Three Tier Architecture: Diagram and How to Create in AWS

Shelley Martinez
8 min read · May 9, 2022


A Three Tier Architecture is a software design that encompasses the user interface, processing, and data storage and access. The architectural design is broken up into three tiers also known as modules. Each tier is independent so that it can be modified, replaced, or scaled up or down without affecting the other tiers.

Some additional benefits of a three tier architecture are:

  1. The tiers can be developed in parallel, which shortens development and gets the application in front of users sooner.
  2. A three-tier design improves data integrity and security: the client never talks to the database directly, so every request passes through the application tier, which can validate it before anything reaches the data.

The three tiers in a Three Tier Architecture are a Web Tier, Application Tier, and a Database Tier.

Web Tier: Presentation Tier

The Web Tier is the graphical user interface; it is the only tier a user touches, through a web browser, and it talks to the Application Tier (never directly to the Database Tier).

In this tier, we will be creating access to the internet. We will do this by creating the following components: a VPC with an Internet Gateway attached to it, and Public Subnets with a Route Table whose 0.0.0.0/0 Route sends internet-bound traffic to that gateway. Within the public subnets are the EC2 Instances, each with a public IPv4 address. See Diagram:

The EC2 Instances will have public IPv4 addresses, and we will launch them from an Auto Scaling Group so the tier stays available if an instance or an Availability Zone fails. We also must make sure the security group rules allow the traffic we expect:

  • Ensure that your security group rules allow the relevant traffic to flow to and from your instance (for the Web Tier, inbound HTTP on port 80; security groups are stateful, so the responses are allowed automatically).

Application Tier: Logic Tier

This is also known as the logic tier. This is where all the interactions between the Web Tier and Database Tier are processed: it takes requests from the Web Tier, reads or writes data in the Database Tier, and returns the result to the Web Tier. The so-called "logic" is the application code itself, which should check that every input is in the expected format before it is used in a query; it is the only layer that needs database credentials. The components of this tier are back-end, so there is no public access: two private subnets with two EC2 instances, a Route Table for the private subnets, and an Application Load Balancer to distribute connections from the Web Tier across the instances.

Database Tier:

This is also known as the storage tier. Here is where the database is housed; the database engine itself manages permissions such as which user may read and write which tables. The components of this tier are also back-end and consist of a MySQL database (RDS), a security group that admits MySQL traffic only from the Application Tier, two private subnets, and a Route Table.

Create Three Tier Architecture in AWS Console

(This will all be done in the AWS Console. You must have an AWS account or access to an AWS Sandbox. If using your own account, please use your user account and terminate your resources when you have completed this project so as not to incur charges.)

Start with creating the VPC:

Navigate to VPC in the AWS console. AWS has a new "VPC wizard": select "VPC only", enter an IPv4 CIDR block (for example 10.0.0.0/16), and give it a name tag so that resources created in the VPC are named automatically. Select "No IPv6 CIDR block" because this project uses IPv4 only.

Create Subnets

Next, we will create 6 Subnets: 2 public subnets for the WebTier, 2 private subnets for the AppTier, and 2 private subnets for the Database Tier. These subnets will be in 2 Availability Zones. Configure the subnets so that each AZ has 1 public subnet and 2 private subnets.

Navigate to Subnets within the VPC pane👉Create Subnet👉Select the VPC we just made👉Create the first subnet, naming it so that you can recognize whether it is public or private and which tier it is for. Select the Availability Zone and assign it an IPv4 CIDR block that lies inside the VPC's block and does not overlap any other subnet. Repeat for all six subnets, picking the appropriate Availability Zone and a distinct CIDR block for each.

We will also create a Security Group for the Web Tier by navigating to "Security Groups" and selecting "Create Security Group":

Make sure to select the VPC that we created above.
Inbound rules: Type: HTTP, Port range: 80, Source: 0.0.0.0/0 (this is the one group in the project that should be open to the internet).

Create Route Table

Navigate to Route Tables under VPC👉Create Route Table

Make sure you choose the VPC we just created

Associate Route Table to WebTier Subnets

Navigate to Route Table👉Select the Route Table we created for the Web Tier👉Select Actions👉Associate Subnet👉Select the 2 public subnets we created for the Web Tier

Create Internet Gateway

Navigate to Internet Gateways👉Create Internet Gateway👉Name it👉Create Internet Gateway👉Actions👉Attach To VPC👉Choose VPC we created

Associate Route Table with Internet Gateway

Navigate back to Route Tables👉Select Web Tier Route Table👉Actions👉Edit Routes👉Add Route

Destination: 0.0.0.0/0, Target: the Internet Gateway we just created. This route is what makes the two Web Tier subnets public.

Web Tier EC2 Instances:

Navigate to EC2 👉 Launch Templates👉Create Launch Template

Attach the Project9SG security group and the Project9KP key pair created for this project
Bootstrap Script to install Apache Web Server under User Data

Create an Auto Scaling Group to Launch the template we just created

Navigate to EC2👉Auto Scaling Groups👉Create Auto Scaling Group:

Assign a name to this Auto Scaling Group
Select the “Launch Template” that we created before and click “Next”
Select the VPC we created and the two public subnets (one per AZ) for the Web Tier
Set the group size to 2 Instances

After creating the Auto Scaling Group, navigate to Security Groups and check the inbound rules of the security group you created for the Web Tier. Make sure you have Type: HTTP, Port range: 80, Source: Anywhere-IPv4 (0.0.0.0/0).

Check Instances by navigating to EC2 in the console and you should have 2 Instances running:

Copy the public IP addresses and paste each into a new browser tab as http://<public IP> to see if the bootstrap script worked and Apache is serving the page:

Application Tier:

Since the Application Tier's purpose is to process data between the Web Tier and Database Tier, we will now create the route of communication for that. We want the Application Tier to receive requests from the Web Tier and nothing else. To create the Application Tier, we will begin by creating another Route Table to associate with its 2 private subnets, since this tier is in the back end and no public access is needed to reach it. We will then create another Auto Scaling Group that adds 2 instances with their own Security Group.

  1. Create AppTier Route Table: navigate to Route Tables👉Create Route Tables👉Name it👉Select VPC we created earlier👉Select Create Route Table
  2. Now associate this Route Table with the private subnets we created earlier for the App Tier:

3. Create a Security Group: Navigate to Security Groups👉Create Security Group. Select our VPC and, for the inbound rule, use the Web Tier security group as the Source rather than a CIDR block, so only instances in the Web Tier can reach this tier:

4. Create an Auto Scaling Group for the Application Tier. Create a Launch Template just like we did for the Web Tier, but use the AppTier Security Group from the previous step, and when creating the Auto Scaling Group select the two private App Tier subnets so the instances receive no public IP addresses.

Database Tier

We will set up a relational database; it needs to accept traffic from the Application Tier and from nowhere else.

  1. Navigate to RDS👉Create Database: Keep everything at default except the following:
Choose "Standard Create" and "MySQL". Under Connectivity, select the VPC we created and the Database Tier security group (inbound rule: Type: MYSQL/Aurora, Port range: 3306, Source: the App Tier security group), and leave Public access set to No.

2. Now that we set up a MySQL database, we will create a Route Table for this tier and associate the private subnets we created for this tier. To do this follow the same steps we did when we created the Route Table for the Application Tier.

Create a NAT Gateway for Outbound Traffic from the Private Subnets

  1. Navigate to VPC👉NAT Gateway👉Create NAT Gateway:
Name it, choose one of the public subnets in the Web Tier (the NAT Gateway reaches the internet through that subnet's Internet Gateway route, so it must sit in a public subnet), choose the Public connectivity type, and select Allocate Elastic IP

2. Next we will direct the private subnets to the NAT Gateway: navigate back to VPC👉Route Tables👉For each of the route tables created for the App Tier and the Database Tier, select Edit Routes👉Add Route with Destination 0.0.0.0/0 and Target the NAT Gateway we just created. Instances in those subnets can now reach the internet for package updates, but nothing on the internet can initiate a connection to them.
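The three route tables are easy to mix up, and the symptom of a mistake (a private instance that can or cannot reach the internet) only shows up later. The model below is an added example, not code from the article. It reproduces the article's routing for both the Web Tier table (0.0.0.0/0 to the Internet Gateway) and the App and Database tables (0.0.0.0/0 to the NAT Gateway), resolves a destination the way a VPC does (longest prefix wins), and flags a private table whose default route points at the Internet Gateway. The VPC CIDR, the placeholder resource IDs (igw-EXAMPLE, nat-EXAMPLE) and the test addresses are assumptions.

```python
"""Model the project's route tables and check where traffic goes.

Added example; not from the original article. CIDR, resource IDs and the
addresses used below are assumptions.
"""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumption
ANY = ipaddress.ip_network("0.0.0.0/0")


def route_table(name, extra_routes):
    """A route table: the 'local' route AWS adds automatically plus ours."""
    return {"name": name, "routes": [(VPC_CIDR, "local"), *extra_routes]}


ROUTE_TABLES = {                                   # IDs are placeholders
    "web": route_table("web-public",  [(ANY, "igw-EXAMPLE")]),
    "app": route_table("app-private", [(ANY, "nat-EXAMPLE")]),
    "db":  route_table("db-private",  [(ANY, "nat-EXAMPLE")]),
}


def lookup(table, dst):
    """Return the target for dst using longest-prefix match, as a VPC does.

    The /16 local route beats the /0 default, so traffic to another subnet
    in the VPC never leaves through the NAT or Internet Gateway even though
    0.0.0.0/0 also matches it. None means there is no route at all.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, target in table["routes"]:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, target)
    return best[1] if best else None


def audit(tables, private=("app", "db")):
    """Return problems with the private tables (empty list means clean).

    Two failure modes: a private table with no default route (instances
    cannot fetch updates) and, worse, a private table whose default route is
    an Internet Gateway, which makes any instance that also has a public IP
    reachable from the internet.
    """
    problems = []
    for key in private:
        name = tables[key]["name"]
        target = lookup(tables[key], "8.8.8.8")     # any internet address
        if target is None:
            problems.append(f"{name}: no default route, no egress")
        elif target.startswith("igw-"):
            problems.append(f"{name}: default route targets an Internet Gateway")
    return problems


if __name__ == "__main__":
    print("app -> 8.8.8.8   :", lookup(ROUTE_TABLES["app"], "8.8.8.8"))
    print("app -> 10.0.4.10 :", lookup(ROUTE_TABLES["app"], "10.0.4.10"))
    print("web -> 8.8.8.8   :", lookup(ROUTE_TABLES["web"], "8.8.8.8"))
    print("audit:", audit(ROUTE_TABLES) or "clean")
```

The local route is the reason the Web Tier can reach the App Tier's private addresses without any NAT or gateway involvement; the security groups, not the route tables, are what restrict that traffic.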

Create Bastion Host

A Bastion Host is a dedicated, hardened server that is the single point of entry for administrators: you SSH to the bastion and from there SSH on to the private instances, so no private instance ever needs an inbound rule from the internet. Since it must be reachable from outside, the Bastion Host is located in our Web Tier.

Navigate to EC2👉Instance👉Launch Instance:

Name the Instance Bastion Host
Choose the VPC for this project, choose a public subnet in the Web Tier, Enable Auto-assign public IP, Create Security Group
Set the inbound rule to SSH (port 22) with Source "My IP" (your own address), not 0.0.0.0/0; then add an inbound SSH rule to the App Tier security group whose Source is this bastion security group
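The security groups are what actually enforce the tiering: the Web Tier is open on port 80, the App Tier accepts traffic only from the Web Tier group (plus SSH from the bastion), and the database accepts MySQL only from the App Tier group. The checker below is an added example, not code from the article, covering the Web Tier, App Tier, Database Tier and bastion groups described above. It encodes those rules as data, with security-group IDs rather than CIDR blocks as the source wherever a tier should only be reached from the tier in front of it, and reports the mistakes that most often undo the design (a back-end group opened to a CIDR, SSH open to the world). The group IDs, the admin CIDR 203.0.113.0/24, the port numbers for tier-to-tier traffic and the ICMP rule are assumptions.

```python
"""Audit the security-group chain across the three tiers.

Added example; not from the original article. Group IDs, the admin CIDR
and the rule set are constructed for illustration.
"""
import ipaddress

ANYWHERE = "0.0.0.0/0"
ADMIN_CIDR = "203.0.113.0/24"      # assumption: the address you administer from

# Constructed groups. Each inbound rule is (protocol, port, source); source is
# a CIDR string or the ID of another security group. Port -1 means all ports.
GROUPS = {
    "sg-web":     [("tcp", 80, ANYWHERE)],
    "sg-bastion": [("tcp", 22, ADMIN_CIDR)],
    "sg-app":     [("tcp", 80, "sg-web"),
                   ("tcp", 22, "sg-bastion"),
                   ("icmp", -1, "sg-web")],      # needed for the ping test
    "sg-db":      [("tcp", 3306, "sg-app")],
}

# What each group may accept: which ports from CIDR sources, and which ports
# from which other groups. Back-end tiers accept nothing from a CIDR.
POLICY = {
    "sg-web":     {"cidr_ok": {80},    "sg_ok": {"sg-bastion": {22}}},
    "sg-bastion": {"cidr_ok": {22},    "sg_ok": {}},
    "sg-app":     {"cidr_ok": set(),   "sg_ok": {"sg-web": {80, -1}, "sg-bastion": {22}}},
    "sg-db":      {"cidr_ok": set(),   "sg_ok": {"sg-app": {3306}}},
}


def is_cidr(source):
    """True if the rule source is an IP range rather than a security group ID."""
    try:
        ipaddress.ip_network(source)
        return True
    except ValueError:
        return False


def audit_groups(groups, policy):
    """Return a list of findings; an empty list means the chain is intact."""
    findings = []
    for sg, rules in groups.items():
        pol = policy[sg]
        for proto, port, source in rules:
            if is_cidr(source):
                if port not in pol["cidr_ok"]:
                    findings.append(f"{sg}: {proto}/{port} open to CIDR {source}; "
                                    "this tier should only be reached from another group")
                elif source == ANYWHERE and port == 22:
                    findings.append(f"{sg}: SSH open to the world; restrict to your IP")
            else:
                allowed = pol["sg_ok"].get(source)
                if allowed is None:
                    findings.append(f"{sg}: {proto}/{port} allowed from {source}, "
                                    "which is not an adjacent tier")
                elif port not in allowed:
                    findings.append(f"{sg}: {proto}/{port} from {source} is not needed")
    return findings


if __name__ == "__main__":
    print("findings:", audit_groups(GROUPS, POLICY) or "none")
```

Security groups are stateful, so the table lists inbound rules only; replies to allowed connections are permitted without an outbound rule. Using a group ID as the source also means the rule keeps working when Auto Scaling replaces instances, which a CIDR of individual instance addresses would not.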

Verify Communication from WebTier to Application Tier

Navigate to EC2👉Instances👉Choose a WebTier Instance👉Select Actions👉Connect👉Connect to Instance

Once you are in the Instance terminal, input this command:

ping <private IP address of App Tier>

For the ping to succeed, the App Tier security group must allow ICMP (Type: All ICMP - IPv4) with the Web Tier security group as the Source; the HTTP rule alone does not permit ICMP echo requests. Because security groups are stateful, the replies come back without an additional rule.

This was a long but fun project. Some takeaways if you run into a connection problem: check your security groups and their inbound rules, and make sure you have the right associations between subnets and route tables!
