Roy Kiprop
13 min read · May 31, 2023

IMPLEMENTATION OF A 3 TIER ARCHITECTURE IN AWS CLOUD.

Objectives: To implement a highly available, scalable, secure and resilient 3 Tier Architecture in the AWS Cloud using the Management Console, and to ensure there is connectivity between every layer of the 3 Tier, that is the Web Tier, Application Tier and Data Tier.

Steps Overview:

  1. Create a VPC with its components, i.e. IGW, private and public subnets, route tables and NAT Gateway.
  2. Configure the Web Tier in two public subnets in different AZs with an ASG.
  3. Ensure that the web server can be accessed publicly from the internet.
  4. Configure the App Tier in two private subnets in different AZs with an ASG.
  5. Ensure there is private connectivity from within the VPC.
  6. Configure the Data Tier in the private subnets.
  7. Ensure private connectivity between the VPC components only, and not from the internet.

Below is the design that we are going to implement. Let’s do it!!!!

Highly available: Use of multiple Availability Zones and an ALB that evenly distributes traffic to multiple targets.

Scalable: Use of an ASG to automatically launch new servers in case of increased workloads.

Resilient: Use of multiple Availability Zones and an ASG. In case one component fails, the ASG automatically launches a new one. For AZs, in case one fails the other AZ is still available.

Secure: Use of private subnets that are not accessible from the internet. Also, use of WAF, which monitors and filters traffic from the internet to our web server.

  1. Create VPC.

Inside the AWS Management Console click VPC. Head over to Your VPCs and click Create VPC. Choose VPC only so that we can create the other resources one by one. Give it a name and choose an appropriate CIDR. Leave the other fields as default, including the Tenancy, then click Create VPC.

a) Create Public Subnets and Private Subnets

2 public subnets: for a highly available web server.

4 private subnets: for high availability of the Application Tier and Database Tier.

Next to Your VPCs click Subnets, then Create subnets. Select the VPC we just created. Create the first public subnet by giving it a name and an appropriate CIDR block, select one AZ, then click Add subnet. Do the same for the other public subnet but with a different CIDR range and in a different AZ.

For the four private subnets, choose a different CIDR for each and also different AZs. Click Create subnets to deploy our 6 subnets in the af-south-1a and af-south-1b AZs.

b) Create Internet Gateway.

Here we will create an IGW and attach it to our VPC so that our Web Tier in the public subnets can be accessed over the internet.

Click Internet Gateways, give it a name and create the IGW. Click Attach to a VPC and choose the VPC that we created. Now our public subnets can be reached over the internet through the IGW.

c) Create Public and Private Route Tables.

Next to Subnets, click Route Tables. Click Create route table; we will start with the public route table. Give it a name, choose our VPC, then create it. Add routes to the table by clicking Edit routes. Choose 0.0.0.0/0 as the destination and our IGW as the target. This will allow our public subnets to route traffic to the internet and vice versa. There is also a default route with target local that allows resources within the VPC to communicate.

d) Public route table association.

Now we need to associate this public route table with our public subnets, which will host the Web Tier. Click on the Public-route table and choose Subnet associations. Click Edit subnet associations and select the two public subnets.

e) Create NAT Gateway.

Still on the VPC dashboard, click NAT Gateways and choose Create. Give it a name and choose one of the public subnets (a NAT Gateway is created in a public subnet). Associate the NAT Gateway with an Elastic IP address, then click Create.

Components of our VPC

2. Creating a Web Server Tier.

We will create our first tier, which is the front end for our end users. Head over to EC2 > Launch Templates > Create launch template. The template lets the Auto Scaling group launch instances automatically for high availability. Give the Launch Template a name, then select an AMI and instance type. I prefer Amazon Linux 2023 and t3.nano. Specify your key pair. Under Network settings, create a security group that allows HTTP and SSH access to our instances in the public subnets, and choose the VPC that we created.

Under Advanced details, scroll down to the User data textbox and add a startup script. The script installs an Apache web server on our instances and provisions a web page.

#!/bin/bash
# User data runs as root at first boot, so no sudo/su is needed.
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "<html><body><h1>Welcome to Roy's first 3 Tier Architecture</h1></body></html>" > /var/www/html/index.html

Still on EC2, head over to Auto Scaling Groups and create one. Give it a name and select the Launch Template created earlier. Click Next and choose our VPC and the two public subnets.

Click Next, leave this page as default and click Next again. On Configure group size and scaling policies, we set 2 desired instances, 1 minimum and 3 maximum for availability.

Then hit Next through to Add tags, where we add a tag with key Name and value Web-Tier, then click Next to review and create the Auto Scaling group. We go over to our instances and should have 2 running instances in 2 Availability Zones.

To confirm that an instance is serving the web page, take its public IPv4 address and paste it into the browser.

This shows our Presentation Tier is up and running and can be accessed from the internet.

Application Load Balancer.

Let's now create an ALB to evenly distribute traffic to the multiple instances, for the case where the workload increases and the ASG has launched another web server in a different AZ.

Still on EC2, head over to Load Balancers and click Create load balancer. Choose ALB and leave the other options as default. Select our VPC and our two AZs, and in each AZ make sure you choose the public subnet that hosts our Web Tier. Under Security groups, choose Create new security group, add the appropriate rules, then associate it with the ALB.

For the listener, choose protocol HTTP and port 80, then select Create target group.

On Target groups, select Instances as the target type, give it a name, and choose the HTTP protocol and port 80. This allows the ALB listener to route traffic to the targets. Leave the other options as default and click Next.

Now we need to register our targets. Here we choose the instances that are currently running.

Click Create target group and head back to the listener to add the target group as the destination.

Click Create load balancer and it should be ready to distribute traffic evenly. To confirm, grab the DNS name of the ALB and paste it into the browser. Our web page should be displayed.

Configure WAF

AWS WAF (Web Application Firewall) is a managed service offered by AWS that helps protect web applications from web-based threats. It gives web applications an additional layer of security by letting you specify rules and conditions to filter and manage incoming web traffic.

For our example, we give our web ACL a name and description and choose one AWS managed rule group to avoid additional costs, but you can still define your own custom rule groups. We then associate it with our ALB in the resources section. Make sure the region with the ALB is selected.

This concludes our Web Tier.

Create Application Tier.

In the Application Tier, we will launch EC2 instances with an Auto Scaling group into the 2 private subnets that we created and named AppTier. We will follow the same steps as before to create the Launch Template, but for the security group, since these are private subnets and we do not want our back end to be reachable from the internet, we will only allow: SSH from our Web Tier security group to the App Tier, ICMP from the Web Tier for ping purposes so we can verify that the web server can communicate with the App Tier, and MySQL access for our Database Tier. The MySQL access we will configure later, after we create the Database Tier.

Create the launch template. In the ASG choose the new template we just created. Click Next. Select the correct VPC and this time choose the 2 private subnets for the App Tier to launch our instances into.

Using the same options and steps as the web tier ASG, we will create our auto scaling group.

Now we have 2 Auto Scaling groups: ASG-3tierApplication for our Web Tier and ASG-Apptier for the App Tier.

Two new instances are now running our App Tier.

Associate Private Route Table

Now we need to associate our private route table with the App Tier private subnets to allow communication between resources within the VPC. This local route is configured by default in every route table. Head over to VPC, select Route Tables, then choose the Private-Route that we created. Click Actions and Edit subnet associations. Choose our two App Tier subnets and save.

Under Edit routes, we can see our default local route that allows traffic to be routed to components within the VPC.

We will add another route to allow our private subnets to receive updates and patches from the internet via the NAT Gateway. This is secure because the NAT Gateway only lets the servers initiate outbound connections and does not expose the private IP addresses of our servers to the internet.

To confirm that the Web Tier can communicate with the App Tier, we will ping the App Tier. Take the public IPv4 of one of our public instances and SSH into it. Then, from inside the public instance, use the command line to ping the private IP address of the App Tier instance.

The ping was successful, showing that the two servers can communicate.

Now let's see if the Web Tier can access the App Tier using SSH. For this you can use SSH agent forwarding, but OpenSSH has to be installed on your computer. For our case, since it's just an example, we will SSH to the public server using PuTTY, then copy the contents of the key of our private server into the public server and use the plain SSH command to connect.

NOTE: This is not a secure way to connect to your private server. In case your public server is compromised, the contents of your private server's key can be retrieved.

Connect to the public server.

To connect to the public server, we will use its public IPv4 address and the key pair we created. Once inside the public server, copy the contents of the private server's key into a file on the public server using the vi editor.

Exit the editor and restrict the file's permissions with chmod 400. To connect to the private server, use the command below.

ssh -i /path/to/private_key.pem username@server_ip_address

We can successfully connect to our private server from the public subnet. Let's now check whether our private server can receive updates and patches from the internet via the NAT Gateway.

Use the sudo yum update command to obtain updates for our private server.

Our command worked and we received updates for our private server.

This concludes the Configuration of the Application Tier. Congratulations!!

Create the Database Tier

For our 3rd and final tier we will add a database in the private subnets. In the AWS console navigate to Amazon RDS. AWS offers a wide range of databases, but for this lab we will use MySQL.

Create Subnet Group

From the dashboard click Subnet groups > Create DB subnet group. Here we will create a new subnet group. Give it a name and select your VPC.

Under Add subnets, select the two Availability Zones, af-south-1a and af-south-1b, and make sure you choose the correct subnet IDs: the two private subnets reserved for the Data Tier that we have not used yet. If you don't remember the subnet IDs, go back to the VPC section and click Subnets to confirm.

After selecting the appropriate AZs and subnet IDs, click Create and our subnet group is ready.

Create MySQL RDS

After creating the subnet group, click Databases and select Create database. Choose the MySQL engine option for our database.

Leave the other options as default and select Free tier as our template. For the engine version, we can leave the default, MySQL 8.0.32.

Under the Settings section, give the DB instance a name and create a master username and password for the database and confirm the password.

Under Instance configuration, the burstable classes option is the only one available for the free tier, hence it is already selected.

Leave the other options as default. Under Connectivity, for Compute resource you can choose to set up a connection to a compute resource, but we will choose Don't connect to an EC2 compute resource and select our VPC. Next select the DB subnet group that we created. We also don't want public access to our DB, so we select No for Public access. Under Security group, create a new security group: give it a name and select a preferred Availability Zone. Creating an RDS proxy incurs additional costs, so we will leave it.

You can enable monitoring for your database, but we will skip it for this example. Scroll down and click Create database! After a moment your database will be created.

Click on it and scroll to Connectivity & security. We need to edit our security group to allow inbound access from the Application Tier security group. To do this, click on your database's security group.

Click Edit inbound rules and change the source to our Application Tier security group.

Associate Database with Private Route Tables.

Now we need to associate our database subnets with the private route table. Head over to VPC, select Route Tables and click Private-Route. Click Actions and choose Edit subnet associations. Choose our two Data Tier subnets and click Save associations.

This concludes the Data Tier!! Congratulations. We managed to create a 3 tier Application.
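Before the live connectivity tests, here is an offline check (added here, not part of the original post) that the route tables and security groups built in the steps above enforce the intended isolation: public subnets route 0.0.0.0/0 to the IGW, private subnets only to the NAT Gateway, and each private tier's security group accepts traffic only from the tier directly above it. All subnet, gateway and security group ids are constructed, and the dicts follow a simplified shape of the EC2 describe-route-tables / describe-security-groups output.

```python
# Added example, not from the original post: offline check that route tables and security
# groups enforce the 3-tier isolation built above (ids made up; simplified EC2 describe-* shape).
ANY = "0.0.0.0/0"
TIERS = {"web": ["subnet-web-a", "subnet-web-b"], "app": ["subnet-app-a", "subnet-app-b"],
         "db": ["subnet-db-a", "subnet-db-b"]}
SG_OF_TIER = {"web": "sg-web", "app": "sg-app", "db": "sg-db"}
ROUTE_TABLES = [  # public RT: 0.0.0.0/0 -> IGW; private RT (app + db subnets): 0.0.0.0/0 -> NAT
    {"Associations": [{"SubnetId": s} for s in TIERS["web"]],
     "Routes": [{"DestinationCidrBlock": ANY, "GatewayId": "igw-example"}]},
    {"Associations": [{"SubnetId": s} for s in TIERS["app"] + TIERS["db"]],
     "Routes": [{"DestinationCidrBlock": ANY, "NatGatewayId": "nat-example"}]},
]

def rule(proto, port, cidrs=(), groups=()):
    """One ingress permission (FromPort == ToPort; port -1 means all ICMP types)."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}
SECURITY_GROUPS = {  # ingress rules as configured in the post (web SG also opens SSH)
    "sg-web": [rule("tcp", 80, cidrs=[ANY]), rule("tcp", 22, cidrs=[ANY])],
    "sg-app": [rule("tcp", 22, groups=["sg-web"]), rule("icmp", -1, groups=["sg-web"])],
    "sg-db": [rule("tcp", 3306, groups=["sg-app"])],
}

def default_route_target(subnet_id, route_tables):
    """Return 'igw', 'nat' or None for the subnet's 0.0.0.0/0 route."""
    for rt in route_tables:
        if any(a["SubnetId"] == subnet_id for a in rt["Associations"]):
            for r in rt["Routes"]:
                if r["DestinationCidrBlock"] == ANY:
                    return "igw" if r.get("GatewayId", "").startswith("igw-") else "nat"
    return None  # no association or no default route: the subnet cannot reach the internet

def check_isolation(tiers, route_tables, sgs, sg_of_tier):
    """Return a list of findings; an empty list means the design holds."""
    findings = []
    for s in tiers["web"]:
        if default_route_target(s, route_tables) != "igw":
            findings.append(f"{s}: web subnet lacks a default route to an IGW")
    for s in tiers["app"] + tiers["db"]:
        if default_route_target(s, route_tables) == "igw":
            findings.append(f"{s}: private subnet routes 0.0.0.0/0 to an IGW")
    for tier, upstream in (("app", "web"), ("db", "app")):  # only the tier above may connect
        for perm in sgs[sg_of_tier[tier]]:
            if any(r["CidrIp"] == ANY for r in perm["IpRanges"]):
                findings.append(f"{sg_of_tier[tier]}: port {perm['FromPort']} open to the internet")
            for pair in perm["UserIdGroupPairs"]:
                if pair["GroupId"] != sg_of_tier[upstream]:
                    findings.append(f"{sg_of_tier[tier]}: ingress from {pair['GroupId']}, not the {upstream} tier")
    return findings
```

Feeding it the real describe-* output of your account would turn the same checks into a regression test for the build, for example after someone edits the DB security group or re-associates a subnet.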

Testing Connectivity to the Database Tier

Let's now test whether our App Tier can communicate with our Database Tier. We are going to install the MySQL client on our Tier 2 (App Tier) instance to access the database. Log into the App Tier instance, then use the command below.

sudo yum install mysql -y

This installs the MariaDB client package, which can be used to connect to MySQL. Once installed, we will use the following command to log into our RDS MySQL database.

mysql -h <rds-database-endpoint> -P 3306 -u <username> -p

For this we need the RDS database endpoint, and the username and password you created when you created the RDS database. The endpoint is listed under Connectivity & security on the database's page.

Now let's connect to the database from the App Tier CLI. The command above should log you into the database, which confirms connectivity to our Data Tier.

We made it!!! All our tiers can communicate thus concluding the Implementation of a highly available, secure, scalable and resilient 3 Tier Web Application. CONGRATULATIONS!!

Do not forget to delete the resources created from the start of this challenge to avoid unnecessary costs.