Amazon VPC
AWS VPC is like a shielded fortress within the AWS network, providing you with a virtually isolated private network. It's as if you've brought your secure data center to the cloud!
While creating a VPC, the following options need to be configured.
Availability Zones:
- These are distinct data centers within a region, providing redundancy and fault tolerance. Think of them as the building blocks of high availability.
CIDR Blocks:
- Classless Inter-Domain Routing blocks define the IP address range for your VPC, much like setting the size of your territory on a map.
DNS Options:
- Domain Name System (DNS) options let you configure how your VPC resolves domain names. It's like choosing your VPC's "language" for talking to the internet.
Internet Gateway:
- This is your VPC's portal to the internet. It lets traffic flow between your VPC and the worldwide web, acting as the gateway to the online world.
Name:
- The name of your VPC is like a label on a folder, making it easier to identify and manage within your AWS account.
NAT Gateways:
- Network Address Translation (NAT) gateways are like interpreters that let your private resources initiate outbound connections to the internet without being reachable from it, enabling them to "speak the same language."
Route Tables:
- Think of route tables as maps that dictate where network traffic should go. They define the pathways within your VPC.
Subnets:
- Subnets are like neighborhoods within your VPC. They divide your VPC's IP address range into smaller chunks, each with its own characteristics.
Tenancy:
- Tenancy options determine whether your instances run on shared hardware (like apartments in a building) or dedicated hardware (like your own house) within the AWS data center.
Let's create and deploy the VPC and all the networking components in a hands-on way.
The solution is comprised of the following components:
- A VPC across two Availability Zones
- Two public web subnets, two private app subnets, and two private DB subnets
- An Internet Gateway attached to the VPC
- A public route table routing internet traffic to the Internet Gateway
- Two private route tables routing traffic internally within the VPC
- A frontend web server Elastic Load Balancer that routes traffic to the Apache web servers
- An Auto Scaling group that launches additional Apache web servers based on defined scaling policies. Each instance of the web server is based on a launch template, which defines the same configuration for each new web server.
- A hosted zone in Amazon Route 53 with a domain name that routes to the frontend web server Elastic Load Balancer
- An Auto Scaling group that launches additional Apache web application servers based on defined scaling policies. Each instance of the application server is based on a launch template, which defines the same configuration and software components for each new application server.
- A MySQL Amazon Relational Database Service (Amazon RDS) Multi-AZ deployment to store the contact management and role access tables
Here's the list of components:
- AWS Cloud
- VPC
- Subnets
- Internet Gateway
- NAT Gateway
- Route Tables
- Security Groups
- EC2 Machine
- Application Load Balancer
- Auto Scaling
- Launch Template
- RDS Database - MySQL
- MobaXterm SSH Client
Here are the project implementation phases:
- Phase 1: Deploy networking infrastructure
- Phase 2: Deploy Launch Template
- Phase 3: Create elastic load balancer, auto scaling group, target group
- Phase 4: Verify that the web application is accessible
- Phase 5: Test horizontal scaling and high availability of the web application
- Phase 6: Deploy RDS DB managed MySQL instance
This sequence provides a clear overview of the project's implementation phases.
AWS Solution Architecture:
Phase 1: Deploy networking components
Create VPC
  Name: prafect-vpc
  CIDR: 10.0.0.0/16
Create web subnets
  Name: web-public01
  Availability zone: us-east-2a
  CIDR: 10.0.1.0/24
  Name: web-public02
  Availability zone: us-east-2b
  CIDR: 10.0.2.0/24
Create app subnets
  Name: app-private01
  Availability zone: us-east-2a
  CIDR: 10.0.3.0/24
  Name: app-private02
  Availability zone: us-east-2b
  CIDR: 10.0.4.0/24
Create DB subnets
  Name: db-private01
  Availability zone: us-east-2a
  CIDR: 10.0.5.0/24
  Name: db-private02
  Availability zone: us-east-2b
  CIDR: 10.0.6.0/24
Create Internet Gateway
  Name: web-igw
  Attach to VPC: prafect-vpc
Create NAT Gateway
  Name: prafect-NAT
  Subnet: web-public01
  Connectivity: Public
  Elastic IP: Allocate Elastic IP
Create Route table: Web-RT
  Name: Web-RT
  Select the VPC: prafect-vpc
  Subnet associations: select web-public01 and web-public02
  Routes: add the internet gateway as the target for 0.0.0.0/0
    Destination: 0.0.0.0/0
    Target: internet gateway web-igw
Create Route table: App-RT
  Name: App-RT
  Select the VPC: prafect-vpc
  Subnet associations: select app-private01 and app-private02
  Routes: add the NAT gateway as the target for 0.0.0.0/0
    Destination: 0.0.0.0/0
    Target: NAT gateway prafect-NAT
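The subnet and route-table plan above can be checked mechanically before any of it is clicked into the console. The following Python script is an added example (it is not part of the original post and not an AWS tool): it transcribes the VPC, subnets and route tables above into plain data and verifies the properties that make the web subnets public and the app and DB subnets private. The `main` entry standing in for the VPC main route table is an assumption about the design: the post associates no custom route table with the DB subnets, so they stay on the main table, which carries only the local route.

```python
"""Offline sanity check of the three-tier VPC layout described in the post.

Added example, not the post's own material. Names and CIDRs are taken from the
post; the 'main' route table entry and the checks themselves are assumptions
about what a reviewer would want verified before deploying.
"""
import ipaddress
from itertools import combinations

VPC_CIDR = "10.0.0.0/16"

# tier -> list of (subnet name, availability zone, CIDR), values from the post
SUBNETS = {
    "web": [("web-public01", "us-east-2a", "10.0.1.0/24"),
            ("web-public02", "us-east-2b", "10.0.2.0/24")],
    "app": [("app-private01", "us-east-2a", "10.0.3.0/24"),
            ("app-private02", "us-east-2b", "10.0.4.0/24")],
    "db":  [("db-private01", "us-east-2a", "10.0.5.0/24"),
            ("db-private02", "us-east-2b", "10.0.6.0/24")],
}

# route table -> associated subnets and routes (destination -> target kind)
ROUTE_TABLES = {
    "Web-RT": {"subnets": ["web-public01", "web-public02"],
               "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw"}},
    "App-RT": {"subnets": ["app-private01", "app-private02"],
               "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat"}},
    # assumption: DB subnets stay on the VPC main table, which has only 'local'
    "main":   {"subnets": ["db-private01", "db-private02"],
               "routes": {"10.0.0.0/16": "local"}},
}

NAT_GATEWAY_SUBNET = "web-public01"          # where prafect-NAT is launched
EXPECTED_AZS = {"us-east-2a", "us-east-2b"}


def default_route_target(route_tables, subnet):
    """Return the target kind of the 0.0.0.0/0 route for a subnet, or None."""
    for table in route_tables.values():
        if subnet in table["subnets"]:
            return table["routes"].get("0.0.0.0/0")
    return None  # not associated with any table we know about


def check_layout(vpc_cidr, subnets, route_tables, nat_subnet, expected_azs):
    """Return a list of human-readable findings; an empty list means 'clean'."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    all_subnets = [(name, az, ipaddress.ip_network(cidr))
                   for tier in subnets.values() for name, az, cidr in tier]

    # 1. addressing: every subnet inside the VPC, and no two subnets overlap
    for name, _az, net in all_subnets:
        if not net.subnet_of(vpc):
            findings.append(f"{name} ({net}) is outside VPC {vpc}")
    for (a, _, na), (b, _, nb) in combinations(all_subnets, 2):
        if na.overlaps(nb):
            findings.append(f"{a} and {b} overlap ({na} / {nb})")

    # 2. availability: each tier must be present in every expected AZ
    for tier, members in subnets.items():
        missing = expected_azs - {az for _name, az, _cidr in members}
        if missing:
            findings.append(f"tier {tier} has no subnet in {sorted(missing)}")

    # 3. routing: web goes out via the IGW, app via NAT, db has no way out
    expected = {"web": "igw", "app": "nat", "db": None}
    for tier, members in subnets.items():
        for name, _az, _cidr in members:
            target = default_route_target(route_tables, name)
            if target != expected.get(tier):
                findings.append(f"{name}: default route -> {target}, "
                                f"expected {expected.get(tier)}")

    # 4. the NAT gateway must itself sit in a subnet that reaches the IGW
    if default_route_target(route_tables, nat_subnet) != "igw":
        findings.append(f"NAT gateway subnet {nat_subnet} has no IGW route")
    return findings


if __name__ == "__main__":
    for line in check_layout(VPC_CIDR, SUBNETS, ROUTE_TABLES,
                             NAT_GATEWAY_SUBNET, EXPECTED_AZS) or ["layout OK"]:
        print(line)
```

Running it against the post's values prints `layout OK`; associating a DB subnet with Web-RT by mistake, or typing a subnet CIDR outside 10.0.0.0/16, produces a finding naming the subnet.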
Create Security Groups
Create one security group for web traffic
  Name: web-SG
  VPC: prafect-vpc
  Inbound rule 1
    Type: HTTP
    Protocol: TCP
    Port range: 80
    Source: 0.0.0.0/0
Create the second security group for app traffic
  Name: app-SG
  VPC: prafect-vpc
  Inbound rule 1
    Type: HTTP
    Protocol: TCP
    Port range: 80
    Source: security group web-SG
  Inbound rule 2
    Type: MYSQL/Aurora
    Protocol: TCP
    Port range: 3306
    Source: security group db-SG
  Inbound rule 3
    Type: SSH (only if an admin needs to access the app instance)
    Protocol: TCP
    Port range: 22
    Source: My IP
Create the third security group for DB traffic
  Name: db-SG
  VPC: prafect-vpc
  Inbound rule 1
    Type: All TCP
    Protocol: TCP
    Port range: 0-65535
    Source: security group app-SG
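Security-group references (app-SG as the source for db-SG) are the right building block, but the db-SG rule above opens every TCP port to the app tier when the database only needs 3306. The script below is an added example, not part of the original post: it transcribes the three groups into the field names used by the EC2 DescribeSecurityGroups response (`IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `UserIdGroupPairs`) and flags inbound rules that are open to the internet on anything other than a web port, or that span a whole port range even from a trusted group. The `203.0.113.10/32` value standing in for "My IP" is a placeholder, and the rule shape is hand-built rather than fetched from the API.

```python
"""Audit the post's web-SG / app-SG / db-SG inbound rules for least privilege.

Added example, not the post's own material. SECURITY_GROUPS is a hand-built
transcription of the rules in the post; 203.0.113.10/32 is a placeholder for
the admin's IP address.
"""
import ipaddress

# Ports that are acceptable to expose to the whole internet on a web tier
INTERNET_OK_PORTS = {80, 443}
# Any contiguous range wider than this is treated as 'all ports' style access
MAX_RANGE_WIDTH = 16

SECURITY_GROUPS = {
    "web-SG": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
    "app-SG": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupName": "web-SG"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupName": "db-SG"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,   # admin SSH
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []},
    ],
    "db-SG": [   # 'All TCP 0-65535' from app-SG, as configured in the post
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupName": "app-SG"}]},
    ],
}


def is_internet_source(cidr):
    """True for 0.0.0.0/0, ::/0 or any prefix wider than a /8."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0 or net.num_addresses > 2 ** 24


def audit_group(name, rules):
    """Return findings for one group's inbound rules."""
    findings = []
    for rule in rules:
        proto = rule["IpProtocol"]
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        ports = "all" if proto == "-1" else f"{lo}-{hi}"
        width = 65536 if proto == "-1" else hi - lo + 1
        sources = [r["CidrIp"] for r in rule["IpRanges"]]
        # 1. anything reachable from the internet that is not a web port
        for cidr in sources:
            if is_internet_source(cidr) and not (
                    proto == "tcp" and lo == hi and lo in INTERNET_OK_PORTS):
                findings.append(f"{name}: {proto}/{ports} open to {cidr}")
        # 2. whole-range rules, even from a trusted group, break least privilege
        if width > MAX_RANGE_WIDTH:
            who = sources + [p["GroupName"] for p in rule["UserIdGroupPairs"]]
            findings.append(f"{name}: {proto}/{ports} from {who} is wider than "
                            f"{MAX_RANGE_WIDTH} ports; allow only the service port")
    return findings


def audit(groups):
    """Return all findings across every group; an empty list means clean."""
    return [f for name, rules in groups.items() for f in audit_group(name, rules)]


if __name__ == "__main__":
    for finding in audit(SECURITY_GROUPS) or ["no over-broad inbound rules"]:
        print(finding)
```

With the post's rules the only finding is the db-SG range; replacing it with a single MySQL/Aurora rule (TCP 3306, source app-SG) makes the audit clean, and an SSH rule with source 0.0.0.0/0 would be reported immediately.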
Phase 2: Deploy Launch Template
Create Launch Template: instances
Phase 3: Deploy Target Group
Choose target type: instances
  Target group name: app-TG
  Protocol: TCP
  Port: 80
  VPC: prafect-vpc
  Health checks
    Health check protocol: HTTP
  Advanced health check settings
    Port: traffic port
    Healthy threshold: 3
    Unhealthy threshold: 3
    Timeout: 4 seconds
    Interval: 10 seconds
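The four health-check numbers above decide how long a failed web server keeps receiving traffic and how quickly a recovering one is put back. The Python model below is an added example, not part of the original post and not AWS code: it replays a sequence of probe results against the thresholds in the post (healthy 3, unhealthy 3, timeout 4 s, interval 10 s) and reports when the target changes state. The state machine (consecutive successes or failures flip the state, probes spaced exactly one interval apart) is a simplification of load balancer behaviour, and `detection_window_s` is an approximation derived from those same settings.

```python
"""Replay target-group health checks against the post's thresholds.

Added example, not the post's own material. Simplified model: probes are
exactly `interval_s` apart, a failing probe is counted once `timeout_s` has
elapsed, and only consecutive results move the target between states.
"""
from dataclasses import dataclass, field


@dataclass
class HealthCheck:
    healthy_threshold: int = 3      # values from the post
    unhealthy_threshold: int = 3
    timeout_s: int = 4
    interval_s: int = 10


@dataclass
class Target:
    state: str = "initial"          # reported until the first threshold is met
    consecutive_ok: int = 0
    consecutive_fail: int = 0
    transitions: list = field(default_factory=list)   # (time_s, new_state)


def observe(target, hc, t, passed):
    """Apply one probe result observed at time t (seconds); return the state."""
    if passed:
        target.consecutive_ok += 1
        target.consecutive_fail = 0
        if target.state != "healthy" and target.consecutive_ok >= hc.healthy_threshold:
            target.state = "healthy"
            target.transitions.append((t, "healthy"))
    else:
        target.consecutive_fail += 1
        target.consecutive_ok = 0
        if target.state != "unhealthy" and target.consecutive_fail >= hc.unhealthy_threshold:
            target.state = "unhealthy"
            target.transitions.append((t, "unhealthy"))
    return target.state


def replay(results, hc):
    """Feed probe results spaced hc.interval_s apart; return the transitions."""
    target = Target()
    for i, passed in enumerate(results):
        observe(target, hc, i * hc.interval_s, passed)
    return target.transitions


def detection_window_s(hc):
    """Approximate (best, worst) seconds between an instance dying and being
    marked unhealthy: best case it dies just before a probe, worst case just
    after one passed; the last failing probe is only counted after timeout_s."""
    best = (hc.unhealthy_threshold - 1) * hc.interval_s + hc.timeout_s
    worst = hc.unhealthy_threshold * hc.interval_s + hc.timeout_s
    return best, worst


if __name__ == "__main__":
    hc = HealthCheck()
    # healthy for three probes, dead for three, then recovered
    print(replay([True, True, True, False, False, False, True, True, True], hc))
    print("detection window (s):", detection_window_s(hc))
```

With these settings a dead instance keeps receiving traffic for roughly 24 to 34 seconds before the ALB stops routing to it, and an instance whose health endpoint flaps every few probes never reaches either threshold, so it stays in `initial` and is never put in service.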
Phase 4: Deploy Application Load Balancer
Create Launch Template
Create Application Load Balancer
  Name: web-ALB
  Scheme: internet-facing
  IP address type: IPv4
  Network mapping:
    Select VPC: web-vpc
    Mappings: select us-east-1a, us-east-1b
  Security groups: select web-ALB-SG
  Listener:
    HTTP:80
    Default action: forward to target group
Phase 5: Deploy Auto Scaling Group
  Name: web-ASG
  Launch template: web-template
  Network:
    VPC: web-vpc
    Availability Zones: us-east-1a, us-east-1b
  Load balancing: attach to an existing load balancer
    Choose target group: web-TG
    Health check: ELB, grace period 300 seconds
  Group size:
    Desired capacity: 2
    Minimum capacity: 2
    Maximum capacity: 4
  Scaling policies:
    Name: Target Tracking Policy
    Metric type: Average CPU utilization
    Target value: 50
    Warm-up: 300 seconds
Phase 6: Verify that the web application is accessible
Go to the Application Load Balancer (ALB)
Access the ALB DNS name and open the web application
Phase 7: Deploy RDS DB Managed MySQL Instance
Create DB Subnet Group
  Go to Subnet groups
  Create DB subnet group
    Name: db-subnetgroup
    VPC: prafect-vpc
    Add subnets:
      Availability Zones: us-east-2a, us-east-2b
      Subnets: db-private01, db-private02
    Create
Create DB Instance: MySQL
  Create database
    Standard create
    Engine options: MySQL
    Engine version: 5.7.39
    Template: Dev/Test
    Availability: Single DB instance
  Settings:
    DB instance identifier: mysql
  Credentials:
    Master username: admin
    Password: Passw0rd!
  Connectivity:
    VPC: prafect-vpc
    DB subnet group: dbsubnet
    Public access: No
    Existing security group: db-SG
  Database authentication: Password authentication
Prerequisites for the AWS Project:
- AWS Free Tier
- Web application source code
- Web server installation script file
- SSH client
Taking Action on the Implementation:
Phase 1: Deploy networking components
Create VPC
  Name: prafect-vpc
  CIDR: 10.0.0.0/16
Create web subnets
  Name: web-public01
  Availability zone: us-east-2a
  CIDR: 10.0.1.0/24
  Name: web-public02
  Availability zone: us-east-2b
  CIDR: 10.0.2.0/24
Create app subnets
  Name: app-private01
  Availability zone: us-east-2a
  CIDR: 10.0.3.0/24
  Name: app-private02
  Availability zone: us-east-2b
  CIDR: 10.0.4.0/24
Create DB subnets
  Name: db-private01
  Availability zone: us-east-2a
  CIDR: 10.0.5.0/24
  Name: db-private02
  Availability zone: us-east-2b
  CIDR: 10.0.6.0/24
Create Internet Gateway
  Name: web-igw
  Attach to VPC: prafect-vpc
Create Route table: Web-RT
  Name: Web-RT
  Select the VPC: prafect-vpc
  Subnet associations: select web-public01 and web-public02
  Routes: add the internet gateway as the target for 0.0.0.0/0
    Destination: 0.0.0.0/0
    Target: internet gateway web-igw
Create Route table: App-RT
  Name: App-RT
  Select the VPC: prafect-vpc
  Subnet associations: select app-private01 and app-private02
  Routes: add the NAT gateway as the target for 0.0.0.0/0
    Destination: 0.0.0.0/0
    Target: NAT gateway
Add the subnet associations
Create Security Groups
Create one security group for web traffic
  Name: web-SG
  VPC: prafect-vpc
  Inbound rule 1
    Type: HTTP
    Protocol: TCP
    Port range: 80
    Source: 0.0.0.0/0
Create the second security group for app traffic
  Name: app-SG
  VPC: prafect-vpc
  Inbound rule 1
    Type: HTTP
    Protocol: TCP
    Port range: 80
    Source: security group web-SG
  Inbound rule 2
    Type: MYSQL/Aurora
    Protocol: TCP
    Port range: 3306
    Source: security group db-SG
  Inbound rule 3
    Type: SSH (only if an admin needs to access the app instance)
    Protocol: TCP
    Port range: 22
    Source: My IP
Create the third security group for DB traffic
  Name: db-SG
  VPC: prafect-vpc
  Inbound rule 1
    Type: All TCP
    Protocol: TCP
    Port range: 0-65535
    Source: security group app-SG
Phase 2: Deploy Launch Template
Create Launch Template: instances
Phase 3: Deploy Target Group
Choose target type: instances
  Target group name: app-TG
  Protocol: TCP
  Port: 80
  VPC: prafect-vpc
  Health checks
    Health check protocol: HTTP
  Advanced health check settings
    Port: traffic port
    Healthy threshold: 3
    Unhealthy threshold: 3
    Timeout: 4 seconds
    Interval: 10 seconds
Phase 4: Deploy Application Load Balancer
Create Launch Template
Create Application Load Balancer
  Name: web-ALB
  Scheme: internet-facing
  IP address type: IPv4
  Network mapping:
    Select VPC: web-vpc
    Mappings: select us-east-1a, us-east-1b
  Security groups: select web-ALB-SG
  Listener:
    HTTP:80
    Default action: forward to target group
Load balancer created successfully
Verify ALB URL accessibility:
- Copy the ALB DNS name.
- Open your preferred browser.
- Paste the ALB DNS name into the browser's address bar and hit Enter.
Go to Target Group
Phase 5: Deploy Auto Scaling Group
  Name: web-ASG
  Launch template: web-template
  Network:
    VPC: web-vpc
    Availability Zones: us-east-1a, us-east-1b
  Load balancing: attach to an existing load balancer
    Choose target group: web-TG
    Health check: ELB, grace period 300 seconds
  Group size:
    Desired capacity: 2
    Minimum capacity: 2
    Maximum capacity: 4
  Scaling policies:
    Name: Target Tracking Policy
    Metric type: Average CPU utilization
    Target value: 50
    Warm-up: 300 seconds
Go to the ALB and copy the ELB DNS name
Verify ALB URL accessibility:
- Copy the ALB DNS name.
- Open your preferred browser.
- Paste the ALB DNS name into the browser's address bar and hit Enter.
Create NAT Gateway
Add a route to the application private route table (App-RT):
  Edit routes: add the NAT gateway
    Destination: 0.0.0.0/0
    Target: NAT Gateway
Phase 6: Verify that the web application is accessible
Go to the Application Load Balancer (ALB)
Access the ALB DNS name and open the web application
Verify ALB URL accessibility:
- Copy the ALB DNS name.
- Open your preferred browser.
- Paste the ALB DNS name into the browser's address bar and hit Enter.
Important Note:
If your web application source code resides in the private app subnet, here's what you need for configuring SSH access and package downloads:
To access the server over SSH, make sure to enable Public IP when creating the Launch Template. This allows secure access to your instance.
For downloading packages and installing the web server in the private app subnet, you'll need the following configurations:
- NAT Gateway: launch a NAT Gateway into the web public subnet. This enables instances in the private app subnet to reach external resources.
- App-RT (route table): add a NAT Gateway route to the App-RT route table. This route lets instances in the private app subnet use the NAT Gateway for internet-bound traffic.
Phase 7: Deploy RDS DB Managed MySQL Instance
Create DB Subnet Group
  Go to Subnet groups
  Create DB subnet group
    Name: db-subnetgroup
    VPC: prafect-vpc
    Add subnets:
      Availability Zones: us-east-2a, us-east-2b
      Subnets: db-private01, db-private02
    Create
Create DB Instance: MySQL
  Create database
    Standard create
    Engine options: MySQL
    Engine version: 5.7.39
    Template: Dev/Test
    Availability: Single DB instance
  Settings:
    DB instance identifier: mysql
  Credentials:
    Master username: admin
    Password: Passw0rd!
  Connectivity:
    VPC: prafect-vpc
    DB subnet group: dbsubnet
    Public access: No
    Existing security group: db-SG
  Database authentication: Password authentication
DB instance name: mysql; user: admin; password: Passw0rd!
MySQL DB instance created
New DB connection parameters:
  Server name: mysql1.cagenoemjwd5.us-east-2.rds.amazonaws.com
  Username: admin
  Password: Passw0rd!
  DB name: contacts
Go to the web source code file db.php and update these parameters.
Add rule: Type: MYSQL/Aurora, Protocol: TCP, Port range: 3306, Source: custom: db_SG
Access the RDS DB instance from one of the web servers (3.143.110.192)
Install the MySQL client: sudo apt-get install mysql-server mysql-client
Solution: go to web-SG and add My IP as the source for MYSQL/Aurora 3306
Create a new database:
mysql> create database contacts;
Verify that the database "contacts" is created.
Create tables inside the 'contacts' database
Access the 'contacts' database:
mysql> use contacts;
Create the 'users' table with columns 'name', 'email' and 'subject':
mysql> create table users(name varchar(30), email varchar(30), subject varchar(30));
Verify the creation of the 'users' table:
mysql> show tables;
Describe the table and check that the fields exist:
mysql> describe users;
Install the telnet utility and check the DB connection
sudo apt-get install telnet
Test the RDS DB connection from the web tier to the DB tier with telnet:
telnet mysql2021.cntikk0jg8xf.ca-central-1.rds.amazonaws.com 3306
Let's insert data into the database from the web page.
Verify data from the backend database
To ensure that data has been successfully added from the web application, follow these steps:
- Access your backend database.
- Query the database to retrieve and verify the added data.
Congratulations!
Improvement Tasks for Enhanced Security:
- Identity and Access Management (IAM): strengthen user access controls and authentication.
- Firewalls (web application and network): enhance security layers and implement DDoS protection.
- Create and manage cryptographic keys: safeguard sensitive data with encryption.
- Manage secrets, API keys and credentials: securely handle and store sensitive information.
- Security assessment for EC2 instances: regularly evaluate and fortify EC2 instance security.
- Threat detection: implement systems to detect and respond to security threats.
- Manage security alerts: monitor and respond to security incidents.
- Configure security controls for individual AWS services: tailor security measures for each AWS service.
Improvement Tasks for Efficient Deployment:
- Automate provisioning: streamline the deployment process for faster results.
- Observability of AWS resources: gain insights into resource performance and usage.
- Track user actions and API usage on AWS: monitor user activities and API utilization.
- Evaluate configuration of AWS resources: ensure resource settings align with best practices.
Centralize Operations:
- Automate actions with runbooks: execute routine tasks efficiently.
- Manage and patch instances: keep instances up to date and secure.
- Schedule and govern changes: control and schedule updates and modifications.
By implementing these tasks, you can bolster security and streamline deployment, ultimately enhancing the performance and resilience of your AWS infrastructure.