🌐AWS - AWS Networking & Content Delivery - VPC'S


Amazon VPC

🌐 AWS VPC is like a shielded fortress within the AWS network, providing you with a virtually isolated private network. It's as if you've brought your secure data center to the cloud! 🏰💻🌐

While creating a VPC, the following options need to be configured.

  1. Availability Zones 🏙️:

    • These are distinct data centers within a region, providing redundancy and fault tolerance. Think of them as the building blocks of high availability.

  2. CIDR Blocks 📊:

    • Classless Inter-Domain Routing blocks define the IP address range for your VPC, much like setting the size of your territory on a map.

  3. DNS Options 🌐:

    • Domain Name System (DNS) options allow you to configure how your VPC resolves domain names. It's like choosing your VPC's "language" for talking to the internet.

  4. Internet Gateway 🌐:

    • This is your VPC's portal to the internet. It lets traffic flow between your VPC and the worldwide web, acting as the gateway to the online world.

  5. Name 📛:

    • The name of your VPC is like a label on a folder, making it easier to identify and manage within your AWS account.

  6. NAT Gateways ⚡:

    • Network Address Translation (NAT) gateways are like interpreters that let your private resources reach the internet for outbound traffic without being reachable from it, enabling them to "speak the same language."

  7. Route Tables 🗺️:

    • Think of route tables as maps that dictate where network traffic should go. They define the pathways within your VPC.

  8. Subnets 🏘️:

    • Subnets are like neighborhoods within your VPC. They divide your VPC's IP address range into smaller chunks, each with its own characteristics.

  9. Tenancy 🏡:

    • Tenancy options determine whether your instances run on shared hardware (like apartments in a building) or dedicated hardware (like your own house) within the AWS data center.

Let's create and deploy the VPC and all the networking components in a hands-on way.

The solution comprises the following components:

· A VPC across two Availability Zones

· Two public web subnets, two private app subnets, and two private DB subnets

· An Internet Gateway attached to the VPC

· A public route table routing internet traffic to the Internet Gateway

· Two private route tables routing traffic internally within the VPC

· A frontend Elastic Load Balancing load balancer that routes traffic to the Apache web servers

· An Auto Scaling group that launches additional Apache web servers based on defined scaling policies. Each instance of the web server is based on a launch template, which defines the same configuration for each new web server.

· A hosted zone in Amazon Route 53 with a domain name that routes to the frontend Elastic Load Balancing load balancer

· An Auto Scaling group that launches additional Apache web application servers based on defined scaling policies. Each instance of the Apache web application server is based on a launch template, which defines the same configuration and software components for each new application server

· A MySQL Amazon Relational Database Service (Amazon RDS) Multi-AZ deployment to store the contact management and role access tables

Here's the list of components:

  1. ☁️ AWS Cloud

  2. 🌐 VPC

    • 🏘️ Subnets

    • 🌐 Internet Gateway

    • ⚙️ NAT Gateway

    • 🗺️ Route Tables

    • 🔒 Security Groups

  3. 💻 EC2 Machine

  4. 🎯 Application Load Balancer

  5. ♻️ Auto Scaling

  6. 🚀 Launch Template

  7. 🎲 RDS Database - MySQL

  8. 🚪 MobaXterm SSH Client

Here are the project implementation phases:

  1. 🚀 Phase 1: Deploy networking infrastructure

  2. 📦 Phase 2: Deploy Launch Template

  3. 🎯 Phase 3: Create elastic load balancer, auto scaling group, target group

  4. 🌐 Phase 4: Verify that the web application is accessible

  5. 🔄 Phase 5: Test horizontal scaling and high availability of the web application

  6. 🎲 Phase 6: Deploy RDS DB managed MySQL instance

This sequence provides a clear and visually engaging overview of the project's implementation phases.

AWS Solution Architecture:

Phase 1: Deploy networking components 🌐

  1. Create VPC 🏞️

    • Name: prafect-vpc 📛

    • CIDR: 10.0.0.0/16 📊

  2. Create web Subnets 🏘️

    • Name: web-public01 📛

      • Availability zone: us-east-2a 🏙️

      • CIDR: 10.0.1.0/24 📊

    • Name: web-public02 📛

      • Availability zone: us-east-2b 🏙️

      • CIDR: 10.0.2.0/24 📊

  3. Create app Subnets 🏘️

    • Name: app-private01 📛

      • Availability zone: us-east-2a 🏙️

      • CIDR: 10.0.3.0/24 📊

    • Name: app-private02 📛

      • Availability zone: us-east-2b 🏙️

      • CIDR: 10.0.4.0/24 📊

  4. Create DB Subnets 🏘️

    • Name: db-private01 📛

      • Availability zone: us-east-2a 🏙️

      • CIDR: 10.0.5.0/24 📊

    • Name: db-private02 📛

      • Availability zone: us-east-2b 🏙️

      • CIDR: 10.0.6.0/24 📊

  5. Create Internet Gateway 🌐

    • Name: web-igw 📛

    • Attach to VPC: prafect-vpc 🌐

  6. Create NAT Gateway ⚡

    • Name: prafect-NAT 📛

    • Subnet: web-public01 🏘️

    • Connectivity: Public 🌐

    • Elastic IP: Allocate Elastic IP 📶

  7. Create Route table – Web-RT 🗺️

    • Name: Web-RT 📛

    • Select the VPC: prafect-vpc 🌐

    • Subnet Associations 🏘️

      • Select – web-public01 🏘️

      • Select – web-public02 🏘️

    • Routes – Add the internet gateway as the target of a 0.0.0.0/0 route 🛣️

      • Destination: 0.0.0.0/0 🗺️

      • Target: Select internet gateway: web-igw 🌐

  8. Create Route table – App-RT 🗺️

    • Name: App-RT 📛

    • Select the VPC: prafect-vpc 🌐

    • Subnet Associations 🏘️

      • Select – app-private01 🏘️

      • Select – app-private02 🏘️

    • Routes – Add the NAT gateway as the target of a 0.0.0.0/0 route 🛣️

      • Destination: 0.0.0.0/0 🗺️

      • Target: Select NAT gateway ⚡

  9. Create Security Groups 🛡️

    • Create one security group for web traffic 📛

      • Name: web-SG 📛

      • VPC: prafect-vpc 🌐

      • Inbound rule 1 📊

        • Type: HTTP 🌐

        • Protocol: TCP 🌐

        • Port Range: 80 📶

        • Source: 0.0.0.0/0 🌍

    • Create the second security group for App traffic 📛

      • Name: app-SG 📛

      • VPC: prafect-vpc 🌐

      • Inbound rule 1 📊

        • Type: HTTP 🌐

        • Protocol: TCP 🌐

        • Port Range: 80 📶

        • Source: anywhere : web-SG 🌍

      • Inbound rule 2 📊

        • Type: MYSQL/Aurora 🌐

        • Protocol: TCP 🌐

        • Port Range: 3306 📶

        • Source: anywhere : db-SG 🌍

      • Inbound rule 3 📊

        • Type: SSH (if an admin needs to access the app instance) 🌐

        • Protocol: TCP 🌐

        • Port Range: 22 📶

        • Source: anywhere : MYIP 🌍

    • Create the third security group for db traffic 📛

      • Name: db-SG 📛

      • VPC: prafect-vpc 🌐

      • Inbound rule 1 📊

        • Type: ALL TCP 🌐

        • Protocol: TCP 🌐

        • Port Range: 0-65535 📶

        • Source: anywhere : app-SG 🌍
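
As an added example (not part of the original post), here is the Phase 1 plan above encoded as data and checked the way a reviewer would audit it before clicking through the console: every subnet must fall inside the VPC CIDR without overlapping, public subnets must route 0.0.0.0/0 to the internet gateway while private ones must not, and each security group rule is compared against least privilege. Run as written it flags one thing in the plan, db-SG's "ALL TCP" rule, which should be narrowed to 3306 from app-SG. The DB subnets having no route table of their own (so they fall back to the VPC main table with only the local route) is an assumption, since the post creates none.

```python
import ipaddress

# Constructed from the post's Phase 1 plan: name -> (AZ, CIDR, route table).
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "web-public01": ("us-east-2a", "10.0.1.0/24", "Web-RT"),
    "web-public02": ("us-east-2b", "10.0.2.0/24", "Web-RT"),
    "app-private01": ("us-east-2a", "10.0.3.0/24", "App-RT"),
    "app-private02": ("us-east-2b", "10.0.4.0/24", "App-RT"),
    "db-private01": ("us-east-2a", "10.0.5.0/24", None),   # assumption: main table
    "db-private02": ("us-east-2b", "10.0.6.0/24", None),   # assumption: main table
}
# Route table -> target of its 0.0.0.0/0 route (the main table has none).
ROUTE_TABLES = {"Web-RT": "igw", "App-RT": "nat"}
# Security group -> inbound rules as (protocol, from_port, to_port, source).
SECURITY_GROUPS = {
    "web-SG": [("tcp", 80, 80, "0.0.0.0/0")],
    "app-SG": [("tcp", 80, 80, "sg:web-SG"), ("tcp", 3306, 3306, "sg:db-SG"),
               ("tcp", 22, 22, "MYIP")],
    "db-SG": [("tcp", 0, 65535, "sg:app-SG")],   # the "ALL TCP" rule from the post
}


def check_addressing(vpc_cidr, subnets):
    """Every subnet must sit inside the VPC CIDR and none may overlap."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {n: ipaddress.ip_network(c) for n, (_, c, _) in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            findings.append(f"{name}: {net} is outside VPC {vpc}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} and {b} overlap")
    return findings


def check_routing(subnets, route_tables):
    """Public subnets need an IGW default route; private subnets must never have one."""
    findings = []
    for name, (_, _, rt) in subnets.items():
        target = route_tables.get(rt)          # None for the main table
        public = "public" in name
        if public and target != "igw":
            findings.append(f"{name}: public subnet without IGW default route")
        if not public and target == "igw":
            findings.append(f"{name}: private subnet routes 0.0.0.0/0 to the IGW")
    return findings


def check_security_groups(sgs):
    """Flag inbound rules wider than the tier needs (least privilege)."""
    findings = []
    for sg, rules in sgs.items():
        for proto, lo, hi, src in rules:
            if src == "0.0.0.0/0" and (lo, hi) not in ((80, 80), (443, 443)):
                findings.append(f"{sg}: {proto}/{lo}-{hi} open to the internet")
            if hi - lo > 0:   # a port range where one service port would do
                findings.append(f"{sg}: port range {lo}-{hi} from {src}; "
                                f"restrict to the service port")
    return findings


if __name__ == "__main__":
    for f in (check_addressing(VPC_CIDR, SUBNETS) + check_routing(SUBNETS, ROUTE_TABLES)
              + check_security_groups(SECURITY_GROUPS)):
        print("FINDING:", f)
```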

Phase 2: Deploy Launch Template 🚀

  1. Create Launch Template: instances 📦

  2. Target Group name: app-TG 🎯

    • Protocol: TCP 🌐

    • Port: 80 📶

  3. VPC: prafect-vpc 🌐

  4. Health checks 🩺

    • Health check protocol: HTTP 🌐

  5. Advanced health check 🩺

    • Port: Traffic port 📶

    • Healthy threshold: 3 📈

    • Unhealthy threshold: 3 📉

    • Timeout: 4 seconds ⏱️

    • Interval: 10 seconds ⏳

Phase 3: Deploy Target Group 🎯

  1. Choose target group: instances 📦

  2. Target Group name: app-TG 🎯

    • Protocol: TCP 🌐

    • Port: 80 📶

    • VPC: prafect-vpc 🌐

  3. Health checks 🩺

    • Health check protocol: HTTP 🌐

  4. Advanced health check 🩺

    • Port: Traffic port 📶

    • Healthy threshold: 3 📈

    • Unhealthy threshold: 3 📉

    • Timeout: 4 seconds ⏱️

    • Interval: 10 seconds ⏳

🚀 Phase 4: Deploy Application Load Balancer

  1. Create Launch Template

  2. Create Application Load Balancer

  • Name: web-ALB

  • Scheme: internet-facing

  • IP address: IPv4

  • Network Mapping:

    • Select VPC: web-vpc

    • Mappings: Select: us-east-1a, us-east-1b

    • Security Groups: Select: web-ALB-SG

    • Listener:

      • HTTP:80

      • Default action: Target Group

🚀 Phase 5: Deploy Auto Scaling Group

  1. Name: web-ASG

  2. Launch Template: web-template

  3. Network:

  • VPC: web-vpc

  • Availability Zones: us-east-1a, us-east-1b

  • Load Balancing: Attach to an existing load balancer

  • Choose Target Group: web-TG

  • Health Check: ELB: 300 seconds

  • Group Size:

    • Units

    • Desired Capacity: 2

    • Minimum Capacity: 2

    • Maximum Capacity: 4

  • Scaling Policies:

    • Name: Target Tracking Policy

    • Metric Type: Average CPU Utilization

    • Target Value: 50

    • Warm-up: 300 seconds

🚀 Phase 6: Verify that the web application is accessible

  1. Go to Application Load Balancer (ALB)

  2. Access the ALB DNS and access the web application

🚀 Phase 7: Deploy RDS DB Managed MySQL Instance

  • Create DB Instance Group

    • Go to Subnet Groups

    • Create DB Subnet Group

      • Name: db-subnetgroup

      • VPC: prafect-vpc

      • Add Subnets:

        • Availability Zones: us-east-2a, us-east-2b

        • Subnets: db-private01, db-private02

      • Create

  • Create DB Instance – MySQL

    • Create Database

    • Standard Create

    • Engine Options: MySQL

    • Engine Version: 5.7.39

    • Template: Dev/Test

    • Availability: Single DB Instance

    • Settings:

      • DB Instance: mysql

      • Credentials:

        • Master Username: admin

        • Password: Passw0rd!

    • Connectivity:

      • VPC: prafect-vpc

      • DB Subnet Group: dbsubnet

      • Public access: No

      • Existing Security Group: db-SG

    • Database Authentication: Password Authentication

📋 Prerequisites for the AWS Project:

  1. AWS Free Tier 🆓

  2. Web Application Source Code 🌐

  3. Web Server Installation Script File 📜

  4. SSH Client 🔑

🚀 Taking Action on the Implementation:

Phase 1: Deploy networking components 🌐

  1. Create VPC 🏞️

    • Name: prafect-vpc 📛

    • CIDR: 10.0.0.0/16 📊

  2. Create web Subnets 🏘️

    • Name: web-public01 📛

      • Availability zone: us-east-2a 🏙️

      • CIDR: 10.0.1.0/24 📊

    • Name: web-public02 📛

      • Availability zone: us-east-2b 🏙️

      • CIDR: 10.0.2.0/24 📊

  3. Create app Subnets 🏘️

    • Name: app-private01 📛

      • Availability zone: us-east-2a 🏙️

      • CIDR: 10.0.3.0/24 📊

    • Name: app-private02 📛

      • Availability zone: us-east-2b 🏙️

      • CIDR: 10.0.4.0/24 📊

  4. Create DB Subnets 🏘️

    • Name: db-private01 📛

      • Availability zone: us-east-2a 🏙️

      • CIDR: 10.0.5.0/24 📊

    • Name: db-private02 📛

      • Availability zone: us-east-2b 🏙️

      • CIDR: 10.0.6.0/24 📊

  5. Create Internet Gateway 🌐

    • Name: web-igw 📛

    • Attach to VPC: prafect-vpc 🌐

  6. Create Route table – App-RT 🗺️

    • Name: App-RT 📛

    • Select the VPC: prafect-vpc 🌐

    • Subnet Associations 🏘️

      • Select – app-private01 🏘️

      • Select – app-private02 🏘️

    • Routes – Add NAT 0.0.0.0/0 🛣️

      • Destination: 0.0.0.0/0 🗺️

      • Target: Select NAT gateway ⚡

Add route to internet gateway: Destination: 0.0.0.0/0, Target: Internet gateway

  7. Create Route table – App-RT 🗺️

    • Name: App-RT 📛

    • Select the VPC: prafect-vpc 🌐

    • Subnet Associations 🏘️

      • Select – app-private01 🏘️

      • Select – app-private02 🏘️

    • Routes – Add NAT 0.0.0.0/0 🛣️

      • Destination: 0.0.0.0/0 🗺️

      • Target: Select NAT gateway ⚡

Add subnet association

  8. Create Security Groups 🛡️

    • Create one security group for web traffic 📛

      • Name: web-SG 📛

      • VPC: prafect-vpc 🌐

      • Inbound rule 1 📊

        • Type: HTTP 🌐

        • Protocol: TCP 🌐

        • Port Range: 80 📶

        • Source: 0.0.0.0/0 🌍

    • Create the second security group for App traffic 📛

      • Name: app-SG 📛

      • VPC: prafect-vpc 🌐

      • Inbound rule 1 📊

        • Type: HTTP 🌐

        • Protocol: TCP 🌐

        • Port Range: 80 📶

        • Source: anywhere : web-SG 🌍

      • Inbound rule 2 📊

        • Type: MYSQL/Aurora 🌐

        • Protocol: TCP 🌐

        • Port Range: 3306 📶

        • Source: anywhere : db-SG 🌍

      • Inbound rule 3 📊

        • Type: SSH (if an admin needs to access the app instance) 🌐

        • Protocol: TCP 🌐

        • Port Range: 22 📶

        • Source: anywhere : MYIP 🌍

    • Create the third security group for db traffic 📛

      • Name: db-SG 📛

      • VPC: prafect-vpc 🌐

      • Inbound rule 1 📊

        • Type: ALL TCP 🌐

        • Protocol: TCP 🌐

        • Port Range: 0-65535 📶

        • Source: anywhere : app-SG 🌍

Phase 2: Deploy Launch Template 🚀

  1. Create Launch Template: instances 📦

  2. Target Group name: app-TG 🎯

    • Protocol: TCP 🌐

    • Port: 80 📶

  3. VPC: prafect-vpc 🌐

  4. Health checks 🩺

    • Health check protocol: HTTP 🌐

  5. Advanced health check 🩺

    • Port: Traffic port 📶

    • Healthy threshold: 3 📈

    • Unhealthy threshold: 3 📉

    • Timeout: 4 seconds ⏱️

    • Interval: 10 seconds ⏳

Phase 3: Deploy Target Group 🎯

  1. Choose target group: instances 📦

  2. Target Group name: app-TG 🎯

    • Protocol: TCP 🌐

    • Port: 80 📶

    • VPC: prafect-vpc 🌐

  3. Health checks 🩺

    • Health check protocol: HTTP 🌐

  4. Advanced health check 🩺

    • Port: Traffic port 📶

    • Healthy threshold: 3 📈

    • Unhealthy threshold: 3 📉

    • Timeout: 4 seconds ⏱️

    • Interval: 10 seconds ⏳

🚀 Phase 4: Deploy Application Load Balancer

  1. Create Launch Template

  2. Create Application Load Balancer

  • Name: web-ALB

  • Scheme: internet-facing

  • IP address: IPv4

  • Network Mapping:

    • Select VPC: web-vpc

    • Mappings: Select: us-east-1a, us-east-1b

    • Security Groups: Select: web-ALB-SG

    • Listener:

      • HTTP:80

      • Default action: Target Group

Load balancer created successfully

🔍 Verify ALB URL Accessibility:

  1. 📋 Copy the ALB DNS name.

  2. 🌐 Open your preferred browser 🌟.

  3. 🌐 Paste the ALB DNS name into the browser's address bar and hit Enter ⏎.

Go to Target Group

🚀 Phase 5: Deploy Auto Scaling Group

  1. Name: web-ASG

  2. Launch Template: web-template

  3. Network:

  • VPC: web-vpc

  • Availability Zones: us-east-1a, us-east-1b

  • Load Balancing: Attach to an existing load balancer

  • Choose Target Group: web-TG

  • Health Check: ELB: 300 seconds

  • Group Size:

    • Units

    • Desired Capacity: 2

    • Minimum Capacity: 2

    • Maximum Capacity: 4

  • Scaling Policies:

    • Name: Target Tracking Policy

    • Metric Type: Average CPU Utilization

    • Target Value: 50

    • Warm-up: 300 seconds

Go to the ALB and copy the ELB DNS name

Verify ALB URL Accessibility:

  1. 📋 Copy the ALB DNS name.

  2. 🌐 Open your preferred browser 🌟.

  3. 🌐 Paste the ALB DNS name into the browser's address bar and hit Enter ⏎.

Create NAT Gateway

Add a route to the application private route table (App-RT):

Edit Route – Add NAT gateway: Destination: 0.0.0.0/0, Target: NAT Gateway

🚀 Phase 6: Verify that the web application is accessible

  1. Go to Application Load Balancer (ALB)

  2. Access the ALB DNS and access the web application

Verify ALB URL Accessibility:

  1. 📋 Copy the ALB DNS name.

  2. 🌐 Open your preferred browser 🌟.

  3. 🌐 Paste the ALB DNS name into the browser's address bar and hit Enter ⏎.

📝 Important Note:

If your web application source code resides in the Private App Subnet, here's what you need for configuring SSH access and package downloads:

  1. To access the server over SSH, make sure to enable Public IP when creating the Launch Template 🌐. This allows access to your instance.

  2. For downloading packages and installing the web server in the Private App Subnet, you'll need the following configurations:

    • 🌐 NAT Gateway: Launch a NAT Gateway into the Web-Public Subnet. This enables instances in the Private App Subnet to reach external resources.

    • 📚 App-RT (Route Table): Add a NAT Gateway route to the App route table. This route allows instances in the Private App Subnet to use the NAT Gateway for internet-bound traffic.

🚀 Phase 7: Deploy RDS DB Managed MySQL Instance

  • Create DB Instance Group

    • Go to Subnet Groups

    • Create DB Subnet Group

      • Name: db-subnetgroup

      • VPC: prafect-vpc

      • Add Subnets:

        • Availability Zones: us-east-2a, us-east-2b

        • Subnets: db-private01, db-private02

      • Create

  • Create DB Instance – MySQL

    • Create Database

    • Standard Create

    • Engine Options: MySQL

    • Engine Version: 5.7.39

    • Template: Dev/Test

    • Availability: Single DB Instance

    • Settings:

      • DB Instance: mysql

      • Credentials:

        • Master Username: admin

        • Password: Passw0rd!

    • Connectivity:

      • VPC: prafect-vpc

      • DB Subnet Group: dbsubnet

      • Public access: No

      • Existing Security Group: db-SG

    • Database Authentication: Password Authentication

DB instance name: mysql, User: admin, Password: Passw0rd!

MySQL DB instance created

New DB connection parameters:

  • Server name: mysql1.cagenoemjwd5.us-east-2.rds.amazonaws.com

  • Username: admin

  • Password: Passw0rd!

  • DB name: contacts

Go to the web source code file: db.php

Add rule – Type: MYSQL/Aurora, Protocol: TCP, Port range: 3306, Source: custom: db_SG

Access the RDS DB instance from one of the web servers (3.143.110.192). Install the MySQL client:

sudo apt-get install mysql-server mysql-client

Solution: Go to web-SG and add MY IP as the source for MYSQL/Aurora 3306

Create a new database:

mysql> create database contacts;

Verify that the database 'contacts' is created.

📊 Create Tables Inside the 'contacts' Database 📝

  1. 💼 Access the 'contacts' database:

    • mysql> use contacts;

  2. 🛠️ Create the 'users' table with columns 'name', 'email', and 'subject':

    • mysql> create table users(name varchar(30), email varchar(30), subject varchar(30));

  3. ✅ Verify the creation of the 'users' table:

    • mysql> show tables;

Describe the table and check that the fields exist:

mysql> describe users;

Install the Telnet utility and check the DB connection:

sudo apt-get install telnet

Test the RDS DB connection from the web server to the DB with telnet:

telnet mysql2021.cntikk0jg8xf.ca-central-1.rds.amazonaws.com 3306

Let's insert data into the database from the webpage.

🔍 Verify Data from the Backend Database 🛢️

To ensure that data has been successfully added from the web application, follow these steps:

  1. 🏒 Access your backend database.

  2. πŸ“Š Query the database to retrieve and verify the added data.

Congratulations!

🛡️ Improvement Tasks for Enhanced Security:

  1. 🚪 Identity and Access Management (IAM): Strengthen user access controls and authentication.

  2. 🧯 Firewalls (Web Application and Network): Enhance security layers and implement DDoS protection.

  3. 🔐 Create & Manage Cryptographic Keys: Safeguard sensitive data with encryption.

  4. 🤐 Manage Secrets, API Keys, Credentials: Securely handle and store sensitive information.

  5. 🛡️ Security Assessment for EC2 Instances: Regularly evaluate and fortify EC2 instance security.

  6. 🚨 Threat Detection: Implement systems to detect and respond to security threats.

  7. 🔔 Manage Security Alerts: Monitor and respond to security incidents.

  8. 🛡️ Configure Security Controls for Individual AWS Services: Tailor security measures for each AWS service.

🚀 Improvement Tasks for Efficient Deployment:

  1. ⚙️ Automate Provisioning: Streamline the deployment process for faster results.

  2. 🕵️ Observability of AWS Resources: Gain insights into resource performance and usage.

  3. 📊 Track User Actions & API Usage on AWS: Monitor user activities and API utilization.

  4. 🛠️ Evaluate Configuration of AWS Resources: Ensure resource settings align with best practices.

  5. 📡 Centralize Operations:

    • 🤖 Automate Actions with Runbooks: Execute routine tasks efficiently.

    • 🧰 Manage & Patch Instances: Keep instances up-to-date and secure.

    • 🕒 Schedule & Govern Changes: Control and schedule updates and modifications.

By implementing these tasks, you can bolster security and streamline deployment, ultimately enhancing the performance and resilience of your AWS infrastructure. 🌟🛠️🚀
