Using a Jump Server as well as building and accessing a Three-tier architecture (Web/App/Data) while exploring the ability to access MySQL RDS.
The simplicity of the Jump Server allows any Admin or Developer to log in from a centralized location and access other workstations or servers securely using a Key Pair stored on the Jump Server itself.
I will be providing some insight into this and how its role is integrated with a Three-tier architecture.
I will go through the process of creating the Jump Server (EC2 instance) as well as the rest of the architecture itself.
THINGS TO CONSIDER:
JUMP BOX PROVIDES CENTRALIZED ACCESS
It is actually an EC2 instance that contains no special 3rd party software. It should have only the essentials needed to run. This EC2 instance will be a jumping point, or perhaps a landing site, from which we can “jump” to other servers or instances.
From a security standpoint this is a good thing, because we are able to keep privileged resources separated from openly reachable ones on the network.
NAT GATEWAY IS PUBLIC FACING:
Allows private nodes or devices to initiate communication to public and external networks.
NAT Gateways must be in a public subnet alongside an internet gateway. A route pointing to the NAT Gateway must be added to each of the private route tables.
INTERNET GATEWAY IS PUBLIC FACING
It must be in a public subnet along with a NAT Gateway in order to route traffic to and from the VPC.
LOAD BALANCERS
Since the public-facing Application Load Balancer will take the brunt of the traffic for the web server instances, you will also need to place an internal load balancer in front of the application servers.
VPC Mistake:
If you have two or more VPCs, it is easy for the default option in the drop-down menu to be a different VPC than the one you are aiming to use. Please make certain that you have selected the correct VPC for your project each and every time a resource is created manually.
CREATING SECURITY GROUPS…
First create a security group for your Jump Server or Bastion Host to allow SSH inbound. Generally you will want to allow access from a specific IP address only, not from anywhere (0.0.0.0/0). This is just an example, after all.
Jump Server security group
Simple SSH access, as shown below.
Web Tier security group
- Ping (ICMP) from within the network only
- SSH from the Jump Server security group only
- HTTP from anyone on the web
App Tier security group
- Ping (ICMP) from within the network only
- SSH from the Jump Server security group only
- HTTP from the Web Tier security group only
DB Tier security group
- HTTP from the App Tier
- MySQL (3306) from the App Tier
- MySQL (3306) from the Jump Server
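The tier rules above can be checked mechanically once the groups exist. The following is an added example (not code from the original post): it audits a constructed sample in the shape of `aws ec2 describe-security-groups` output for the three deviations the text warns about, and the sg- ids and group names are made-up placeholders.

```python
"""Audit security groups against the three-tier rules described above."""
ANYWHERE = "0.0.0.0/0"

# Constructed sample shaped like `describe-security-groups` output (only the
# fields the audit reads). Group ids and names are placeholders; two of the
# rules deliberately violate the design so the audit has something to find.
SECURITY_GROUPS = [
    {"GroupId": "sg-jump", "GroupName": "Sec-Jump-Server", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANYWHERE}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-web", "GroupName": "Sec-Web-Tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-jump"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": ANYWHERE}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "GroupName": "Sec-App-Tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
    {"GroupId": "sg-db", "GroupName": "Sec-DB-Tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": ANYWHERE}],
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
]

# Tiers that may accept SSH only from the jump server's security group.
SSH_SOURCE = {"Sec-Web-Tier": {"sg-jump"}, "Sec-App-Tier": {"sg-jump"}}

def covers(rule, port):
    """True if the rule includes `port` ('-1' means all traffic, no port fields)."""
    return rule["IpProtocol"] == "-1" or rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def audit(groups):
    """Return findings that contradict the tier rules; an empty list means compliant."""
    findings = []
    for sg in groups:
        name = sg["GroupName"]
        for rule in sg["IpPermissions"]:
            cidrs = {r["CidrIp"] for r in rule["IpRanges"]}
            src_sgs = {p["GroupId"] for p in rule["UserIdGroupPairs"]}
            if covers(rule, 22) and ANYWHERE in cidrs:
                findings.append(f"{name}: SSH open to {ANYWHERE}; restrict it to your own IP")
            if covers(rule, 22) and name in SSH_SOURCE and (cidrs or src_sgs - SSH_SOURCE[name]):
                findings.append(f"{name}: SSH allowed from sources other than the jump server SG")
            if covers(rule, 3306) and cidrs:
                findings.append(f"{name}: MySQL 3306 allowed from CIDR {sorted(cidrs)}; use source SGs only")
    return findings

if __name__ == "__main__":
    for finding in audit(SECURITY_GROUPS):
        print("FINDING:", finding)
```

Feeding real output into `audit()` only requires loading the `SecurityGroups` list from `aws ec2 describe-security-groups --output json`.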
Creating VPC, IGW, NATGW, Subnets, Route Tables/Routes..
Start off by creating a VPC. Mine will be called “3-Tier-VPC”.
The CIDR for my VPC is 10.0.0.0/16. This allows a large pool of networks and IP addresses to be carved out of a Class B network (xx.0.0/16), which has 16,384 network addresses and 65534 usable addresses per network.
Internet Gateway:
Internet gateway called “public-IG”
Attach your internet gateway to your VPC
NAT Gateway:
Note: You must create an Internet Gateway and attach it to your VPC before creating the NAT Gateway; otherwise the NAT Gateway will end up with a status of “failed”.
Create a NAT Gateway and place it into one of your public subnets. I will be placing mine in web-pub-1a and using an Elastic IP.
Subnets:
List of subnets:
Public subnets:
- 10.0.0.0/24
- 10.0.1.0/24
Private subnets:
- 10.0.2.0/24
- 10.0.3.0/24
Private subnets:
- 10.0.4.0/24
- 10.0.5.0/24
Route Tables:
(#1) Public Route Table (web-pub-route-table)
(#2) Private Route Table (app-priv-route-table)
(#3) Private Route Table (db-priv-route-table)
Subnet Associations:
In order to assign each subnet from … you need to click on each route table, open the Subnet associations tab and then click the “Edit subnet associations” button.
Assign the correct subnets to the corresponding route table.
Routes:
Next, you need to click on each route table, open the Routes tab and then click the “Edit routes” button.
PRIVATE ROUTES:
We will edit the routes so that any traffic not destined for devices on our VPC (10.0.0.0/16), that is, the 0.0.0.0/0 destination, is sent to the NAT Gateway (3-Tier-NG). Select the NAT Gateway that you created. Do this for both the Private App Table and the Private DB Table.
PUBLIC ROUTE:
We will edit the routes so that any traffic not destined for devices on our VPC (10.0.0.0/16), that is, the 0.0.0.0/0 destination, is sent to the Internet Gateway (public-IG).
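The subnet plan and the three route tables above are easy to get subtly wrong in the console (a private table left without its default route, a subnet outside the VPC range). As an added example that is not part of the original post, this script checks such a plan offline; the subnet names other than web-pub-1a and the igw-/nat- target ids are constructed placeholders, and the DB table is deliberately missing its default route.

```python
"""Sanity-check the VPC subnet plan and route tables described above."""
from ipaddress import ip_network

VPC = ip_network("10.0.0.0/16")

# Subnets from the text; the names (except web-pub-1a) are assumed for illustration.
SUBNETS = {
    "web-pub-1a": "10.0.0.0/24", "web-pub-1b": "10.0.1.0/24",
    "app-priv-1c": "10.0.2.0/24", "app-priv-1d": "10.0.3.0/24",
    "db-priv-1a": "10.0.4.0/24", "db-priv-1b": "10.0.5.0/24",
}

# Route tables as designed; gateway ids are placeholders. The db table has
# no 0.0.0.0/0 route on purpose (the step forgotten most often).
ROUTE_TABLES = {
    "web-pub-route-table": {"kind": "public", "subnets": ["web-pub-1a", "web-pub-1b"],
                            "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-PLACEHOLDER"}},
    "app-priv-route-table": {"kind": "private", "subnets": ["app-priv-1c", "app-priv-1d"],
                             "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-PLACEHOLDER"}},
    "db-priv-route-table": {"kind": "private", "subnets": ["db-priv-1a", "db-priv-1b"],
                            "routes": {"10.0.0.0/16": "local"}},
}

def check_plan(vpc, subnets, tables):
    """Return a list of problems; an empty list means the plan matches the design."""
    problems = []
    nets = {name: ip_network(cidr) for name, cidr in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside the VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):               # every pair of subnets must be disjoint
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    assoc = {}
    for table, spec in tables.items():
        for s in spec["subnets"]:
            assoc.setdefault(s, []).append(table)
        default = spec["routes"].get("0.0.0.0/0")
        want = "igw-" if spec["kind"] == "public" else "nat-"   # public -> IGW, private -> NAT
        if default is None:
            problems.append(f"{table}: no 0.0.0.0/0 route")
        elif not default.startswith(want):
            problems.append(f"{table}: 0.0.0.0/0 points at {default}, expected a {want}* target")
    for s in subnets:                           # each subnet belongs to exactly one table
        if len(assoc.get(s, [])) != 1:
            problems.append(f"{s}: associated with {len(assoc.get(s, []))} route tables")
    return problems

if __name__ == "__main__":
    print(check_plan(VPC, SUBNETS, ROUTE_TABLES))
```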
Create Launch Templates
WEB SERVER LAUNCH TEMPLATE
Select the Free Tier Amazon Linux 2 AMI (HVM)
Select the Free Tier t2.micro instance type and create your keypair
- Assign to your public subnet (1a)
- Use the Sec-Web-Tier security group
- Click on Advanced network configuration and choose Enable for Auto-assign public IP.
- If you do not do this, no one will be able to view your website because the instance will not have a public IP.
APP SERVER LAUNCH TEMPLATE
Now create another launch template for your application tier.
Leave the rest of the settings (EC2 type, etc.) the same as for the web tier and scroll down to the keypair and network settings. Assign a different keypair, and assign this launch template to the App Tier private subnet.
Create Autoscaling Groups …
WEB TIER AUTOSCALING GROUP
For the Web Tier I am creating an Autoscaling group called “Web-ASG”. I am assigning our launch template of “Web-Tier-LT” to it.
Select the correct VPC. For our default autoscaling group subnet I am still using (web-pub-1a) which is in East-1a.
I am attaching a new load balancer (created here) to this autoscaling group.
I selected the “Internet-facing” option, as this will host a website.
I selected us-east-1b in order to assign a second subnet to the Autoscaling group.
For the Application Load Balancer I have attached a target group (Web-Target) to the listener on port 80.
I selected a min of 1 and a max of 2. This helps me save some money while I work through this tutorial!
Finish creating your Autoscaling group…
APP TIER AUTOSCALING GROUP
For the App Tier, the settings are pretty much the same, except that instead of a public-facing load balancer you will use an internal load balancer. You will be using the east-1c and east-1d private subnets.
Creating Jump Server Instance…
I create an EC2 instance called “My-Jump-Server” with the basic free tier options.
- Please remember to click on the correct VPC
- Select the correct PUBLIC subnet
- Enable auto-assign public IP (at least for this project)
MYSQL initial setup in AWS…
First select the “Easy create” option …
Name your instance, create credentials and connect to an EC2 compute resource; I selected the application server tier.
Scroll down and select “Free tier”
CONNECT TO JUMP SERVER…
After I have successfully SSH’d into my Jump Server, I will attempt to ping both the running Web Server and App Server instances.
LAUNCH INTO WEB SERVER AND APP SERVER
Start off by creating a new file on the Jump Server with the same keypair name that the Web Server would recognize. In our case it will be “weblaunch.pem”.
Take the “weblaunch.pem” file you downloaded to your own computer, copy its contents and paste them into this new weblaunch.pem file being created on the jump server. Essentially, we are creating a duplicate by copying the original file into an empty file on the jump server.
Do the same for the App server that is running.
I will attempt to launch from the Jump Server into the Web Server that is currently running in AWS…
As you can see, I have successfully launched into my Web Server. Notice that the IP at the bottom of the screen has changed. When I exit, it reverts back to the Jump Server instance; again, notice the IP change at the bottom.
I will attempt to launch from the Jump Server into the App Server that is currently running in AWS
As you can see, I have successfully launched into my App Server. Notice that the IP at the bottom of the screen has changed.
Install MYSQL on APP Server…
List of commands to install MySQL on your App server:
# Configure the EPEL repository that is required for package installation
sudo amazon-linux-extras install epel -y
# Configure the MySQL repository
sudo yum install -y https://dev.mysql.com/get/mysql80-community-release-el7-5.noarch.rpm
# Install MySQL Community Server
sudo yum install -y mysql-community-server
Run the following commands to start the MySQL service and check its status:
# Start the MySQL server (needs root privileges)
sudo systemctl start mysqld
# Check status
systemctl status mysqld
CONNECTION TO RDS THROUGH YOUR APP SERVER
GRAB ENDPOINT TO CONNECT TO RDS
Click on your highlighted(in blue) Database that was created in RDS
Under the Connectivity & Security Tab, copy the endpoint
Notice down below that I have inserted the RDS database endpoint into my command:
mysql -h mydb-mysql.cy1mpqsxtb4j.us-east-1.rds.amazonaws.com -u admin -p
RDS DATABASE CREATE DATABASE, CREATE TABLE
Just a simple example of creating a database called “Personnel” and a table called “employees” with the fields name, age and dept:
CREATE DATABASE Personnel;
SHOW databases;
USE Personnel;
CREATE TABLE employees(name VARCHAR(10) NOT NULL,
age INT NOT NULL,
dept VARCHAR(30) NOT NULL);
DESCRIBE employees;
CONCLUSION…
CREATED SECURITY GROUPS
- JUMP SERVER
- WEB TIER
- APP TIER
- DB TIER
CREATED VPC, IGW, NATGW, SUBNETS, ROUTE TABLES
- INTERNET GATEWAY
- NAT GATEWAY
- SUBNETS
- ROUTE TABLES
- ROUTES
CREATED LAUNCH TEMPLATES, AUTOSCALING GROUPS
- WEB LAUNCH TEMPLATE
- APP LAUNCH TEMPLATE
- WEB AUTO SCALING GROUP
- APP AUTO SCALING GROUP
AWS MYSQL RDS
- CREATED RDS MYSQL INSTANCE IN AWS
- INSTALLED MYSQL ON APP SERVER
- MANIPULATED DATABASE FROM APP SERVER
Thank you for taking the time to read.. — JR