Cloud computing has revolutionized the way applications are developed and deployed. Whether you're preparing for an AWS certification, practicing DevOps skills, or building a real-world project, understanding how to architect and deploy a secure multi-tier application on AWS is critical.
In this blog post, I walk you through how to set up a 3-tier architecture on AWS using core services like VPC, EC2, RDS, NAT Gateway, and Security Groups. By the end, you'll have a network-segmented environment, with the database tier spread across multiple Availability Zones, running a simple web application connected to a backend database.
**What We're Building**
We’ll build a 3-tier architecture with:
Web Tier – A public-facing web server running Apache and PHP.
Application Tier – A backend app server running the MariaDB client.
Database Tier – A managed MariaDB database on Amazon RDS.
All of this runs inside a custom VPC, with the private subnets spread across multiple Availability Zones for high availability.
Why This Matters
This setup helps you:
- Understand secure network segmentation using public and private subnets
- Practice SSH access through a Bastion Host
- Learn how different AWS services fit together in a real application deployment
- Build a layout that can be hardened into a production environment (the lab shortcuts below, such as disabled backups and encryption, are not production settings)
Step-by-Step Breakdown
- Create a Custom VPC
Start by creating a Virtual Private Cloud (VPC) with CIDR 10.0.0.0/16. This VPC will host all your resources.
- Create Subnets
You’ll need:
1 Public Subnet for internet-facing resources like the Bastion Host and Web Server
3 Private Subnets for backend resources and RDS, each in a different Availability Zone for high availability
Enable auto-assign public IPs in the public subnet.
- Set Up Internet and NAT Gateways
Create and attach an Internet Gateway to your VPC
Allocate an Elastic IP and use it to create a NAT Gateway in the public subnet
Configure Route Tables:
Public subnet routes internet traffic to the Internet Gateway
Private subnets route outbound internet traffic through the NAT Gateway
- Create Security Groups
Create separate security groups for:
Bastion Host – SSH (22) from your own public IP only, as a /32
Web Server – HTTP (80) from anywhere; SSH (22) from the Bastion Host security group
App Server – MariaDB (3306) from the Web Server security group; SSH (22) from the Bastion Host security group
Database – MariaDB (3306) from the App Server security group only
For the tier-to-tier rules, use the calling tier's security group ID as the source rather than a subnet CIDR: the rule then follows the instances rather than whatever happens to share the subnet, and nothing else can reach the database even from inside the VPC.
- Launch EC2 Instances
Bastion Host
Amazon Linux 2, t2.micro, in the public subnet
Key pair for SSH access
Web Server
Amazon Linux 2 in the public subnet
User data script to install Apache and PHP and start the web server
App Server
Amazon Linux 2 in a private subnet
User data script to install the MariaDB client
- Deploy RDS Database
Choose MariaDB on the Free Tier
Use the private subnets in a DB Subnet Group and leave Public access disabled, so the instance never gets a public address; attach the Database security group
Disable backups and encryption for simplicity in this lab. Outside a lab keep both on: storage encryption can only be chosen at creation, and turning it on later means taking a snapshot, copying it encrypted, and restoring
Set a master username and an initial database name such as mydb. The lab uses root; for anything beyond a lab pick a non-default master username and a generated password
- Upload PEM Key to Bastion Host
From your terminal (replace the placeholder with the Bastion Host's public IP):
```bash
scp -i labsuser.pem labsuser.pem ec2-user@<bastion-public-ip>:/home/ec2-user
```
This leaves a copy of the private key on an internet-facing host. A safer alternative is SSH agent forwarding or ProxyJump (ssh -J), which lets you hop through the bastion while the key stays on your workstation.
- Test Connectivity
SSH into the Bastion Host and from there:
SSH into the App Server using the PEM key
Ping the Web Server's private IP to confirm network reachability (this only works if the Web Server security group allows ICMP from the Bastion Host; otherwise test TCP port 80 with curl instead)
Use the MariaDB client to connect to the RDS endpoint on port 3306 from the App Server. The same connection attempted from the Bastion Host or Web Server should time out, which confirms the security-group chain is doing its job
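The network and security-group steps above, from the VPC through the DB subnet group, as one AWS CLI script. This is an added example and not the post's own commands; it assumes AWS CLI v2 with credentials configured, the us-east-1 region with Availability Zones a, b and c, and ADMIN_CIDR set to your workstation's public address as a /32 (the default value is a placeholder). The helper functions (subnet CIDR derivation, the admin-CIDR check and the ingress-rule builder) run offline; the actual build runs only when BUILD=1 is set.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): the VPC, subnets, gateways, route
# tables, security groups and DB subnet group from the steps above, via AWS CLI v2.
# Assumptions: credentials configured; region us-east-1 with AZs a/b/c;
# ADMIN_CIDR is your workstation's public IP as a /32 (the default is a placeholder).
set -eu

VPC_CIDR="10.0.0.0/16"
REGION="${AWS_REGION:-us-east-1}"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"   # placeholder: replace with your own /32
DB_PORT=3306                                   # MariaDB

# subnet_cidr N: the N-th /24 carved out of the /16 (0 -> 10.0.0.0/24, 1 -> 10.0.1.0/24, ...)
subnet_cidr() {
  echo "${VPC_CIDR%%/*}" | { IFS=. read -r a b c d; printf '%s.%s.%s.0/24\n' "$a" "$b" "$((c + $1))"; }
}

# check_admin_cidr CIDR: refuse to open bastion SSH to the world; insist on a single host (/32)
check_admin_cidr() {
  case "$1" in
    */32) return 0 ;;
    *) echo "admin CIDR $1 is not a /32; SSH to the bastion must come from one address" >&2; return 1 ;;
  esac
}

# ingress_args SG_ID PORT SOURCE: arguments for authorize-security-group-ingress. SOURCE is
# a CIDR or another security group ID. Tier-to-tier rules reference the calling tier's
# security group, not a subnet CIDR, so the rule follows the instance rather than its address.
ingress_args() {
  case "$3" in
    sg-*) echo "--group-id $1 --protocol tcp --port $2 --source-group $3" ;;
    */*)  echo "--group-id $1 --protocol tcp --port $2 --cidr $3" ;;
    *)    echo "bad source: $3" >&2; return 1 ;;
  esac
}

build() {
  check_admin_cidr "$ADMIN_CIDR"
  aws="aws --region $REGION --output text"

  vpc=$($aws ec2 create-vpc --cidr-block "$VPC_CIDR" --query Vpc.VpcId)
  $aws ec2 modify-vpc-attribute --vpc-id "$vpc" --enable-dns-hostnames   # needed to resolve the RDS endpoint

  # one public subnet in AZ a; three private subnets across AZs a, b and c
  pub=$($aws ec2 create-subnet --vpc-id "$vpc" --cidr-block "$(subnet_cidr 0)" \
        --availability-zone "${REGION}a" --query Subnet.SubnetId)
  $aws ec2 modify-subnet-attribute --subnet-id "$pub" --map-public-ip-on-launch
  privs=""; i=1
  for az in a b c; do
    s=$($aws ec2 create-subnet --vpc-id "$vpc" --cidr-block "$(subnet_cidr $i)" \
          --availability-zone "${REGION}${az}" --query Subnet.SubnetId)
    privs="$privs $s"; i=$((i + 1))
  done

  # Internet Gateway for the public subnet; NAT Gateway (with an Elastic IP) for outbound-only private egress
  igw=$($aws ec2 create-internet-gateway --query InternetGateway.InternetGatewayId)
  $aws ec2 attach-internet-gateway --vpc-id "$vpc" --internet-gateway-id "$igw"
  eip=$($aws ec2 allocate-address --domain vpc --query AllocationId)
  nat=$($aws ec2 create-nat-gateway --subnet-id "$pub" --allocation-id "$eip" --query NatGateway.NatGatewayId)
  $aws ec2 wait nat-gateway-available --nat-gateway-ids "$nat"

  rt_pub=$($aws ec2 create-route-table --vpc-id "$vpc" --query RouteTable.RouteTableId)
  $aws ec2 create-route --route-table-id "$rt_pub" --destination-cidr-block 0.0.0.0/0 --gateway-id "$igw"
  $aws ec2 associate-route-table --route-table-id "$rt_pub" --subnet-id "$pub"
  rt_priv=$($aws ec2 create-route-table --vpc-id "$vpc" --query RouteTable.RouteTableId)
  $aws ec2 create-route --route-table-id "$rt_priv" --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$nat"
  for s in $privs; do $aws ec2 associate-route-table --route-table-id "$rt_priv" --subnet-id "$s"; done

  # four security groups chained: admin -> bastion -> {web, app}; internet -> web:80; web -> app -> db on 3306
  bastion=$($aws ec2 create-security-group --vpc-id "$vpc" --group-name bastion-sg --description "bastion" --query GroupId)
  web=$($aws ec2 create-security-group --vpc-id "$vpc" --group-name web-sg --description "web tier" --query GroupId)
  app=$($aws ec2 create-security-group --vpc-id "$vpc" --group-name app-sg --description "app tier" --query GroupId)
  db=$($aws ec2 create-security-group --vpc-id "$vpc" --group-name db-sg --description "db tier" --query GroupId)
  $aws ec2 authorize-security-group-ingress $(ingress_args "$bastion" 22 "$ADMIN_CIDR")
  $aws ec2 authorize-security-group-ingress $(ingress_args "$web" 80 0.0.0.0/0)
  $aws ec2 authorize-security-group-ingress $(ingress_args "$web" 22 "$bastion")
  $aws ec2 authorize-security-group-ingress $(ingress_args "$app" "$DB_PORT" "$web")
  $aws ec2 authorize-security-group-ingress $(ingress_args "$app" 22 "$bastion")
  $aws ec2 authorize-security-group-ingress $(ingress_args "$db" "$DB_PORT" "$app")

  # DB subnet group over the three private subnets, so the RDS instance never gets a public address
  $aws rds create-db-subnet-group --db-subnet-group-name app-db-subnets \
      --db-subnet-group-description "private subnets" --subnet-ids $privs
  echo "vpc=$vpc public=$pub private=$privs bastion-sg=$bastion web-sg=$web app-sg=$app db-sg=$db"
}

# The build runs only on request, so the helpers above can be sourced and checked without credentials.
if [ "${BUILD:-0}" = "1" ]; then build; fi
```

Run it as `ADMIN_CIDR=<your-ip>/32 BUILD=1 bash build-3tier.sh`; it prints the IDs you need for the EC2 and RDS console steps. The admin-CIDR check is the one guard worth keeping even when you do everything in the console: a bastion that accepts SSH from 0.0.0.0/0 undoes most of the segmentation this layout provides.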
**What This Setup Achieves**
- Secure Access Control
Access to internal resources is restricted by security groups, and administrative SSH enters only through the Bastion Host.
- Isolation of Application Tiers
Frontend, backend, and database are deployed in separate layers, which enhances security and scalability.
- Real-World Architecture Practice
This mirrors the infrastructure behind real web applications, ideal for cloud engineers, DevOps professionals, and learners.
- Scalability and High Availability
Using multiple Availability Zones and subnet segmentation supports future scaling and fault tolerance.