Deploying A Highly Scalable AWS 3-Tier Architecture

Joseph Folorunsho
10 min readJul 17, 2022


Image 1: Visual Representation of 3 Tier Architecture

What is 3-Tier Architecture?

3-Tier Architecture is a client-server architecture that consists of three main components, namely process logic, data access and data storage, in addition to a user interface. Separating them helps in developing and maintaining modules independently on separate platforms.

Three-tier architecture can be used in the development of various infrastructures. For this project we will be taking a look at a three-tier architecture on AWS. Before we start, let's take a deeper look at the components that make up this system.

Why is it called 3 tiers?

This is called 3 tiers because the system has three distinct layers or tiers. The user accesses the application through a frontend, also known as the presentation layer; this layer interacts with the application layer, also known as the backend; and the application layer saves and retrieves information from the database as needed.

For this project we will be building the 3-tier system with various components, namely: a designated region (EU-WEST-2), an internet gateway for internet access, a designated virtual private cloud (VPC) for security, an application load balancer for high availability, different AZs in the same region for durability and scalability, public and private subnets for performance and speed, a NAT gateway, Auto Scaling groups, EC2 instances and a private relational database for storage.

Importance of 3 Tier Architecture:

  1. It adds reliability and more independence of the underlying servers or services.
  2. It gives you the ability to update the technology stack of one tier, without impacting other areas of the application.
  3. Components are reusable.
  4. Faster development, as division of labour is implemented. The web designer does presentation, the software engineer does logic, and the database admin does data modelling.
  5. Applications can exploit the modular architecture of enabling systems using easily scalable components, which increases availability.

Aim and Objectives

You have been asked to design and create a highly available 3-tier architecture.

  1. Include subnet for your web tier, and Database Tier.
  2. Security groups should be configured so that only trusted security groups from the tier above have access. Example: the Application Tier should only trust traffic from the Web Tier security group.
  3. The web tier should use EC2 instances with the OS of your choice (free tier) in an Auto Scaling Group, serving a static web page that can be reached from the internet.
  4. The application tier should use EC2 instances with the OS of your choice (free tier) in an Auto Scaling Group (although we don’t have any code to make it a true application tier, a placeholder EC2 instance will work for demo purposes since we don’t have application code to use).
  5. Use a free tier RDS instance for the database tier.

Prerequisite:

  • AWS Account with IAM user
  • Appropriate IAM permissions

LET’S BEGIN!!!

  1. Creating a VPC

In the AWS console, navigate to the search tab and type “VPC”. Once you are in the VPC section click “Create VPC”; there we will input the VPC name, set the IPv4 CIDR to 10.0.0.0/16, ensure “VPC only” is selected and create the VPC as shown in Image 2.

Image 2: Create VPC

2. Creating Subnets

We will create 6 subnets (2 for each layer). We will name them Public Frontend Subnet 1 and 2, Private Backend Subnet 1 and 2, and Private Database Subnet 1 and 2. When creating each subnet we have to select our VPC, name the subnet, choose the availability zone and assign a CIDR, as shown in Image 3.

Image 3: Creating Subnet

Ensure the 1st and 2nd subnet of each tier are in the same availability zone. If successful, your subnet page should look like Image 4.

Image 4: Frontend, Backend and Database Subnet

3. Internet Gateway

Let’s set up the internet gateway. In the VPC service section, click on “Internet Gateways” in the left-hand column and create an internet gateway. After creating the new Internet Gateway, under “Actions” click on “Attach to VPC”; if successful your page should look like Images 5 and 6.

Image 5: Successful Creation of Internet Gateway
Image 6: Internet Gateway Attached To VPC

4. Creating The Nat Gateway

We will now create the NAT gateway so that our private subnets can reach the internet as well as the other services in the VPC. Navigate to the left panel and select “NAT Gateways”, then select “Create NAT Gateway”. Name your NAT Gateway, assign it to the second public subnet and assign it an Elastic IP by selecting “Allocate Elastic IP”. Scroll down and select “Create NAT Gateway” as shown in Image 7.

Image 7: Creating NAT Gateway

5. Creating and Configuring Route Tables

In order to ensure the three tiers are functioning and communicating well with each other, certain resources need to be created, namely the route tables and subnet associations. In the search bar navigate to VPC, on the left tab click on “Route tables” and click on “Create route table”. Create three route tables, for the Private, Public and Database tiers, as shown in Image 8, selecting the VPC created earlier.

Image 8: Creating Route Table

After creating the route tables, it is time to associate them with their designated destinations. Click on the Public route table you created earlier and navigate to “Edit routes”. You will be prompted with Image 9; set the destination to “0.0.0.0/0” and the target to the internet gateway you created earlier.

Image 9: Public Route Table

You will need to repeat the same process for the Private and Database route tables; the only difference is that you will need to set the target to the NAT Gateway you created earlier, as shown in Image 10.

Image 10: Private and Database Route Table

Now you will need to associate the subnets with the different route tables. On the route table page click on the Public route table, then navigate to the “Subnet associations” tab and click on “Edit subnet associations”. You will be prompted with all the subnets you have previously created; select the public subnets in order to link them to the route table and click on “Save associations” as shown in Image 11.

Image 11: Associating Subnet To Route Table

You will need to repeat the same process for the Private and Database subnets.
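The route-table design above has one security property worth checking after the clicking is done: only the public table should default to the Internet Gateway, while the private and database tables should default to the NAT Gateway. The audit below is an added example, not code from the original post; it walks route tables in the shape returned by boto3's ec2.describe_route_tables() and flags any private tier whose default route has been pointed at the IGW. All resource IDs are constructed placeholders.

```python
# Added example (not from the original post): audit route tables in the shape
# returned by boto3's ec2.describe_route_tables(). Public tier must default to an
# igw-, private and database tiers to a nat-. All IDs are constructed placeholders.
DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed sample: the three tables created in step 5.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public0001",
     "Tags": [{"Key": "Name", "Value": "Public Route Table"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0abc"}],
     "Associations": [{"SubnetId": "subnet-pub1"}, {"SubnetId": "subnet-pub2"}]},
    {"RouteTableId": "rtb-private001",
     "Tags": [{"Key": "Name", "Value": "Private Route Table"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0abc"}],
     "Associations": [{"SubnetId": "subnet-app1"}, {"SubnetId": "subnet-app2"}]},
    {"RouteTableId": "rtb-db000001",
     "Tags": [{"Key": "Name", "Value": "DB Routing Table"}],
     # Deliberately misconfigured sample: the database tier points at the IGW.
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0abc"}],
     "Associations": [{"SubnetId": "subnet-db1"}, {"SubnetId": "subnet-db2"}]},
]

def name_of(table):
    """Name tag of the table, falling back to its ID."""
    return next((t["Value"] for t in table.get("Tags", []) if t["Key"] == "Name"), table["RouteTableId"])

def default_target(table):
    """Return the target of the 0.0.0.0/0 route: an igw-/nat- ID, or None if absent."""
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE:
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None

def audit_route_tables(tables, public_prefix="Public"):
    """Return one finding string per table whose default route breaks the design."""
    findings = []
    for table in tables:
        name, target = name_of(table), default_target(table)
        is_public = name.startswith(public_prefix)
        if target is None:
            findings.append(f"{name}: no default route, subnets cannot reach the internet")
        elif is_public and not target.startswith("igw-"):
            findings.append(f"{name}: public tier should route via the Internet Gateway, got {target}")
        elif not is_public and not target.startswith("nat-"):
            subnets = ", ".join(a["SubnetId"] for a in table["Associations"])
            findings.append(f"{name}: private tier routes via {target}; subnets {subnets} are internet-routable")
    return findings
```

Against live data, replace ROUTE_TABLES with the "RouteTables" list from describe_route_tables() filtered to your VPC.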

Next, we will create Auto Scaling groups, but before we do that we need to create a launch template.

From the AWS console, navigate to Instances and click Launch templates > Create launch template.

From here complete the following:

  1. Name your template and provide a description if desired (Week-9-EC2).
  2. Auto Scaling guidance — check the box that says “Provide guidance to help me set up a template that I can use with EC2 Auto Scaling”
  3. Instance type — select t2.micro
  4. Select the AMI you want. I chose Amazon Linux.
  5. Create or select an existing key pair
  6. Configure security group rules. For this step, we will create two rules, for SSH and HTTP, with 0.0.0.0/0 as the source. As the alert message warns, setting the source to 0.0.0.0/0 allows all IP addresses to access our instance. *Note: do not set the source to 0.0.0.0/0 for anything other than demonstration purposes. This can be a major security issue.
  7. Under Advanced network configuration — Click ENABLE: Auto-assign public IP
  8. In the Advanced details section, add the bootstrap script below under User data. It runs once at first boot, patches the instance, and installs and starts the Apache web server that serves the static page:

#!/bin/bash
# Apply pending package updates
sudo yum update -y
# Install the Apache HTTP server
sudo yum install -y httpd
# Start the web server now and enable it on every boot
sudo systemctl start httpd
sudo systemctl enable httpd

Image 12: Successful Creation Of Launch Template

Create Web Tier Auto Scaling Group

  1. Navigate to EC2 in the search tab.
  2. On the left, scroll down to “Auto Scaling”, click on “Auto Scaling Groups” and fill in the desired name and launch template.

Image 13: Template Configuration

3. Select the VPC created earlier and the Availability Zones and subnets; pick the two public subnets we created in Step 2: Public1 & Public2.

Image 14: Template Availability Zones and Subnets

4. Next you will be prompted with the load balancer options. In this section:

  1. Click “Attach to a new load balancer”
  2. Name your load balancer
  3. For Load balancer scheme click “Internet-facing”
  4. Attach the VPC from Step 1: “week9-project-vpc”
  5. Select your subnets
  6. Under Listeners and routing: HTTP:80
  7. New target group name: attach your load balancer, “AutoScalingconfiguration1”

Image 15: Load Balancer

5. Next we need to configure group size and scaling policies:

Image 16: Configuration Group Size

After this section, skip to the end and create the Auto Scaling group unless you wish to add tags.

6. We will repeat the steps to create an Auto Scaling group, but this time for the private launch configuration (in my case “Application Auto Scaling”). Create a new Auto Scaling group, and then go to “Create a Launch Configuration.” If creation is successful for both the Web and Application Auto Scaling groups then you should see Image 17.

Image 17: Successful Creation Of App and Web Auto Scaling

After you have created the Auto Scaling groups, we want to make sure the Security Groups are configured so that only trusted Security Groups from the tier above have access. In “Security Groups” make sure for your public SG, you allow access for HTTP and HTTPS so that anyone on the web can access your web tier, as well as SSH/Port 22 so you can SSH into the instance.

Image 18: Inbound Rules For Public Security Group

Repeat the same process for the private inbound rules.

Image 19: Inbound Rules For Private Security Group

Creating The Three Tier System Database

  1. Navigate to the search bar and type “RDS”, and click “Subnet groups” in the left-hand column. We will select both private subnets associated with the Database route table we created earlier, “DB Routing Table”. We will also create a Multi-AZ DB instance to provide higher availability and data redundancy.

Image 20: Creating Database Subnet Group

If the RDS subnet group is created successfully you will see Image 21.

Image 21: Successful Creation Of Database Subnet Group

2. Navigate to RDS and click “Create database.” Select “Standard create”; the engine type used for this project is “MySQL”. In my case I will be using the Free tier template (Image 22).

Image 22: Creating Database (MySQL)

For this project I kept the setting as default but created the password for admin (Image 23). I will also be using “db.t2.micro” for this project. Under storage, ensure you disable storage autoscaling. Under connectivity, use your VPC, select the subnet group we just created, and create a new VPC security group.

Image 23: Database Settings
Image 24: Database Instance Configuration
Image 25: Database Connectivity

Once completed click “Create Database” to finalize the creation of the Database.

Image 26: Successful Creation Of Database

Next, we will need to update the connectivity between our database and our application tier server. Click on your database, and then “Connectivity and security.” Click on your VPC Security groups:

Image 27: Database Connectivity And Security

Edit the inbound rules for your VPC security group for the database. Add port 3306 (MySQL protocol), and for the source, add your application tier security group, Application Security Group.

Image 28: Editing Database Inbound Rules
Image 29: Successful Creation Of Inbound Rules
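With the database rule in place, the full trust chain from objective 2 exists: the web tier is reachable from the internet, the application tier should trust only the web tier's security group, and the database should trust only the application tier's security group on port 3306. The check below is an added example, not code from the original post; it inspects security groups in the shape returned by boto3's ec2.describe_security_groups() and flags any inner tier that still carries the demo-only 0.0.0.0/0 source from the launch template step. All group IDs are constructed placeholders.

```python
# Added example (not from the original post): verify each tier's security group only
# trusts the security group of the tier above (objective 2). Groups are in the shape
# of boto3's ec2.describe_security_groups(); every ID is a constructed placeholder.
# Expected chain: (group, port, trusted source group); None = open to the internet.
TIER_CHAIN = [
    ("sg-web00001", 80, None),            # web tier is meant to be internet-facing
    ("sg-app00001", 80, "sg-web00001"),   # app tier trusts only the web tier SG
    ("sg-db000001", 3306, "sg-app00001"), # DB tier trusts only the app tier SG
]
# Constructed sample: the app tier SG was left open to 0.0.0.0/0 and should be flagged.
SECURITY_GROUPS = [
    {"GroupId": "sg-web00001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app00001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": [{"GroupId": "sg-web00001"}]}]},
    {"GroupId": "sg-db000001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app00001"}]}]},
]

def sources_for(group, port):
    """Return (cidrs, group_ids) allowed to reach TCP `port` on this security group."""
    cidrs, groups = [], []
    for perm in group["IpPermissions"]:
        if perm["IpProtocol"] not in ("tcp", "-1"):   # "-1" means all protocols/ports
            continue
        if perm["IpProtocol"] == "tcp" and not (perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        cidrs += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        groups += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    return cidrs, groups

def audit_tier_trust(groups, chain=TIER_CHAIN):
    """Return one finding per inner tier that trusts anything other than the tier above."""
    by_id = {g["GroupId"]: g for g in groups}
    findings = []
    for sg_id, port, trusted_sg in chain:
        if trusted_sg is None:
            continue  # internet-facing tier: CIDR sources are expected here
        cidrs, src_groups = sources_for(by_id[sg_id], port)
        if cidrs:
            findings.append(f"{sg_id}:{port} is open to {', '.join(cidrs)}; only {trusted_sg} should be a source")
        extra = sorted(set(src_groups) - {trusted_sg})
        if extra:
            findings.append(f"{sg_id}:{port} trusts extra groups {extra}")
    return findings
```

Run audit_tier_trust() against the "SecurityGroups" list for your VPC after editing the rules; an empty result means the chain matches objective 2.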

Congratulations! We have successfully created a 3 tier architecture following the steps listed above.

Reachability Analyser: Reachability Analyzer is a configuration analysis tool that enables you to perform connectivity testing between a source resource and a destination resource in your virtual private clouds (VPCs). When the destination is reachable, Reachability Analyzer produces hop-by-hop details of the virtual network path between the source and the destination. When the destination is not reachable, Reachability Analyzer identifies the blocking component. For example, paths can be blocked by configuration issues in a security group, network ACL, route table, or load balancer.

NOTE: You can test the reachability of the tiers by using the Reachability Analyzer, which can be found in the VPC service console. Please be aware that this is a PAID Amazon web service; it is not advised to be used unless you don’t mind being charged. For this reason I will not be using this service.
