DEV Community

Cloudev

Building a Secure and Scalable 3-Tier Architecture on AWS

Cloud computing has revolutionized the way applications are developed and deployed. Whether you're preparing for an AWS certification, practicing DevOps skills, or building a real-world project, understanding how to architect and deploy a secure multi-tier application on AWS is critical.

In this blog post, I walk you through setting up a 3-tier architecture on AWS using core services: VPC, EC2, RDS, NAT Gateway, and Security Groups. By the end, you'll have a network-segmented environment spread across multiple Availability Zones, running a simple web application connected to a backend database.

**What We're Building**
We'll build a 3-tier architecture with:
- Web Tier – a public-facing web server running Apache and PHP
- Application Tier – a backend app server in a private subnet with the MariaDB client installed
- Database Tier – a managed MariaDB database on Amazon RDS, reachable only from the application tier

All of this will run inside a custom VPC with subnets spread across multiple availability zones for high availability.

Why This Matters
This setup helps you:
- Understand secure network segmentation using public and private subnets
- Practice SSH access through a Bastion Host
- Learn how different AWS services fit together in a real application deployment
- Build a foundation you can harden into a production environment

Step-by-Step Breakdown

  1. Create a Custom VPC
    Start by creating a Virtual Private Cloud (VPC) with CIDR 10.0.0.0/16. Every resource in this walkthrough lives inside it.

  2. Create Subnets
    You'll need:

    - 1 public subnet for internet-facing resources: the Bastion Host and the Web Server
    - 3 private subnets for the App Server and RDS, each in a different Availability Zone so the database tier can survive the loss of one AZ

    Enable auto-assign public IPs on the public subnet only; the private subnets must never hand out public addresses.

  3. Set Up Internet and NAT Gateways
    - Create an Internet Gateway and attach it to the VPC
    - Allocate an Elastic IP and use it to create a NAT Gateway in the public subnet
    - Configure route tables:
      - The public subnet's route table sends 0.0.0.0/0 to the Internet Gateway
      - The private subnets' route table sends 0.0.0.0/0 to the NAT Gateway, so backend instances can fetch packages without being reachable from the internet

  4. Create Security Groups
    Create a separate security group per tier, and reference security groups rather than CIDR ranges wherever the source is another tier:

    - Bastion Host: SSH (TCP 22) from your own IP only
    - Web Server: HTTP (TCP 80) from anywhere, SSH from the Bastion security group
    - App Server: MariaDB (TCP 3306) from the Web Server security group, SSH from the Bastion security group
    - Database: MariaDB (TCP 3306) from the App Server security group only

    Note that none of these rules allow ICMP, which matters for the ping test in the Test Connectivity step.

  5. Launch EC2 Instances
    - Bastion Host: Amazon Linux 2, t2.micro, in the public subnet, with your key pair attached for SSH access
    - Web Server: Amazon Linux 2 in the public subnet, with a user data script that installs Apache and PHP and starts the web server
    - App Server: Amazon Linux 2 in a private subnet, with a user data script that installs the MariaDB client

  6. Deploy the RDS Database
    - Choose MariaDB on the Free Tier
    - Place it in a DB Subnet Group made up of the private subnets, and leave public access off
    - Disable backups and encryption for simplicity
    - Use root as the master username and set an initial database name such as mydb

    The last two bullets are lab-only shortcuts. For anything you will keep running, enable storage encryption and automated backups, choose a non-obvious master username with a strong password (or IAM database authentication), and consider a Multi-AZ deployment.

  7. Upload the PEM Key to the Bastion Host
    From your terminal (replace <bastion-public-ip> with the Bastion Host's public IP):

    scp -i labsuser.pem labsuser.pem ec2-user@<bastion-public-ip>:/home/ec2-user

    Be aware that this leaves a copy of your private key on the Bastion Host, so anyone who compromises the bastion can reach every instance it protects. SSH agent forwarding or ProxyJump (ssh -J) reaches the private instances through the bastion without the key ever leaving your workstation.

  8. Test Connectivity
    SSH into the Bastion Host and, from there:

    - SSH into the App Server's private IP using the PEM key
    - Check reachability of the Web Server: a ping only succeeds if you add an inbound ICMP rule to the Web Server security group (for example from the Bastion security group), because the security groups above allow TCP only; otherwise test the open port instead, e.g. with curl against the Web Server's private IP on port 80
    - From the App Server, use the MariaDB client to connect to the RDS endpoint on port 3306; the connection must originate from the App Server, since the database security group admits only that tier
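The walkthrough above, modelled as an added example (Python; not code from the original post): it encodes the VPC CIDR and the per-tier security-group rules from the Create Security Groups step and evaluates which flows those rules admit, so you can check the segmentation before clicking through the console. The subnet CIDRs, AZ names, instance private IPs and the operator's IP are assumptions; the VPC CIDR, the tiers and the port rules come from the post. It shows the tier isolation (the web tier cannot reach the database directly) and why the ping in the Test Connectivity step fails until an ICMP rule is added.

```python
"""Added example, not code from the original post: a model of the walkthrough's
subnet plan and security groups, to check the segmentation before building it.
Subnet CIDRs, AZ names, instance IPs and the admin IP are assumptions; the VPC
CIDR, the tiers and the port rules follow the post's steps."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # from the Create a Custom VPC step

# Assumed subnet plan: name -> (CIDR, Availability Zone, is_public)
SUBNETS = {
    "public":    ("10.0.0.0/24", "us-east-1a", True),
    "private-a": ("10.0.1.0/24", "us-east-1a", False),
    "private-b": ("10.0.2.0/24", "us-east-1b", False),
    "private-c": ("10.0.3.0/24", "us-east-1c", False),
}

def check_subnet_plan(vpc, subnets):
    """Problems found: subnets outside the VPC, overlaps, private tier in < 2 AZs."""
    problems, nets = [], {}
    for name, (cidr, _az, _public) in subnets.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            problems.append(f"{name} {cidr} is outside {vpc}")
        nets[name] = net
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    if len({az for _c, az, public in subnets.values() if not public}) < 2:
        problems.append("private subnets are not spread across two or more AZs")
    return problems

@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp" or "icmp"
    port: Optional[int]   # None for icmp
    source: str           # another security group's name, or a CIDR

ADMIN_IP = "203.0.113.10"   # assumed operator address (documentation range)

# Inbound rules per tier as listed in the post; MariaDB listens on TCP 3306.
SECURITY_GROUPS = {
    "bastion-sg": [Rule("tcp", 22, ADMIN_IP + "/32")],
    "web-sg":     [Rule("tcp", 80, "0.0.0.0/0"), Rule("tcp", 22, "bastion-sg")],
    "app-sg":     [Rule("tcp", 3306, "web-sg"), Rule("tcp", 22, "bastion-sg")],
    "db-sg":      [Rule("tcp", 3306, "app-sg")],
}

# Assumed private addresses: instance -> (security group, private IP)
INSTANCES = {
    "bastion": ("bastion-sg", "10.0.0.10"),
    "web":     ("web-sg", "10.0.0.20"),
    "app":     ("app-sg", "10.0.1.20"),
    "rds":     ("db-sg", "10.0.2.30"),
}

def allowed(src, dst, proto, port=None, groups=None):
    """True if an inbound rule on dst's security group admits traffic from src
    (an instance name or a bare IP). SGs are stateful and outbound is allow-all
    by default, so only dst's inbound rules decide; network ACLs are not modelled."""
    groups = SECURITY_GROUPS if groups is None else groups
    dst_sg, _ = INSTANCES[dst]
    src_sg, src_ip = INSTANCES.get(src, (None, src))
    src_addr = ipaddress.ip_address(src_ip)
    for rule in groups[dst_sg]:
        if rule.proto != proto or (proto != "icmp" and rule.port != port):
            continue
        if rule.source in groups:            # rule references a security group
            if rule.source == src_sg:
                return True
        elif src_addr in ipaddress.ip_network(rule.source):   # rule is a CIDR
            return True
    return False

def with_icmp_from_bastion(groups=None):
    """Copy of the rule set plus the inbound ICMP rule the post's ping test needs."""
    groups = SECURITY_GROUPS if groups is None else groups
    patched = {name: list(rules) for name, rules in groups.items()}
    patched["web-sg"].append(Rule("icmp", None, "bastion-sg"))
    return patched

def connectivity_report(groups=None):
    """The flows the walkthrough relies on, plus the ones it must block."""
    internet = "198.51.100.7"   # any outside host (documentation range)
    return {
        "admin->bastion ssh": allowed(ADMIN_IP, "bastion", "tcp", 22, groups),
        "internet->web http": allowed(internet, "web", "tcp", 80, groups),
        "internet->web ssh":  allowed(internet, "web", "tcp", 22, groups),
        "bastion->app ssh":   allowed("bastion", "app", "tcp", 22, groups),
        "web->app mariadb":   allowed("web", "app", "tcp", 3306, groups),
        "app->rds mariadb":   allowed("app", "rds", "tcp", 3306, groups),
        "web->rds mariadb":   allowed("web", "rds", "tcp", 3306, groups),
        "bastion->web http":  allowed("bastion", "web", "tcp", 80, groups),
        "bastion->web icmp":  allowed("bastion", "web", "icmp", None, groups),
    }
```

Calling connectivity_report() with the post's rules returns True for the SSH, HTTP and MariaDB hops the tutorial uses and False for internet->web ssh, web->rds mariadb and bastion->web icmp; passing with_icmp_from_bastion() flips only the ICMP entry, which is the smallest change that makes the ping test meaningful. check_subnet_plan(VPC_CIDR, SUBNETS) returns an empty list for the assumed plan and names the offending subnets for one that overlaps or leaks outside 10.0.0.0/16.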
**What This Setup Achieves**

- Secure Access Control
  Access to internal resources is gated by per-tier security groups, and administrative SSH enters only through the Bastion Host.

- Isolation of Application Tiers
  Frontend, backend, and database run in separate subnets with separate security groups, so a compromise of the web tier does not give direct network access to the database.

- Real-World Architecture Practice
  This mirrors the shape of real-world web application infrastructure, which makes it useful for cloud engineers, DevOps professionals, and learners.

- Scalability and High Availability
  Spreading subnets across multiple Availability Zones supports future scaling and fault tolerance. In this lab the single Web Server, Bastion Host and NAT Gateway all sit in one public subnet and remain single points of failure; a production build would add a second public subnet, a load balancer in front of multiple web instances, and a Multi-AZ RDS deployment.
