Architecture Overview
Our architecture will consist of:
- Two Availability Zones for high availability
- Public and private subnets in each AZ
- NAT Gateways for outbound internet access from private subnets
- An Internet Gateway for public internet access
- Security groups for Application Load Balancer and Web Servers
- VPC Endpoint for private S3 access
Step-by-Step Implementation
1. Create the Virtual Private Cloud (VPC)
First, we'll create the VPC that will contain all our resources:
- Navigate to the AWS VPC console
- Click "Create VPC"
- Select "VPC only" (we'll create subnets separately)
- Enter these details:
  - Name tag: Production-VPC
  - IPv4 CIDR block: 10.0.0.0/16
  - Leave IPv6 disabled (unless you specifically need it)
  - Tenancy: Default
- Click "Create VPC"
2. Create Subnets in Availability Zone 1
Now let's create our first set of subnets in Availability Zone 1:
Public Subnet A:
- In the VPC console, go to "Subnets"
- Click "Create subnet"
- Select your VPC from the dropdown
- Enter:
  - Subnet name: Public-Subnet-A
  - Availability Zone: Choose your first AZ (e.g., us-east-1a)
  - IPv4 CIDR block: 10.0.0.0/20
- Click "Create subnet"
Private Subnet A:
- Click "Create subnet" again
- Select your VPC
- Enter:
  - Subnet name: Private-Subnet-A
  - Availability Zone: Same AZ as above (us-east-1a)
  - IPv4 CIDR block: 10.0.128.0/20
- Click "Create subnet"
3. Create Subnets in Availability Zone 2
Repeat the process for the second Availability Zone:
Public Subnet B:
- Click "Create subnet"
- Select your VPC
- Enter:
  - Subnet name: Public-Subnet-B
  - Availability Zone: Choose your second AZ (e.g., us-east-1b)
  - IPv4 CIDR block: 10.0.16.0/20
- Click "Create subnet"
Private Subnet B:
- Click "Create subnet" again
- Select your VPC
- Enter:
  - Subnet name: Private-Subnet-B
  - Availability Zone: Same AZ as above (us-east-1b)
  - IPv4 CIDR block: 10.0.144.0/20
- Click "Create subnet"
4. Create Internet Gateway
For public internet access:
- In the VPC console, go to "Internet Gateways"
- Click "Create internet gateway"
- Name it Production-IGW
- Click "Create internet gateway"
- Select the new IGW and click "Actions" > "Attach to VPC"
- Select your VPC and click "Attach internet gateway"
5. Create NAT Gateways
We'll need one NAT Gateway in each AZ for private subnet internet access:
NAT Gateway in AZ 1:
- Go to "NAT Gateways" in the VPC console
- Click "Create NAT gateway"
- Configure:
  - Name: NAT-GW-AZ1
  - Subnet: Select Public-Subnet-A
  - Connectivity type: Public
  - Allocate Elastic IP (click "Allocate Elastic IP")
- Click "Create NAT gateway"
NAT Gateway in AZ 2:
- Click "Create NAT gateway" again
- Configure:
  - Name: NAT-GW-AZ2
  - Subnet: Select Public-Subnet-B
  - Connectivity type: Public
  - Allocate Elastic IP (click "Allocate Elastic IP")
- Click "Create NAT gateway"
Note: Wait for both NAT Gateways to show status "Available" before proceeding.
6. Configure Route Tables
We'll need separate route tables for public and private subnets.
Public Route Table:
- Go to "Route Tables" in the VPC console
- Click "Create route table"
- Name it Public-Route-Table and select your VPC
- Click "Create"
- Select the new route table, go to "Routes" tab, click "Edit routes"
- Add a route:
  - Destination: 0.0.0.0/0
  - Target: Select the Internet Gateway you created
- Click "Save changes"
- Go to "Subnet associations" tab, click "Edit subnet associations"
- Select both public subnets (Public-Subnet-A and Public-Subnet-B)
- Click "Save associations"
Private Route Table for AZ 1:
- Click "Create route table"
- Name it Private-Route-Table-AZ1 and select your VPC
- Click "Create"
- Select the new route table, go to "Routes" tab, click "Edit routes"
- Add a route:
  - Destination: 0.0.0.0/0
  - Target: Select the NAT Gateway in AZ 1 (NAT-GW-AZ1)
- Click "Save changes"
- Go to "Subnet associations" tab, click "Edit subnet associations"
- Select Private-Subnet-A
- Click "Save associations"
Private Route Table for AZ 2:
- Click "Create route table"
- Name it Private-Route-Table-AZ2 and select your VPC
- Click "Create"
- Select the new route table, go to "Routes" tab, click "Edit routes"
- Add a route:
  - Destination: 0.0.0.0/0
  - Target: Select the NAT Gateway in AZ 2 (NAT-GW-AZ2)
- Click "Save changes"
- Go to "Subnet associations" tab, click "Edit subnet associations"
- Select Private-Subnet-B
- Click "Save associations"
7. Create Security Groups
Application Load Balancer Security Group:
- Go to "Security Groups" in the VPC console
- Click "Create security group"
- Enter:
  - Security group name: ALB-Security-Group
  - Description: Security group for Application Load Balancer
  - VPC: Select your VPC
- Under "Inbound rules", add:
  - Type: HTTP, Source: 0.0.0.0/0
  - Type: HTTPS, Source: 0.0.0.0/0
- Click "Create security group"
Web Server Security Group:
- Click "Create security group"
- Enter:
  - Security group name: Web-Server-Security-Group
  - Description: Security group for web servers in private subnets
  - VPC: Select your VPC
- Under "Inbound rules", add:
  - Type: HTTP, Source: Select the ALB security group
  - Type: HTTPS, Source: Select the ALB security group
  - Type: SSH, Source: Your IP (for management)
- Click "Create security group"
8. Create VPC Endpoint for S3
For private access to S3 without going through the internet:
- Go to "Endpoints" in the VPC console
- Click "Create endpoint"
- Configure:
  - Name tag: S3-VPC-Endpoint
  - Service category: AWS services
  - Service: Select com.amazonaws.[region].s3 (replace [region] with your region)
  - VPC: Select your VPC
  - Route tables: Select all private route tables
  - Policy: Full access (or customize as needed)
- Click "Create endpoint"
9. Create Application Load Balancer
Now let's set up the ALB to distribute traffic to our web servers:
- Go to the EC2 console and navigate to "Load Balancers"
- Click "Create Load Balancer"
- Select "Application Load Balancer"
- Configure:
  - Name: Web-ALB
  - Scheme: Internet-facing
  - IP address type: IPv4
  - VPC: Select your VPC
  - Mappings: Select both AZs and their public subnets
- Under "Security groups", select the ALB security group
- Configure listeners for HTTP (80) and HTTPS (443)
- For now, skip target group creation (we'll create EC2 instances later)
- Click "Create load balancer"
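Before launching instances, it is worth checking the design as data. The following Python checker is an added example, not part of the original walkthrough and not an AWS API call: it encodes the CIDRs, NAT gateways, route targets and security group rules chosen above (with 203.0.113.10/32 as a constructed placeholder for "Your IP") and verifies that the subnets fit inside 10.0.0.0/16 without overlapping, that each private subnet's default route uses the NAT gateway in its own AZ, and that the web server group accepts HTTP/HTTPS only from the ALB group and never SSH from 0.0.0.0/0.

```python
import ipaddress
# Constructed copy of the plan above; nothing here calls AWS.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
# (name, availability zone, tier, CIDR) exactly as chosen in the walkthrough
SUBNETS = [
    ("Public-Subnet-A", "us-east-1a", "public", "10.0.0.0/20"),
    ("Private-Subnet-A", "us-east-1a", "private", "10.0.128.0/20"),
    ("Public-Subnet-B", "us-east-1b", "public", "10.0.16.0/20"),
    ("Private-Subnet-B", "us-east-1b", "private", "10.0.144.0/20"),
]
# AZ of each NAT gateway, and which gateway each private subnet's 0.0.0.0/0 route targets
NAT_GW_AZ = {"NAT-GW-AZ1": "us-east-1a", "NAT-GW-AZ2": "us-east-1b"}
PRIVATE_DEFAULT_ROUTE = {"Private-Subnet-A": "NAT-GW-AZ1", "Private-Subnet-B": "NAT-GW-AZ2"}
# Inbound (port, source) rules; 203.0.113.10/32 is a constructed placeholder for "Your IP".
SECURITY_GROUPS = {
    "ALB-Security-Group": [(80, "0.0.0.0/0"), (443, "0.0.0.0/0")],
    "Web-Server-Security-Group": [(80, "ALB-Security-Group"), (443, "ALB-Security-Group"),
                                  (22, "203.0.113.10/32")],
}

def check_subnets(vpc=VPC_CIDR, subnets=SUBNETS):
    """Every subnet must lie inside the VPC CIDR and no two may overlap."""
    problems = []
    nets = [(name, ipaddress.ip_network(cidr)) for name, _, _, cidr in subnets]
    for name, net in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside {vpc}")
    for i, (name_a, a) in enumerate(nets):
        for name_b, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{name_a} overlaps {name_b}")
    return problems

def check_nat_alignment(subnets=SUBNETS, routes=PRIVATE_DEFAULT_ROUTE, nat_az=NAT_GW_AZ):
    """A private subnet should egress via the NAT gateway in its own AZ; otherwise an
    outage in the other AZ also takes down this subnet's outbound path."""
    az_of = {name: az for name, az, tier, _ in subnets if tier == "private"}
    return [f"{subnet} routes via {gw} in {nat_az[gw]}, not {az_of[subnet]}"
            for subnet, gw in routes.items() if nat_az[gw] != az_of[subnet]]

def check_web_sg(sgs=SECURITY_GROUPS):
    """Web servers accept 80/443 only from the ALB group and never SSH from everywhere."""
    problems = []
    for port, source in sgs["Web-Server-Security-Group"]:
        if port in (80, 443) and source != "ALB-Security-Group":
            problems.append(f"port {port} reachable from {source}, not only from the ALB")
        if port == 22 and source == "0.0.0.0/0":
            problems.append("SSH open to 0.0.0.0/0")
    return problems
```

Each function returns an empty list for the plan above; feed it the values from a real account (for example, exported with the AWS CLI) to catch a subnet typed into the wrong AZ or a rule that was widened to 0.0.0.0/0 later.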
Next Steps
With this infrastructure in place, you're ready to:
- Launch EC2 instances in your private subnets (attach the Web Server Security Group)
- Create a target group and register your instances with the ALB
- Set up Auto Scaling for high availability
- Configure Route 53 for DNS management
- Set up monitoring with CloudWatch
Cost Considerations
Remember that NAT Gateways incur hourly charges and data processing fees. Consider these cost optimization strategies:
- Use NAT Instances instead of NAT Gateways for development environments
- Implement S3 Gateway Endpoints (which are free) instead of Interface Endpoints where possible
- Monitor your data transfer costs
Conclusion
You've now set up a highly available, secure AWS architecture spanning multiple Availability Zones. This architecture provides:
- Fault tolerance through multi-AZ deployment
- Security through public/private subnet separation
- Scalability through the Application Load Balancer
- Private access to S3 via VPC endpoints
This foundation can support web applications, APIs, or other services while maintaining security and availability best practices.