DEV Community: nao1515 The latest articles on DEV Community by nao1515 (@1515_1c22035d85e1ae3d). https://dev.to/1515_1c22035d85e1ae3d https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3910241%2F4095cc76-9846-43b8-ba05-eefd2084cc60.jpg DEV Community: nao1515 https://dev.to/1515_1c22035d85e1ae3d en Running a Tomcat App on ECS Fargate — A Complete Step-by-Step Guide nao1515 Sun, 10 May 2026 08:50:36 +0000 https://dev.to/1515_1c22035d85e1ae3d/running-a-tomcat-app-on-ecs-fargate-a-complete-step-by-step-guide-36al https://dev.to/1515_1c22035d85e1ae3d/running-a-tomcat-app-on-ecs-fargate-a-complete-step-by-step-guide-36al <h2> Introduction </h2> <p>This guide walks you through migrating an existing Tomcat application to AWS ECS Fargate — covering everything from session management and DB migration to Auto Scaling, with a production-ready setup in mind.</p> <h3> Who this is for </h3> <ul> <li>Developers migrating a Tomcat app to AWS</li> <li>Engineers new to ECS Fargate</li> </ul> <h3> Final Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Internet │ ALB (port 80/443) │ ECS Fargate ├─ ElastiCache (Redis) ← session store └─ RDS (PostgreSQL) ← persistent data </code></pre> </div> <h2> STEP 1: Create Security Groups </h2> <p>Create dedicated security groups for ALB, ECS, Redis, and RDS. Following the principle of least privilege, only allow what is strictly necessary.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ALB — allow HTTP/HTTPS from the internet</span> aws ec2 create-security-group <span class="se">\</span> <span class="nt">--group-name</span> sg-alb <span class="se">\</span> <span class="nt">--description</span> <span class="s2">"ALB SG"</span> <span class="se">\</span> <span class="nt">--vpc-id</span> vpc-xxxxxxxx aws ec2 authorize-security-group-ingress <span class="se">\</span> <span class="nt">--group-id</span> sg-alb <span class="nt">--protocol</span> tcp <span class="nt">--port</span> 80 <span class="nt">--cidr</span> 0.0.0.0/0 aws ec2 authorize-security-group-ingress <span class="se">\</span> <span class="nt">--group-id</span> sg-alb <span class="nt">--protocol</span> tcp <span class="nt">--port</span> 443 <span class="nt">--cidr</span> 0.0.0.0/0 <span class="c"># ECS — allow 8080 from ALB only</span> aws ec2 create-security-group <span class="se">\</span> <span class="nt">--group-name</span> sg-ecs <span class="se">\</span> <span class="nt">--description</span> <span class="s2">"ECS SG"</span> <span class="se">\</span> <span class="nt">--vpc-id</span> vpc-xxxxxxxx aws ec2 authorize-security-group-ingress <span class="se">\</span> <span class="nt">--group-id</span> sg-ecs <span class="nt">--protocol</span> tcp <span class="nt">--port</span> 8080 <span class="se">\</span> <span class="nt">--source-group</span> sg-alb <span class="c"># Redis — allow 6379 from ECS only</span> aws ec2 create-security-group <span class="se">\</span> <span class="nt">--group-name</span> sg-redis <span class="se">\</span> <span class="nt">--description</span> <span class="s2">"Redis SG"</span> <span class="se">\</span> <span class="nt">--vpc-id</span> vpc-xxxxxxxx aws ec2 authorize-security-group-ingress <span class="se">\</span> <span class="nt">--group-id</span> sg-redis <span class="nt">--protocol</span> tcp <span class="nt">--port</span> 6379 <span class="se">\</span> <span class="nt">--source-group</span> sg-ecs <span class="c"># RDS — allow 5432 from ECS only</span> aws ec2 create-security-group <span class="se">\</span> <span class="nt">--group-name</span> sg-rds <span class="se">\</span> <span class="nt">--description</span> <span class="s2">"RDS SG"</span> <span class="se">\</span> <span class="nt">--vpc-id</span> vpc-xxxxxxxx aws ec2 authorize-security-group-ingress <span class="se">\</span> <span class="nt">--group-id</span> sg-rds <span class="nt">--protocol</span> tcp <span class="nt">--port</span> 5432 <span class="se">\</span> <span class="nt">--source-group</span> sg-ecs </code></pre> </div> <p>Here is a summary of the security group rules:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Security Group</th> <th>Inbound Rule</th> </tr> </thead> <tbody> <tr> <td>sg-alb</td> <td>0.0.0.0/0 → 80, 443</td> </tr> <tr> <td>sg-ecs</td> <td>sg-alb → 8080</td> </tr> <tr> <td>sg-redis</td> <td>sg-ecs → 6379</td> </tr> <tr> <td>sg-rds</td> <td>sg-ecs → 5432</td> </tr> </tbody> </table></div> <h2> STEP 2: Store Credentials in Secrets Manager </h2> <p>Store passwords and other sensitive values in Secrets Manager so they never appear as plain text in your task definition.