Designing 3 Tier Architecture In AWS

Eddy Moran
12 min read · Mar 13, 2023


This week we are designing a company’s new web application in three tiers. The outline for the project is below:

  • Web Tier
  1. 2 public subnets
  2. Minimum 2 EC2 instances with OS of choice (free tier of course) in an auto scaling group
  3. EC2 web server security group allowing inbound permission from the internet
  4. Bootstrap a static web page from user data, or create a custom AMI that already includes the static web page
  5. Create a public route table and associate the 2 public subnets
  • Application Tier
  1. 2 private subnets
  2. Minimum of 2 EC2 instances with OS of choice (also free tier) in an auto scaling group
  3. EC2 application server security group allowing inbound traffic only from the web server security group
  4. Associate with private route table
  • Database Tier
  1. Use a free tier MySQL RDS database
  2. The database security group should allow inbound traffic for MySQL from the application server security group
  3. 2 private subnets
  4. Associate with private route table

Before we start:

Let’s set up a Virtual Private Cloud (VPC). Navigate to VPC on the AWS Console and click on “Create VPC”. Select VPC only, name it, make sure that IPv4 CIDR is set to manual, and enter 10.10.0.0/16. Yes I’ve used this CIDR block before and I’m using it again for familiarity. Then click on “create VPC” at the bottom.

The VPC is now available and ready for action.

Now to set up our subnets. We’re setting up a total of 6: 2 public subnets for the web tier, 2 private subnets for the application tier, and 2 private subnets for the database tier.

Navigate to Subnets and click on “Create subnet”. Select the VPC you just made for the VPC ID, name your subnets in order of what they are for. I went with this web/application/database-tier-public/private-# scheme but of course you can name them however you want.

This project uses 2 availability zones, so within each tier put the first subnet in AZ 1a and the second in AZ 1b; that way every tier spans both zones. I’m following the order of the outline above, so I’m starting with the web tier public subnets. For the IPv4 CIDR blocks I went with another familiar scheme: 10.10.1.0/24 through 10.10.6.0/24, one /24 per subnet in the order listed.

Instead of clicking “Create subnet” at the bottom, we’re going to click “Add new subnet” to make the rest of the subnets. See the screenshots below for a visual example of how I created them:

We can see below that all 6 subnets have been created.

Let’s not forget to enable “auto-assign public IPv4 address” on the two public subnets only. Select each one in turn, go to “Actions” at the top, and choose “Edit subnet settings”. Leave it off on the four private subnets so nothing in the application or database tiers ever receives a public address.

Ok! All of our subnets are set up properly now.

Next, we need to make an internet gateway. Let’s navigate to that section on the AWS Console and get it started. Name it and then click on “create internet gateway”.

Let’s make sure we attach it to the VPC we just made. To do that, we go to “actions” and select “attach to VPC”.

On the next page select the VPC and click on “attach internet gateway”.

The VPC is now attached.

Next up, it’s time to create a NAT gateway. Let’s go to that section in the VPC dashboard and click “Create NAT gateway” to set it up.

Let’s name it and select one of the public subnets for it. Leave the connectivity type on Public. Allocate an elastic IP and then click “Create NAT gateway”. Note that a NAT gateway lives in a single AZ: if that AZ fails, the private subnets in the other AZ lose their outbound path. A production build puts one NAT gateway in each public subnet with a private route table per AZ; one is enough for this exercise.

As usual I like to verify that it was setup right.

Next on the to-do list is route tables. We’ll be setting up a public and private route table. Go to route tables on the VPC dashboard and click on “create route table”.

Let’s name the route table and select our VPC we made. Click “create route table”.

We’re not done with this route table yet. We need to add the two public subnets to it. To do that, we go to the Explicit subnet associations section and click on “Edit subnet associations”.

Select the public subnets and click “Save associations”.

We’re still not done here. Now we go to routes and click “Edit routes” to add the internet gateway to the route.

Click ‘add route” and select 0.0.0.0/0, then “Internet Gateway” for the target. Click “Save changes”.

Now we can create the private route table. We can just repeat the same process of naming the table and selecting the VPC but we should include private on the name so we can find it later.

When we go to “Edit subnet associations”, we’re going to check all 4 private subnets and click “Save associations”.

For the routes, we’re going to add a route with destination 0.0.0.0/0 on this table too but for the target, we’re selecting NAT gateway instead of internet gateway. Save the changes.

We now have the infrastructure needed to set up the three tiers. It’s a good time to take a short breather before continuing.
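Before continuing, here is an offline check of the layout just built. It is an added example and not part of the original post: it models the VPC CIDR, the six subnets and the two route tables as Python data and validates the properties the outline depends on: every subnet inside 10.10.0.0/16 with no overlaps, each tier spread across two availability zones, and each public subnet’s default route pointing at the internet gateway while each private subnet’s points at the NAT gateway. The availability zone names (us-east-1a/1b), the subnet names and the igw-/nat- placeholder IDs are assumptions; the post does not state a region or the IDs of the resources it created.

```python
import ipaddress
from dataclasses import dataclass, field

# The VPC CIDR used in the walkthrough.
VPC_CIDR = "10.10.0.0/16"


@dataclass
class Subnet:
    name: str
    cidr: str
    az: str
    tier: str      # "web", "app" or "db"
    public: bool   # public subnets get the IGW route, private ones the NAT route


@dataclass
class RouteTable:
    name: str
    default_target: str   # target of the 0.0.0.0/0 route: "igw-..." or "nat-..."
    subnets: list = field(default_factory=list)   # explicit subnet associations


def build_plan():
    """The six subnets and two route tables from the walkthrough.
    AZ names assume us-east-1; the igw-/nat- IDs are placeholders."""
    subnets = [
        Subnet("web-tier-public-1",          "10.10.1.0/24", "us-east-1a", "web", True),
        Subnet("web-tier-public-2",          "10.10.2.0/24", "us-east-1b", "web", True),
        Subnet("application-tier-private-1", "10.10.3.0/24", "us-east-1a", "app", False),
        Subnet("application-tier-private-2", "10.10.4.0/24", "us-east-1b", "app", False),
        Subnet("database-tier-private-1",    "10.10.5.0/24", "us-east-1a", "db",  False),
        Subnet("database-tier-private-2",    "10.10.6.0/24", "us-east-1b", "db",  False),
    ]
    public_rt = RouteTable("public-route-table", "igw-PLACEHOLDER",
                           [s.name for s in subnets if s.public])
    private_rt = RouteTable("private-route-table", "nat-PLACEHOLDER",
                            [s.name for s in subnets if not s.public])
    return subnets, [public_rt, private_rt]


def validate(subnets, route_tables):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings = []
    vpc = ipaddress.ip_network(VPC_CIDR)

    # 1. Every subnet CIDR sits inside the VPC and overlaps no other subnet.
    seen = {}
    for s in subnets:
        net = ipaddress.ip_network(s.cidr)
        if not net.subnet_of(vpc):
            findings.append(f"{s.name}: {s.cidr} is outside {VPC_CIDR}")
        for other_name, other_net in seen.items():
            if net.overlaps(other_net):
                findings.append(f"{s.name}: {s.cidr} overlaps {other_name} ({other_net})")
        seen[s.name] = net

    # 2. Each tier spans at least two availability zones.
    azs_by_tier = {}
    for s in subnets:
        azs_by_tier.setdefault(s.tier, set()).add(s.az)
    for tier, azs in azs_by_tier.items():
        if len(azs) < 2:
            findings.append(f"tier {tier}: only in {sorted(azs)}, needs two AZs")

    # 3. Each subnet is on exactly one route table, and that table's default
    #    route matches the subnet's role (IGW for public, NAT for private).
    assoc = {}
    for rt in route_tables:
        for name in rt.subnets:
            assoc.setdefault(name, []).append(rt)
    for s in subnets:
        tables = assoc.get(s.name, [])
        if len(tables) != 1:
            findings.append(f"{s.name}: associated with {len(tables)} route tables, expected 1")
            continue
        target = tables[0].default_target
        if s.public and not target.startswith("igw-"):
            findings.append(f"{s.name}: public subnet but 0.0.0.0/0 goes to {target}")
        if not s.public and not target.startswith("nat-"):
            findings.append(f"{s.name}: private subnet but 0.0.0.0/0 goes to {target} "
                            "(an IGW route makes it a public subnet)")
    return findings


if __name__ == "__main__":
    plan_subnets, plan_tables = build_plan()
    problems = validate(plan_subnets, plan_tables)
    print("layout OK" if not problems else "\n".join(problems))
```

Run it as-is and it reports the six-subnet plan as consistent; the useful part is what it catches when the console clicks go wrong, for example a database subnet accidentally added to the public route table, which is reported as a private subnet whose default route leads to the internet gateway.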

We’re going to built the tiers one at a time starting with the web tier.

Web Tier

Go to Launch templates in the EC2 dashboard and click on “Create launch template”.

Let’s name the template, add a version description, and check the “Provide guidance” box under Auto Scaling guidance.

On the next section below, choose a free tier OS. I go with old reliable which is Amazon Linux.

For the instance type I went with another old reliable, t2.micro, but you can choose another free tier option. I created a new key pair for this specific project, but you can use an existing one if you’d like.

For the next section, Network settings, select “Create security group”, name it, and add a description. Select the VPC we made for this project and click on “Add security group rule”.

Select SSH for the type and 0.0.0.0/0 for the source, then click “Add security group rule” again and select HTTP with 0.0.0.0/0 as the source. Opening SSH to the whole internet is acceptable only for a throwaway lab: for anything longer-lived, set the SSH source to your own address as a /32, or drop the rule entirely and use Session Manager instead. In the Advanced network configuration section, click “Add network interface” and select Enable for Auto-assign public IP.

Now let’s go to Advanced details and scroll down to User data. We’re going to enter a script here for an Apache web server.

#!/bin/bash
# User data runs as root at first boot, so sudo is not needed.

# Update packages
yum update -y

# Install Apache
yum install -y httpd

# Write the static page the outline calls for (replace with your own content)
echo "<h1>Web tier: $(hostname -f)</h1>" > /var/www/html/index.html

# Start Apache now and on every boot
systemctl start httpd
systemctl enable httpd

Lastly, click “Create launch template”.

So far so good!

Before we try to make the next tier, let’s create an auto scaling group. Go to Actions after clicking on the template and select “Create Auto Scaling group”.

Name the group, select the launch template you just made, and click “Next”.

Select the VPC for this project and the two public web tier subnets. Click “Next”.

Select Attach to a new load balancer, Application Load Balancer, and Internet-facing. Then select Create a target group and click “Next”. The load balancer becomes the public entry point for the tier; once it is in place, the HTTP rule on the web tier security group can be tightened from 0.0.0.0/0 to the load balancer’s own security group so that clients cannot bypass it and hit the instances directly.

Select 2 for Desired and Minimum capacity, 4 for Maximum capacity. Leave everything else in default and click “Next” from here to the final screen and click “Create auto scaling group”.

We should have two instances running… and here they are.

Let’s make sure we can access the Apache servers!

Web tier is done. Now we can move on to the application tier.

Application Tier

This should be a lot quicker to set up for us given that we’re repeating the same process we did for the web tier for the most part but with a few differences.

On the EC2 dashboard, go back to Launch Templates → Create launch template. Let’s name the template and add a description. Be sure to check “Provide guidance” on the Auto scaling guidance section, click on quick start and choose the same free tier OS you used for the web tier- in my case, Amazon Linux.

Use the same free tier instance type as the web tier (I went with t2.micro), and select the key pair we made for this project. Next, Network settings → Create security group. Name it and add a description, then select the VPC you’ve been using for the project. Click “Add security group rule”.

Select SSH for the type and, for the source, select the web tier security group created with the web launch template: the outline has the application tier accept traffic only from the web tier, and referencing the group rather than a CIDR keeps that true as web instances scale in and out. Add a 2nd rule with type “All ICMP - IPv4” so the ping test later works, again with the web tier security group as the source rather than 0.0.0.0/0; nothing outside the VPC needs to reach these instances. Leave everything else at default and click “Create launch template”.

Let’s set up the auto scaling group for it.

Select the template → Actions → create auto scaling group.

Name it, select the template we just made, and click “Next”. Select the VPC and the two private application tier subnets (one in each AZ). Click “Next” again to move on to the next screen.

We’re going to go with No load balancer for the app tier and click “Next”.

The Group size will be the same as the web tier- Desired and Minimum capacity will be 2 and maximum capacity will be 4. Click “Next”.

Skip the next few screens until you get to the review and click “Create auto scaling group”.

It was created successfully, but let’s also check that the instances are up and running.

Yes they are!

I was considering taking another break… but no, let’s knock out the database tier asap!

Before we jump on that, it’s a good idea to name the instances for good organization. It’s optional of course, but why not? I named mine after their subnets like so:

One more thing before we move on to the database tier: let’s SSH into the web tier instance in public subnet 1 and verify that it can ping the app tier. This also confirms the security group chain so far: the web instance is reachable from the internet, and the app instances accept traffic only from it.

Select the corresponding instance and click “Connect”. Click on SSH client, and open your preferred terminal app on your computer. Navigate to the directory where you saved the key pair for this project.

Run the following command in the terminal to make sure the key pair file has the right permissions (ssh refuses a private key that other users can read):

chmod 400 yourkeypair.pem

Copy the example from the SSH client screen and paste it into your terminal. Once you have a shell on the instance, ping the private IP address of one of the app tier instances (shown on the EC2 Instances page). If you later need a shell on an app instance, hop through the web instance with agent forwarding (ssh -A) rather than copying the private key onto it.

It’s working!

Press Ctrl-C to stop the ping.

Alright! Now we can start the last tier.

Database Tier

Search for RDS on the AWS console and click “Create database”.

Select Standard create and MySQL.

Select Free tier for the template and name the database. You can keep admin as the master username, but set a strong master password and keep it out of user data scripts and code; the application tier should fetch it from a secrets store at runtime rather than having it baked in.

For Instance configuration make sure Burstable classes is checked, then skip to the Connectivity section and select the VPC for the project. If you want the database confined to the two database subnets, create a DB subnet group containing only those two first (RDS → Subnet groups) and select it here; otherwise RDS will place it in any subnet of the VPC. Click “Create new” for the VPC security group and name it. Leave Public access set to No (the database should be reachable only from inside the VPC) and everything else at its default as you scroll down, then click “Create database” at the bottom.

It will take a few minutes. Take a small break in the meantime.

It’s good to go!

The last thing left is editing the security group for this tier. Go to the VPC dashboard in the AWS console and click on Security groups. Select the security group for the database tier, click “Actions”, and select “Edit inbound rules”.

Delete the rule the RDS console added when it created the group, click “Add rule”, select MySQL/Aurora for the type, and select the application tier security group for the source: the outline calls for MySQL from the application servers only, and pointing the rule at the database group itself would let nothing in, since the app instances are not members of it. Click “Save rules”.
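As an added example (not code from the post), the following Python audits the three security groups the way a reviewer would check them before calling the build done. The input is constructed to mirror the shape of `aws ec2 describe-security-groups` output; the group IDs sg-web, sg-app and sg-db and the admin address 203.0.113.10/32 are placeholders. `as_built()` holds the rules a first pass commonly leaves behind (SSH open to the world on the web tier, ICMP from any address on the app tier, and the database group pointing at itself instead of the application tier group) and `hardened()` holds the corrected set that matches the outline.

```python
# Placeholder group IDs standing in for the three groups created above.
WEB_SG, APP_SG, DB_SG = "sg-web", "sg-app", "sg-db"


def _sources(rule):
    """Split a rule into its CIDR sources and its security-group sources."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    groups = [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
    return cidrs, groups


def _label(rule):
    proto = rule["IpProtocol"]
    if proto == "-1":
        return "all traffic"
    if proto == "icmp":
        return "icmp"
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def _covers_tcp(rule, port):
    """True if the rule admits TCP traffic to `port` (an all-traffic rule counts)."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]


def audit(groups):
    """Check the three tiers against the outline; return a list of findings."""
    by_id = {g["GroupId"]: g for g in groups}
    findings = []

    # Web tier: HTTP from anywhere is the point of the tier; SSH from anywhere is not.
    http_open = False
    for rule in by_id[WEB_SG]["IpPermissions"]:
        cidrs, _ = _sources(rule)
        if "0.0.0.0/0" in cidrs and _covers_tcp(rule, 80):
            http_open = True
        if "0.0.0.0/0" in cidrs and _covers_tcp(rule, 22):
            findings.append("web: SSH (22) open to 0.0.0.0/0; limit it to your own IP")
    if not http_open:
        findings.append("web: no HTTP (80) rule from 0.0.0.0/0")

    # Application tier: every source must be the web tier group, never a CIDR.
    for rule in by_id[APP_SG]["IpPermissions"]:
        cidrs, grps = _sources(rule)
        if cidrs:
            findings.append(f"app: {_label(rule)} from {cidrs}; source should be {WEB_SG}")
        for g in grps:
            if g != WEB_SG:
                findings.append(f"app: {_label(rule)} from {g}; source should be {WEB_SG}")

    # Database tier: exactly MySQL 3306 from the application tier group.
    mysql_from_app = False
    for rule in by_id[DB_SG]["IpPermissions"]:
        cidrs, grps = _sources(rule)
        is_mysql = (rule["IpProtocol"] == "tcp"
                    and rule.get("FromPort") == 3306 and rule.get("ToPort") == 3306)
        if not is_mysql:
            findings.append(f"db: unexpected rule {_label(rule)}; only MySQL (3306) belongs here")
        if cidrs:
            findings.append(f"db: {_label(rule)} from {cidrs}; source should be {APP_SG}")
        for g in grps:
            if g == APP_SG and is_mysql:
                mysql_from_app = True
            elif g == DB_SG:
                findings.append("db: source is the database group itself; "
                                "the app instances are not in it, so they cannot connect")
            else:
                findings.append(f"db: {_label(rule)} from {g}; source should be {APP_SG}")
    if not mysql_from_app:
        findings.append(f"db: no MySQL (3306) rule from {APP_SG}")
    return findings


def _rule(proto, port, cidr=None, group=None):
    """Build one rule in describe-security-groups shape (constructed sample data)."""
    rule = {"IpProtocol": proto, "IpRanges": [], "UserIdGroupPairs": []}
    if proto != "-1":
        rule["FromPort"], rule["ToPort"] = port, port
    if cidr:
        rule["IpRanges"].append({"CidrIp": cidr})
    if group:
        rule["UserIdGroupPairs"].append({"GroupId": group})
    return rule


def as_built():
    """Rules as a first pass commonly leaves them (constructed sample)."""
    return [
        {"GroupId": WEB_SG, "GroupName": "web-tier-sg", "IpPermissions": [
            _rule("tcp", 22, cidr="0.0.0.0/0"),
            _rule("tcp", 80, cidr="0.0.0.0/0")]},
        {"GroupId": APP_SG, "GroupName": "app-tier-sg", "IpPermissions": [
            _rule("tcp", 22, group=WEB_SG),
            _rule("icmp", -1, cidr="0.0.0.0/0")]},
        {"GroupId": DB_SG, "GroupName": "db-tier-sg", "IpPermissions": [
            _rule("tcp", 3306, group=DB_SG)]},   # database group pointing at itself
    ]


def hardened():
    """The same three groups with sources tightened to the outline (constructed sample)."""
    return [
        {"GroupId": WEB_SG, "GroupName": "web-tier-sg", "IpPermissions": [
            _rule("tcp", 22, cidr="203.0.113.10/32"),   # placeholder admin address
            _rule("tcp", 80, cidr="0.0.0.0/0")]},
        {"GroupId": APP_SG, "GroupName": "app-tier-sg", "IpPermissions": [
            _rule("tcp", 22, group=WEB_SG),
            _rule("icmp", -1, group=WEB_SG)]},
        {"GroupId": DB_SG, "GroupName": "db-tier-sg", "IpPermissions": [
            _rule("tcp", 3306, group=APP_SG)]},
    ]


if __name__ == "__main__":
    for name, groups in (("as built", as_built()), ("hardened", hardened())):
        result = audit(groups)
        print(f"[{name}] {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Against real infrastructure, replace the two sample functions with the parsed JSON from `aws ec2 describe-security-groups --group-ids ...`; the audit logic is the same. The self-referencing database rule is worth keeping in the sample because it fails silently: the console accepts it, the database comes up, and only the application tier’s first connection attempt reveals that nothing can reach port 3306.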

That’s the last step for 3 tier project!

  • Be sure to delete or stop the instances, NAT gateway, load balancer, RDS instance and other resources we created so you don’t get surprise charges. The NAT gateway in particular is billed by the hour plus data processed and is not covered by the free tier, and the elastic IP allocated to it must be released separately after the gateway is deleted.

Thank you for reading!
