Creating a Highly Available Three-Tier Architecture in AWS

Michael Gatt
10 min read · Sep 8, 2022


Scenario:
You have been asked to design and create a highly available 3 Tier architecture for your company’s new web application.

Web Tier

  1. 2 public subnets
  2. Minimum of 2 EC2 instances with an OS of your choice (free tier) in an Auto Scaling Group.
  3. EC2 Web Server Security Group allowing inbound permission from the internet.
  4. Bootstrap a static web page, or create a custom AMI that already includes the static web page.
  5. Create a public route table and associate the 2 public subnets.

Application Tier

  1. 2 private subnets
  2. Minimum of 2 EC2 instances with an OS of your choice (free tier) in an Auto Scaling Group.
  3. EC2 Application Server Security Group allowing inbound permission from the Web Server Security Group.
  4. Associate with private route table.
    Note: This is not a true application tier as we don’t have any provided code to run on the EC2 instances.

Database Tier

  1. Use a free-tier MySQL RDS database.
  2. The Database Security Group should allow inbound traffic for MySQL from the Application Server Security Group.
  3. 2 private subnets.
  4. Associate with private route table.
    Note: No need to use Multi-AZ, but be sure to document how you would add it.

Considerations:

  1. You will need to configure a public route table along with private route tables.
  2. You will need a NAT Gateway in one of your public subnets to allow your instances in private subnets to update packages and patches. Make sure to include this in the private route table.
  3. In order to reach your EC2 instances in the private subnets, you will either need a bastion host in the public subnet or need to use SSM. You will need to research into both to see which works better for your use case.
  4. Plan out your CIDRs before you create your VPC and subnets.

What is a Three-tier architecture?

Web/Presentation tier:

This tier is built with HTML5, cascading style sheets and JavaScript, and it is delivered to the user's computing device through a web browser or a web-based application. The presentation tier communicates with the remaining two tiers through API (application programming interface) calls.

Application tier:

The application tier is also referred to as the logic tier. It is written in a programming language such as Java and contains the business logic that supports the core functions of the application. It is hosted either on an in-house dedicated server or on distributed servers in the cloud, depending on the processing power the application requires.

Database tier:

The data tier holds the database together with the program that manages read and write access to it. This tier is also referred to as the storage tier, and it can be hosted in the cloud or on-premises. PostgreSQL, MySQL, MongoDB and Microsoft SQL Server are among the popular database systems used to manage read/write access.

To learn more about three-tier architecture, check out this website.

Web/Presentation tier

Setup the Virtual Private Cloud (VPC)

  1. Go to the VPC section of the AWS console and click the Create VPC button. Name your VPC and provide a CIDR block of your choosing; for this project we chose the IPv4 CIDR 10.0.0.0/16.

Create 6 Subnets for our VPC

We will need to create two public subnets in different Availability Zones for the web tier, two private subnets in different Availability Zones for the application tier, and two private subnets in different Availability Zones for the database tier.

Subnet         | CIDR        | Availability Zone
Web-public-1   | 10.0.1.0/24 | us-east-1a
Web-public-2   | 10.0.2.0/24 | us-east-1b
App-private-1  | 10.0.3.0/24 | us-east-1a
App-private-2  | 10.0.4.0/24 | us-east-1b
Data-private-1 | 10.0.5.0/24 | us-east-1a
Data-private-2 | 10.0.6.0/24 | us-east-1b
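Consideration 4 asks you to plan the CIDRs before creating anything. The following standard-library check, added here as an example and not part of the original article, takes the subnet plan above and verifies that every subnet sits inside the VPC, that no two overlap, and that every tier spans two Availability Zones; the tier labels and the AWS rule of five reserved addresses per subnet are the only things it assumes beyond the table.

```python
import ipaddress
from collections import defaultdict

# Constructed from the subnet plan in this article: (tier, name, CIDR, AZ).
VPC_CIDR = "10.0.0.0/16"
SUBNET_PLAN = [
    ("web", "Web-public-1", "10.0.1.0/24", "us-east-1a"),
    ("web", "Web-public-2", "10.0.2.0/24", "us-east-1b"),
    ("app", "App-private-1", "10.0.3.0/24", "us-east-1a"),
    ("app", "App-private-2", "10.0.4.0/24", "us-east-1b"),
    ("db", "Data-private-1", "10.0.5.0/24", "us-east-1a"),
    ("db", "Data-private-2", "10.0.6.0/24", "us-east-1b"),
]


def usable_hosts(cidr):
    """AWS reserves the first four and the last address of every subnet."""
    return ipaddress.ip_network(cidr).num_addresses - 5


def validate_plan(vpc_cidr, plan):
    """Return a list of problems; an empty list means the plan is sound."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems, seen = [], []
    azs_per_tier = defaultdict(set)
    for tier, name, cidr, az in plan:
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is outside the VPC {vpc_cidr}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        seen.append((name, net))
        azs_per_tier[tier].add(az)
    # High availability needs each tier spread over at least two AZs.
    for tier, azs in azs_per_tier.items():
        if len(azs) < 2:
            problems.append(f"{tier} tier spans only one AZ: {sorted(azs)}")
    return problems


if __name__ == "__main__":
    for tier, name, cidr, az in SUBNET_PLAN:
        print(f"{name:15} {cidr:14} {az}  usable hosts: {usable_hosts(cidr)}")
    print("problems:", validate_plan(VPC_CIDR, SUBNET_PLAN) or "none")
```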

We need to enable the auto-assign public IP setting for our public subnets. To do so, select the subnet, then click Actions → Edit subnet settings → enable auto-assign public IP → Save.

Setup the Internet Gateway

To create the Internet Gateway, navigate to the Internet Gateways page and click the Create internet gateway button.

After you create your internet gateway, attach it to your VPC.

Create Two Route Tables

We need two route tables: a private route table and a public route table. The public route table defines which subnets have direct access to the internet (i.e. the public subnets), while the private route table defines which subnets go through the NAT gateway (i.e. the private subnets).

To create route tables, navigate to the Route Tables page and click the Create route table button. Create one public and one private route table.

With our two route tables available, we will now attach our two public subnets to our public route table.

Select public route table → Subnet associations → select public subnets

Next we will add our IGW to the public route table.

Public route table → Edit routes → Add route → Destination: 0.0.0.0/0 → Target: IGW → Save changes

Next we will attach our application private subnets to our private route table.

Select private route table → Subnet associations → select private application subnets

Create the NAT Gateway

The NAT gateway enables the EC2 instances in the private subnets to reach the internet for outbound traffic such as package updates, without making them reachable from the internet. The NAT Gateway itself is managed by AWS. To create the NAT gateway:

NAT Gateways → Create NAT gateway → Name → Subnet (select a public web subnet) → Connectivity type: Public → Allocate Elastic IP → Create NAT gateway

Now that we have created our NAT gateway we need to go to the private route table and add our NAT gateway.

Private route table → Edit routes → Add route → Destination: 0.0.0.0/0 → Target: NAT gateway → Save changes

Create Launch Template

In the top left-hand corner, select Services → Compute → EC2.

Choose Launch Templates in the left-hand column menu, then select Create launch template

Choose your AMI. For this project I'm selecting Amazon Linux, and I'm using a key pair I created for an earlier project, but feel free to create one if needed.

For network settings we will leave the subnet info as default. We will then create a security group: provide a name and allow inbound traffic on ports 22 and 80.

Once that is configured, scroll to Advanced details and paste the script for your web tier into the User data field. Once you're done, select Create launch template.

#!/bin/bash
# Web-tier bootstrap: patch the instance, install Apache, start it now and on every boot.
yum update -y
yum install httpd -y
systemctl start httpd
systemctl enable httpd
# Publish the static landing page from Apache's document root.
cat > /var/www/html/index.html <<'EOF'
<!DOCTYPE html>
<html lang="en">
<body style="background-color:black;">
 <h1 style="color:Gold;">Week 9 project -Web tier of the 3 tier application is a success!</h1>
</body>
</html>
EOF

Our launch template has been successfully created.

Auto Scaling Groups

To create an Auto Scaling Group, navigate to the Auto Scaling Groups page and click the Create Auto Scaling group button. Provide a name, choose your Tier-3 launch template, then click Next.

Select your 3-tier VPC and the web-tier public subnets, then click Next. We won't add a load balancer, so click Next again.

Select the group size of your choosing; I'm going with a desired capacity of 2 and a maximum of 4.

Once you have reviewed your Auto Scaling group, click Create and navigate to EC2 to find your running instances.

Copy and paste the public IPv4 address into a web browser, and the page from your script should be up and running.

Success

Application tier

Now we will create a launch template for the application tier by following the instructions above. The only differences: add port 3306 for MySQL/Aurora, and for port 22 set your web-tier security group as the source. There is also no need to add a script to the User data field.

We have created our application launch template; now it's time to create an application Auto Scaling Group.

To create an Auto Scaling Group, navigate to the Auto Scaling Groups page and click the Create Auto Scaling group button. Provide a name, choose your application template, then click Next.

Select your 3-tier VPC and the app-tier private subnets, then click Next. We won't add a load balancer, so click Next again.

Select the group size of your choosing; I'm going with a desired capacity of 2 and a maximum of 4.

Review all of your information again and create the Auto Scaling group.

As you can see I have instances running for both my web and application tiers.

Database tier

Now that the subnets are created, let’s move over to create the database.

In the search bar, type RDS → Create database.

We are going with Standard create and MySQL as the engine type.

For Templates, we want to stay within the free tier.

For settings:

DB cluster identifier: PrivateDB-Instance

Master username: admin

Master password: **************

Change the burstable class from db.t3.micro to db.t2.micro.

For storage, make sure to untick Enable storage autoscaling.

For connectivity, select your 3-tier VPC and select No for public access.

For your VPC security group, provide a name and ensure that the database port is set to 3306, the port number for MySQL. Review all your information and create the database.

Our database is up and running.

Update connectivity between the Database and the Application tiers

Navigate to your Application-SG.

  • Under Connectivity and security, click the hyperlink under VPC security groups.
  • Under Inbound rules, click Edit inbound rules.
  • Click Add rule.
  • Type 3306 in the port range (MySQL protocol).
  • For the source, select your application-tier security group.
  • Delete the default rule that was listed.
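The three security groups built in this article (web: 22 and 80 from the internet; app: 22 and 3306 from the web-tier group; database: 3306 from the application-tier group) form a chain that should leave only the web tier reachable from outside. The model below, added here as an example and not part of the original article, evaluates those rules the way a reviewer would: it assumes the app tier's 3306 rule is sourced from the web-tier group like its port 22 rule, uses the documentation address 203.0.113.7 as a stand-in internet client, and checks only security-group rules, not routing.

```python
import ipaddress

# Constructed model of the three security groups this article builds.
# Each inbound rule is (port, source); source is a CIDR or another SG's name.
# Assumption: the app tier's 3306 rule, like its port 22 rule, is sourced from web-sg.
SECURITY_GROUPS = {
    "web-sg": [(80, "0.0.0.0/0"), (22, "0.0.0.0/0")],
    "app-sg": [(22, "web-sg"), (3306, "web-sg")],
    "db-sg": [(3306, "app-sg")],
}


def rule_admits(source, origin_ip, origin_sg):
    """A CIDR source is matched on the origin's IP; an SG source on its group."""
    if "/" in source:
        return ipaddress.ip_address(origin_ip) in ipaddress.ip_network(source)
    return source == origin_sg


def open_ports(sgs, target_sg, origin_ip, origin_sg=None):
    """Ports an origin can reach on instances in target_sg. Only SG rules are
    evaluated, so this is the upper bound of what the group itself permits."""
    return sorted({port for port, src in sgs[target_sg]
                   if rule_admits(src, origin_ip, origin_sg)})


def internet_exposed(sgs):
    """(sg, port) pairs open to the whole internet; for this design the list
    should contain the web tier only."""
    return sorted((name, port) for name, rules in sgs.items()
                  for port, src in rules if src == "0.0.0.0/0")


if __name__ == "__main__":
    # 203.0.113.7 is a documentation address standing in for an internet client.
    print("internet -> web:", open_ports(SECURITY_GROUPS, "web-sg", "203.0.113.7"))
    print("internet -> db: ", open_ports(SECURITY_GROUPS, "db-sg", "203.0.113.7"))
    print("app -> db:      ", open_ports(SECURITY_GROUPS, "db-sg", "10.0.3.10", "app-sg"))
    print("web -> db:      ", open_ports(SECURITY_GROUPS, "db-sg", "10.0.1.10", "web-sg"))
    # Constructed misconfiguration: a leftover rule opening 3306 to the world
    # on the database group shows up immediately in the exposure report.
    weak = dict(SECURITY_GROUPS, **{"db-sg": [(3306, "0.0.0.0/0")]})
    print("exposed (weak): ", internet_exposed(weak))
    print("exposed (fixed):", internet_exposed(SECURITY_GROUPS))
```

Running the exposure report before and after the inbound-rule edit above is a quick way to confirm the database group admits nothing but the application tier.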

We are now done creating our Database Tier. Let’s move on to our final step of this project — The Verification Process.

Success!

We transmitted six packets and received six packets from both private IP addresses, so yes, we can ping the application tier from the web tier.

Congratulations, we have officially completed all tasks in the project and successfully built your very own three-tier architecture. I would like to thank everyone for taking the time out of your day to read this article. Don't forget to go back and delete all resources used in this lab so you don't incur any charges.

Michael Gatt

Navy veteran currently transitioning towards DevOps/Cloud engineering