Create 3-Tier Architecture on AWS
The main objective of this article is to design and create a highly available 3-tier architecture for a web application.
What is 3-Tier Architecture?
Three-tier architecture is an application architecture that separates an application into three logical and physical computing tiers: the presentation (web) tier, the application tier and the data tier. Each tier has its own infrastructure and can be developed in parallel, which allows each tier to be updated and scaled as needed without impacting the others.
Presentation tier/Web Tier
The presentation tier is the part of the web application that is visible to the user. In this scenario we use Amazon EC2 instances to host the web application and a security group to manage ingress and egress traffic to the instances. An Application Load Balancer distributes the incoming traffic across EC2 instances in two availability zones.
Application Tier
The application tier is where you write the code that implements your web application's logic. Here we provision the EC2 instances with an Auto Scaling group and use an Application Load Balancer to distribute the traffic coming from the web tier.
Data Tier
The data tier is the backend tier of the web application and runs the database management software. In this instance we use MySQL on RDS, provisioned on a dedicated subnet in each of the two availability zones.
VPC Structure
The VPC follows a 3-tiered network structure with 6 subnets across 2 availability zones. Within the web application stack deployed in the VPC, security groups and Application Load Balancers restrict network flows between the specific EC2 instances and AWS resources.
This VPC structure has the following subnets, and the following tables show the traffic flow between subnets.
VPC IP Address Allocation
Security Groups
We use 3 security groups, applied to the EC2 instances, to control inbound and outbound traffic.
Security Group for the Public Subnet
Security Group for the private Subnet
Security Group for the RDS Subnet
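The rules of the three groups are shown only as console screenshots above, so here is an added example (not from the article) that audits the intended web → app → db chain against the `SecurityGroups` array returned by `aws ec2 describe-security-groups`. The group names are the article's; the allowed ports per tier (80/443, 80, 3306) and the sample groups are constructed assumptions.

```python
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Intended flow for the article's three groups (ports are assumptions; adjust to yours):
# internet -> web on 80/443, web -> app on 80, app -> db on 3306, nothing else.
EXPECTED = {
    "3tier-prod-web-sg": {"sources": ANYWHERE, "ports": {80, 443}},
    "3tier-prod-app-sg": {"sources": {"3tier-prod-web-sg"}, "ports": {80}},
    "3tier-prod-db-sg": {"sources": {"3tier-prod-app-sg"}, "ports": {3306}},
}


def audit(groups):
    """Return findings for ingress rules that break the chain; an empty list is clean."""
    by_id = {g["GroupId"]: g["GroupName"] for g in groups}  # resolve sg-xxx references
    findings = []
    for g in groups:
        name = g["GroupName"]
        expected = EXPECTED.get(name)
        if expected is None:
            continue  # not one of the three tier groups
        for perm in g.get("IpPermissions", []):
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            ports = set(range(lo, hi + 1)) if lo is not None else {"all"}  # "-1" = all traffic
            # Every source the rule grants: IPv4/IPv6 CIDRs and referenced groups
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [by_id.get(p["GroupId"], p["GroupId"])
                        for p in perm.get("UserIdGroupPairs", [])]
            for src in sources:
                if src not in expected["sources"]:
                    findings.append(f"{name}: unexpected source {src} on ports {sorted(ports)}")
                elif not ports <= expected["ports"]:
                    findings.append(f"{name}: {src} allowed on ports {sorted(ports)}, "
                                    f"expected {sorted(expected['ports'])}")
    return findings


# Constructed sample in describe-security-groups shape, with two deliberate mistakes:
# SSH open to the world on the web group, and the DB port open to the whole VPC CIDR.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "3tier-prod-web-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-app", "GroupName": "3tier-prod-app-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
    ]},
    {"GroupId": "sg-db", "GroupName": "3tier-prod-db-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
    ]},
]
```

Run `audit(json.load(...)["SecurityGroups"])` on real CLI output to get the same report for your own VPC; the sample above yields one finding for the web group and one for the DB group.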
Create the VPC
- Access the AWS VPC management console and click on “Create VPC”
Create the Internet Gateway
- Under VPC → Internet Gateway click on “Create internet gateway”
Then attach the internet gateway to the VPC.
Create subnets for all 3 tiers.
Create Route Table for Public Subnet and Private Subnet
1) Go to the VPC management console → Under Virtual Private Cloud → Route Table
2) Click on Create Route Table
Route Table for the web tier
Route tables for the other subnets (app tier and data tier) are created in the same way.
Create and configure Web Tier
1. Create a Security Group to control traffic to the resources in public subnets.
2. Create a launch template.
· Enter the name for the template: 3tier-web-ec2-template
· Select the AMI — Amazon Linux and select the instance type — t2.micro
· Set a Key Pair and select the existing security group.
· Enter the content of the bash script under user data.
3. Create Application Load Balancer — Frontend Load Balancer
· Click on Load Balancer and then click on Create under Application Load balancer.
· Enter the name: 3tier-prd-web-alb and select the scheme as Internet facing.
· Select the existing VPC.
· Choose the two availability zones in which the load balancer routes traffic to targets.
· Select the security groups created for web tier — 3tier-prod-web-sg
· Create a new Target Group, provide a name — 3tier-alb-tg1, select the two EC2 instances in the web tier and click on “Create Target Group”
Once created, the properties of the ALB are shown below.
4. Create Auto Scaling Group
· Provide a name for the Auto Scaling Group — 3tier-prd-webfrontend-asg and select the launch template created in earlier step — 3tier-web-ec2-template
· Select the VPC and 2 availability zones with subnets.
· Under “Configure advanced options” → Attach to an existing load balancer target group
· Select the following numbers for the group size and then click on “Create Auto Scaling group”
Verify that the web page hosted on the EC2 instances in the web tier is accessible from the internet.
· Use the DNS name assigned to the web-tier ALB
· Access the DNS name of the ALB and check whether you can reach the web page hosted on the EC2 instances.
Create and Configure Application-Tier
1. Create a security group — provide the name 3tier-prod-app-sg
2. Create a NAT Gateway
· Provide a name for the NAT Gateway: 3tier-prd-ngw
· Select the subnet — subnet-us-east-1–1a-public-prod-web-app-stack
· Allocate an Elastic IP → Click on “Allocate Elastic IP”
· Click on “Create NAT Gateway”
Create a Route Table: App-Subnet — 3tier-prod-us-east-1-app-private
Add a route that sends traffic from the app tier to the NAT Gateway.
3. Create a Launch Template
· Provide a name for the template: 3tier-app-ec2-template.
· Select “Amazon Linux” as the AMI and t2.micro as the instance type.
· Select the existing security group — 3tier-prod-app-sg
· Click on Create Launch Template
4. Create auto scaling group.
· Name of the Auto scaling group — “3tier-prd-app-asg”
· Select the Launch template created — “3tier-app-ec2-template”
· Under “Choose instance launch options”, select the VPC and relevant availability zones and subnets
· Under Load balancing → “Choose from your load balancer target groups” select the target group created before.
· Specify the size of the Auto scaling group as below.
· Click on “Create Auto Scaling group”
5. Create an ALB — Application Tier
· Provide the name for the ALB — 3tier-prd-app-alb
· Select the scheme as “Internal”, as this load balancer routes requests from clients to targets using private IP addresses.
· Select the existing VPC
· Select the Availability zones — us-east-1a and us-east-1b
· Select the security group — 3-tier-prd-app-sg
· Create a Target Group — Provide the name of the target group and select the VPC and Click Next
· Under “Register targets” select the running EC2 instances
Verify connectivity to an EC2 instance in the application tier from an EC2 instance in the web tier.
· SSH into an EC2 instance in the web tier and attempt to ping an EC2 instance in the app tier.
As shown above, you can see I was able to ping one of the hosts in the app tier from an EC2 instance in the web tier.
Create and Configure the Database Tier
1. Create a security group for the DB tier.
Here are the properties of the security group after creating it.
2. Create a Subnet Group
· Navigate to the Amazon RDS management console and select the Subnet groups.
· Provide the name for the Subnet group, choose the VPC and select the AZs and relevant subnets.
· As the final step, click on create.
3. Create an RDS MySQL Database
· Navigate to RDS Management Console
· Under Create database section, click on “Create Database”
· Choose the database creation method and select “MySQL” as the Engine option.
· Select the RDS Free Tier
· Under Settings, set the master password for the database.
· Choose the storage type and the allocated storage for the database.
· Select the VPC and Subnet group created in earlier steps.
· Select the security group created in the earlier step — 3tier-prod-db-sg
· Click on Create database.
Note: this will take some time to create the database.
We are unable to SSH to the EC2 instances in private subnets over the internet.
I have decided to use AWS Systems Manager (SSM) to reach the EC2 instances in the private subnets from the internet. You can then use the AWS CLI to connect to fleets of EC2 instances without exposing another host (a bastion host) to the internet.
· Create a new IAM role that an EC2 instance can assume, with the AmazonSSMManagedInstanceCore AWS managed policy attached. This allows the EC2 instances to use SSM’s services.
· Assign the IAM role to the EC2 instances in the application tier.
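Added example (not from the article) that checks the two properties the role above needs: its trust policy lets only the EC2 service assume it, and AmazonSSMManagedInstanceCore is attached. Input is shaped like `Role.AssumeRolePolicyDocument` from `aws iam get-role` and the policy ARNs from `aws iam list-attached-role-policies`; the sample documents are constructed.

```python
SSM_CORE = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"


def _as_list(value):
    """IAM documents allow a scalar or a list in Statement, Principal.Service and Action."""
    return value if isinstance(value, list) else [value]


def ec2_can_assume(trust_policy):
    """True when an Allow statement lets ec2.amazonaws.com call sts:AssumeRole and no
    statement trusts '*' or an AWS account/user principal (too broad for an instance role)."""
    ec2_ok = False
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or "AWS" in principal:
            return False
        services = _as_list(principal.get("Service", []))
        if "ec2.amazonaws.com" in services and "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            ec2_ok = True
    return ec2_ok


def ssm_ready(trust_policy, attached_policy_arns):
    """The role works for Session Manager only if EC2 can assume it and the core policy is attached."""
    return ec2_can_assume(trust_policy) and SSM_CORE in attached_policy_arns


# Constructed samples shaped like Role.AssumeRolePolicyDocument from `aws iam get-role`
TRUST_OK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
TRUST_OPEN = {"Version": "2012-10-17", "Statement":
              {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}}
```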
Adding the EC2 instances to SSM inventory
- Navigate to the AWS Systems Manager console, click on Inventory under Node Management, and then click on “Setup Inventory”
- Navigate to Targets, select “Manually selecting instances” and select the EC2 instances you would like to onboard to SSM by installing the SSM agent.
- Click on Setup Inventory
- Once you click on “Setup Inventory”, this installs the SSM agent on the instance and begins reporting back to AWS. When this process completes, the managed instance should appear under the managed instances tab on the Fleet Manager page.
Establishing SSM session via the AWS CLI
First you need to install the Session Manager plugin, which provides the libraries the AWS CLI uses to start and end sessions using SSM.
Install the Session Manager plugin:
1) Open a terminal on your local machine.
2) Install the Session Manager plugin as per the AWS documentation
Once the Session Manager plugin is installed, run the following command, replacing <instance-id> with the ID of the EC2 instance:
aws ssm start-session --target <instance-id>
Connecting to the instance using SSH
Run the command below with the name of the key file, the remote user name and the instance ID:
ssh -i <KeyFile> -o ProxyCommand="sh -c \"aws ssm start-session --target %h --document-name AWS-StartSSHSession\"" RemoteUsername@InstanceID