3 public subnets in different Availability Zones (AZs) within the Oregon Region to host our web servers.
Public Subnets:
Next, we will create three private subnets to host our app servers.
Private Subnets for App Servers:
Finally, we will create three private subnets for the database servers.
Private Subnets for Database Servers:
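To make the subnet layout concrete, here is an added example (not code from the original post) that carves the 22.0.0.0/16 VPC into the nine /24 subnets described above, three tiers across three Oregon AZs, and checks the plan the way a reviewer would: every subnet inside the VPC, no overlaps, and every tier present in every AZ. The public and app subnet names follow the post (Public-2A, app-Priv-2A); the db-Priv-* names are assumed, and the ordering is chosen so the database subnets come out as 22.0.7.0/24 to 22.0.9.0/24, matching Part III.

```python
import ipaddress

# Added example, not part of the tutorial. VPC CIDR and Oregon AZs are the tutorial's;
# the tier order (public, app, db; one /24 per AZ) matches the database subnets the
# tutorial gives later (22.0.7.0/24 to 22.0.9.0/24). The db-Priv-* names are assumed.
VPC_CIDR = "22.0.0.0/16"
AZS = ["us-west-2a", "us-west-2b", "us-west-2c"]
NAME_TEMPLATES = {"public": "Public-{az}", "app": "app-Priv-{az}", "db": "db-Priv-{az}"}
AWS_RESERVED_PER_SUBNET = 5  # network address, VPC router, DNS, future use, broadcast


def plan_subnets(vpc_cidr=VPC_CIDR, azs=AZS, tiers=NAME_TEMPLATES, new_prefix=24, first_index=1):
    """Carve the VPC into one subnet per (tier, AZ), tier by tier.

    first_index=1 skips 22.0.0.0/24, so the nine subnets are 22.0.1.0/24 .. 22.0.9.0/24.
    Returns a list of dicts with name, tier, az, cidr and usable host count.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    candidates = list(vpc.subnets(new_prefix=new_prefix))
    plan, idx = [], first_index
    for tier, template in tiers.items():
        for az in azs:
            net = candidates[idx]
            plan.append({
                "name": template.format(az=az[-2:].upper()),  # "us-west-2a" -> "2A"
                "tier": tier,
                "az": az,
                "cidr": str(net),
                "usable": net.num_addresses - AWS_RESERVED_PER_SUBNET,
            })
            idx += 1
    return plan


def validate(plan, vpc_cidr=VPC_CIDR):
    """Every subnet must sit inside the VPC, none may overlap, and each AZ must host
    exactly one subnet per tier (otherwise one AZ outage takes a whole tier down)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(s["cidr"]) for s in plan]
    for i, a in enumerate(nets):
        if not (a.network_address in vpc and a.broadcast_address in vpc):
            raise ValueError(f"{a} is outside {vpc}")
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    tier_az_pairs = {(s["tier"], s["az"]) for s in plan}
    tiers = {s["tier"] for s in plan}
    azs = {s["az"] for s in plan}
    if len(tier_az_pairs) != len(tiers) * len(azs):
        raise ValueError("some tier is missing a subnet in some AZ")
    return True


if __name__ == "__main__":
    subnets = plan_subnets()
    validate(subnets)
    for s in subnets:
        print(f"{s['name']:<12} {s['az']:<11} {s['cidr']:<14} {s['usable']} usable")
```

Running it prints the nine subnets with 251 usable addresses each; `validate` is the check to keep around when the plan is later edited by hand.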
Task 4: Create a main route table for public subnets, add a route to the IGW, and edit subnet associations
The route table for the public subnets should have a route to the internet gateway, allowing outbound traffic to the internet.
Currently, only local traffic within our VPC is allowed. To let traffic leave the VPC and reach the internet, we need to add a route to the customIGW. Let's create the route table, add that route, and associate it with the public subnets.
Task 5: Create a private route table for app and db tiers and edit subnet associations
The route table for the private subnets must not have a route to the internet gateway, so instances in those subnets have no direct path to or from the internet. Instead, its default route points to a NAT Gateway, which lets them reach the internet for updates without being reachable from it.
Task 6: Create a Nat Gateway for private subnets
Currently, we don't have any NAT Gateways in Oregon. As a best practice, you should consider creating multiple NAT Gateways for redundancy; here we will create only one, in Public-2A. After creating the NAT Gateway, add the following route in the private route table (appprivRT):
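To see what the two route tables from Tasks 4 to 6 actually do to a packet, here is an added example (not code from the original post) that models the public route table and appprivRT and resolves destinations the way the VPC router does, by longest-prefix match. The VPC CIDR is the post's; the igw-/nat- target ids are placeholders, and the dbprivRT name used in the misconfiguration check is constructed.

```python
import ipaddress

# Added example, not the tutorial's code. Models the tutorial's two route tables:
# public -> internet gateway, appprivRT -> NAT gateway. Target ids are placeholders.
VPC_CIDR = "22.0.0.0/16"
PUBLIC_RT = {"22.0.0.0/16": "local", "0.0.0.0/0": "igw-PLACEHOLDER"}
APP_PRIV_RT = {"22.0.0.0/16": "local", "0.0.0.0/0": "nat-PLACEHOLDER"}


def lookup(route_table, dst_ip):
    """Return the target for dst_ip using longest-prefix match, as the VPC router does.
    The local route is more specific than 0.0.0.0/0, so in-VPC traffic never leaves."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify(route_table):
    """'public' if the default route is an internet gateway, 'private' if it is a NAT
    gateway, 'isolated' if there is no default route at all."""
    default = route_table.get("0.0.0.0/0")
    if default is None:
        return "isolated"
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private"
    return "other"


def audit(route_tables):
    """Defender's check: a route table for the app or db tier must never carry an IGW
    default route, or any instance there with a public IP becomes internet-reachable."""
    findings = []
    for name, rt in route_tables.items():
        if name.lower().startswith(("app", "db")) and classify(rt) == "public":
            findings.append(f"{name}: private tier has an internet gateway default route")
    return findings


if __name__ == "__main__":
    for name, rt in {"publicRT": PUBLIC_RT, "appprivRT": APP_PRIV_RT}.items():
        print(f"{name}: {classify(rt)}; 198.51.100.1 -> {lookup(rt, '198.51.100.1')}; "
              f"22.0.4.10 -> {lookup(rt, '22.0.4.10')}")
    # constructed misconfiguration: a db-tier table accidentally given the IGW route
    print(audit({"appprivRT": APP_PRIV_RT, "dbprivRT": PUBLIC_RT}))
```

The `audit` function is the kind of check worth running against `describe-route-tables` output after any change: a private-tier table that classifies as "public" is exactly the mistake that turns a private subnet into a public one.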
For instance-level security, we have designed security group rules that allow only the necessary ports. At the subnet level, the default network ACL has a rule 100 that allows all traffic, all protocols, and all port ranges from any source. Rules are evaluated in ascending order and the first match wins, so the catch-all deny rule (*) is never reached while rule 100 matches everything.
We will add 2 deny rules to the network ACL to show how we can block a malicious IP address; to take effect, they need a rule number lower than 100.
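The ordering point matters in practice, so here is an added example (not code from the original post) that models the default inbound NACL and evaluates constructed traffic against it, first as-is, then with a deny rule numbered below 100, and then with the same deny numbered above 100 to show that it never fires. The addresses are from documentation ranges, not real hosts.

```python
import ipaddress

# Added example, not the tutorial's code. Models the default inbound NACL the tutorial
# describes (rule 100 allows everything; the catch-all '*' denies) plus added deny rules.
# Source addresses below are constructed from documentation ranges.
ALL_PORTS = None  # no port restriction

DEFAULT_INBOUND = [
    {"rule": 100, "action": "allow", "protocol": "all", "ports": ALL_PORTS, "cidr": "0.0.0.0/0"},
    {"rule": "*", "action": "deny", "protocol": "all", "ports": ALL_PORTS, "cidr": "0.0.0.0/0"},
]


def _order(rule):
    # numeric rules ascending, the catch-all '*' always last
    return (1, 0) if rule["rule"] == "*" else (0, rule["rule"])


def _within(inner_cidr, outer_cidr):
    inner, outer = ipaddress.ip_network(inner_cidr), ipaddress.ip_network(outer_cidr)
    return inner.network_address in outer and inner.broadcast_address in outer


def add_rule(nacl, rule_number, action, cidr, protocol="all", ports=ALL_PORTS):
    """Return a new, correctly ordered ACL with the rule inserted."""
    if any(r["rule"] == rule_number for r in nacl):
        raise ValueError(f"rule number {rule_number} already in use")
    new = {"rule": rule_number, "action": action, "protocol": protocol, "ports": ports, "cidr": cidr}
    return sorted(nacl + [new], key=_order)


def evaluate(nacl, src_ip, protocol, port):
    """NACLs are stateless and checked in ascending rule order; the first match decides.
    Returns (action, rule_number) so you can see which rule fired."""
    src = ipaddress.ip_address(src_ip)
    for r in sorted(nacl, key=_order):
        if src not in ipaddress.ip_network(r["cidr"]):
            continue
        if r["protocol"] not in ("all", protocol):
            continue
        if r["ports"] is not None and not (r["ports"][0] <= port <= r["ports"][1]):
            continue
        return r["action"], r["rule"]
    return "deny", "*"


def shadowed_denies(nacl):
    """Defender's check: a deny rule numbered above an all-traffic allow that covers the
    same addresses can never fire. Returns the numbers of such dead rules."""
    ordered = sorted(nacl, key=_order)
    dead = []
    for i, r in enumerate(ordered):
        if r["action"] != "deny" or r["rule"] == "*":
            continue
        for earlier in ordered[:i]:
            if (earlier["action"] == "allow" and earlier["protocol"] == "all"
                    and earlier["ports"] is None and _within(r["cidr"], earlier["cidr"])):
                dead.append(r["rule"])
                break
    return dead


if __name__ == "__main__":
    blocked = add_rule(DEFAULT_INBOUND, 10, "deny", "203.0.113.5/32")
    too_late = add_rule(DEFAULT_INBOUND, 150, "deny", "203.0.113.5/32")
    for name, acl in [("default", DEFAULT_INBOUND), ("deny@10", blocked), ("deny@150", too_late)]:
        print(name, "203.0.113.5 ->", evaluate(acl, "203.0.113.5", "tcp", 80),
              "198.51.100.7 ->", evaluate(acl, "198.51.100.7", "tcp", 80),
              "shadowed:", shadowed_denies(acl))
```

Remember that NACLs are stateless, so a deny added on the inbound side does not by itself stop return traffic on the outbound side; the security groups remain the stateful, instance-level control.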
That brings us to the end of Part I. Let's move on to Part II!
Part II: Creating Application Components
In this part, we'll create an EC2 instance for our Bastion host to provide secure access to other servers that are not directly accessible from the Internet or other networks.
For the bastion server, we'll create an Amazon Linux 2 instance in the custom VPC, t2.micro type, in the Public-2A subnet, and create a new security group to allow SSH access from your IP. For app-server01 and app-server02, we'll follow the same steps, placing them in the app-Priv-2A and app-Priv-2B subnets, respectively.
Now, let's connect to the bastion host. After connecting, paste the private key you specified during setup into a file (mykeypair.pem) and restrict it to owner read-only with chmod 400 mykeypair.pem; ssh refuses to use a key whose permissions are any broader than that. With this in place, we should be able to connect to the app-servers from the bastion.
Next, we'll prepare the LAMP server. We'll open MobaXterm, create a session, duplicate it, open multi-execution mode, and run the following commands:
sudo yum update -y
sudo amazon-linux-extras install -y lamp-mariadb10.2-php7.2 php7.2
cat /etc/system-release
sudo yum install -y httpd mariadb-server
sudo systemctl start httpd
sudo systemctl enable httpd
sudo systemctl is-enabled httpd
sudo usermod -a -G apache ec2-user
exit
After logging out and connecting again, we'll validate our membership in the apache group and that the Apache test page is served, then finish the setup by fixing the ownership and permissions of the web root. The phpinfo.php test page has to be created before it can be fetched; remove it again once the check passes so it is not left exposed on the server:
groups
sudo chown -R ec2-user:apache /var/www
sudo chmod 2775 /var/www && find /var/www -type d -exec sudo chmod 2775 {} \;
find /var/www -type f -exec sudo chmod 0664 {} \;
echo "<?php phpinfo(); ?>" > /var/www/html/phpinfo.php
curl localhost/phpinfo.php
rm /var/www/html/phpinfo.php
Lastly, for the LAMP stack, we'll install phpMyAdmin to manage MySQL databases.
sudo yum install php-mbstring php-xml -y
sudo systemctl restart httpd
sudo systemctl restart php-fpm
cd /var/www/html
wget https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-all-languages.tar.gz
mkdir phpMyAdmin && tar -xvzf phpMyAdmin-latest-all-languages.tar.gz -C phpMyAdmin --strip-components 1
rm phpMyAdmin-latest-all-languages.tar.gz
sudo systemctl start mariadb
curl http://localhost/phpMyAdmin/
Now it's time to configure the load balancer. We'll create a load balancer named customalbSG across the 3 public subnets in their different availability zones and open port 80 to all IPv4 addresses. For the target group, we'll name it app-serversTG and register app-server01 and app-server02; they show as pending until their health checks pass.
After creating the load balancer, we'll go back to app-SG and allow the load balancer security group (customALB) on port 80.
Next, we'll connect to the app servers through the bastion host in MobaXterm. Change to the web root with cd /var/www/html and write a different index page on each server, so we can tell them apart (the first command on app-server01, the second on app-server02):
echo "hello from app-server01" >index.html
echo "hello from app-server02" >index.html
Finally, we'll refresh the page to validate that the load balancer is routing traffic to both servers.
This brings us to the end of Part II. Let's move on to Part III!
Part III: Configuring the RDS Database
In this part, we'll go ahead to RDS and create a subnet group in 3 availability zones using the last 3 private subnets we created (22.0.7.0/24 up to 22.0.9.0/24).
For the database configuration, follow these specifications:
Leave the rest at default.
Once the database is created, which takes a few minutes, we'll edit the database security group to allow traffic from app-SG only. Go to customdb-SG, delete the existing rule, and add the following:
Copy the RDS endpoint and go back to MobaXterm. Connect to the app-servers and replace the host with the RDS endpoint. Lastly, we'll enable stickiness to bind a user's session to a specific target. In customALBTG's target groups, we'll edit target group attributes and, on target selection configuration, enable stickiness.
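The security group chain built in Parts II and III (internet to the load balancer, the load balancer's group to app-SG on port 80, app-SG to customdb-SG) is what keeps the tiers isolated, so here is an added example (not code from the original post) that models those groups and evaluates whether given flows are allowed, plus a check that the internal tiers never accept traffic from 0.0.0.0/0. The group names app-SG, customdb-SG and customALB are the post's; bastion-SG, the admin IP (a documentation address) and port 3306 for the database are assumed.

```python
import ipaddress

# Added example, not the tutorial's code. app-SG, customdb-SG and customALB are the tutorial's
# group names; "bastion-SG", the admin IP (documentation range) and port 3306 are assumed.
# Each inbound rule is (protocol, from_port, to_port, source); source is a CIDR or the
# name of another security group.
SECURITY_GROUPS = {
    "bastion-SG":  [("tcp", 22, 22, "198.51.100.10/32")],   # SSH only from the admin IP
    "customALB":   [("tcp", 80, 80, "0.0.0.0/0")],          # HTTP from the internet
    "app-SG":      [("tcp", 80, 80, "customALB"),           # HTTP only via the load balancer
                    ("tcp", 22, 22, "bastion-SG")],         # SSH only via the bastion
    "customdb-SG": [("tcp", 3306, 3306, "app-SG")],         # database only from the app tier
}


def allowed(groups, src, dst_sg, protocol, port):
    """Security groups are stateful and allow-only: a flow is permitted if any inbound rule
    of dst_sg matches. src is an IP string or a group name; in this simplified model a
    group-referenced rule matches by group identity only."""
    for proto, lo, hi, source in groups.get(dst_sg, []):
        if proto not in ("-1", protocol) or not (lo <= port <= hi):
            continue
        if source in groups:
            if src == source:
                return True
            continue
        try:
            if ipaddress.ip_address(src) in ipaddress.ip_network(source):
                return True
        except ValueError:
            pass  # src is a group name, which a CIDR rule cannot match by identity
    return False


def audit_tier_isolation(groups, internal=("app-SG", "customdb-SG")):
    """Defender's check: internal tiers must not accept traffic from 0.0.0.0/0, and the
    database group must be referenced only from the app tier."""
    findings = []
    for sg in internal:
        for proto, lo, hi, source in groups.get(sg, []):
            if source == "0.0.0.0/0":
                findings.append(f"{sg}: ports {lo}-{hi} open to the internet")
    for proto, lo, hi, source in groups.get("customdb-SG", []):
        if source != "app-SG":
            findings.append(f"customdb-SG: ports {lo}-{hi} reachable from {source}")
    return findings


if __name__ == "__main__":
    flows = [("customALB", "app-SG", 80), ("203.0.113.9", "app-SG", 80),
             ("app-SG", "customdb-SG", 3306), ("bastion-SG", "customdb-SG", 3306)]
    for src, dst, port in flows:
        verdict = "allow" if allowed(SECURITY_GROUPS, src, dst, "tcp", port) else "deny"
        print(f"{src:>13} -> {dst}:{port}  {verdict}")
    print("findings:", audit_tier_isolation(SECURITY_GROUPS))
```

The second flow is the one that matters: a client on the internet cannot reach the app servers on port 80 directly, only through the load balancer, and nothing but the app tier can open a connection to the database.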
Part IV: Validation
Append /phpMyAdmin/ to the application load balancer's DNS name and enter credentials.
We've successfully deployed a 3-tier web app, installed the LAMP stack, configured the load balancer to distribute incoming traffic evenly between app-server01 and app-server02, and ensured that the system can handle a high volume of requests without overloading any individual server. The app servers are responsible for running the PHP code and communicating with the database server to fetch and manipulate data.
Useful Materials I used
Let me know what you think, and share any resources you found helpful.
Happy AWS-ing! #AWS #VPC #EC2 #ALB #CloudComputing #Infrastructure #Scalability #Security #lampstack #nacl