Achieve Scalability and Agility: Refactoring My Web App on AWS (Part 4)

Can Yalcin
Mar 31, 2024

F. Elastic Beanstalk

F.1. Taking Control: Creating Custom Roles for Your Elastic Beanstalk Application

Before diving into Elastic Beanstalk, let’s take a step back and gain more control by creating custom IAM roles for your application. This way, you can define the exact permissions your application needs. Here’s a step-by-step guide:

  1. Head over to IAM: In the AWS Management Console, navigate to the Identity and Access Management (IAM) service.
  2. Create a New Role: Within IAM, find the “Roles” section and click on “Create role”.
  3. Choose Service as Entity Type: This defines who can assume the role. Select “AWS service” as the entity type.
  4. Select EC2 (Common Use Case): When picking a use case, “EC2” is a common choice for Elastic Beanstalk applications running on EC2 instances. Click “Next” to proceed.
  5. Attach Custom Policies: Now comes the crucial part — defining permissions! Here, instead of relying on the default role, we’ll choose specific policies. Select the following policies:

  6. Navigate to the next step: Scroll down and click “Next” to proceed to the role creation section.
  7. Name your role: Enter a clear and descriptive name for the role in the name field. Choose a name that reflects the responsibilities and permissions associated with the role.
  8. Scroll down and create the role: Once you’ve named the role, scroll down the page to the “Create Role” button and click it to finalize the creation of your new role.

If you find a role named aws-elasticbeanstalk-service-role in your IAM settings, you can safely delete it.

  • This role is automatically created by Elastic Beanstalk when you set up an environment.
  • We’ll be creating a new role with the same name during the current Beanstalk setup process.
  • Having two roles with the same name can cause errors.
  • By deleting the existing one, we avoid this issue.

F.2. Launching Your Tomcat Application on AWS Elastic Beanstalk

Here’s a breakdown of creating a new application on Elastic Beanstalk for your Tomcat web application:

  • Start the process: Navigate to the Elastic Beanstalk console and click on “Create application.”
  • Choose your environment: Select “Web server environment” under the “Environment Tier” section. This creates an environment optimized for running web applications.
  • Name your application: Provide a unique and descriptive name for your application. This will help you identify it easily later.
  • Define your environment: Choose a name for your environment. Here are some suggestions:
      • If it’s a production environment, use something like “prod.”
      • For testing or development, consider names like “test,” “dev,” or “qa.”
  • Select your domain: Enter a unique domain name. This will be the public URL for your application accessed through the load balancer.
  • Pick your platform: Under “Platform,” select “Tomcat” as the platform type.
  • Specify your platform version: Choose “Tomcat 8.5 with Corretto 11 running on 64-bit Amazon Linux 2” from the “Platform branch” options. This defines the specific version of Tomcat and Java runtime environment your application will use.
  • Advanced configuration (optional): For most basic deployments, you can leave the preset configuration as “Custom.” However, Elastic Beanstalk offers pre-configured options for specific frameworks like Spring Boot. If you’re using a framework with pre-configured settings, you can choose that option here.
  • Move on to the next step: Once you’ve made your selections, click “Next” to continue defining your application further.

F.3. Creating an Elastic Beanstalk Environment with Security Roles

This section walks you through setting up security roles for your Elastic Beanstalk environment. We’ll create two roles:

  1. Instance Profile Role: This role defines the permissions your EC2 instances will have within the environment.
  2. Service Role: This role manages the permissions Elastic Beanstalk needs to operate your application.

Step-by-Step Guide

1. Instance Profile:

  • Choose the IAM role you created earlier (see F.1). This role will be assigned to the instance profile.

2. Service Role:

  • Select “Create new service role.” By default, this will create a role named “aws-elasticbeanstalk-service-role” with the necessary permissions.

3. EC2 Key Pair:

  • Select the key pair you created previously. This key pair allows you to connect to your EC2 instances if needed.

4. VPC Configuration:

  • Select the default VPC (Virtual Private Cloud).
  • Check the box to “Enable Public IP.” This grants your instances a public IP address for easier access.
  • You can choose all available subnet zones for deployment flexibility.

5. Tags (Optional):

  • Assign tags to your environment for better organization and identification.

6. Capacity:

  • Choose “Load balanced for autoscaling group” as the environment type. This ensures automatic scaling based on traffic.
  • Set the minimum number of instances to 2 and the maximum to a number like 7 or 8 (since you don’t expect high load).
  • Instance type: Select “t3.micro” for a cost-effective option suitable for low-traffic environments.

7. Rolling Updates and Deployments:

  • Choose “Rolling” for the deployment policy. This updates your application gradually by deploying to one instance at a time while keeping others running.
  • Set the “Batch size percentage” to 50% for testing purposes. This means only one instance (out of two) will be updated during each deployment cycle. In production environments, a lower percentage (around 10%) is recommended for smoother transitions.

8. Review and Launch:

  • Carefully review all the settings you’ve chosen.
  • Once everything looks good, click “Submit” to launch your Elastic Beanstalk environment. This process may take some time.

Remember: This is a basic example for demonstration purposes. You might need to adjust these settings based on your specific application requirements and traffic patterns. Consider conducting further research on deployment policies for optimal configurations in production environments.

F.4. Update Security Group & ELB

Step 1: Enabling ACL on your S3 Bucket

To control access to individual objects within your S3 bucket, we’ll enable Access Control Lists (ACLs). Here’s how:

  1. Navigate to your S3 bucket: Make sure you select the bucket associated with your Elastic Beanstalk environment and located in the same region.
  2. Access Bucket Permissions: Look for the “Permissions” tab and navigate to it.
  3. Enable ACLs: Scroll down until you find the “Object Ownership” section. Click the “Edit” button.
  4. Select ACL Option: Choose “ACLs enabled” from the available options.
  5. Acknowledge and Save: Don’t forget to tick the checkbox acknowledging the change. Finally, click “Save Changes” to confirm.

By enabling ACLs, you gain granular control over who can access specific objects within your S3 bucket.

Step 2: Configuring Health Checks, Session Stickiness, and HTTPS for Your Elastic Beanstalk Environment

1. Setting Up Health Checks:

  • Within the Elastic Beanstalk console, navigate to your environment and select “Configuration.”
  • Under “Instance traffic and scaling,” click “Edit.”
  • Scroll down to the “Processes” section and choose “default.”
  • Click on “Actions” and then “Edit.”
  • Locate the “Health Check” section.
  • In the “Path” field, enter “/login” (replace this with your application’s specific login path). This tells the target group to check the “/login” URL to determine application health.
  • Scroll down and find the “Sessions” section.
  • Enable “Session Stickiness” to maintain user sessions on the same instance during subsequent requests.

2. Enabling HTTPS and Adding a Security Certificate:

  • On the same configuration page, locate the “Listeners” section.
  • Click “Add Listener.”
  • Set the “Listener Port” to 443.
  • Choose “HTTPS” for the “Listener Protocol.”
  • Select your existing SSL certificate from the dropdown menu.
  • Click “Save.”

3. Applying the Changes:

  • Scroll down and click the crucial button — “Apply.” Remember, your environment health might temporarily switch to “Severe” after applying. This is expected behavior and shouldn’t cause concern. Once your application is deployed, the health status will return to “OK.”

By following these steps, you’ll ensure proper health checks, maintain user sessions effectively, and secure your Elastic Beanstalk environment with HTTPS.
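The Step 2 settings can also be verified from the environment's option settings rather than by eye in the console. The following is an added example, not code from the original article: it checks the HTTPS listener, health check path and stickiness, and also reports that the default port 80 listener stays enabled when only a 443 listener is added. The sample data and the certificate ARN are constructed placeholders.

```python
# Added example: checks the Step 2 settings as Elastic Beanstalk option settings.
# SAMPLE is constructed, in the shape of OptionSettings returned by
# `aws elasticbeanstalk describe-configuration-settings`; the ARN is a placeholder.
PROC = "aws:elasticbeanstalk:environment:process:default"
SAMPLE = [
    {"Namespace": "aws:elbv2:listener:443", "OptionName": "Protocol", "Value": "HTTPS"},
    {"Namespace": "aws:elbv2:listener:443", "OptionName": "SSLCertificateArns",
     "Value": "arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER"},
    {"Namespace": PROC, "OptionName": "HealthCheckPath", "Value": "/login"},
    {"Namespace": PROC, "OptionName": "StickinessEnabled", "Value": "true"},
]


def check_environment(settings, https_port=443):
    """Return a list of findings; an empty list means every check passed."""
    opt = {(s["Namespace"], s["OptionName"]): (s.get("Value") or "") for s in settings}
    listener = f"aws:elbv2:listener:{https_port}"
    findings = []

    # The HTTPS listener must exist and reference a certificate.
    if opt.get((listener, "Protocol"), "").upper() != "HTTPS":
        findings.append(f"no HTTPS listener on port {https_port}")
    elif not opt.get((listener, "SSLCertificateArns")):
        findings.append(f"HTTPS listener on port {https_port} has no certificate")

    # The default listener (port 80) stays on unless ListenerEnabled is "false",
    # so adding 443 alone still leaves plain HTTP reachable.
    if opt.get(("aws:elbv2:listener:default", "ListenerEnabled"), "true").lower() != "false":
        findings.append("default port 80 listener is enabled: plain HTTP still accepted")

    # Health check path and stickiness fall back to "/" and "false" when unset.
    if opt.get((PROC, "HealthCheckPath"), "/") in ("", "/"):
        findings.append("health check uses the default path '/'")
    if opt.get((PROC, "StickinessEnabled"), "false").lower() != "true":
        findings.append("session stickiness is disabled")
    return findings


if __name__ == "__main__":
    for finding in check_environment(SAMPLE):
        print("FINDING:", finding)
```

To run it against a real environment, pass the `OptionSettings` list from the CLI output in place of `SAMPLE`.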

Step 3: Configuring Security Groups for Your Elastic Beanstalk Application

Now that your Elastic Beanstalk environment is up and running, it’s time to configure security groups to ensure your Beanstalk instances can access your backend services securely. Here’s a step-by-step guide:

1. Find Your Beanstalk Instance Security Group ID:

  • Go to the Amazon EC2 console.
  • In the navigation pane, select Instances.
  • You’ll see a list of instances, including your two Beanstalk instances. Choose one of them.
  • Click on the “Security” tab.
  • Scroll down to the “Security groups” section. You’ll see the security group associated with your instance. Copy its ID; you’ll need it in the next step.

2. Grant Access to Backend Services:

  • In the EC2 console, navigate to the “Security Groups” section (you can find it in the left-hand navigation pane).
  • Locate your backend security group (the one protecting your backend services).
  • Click on the security group name to open its details.
  • Scroll down to the “Inbound rules” section. This controls what kind of traffic can enter your backend environment.
  • Click on “Edit inbound rules”.
  • Click on “Add rule”.
  • In the “Type” dropdown, select “All traffic”.
  • In the “Source” field, paste the security group ID you copied from your Beanstalk instance in step 1.
  • (Optional) In the “Description” field, you can add a clear description like “Allow access from Beanstalk instances”.
  • Click on “Save rules” to apply the changes.

By following these steps, you’ve created a rule in your backend security group that allows traffic from your Beanstalk instances. This ensures secure communication between your application and backend services within your AWS environment.
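An “All traffic” rule lets the Beanstalk instances reach every protocol and port on the backend, which is wider than most backends need. The following is an added example, not code from the original article: it finds such rules in a security group description and builds port-scoped replacements. The group IDs and the ports (3306, 11211) are constructed assumptions; substitute the ports your backend services actually listen on.

```python
# Constructed sample in the shape of one group from
# `aws ec2 describe-security-groups`; IDs are placeholders, not from the article.
BEANSTALK_SG = "sg-0aaaaaaaaaaaaaaa1"
BACKEND_GROUP = {
    "GroupId": "sg-0bbbbbbbbbbbbbbb2",
    "IpPermissions": [
        # The rule created in Step 3: Type "All traffic", source = Beanstalk SG.
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": BEANSTALK_SG,
                               "Description": "Allow access from Beanstalk instances"}]},
        # A port-scoped rule for comparison (constructed).
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0bbbbbbbbbbbbbbb2"}]},
    ],
}

def broad_rules(group):
    """Yield (source, reason) for inbound rules wider than a single service."""
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1":
            reason = "all protocols and ports"
        elif proto in ("tcp", "udp") and lo == 0 and hi == 65535:
            reason = f"every {proto} port"
        else:
            continue
        sources = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        sources += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for src in sources:
            yield src, reason

def scoped_permissions(source_sg, tcp_ports):
    """Port-scoped replacement rules, in the IpPermissions shape accepted by
    `aws ec2 authorize-security-group-ingress --ip-permissions`."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "UserIdGroupPairs": [{"GroupId": source_sg,
                                   "Description": f"Beanstalk to backend tcp/{port}"}]}
            for port in sorted(set(tcp_ports))]

if __name__ == "__main__":
    for src, reason in broad_rules(BACKEND_GROUP):
        print(f"{BACKEND_GROUP['GroupId']}: {src} allowed on {reason}")
    # Ports are assumptions (MySQL, Memcached), not values from the article.
    print(scoped_permissions(BEANSTALK_SG, [3306, 11211]))
```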