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws secretsmanager create-secret <span class="se">\</span> <span class="nt">--name</span> myapp/db-password <span class="se">\</span> <span class="nt">--secret-string</span> <span class="s2">"your-db-password"</span> aws secretsmanager create-secret <span class="se">\</span> <span class="nt">--name</span> myapp/db-user <span class="se">\</span> <span class="nt">--secret-string</span> <span class="s2">"your-db-user"</span> aws secretsmanager create-secret <span class="se">\</span> <span class="nt">--name</span> myapp/redis-password <span class="se">\</span> <span class="nt">--secret-string</span> <span class="s2">"your-redis-password"</span> </code></pre> </div> <h2> STEP 3: Provision RDS </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Subnet group (private subnets)</span> aws rds create-db-subnet-group <span class="se">\</span> <span class="nt">--db-subnet-group-name</span> myapp-rds-subnet <span class="se">\</span> <span class="nt">--db-subnet-group-description</span> <span class="s2">"myapp RDS subnet"</span> <span class="se">\</span> <span class="nt">--subnet-ids</span> subnet-aaaaaaaa subnet-bbbbbbbb <span class="c"># RDS instance</span> aws rds create-db-instance <span class="se">\</span> <span class="nt">--db-instance-identifier</span> myapp-db <span class="se">\</span> <span class="nt">--db-instance-class</span> db.t4g.small <span class="se">\</span> <span class="nt">--engine</span> postgres <span class="se">\</span> <span class="nt">--engine-version</span> 15.4 <span class="se">\</span> <span class="nt">--master-username</span> myapp <span class="se">\</span> <span class="nt">--master-user-password</span> <span class="s2">"your-db-password"</span> <span class="se">\</span> <span class="nt">--db-name</span> myapp <span class="se">\</span> <span class="nt">--db-subnet-group-name</span> myapp-rds-subnet <span class="se">\</span> <span class="nt">--vpc-security-group-ids</span> sg-rds <span class="se">\</span> <span class="nt">--multi-az</span> <span class="se">\</span> <span class="nt">--storage-type</span> gp3 <span class="se">\</span> <span class="nt">--allocated-storage</span> 20 <span class="se">\</span> <span class="nt">--no-publicly-accessible</span> </code></pre> </div> <h2> STEP 4: Provision ElastiCache (Redis) </h2> <p>Because Fargate replaces the underlying instance on every task restart, any session stored in memory will be lost. With multiple tasks running, a request routed to a different task will fail to find the session.</p> <p>Externalizing sessions to ElastiCache (Redis) solves both problems.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Subnet group</span> aws elasticache create-cache-subnet-group <span class="se">\</span> <span class="nt">--cache-subnet-group-name</span> myapp-redis-subnet <span class="se">\</span> <span class="nt">--cache-subnet-group-description</span> <span class="s2">"myapp redis subnet"</span> <span class="se">\</span> <span class="nt">--subnet-ids</span> subnet-aaaaaaaa subnet-bbbbbbbb <span class="c"># Parameter group</span> aws elasticache create-cache-parameter-group <span class="se">\</span> <span class="nt">--cache-parameter-group-name</span> myapp-redis-params <span class="se">\</span> <span class="nt">--cache-parameter-group-family</span> redis7 <span class="se">\</span> <span class="nt">--description</span> <span class="s2">"myapp redis params"</span> aws elasticache modify-cache-parameter-group <span class="se">\</span> <span class="nt">--cache-parameter-group-name</span> myapp-redis-params <span class="se">\</span> <span class="nt">--parameter-name-values</span> <span class="se">\</span> <span class="nv">ParameterName</span><span class="o">=</span>maxmemory-policy,ParameterValue<span class="o">=</span>allkeys-lru <span class="se">\</span> <span class="nv">ParameterName</span><span class="o">=</span><span class="nb">timeout</span>,ParameterValue<span class="o">=</span>300 <span class="c"># Redis cluster (Multi-AZ, encrypted)</span> aws elasticache create-replication-group <span class="se">\</span> <span class="nt">--replication-group-id</span> myapp-redis <span class="se">\</span> <span class="nt">--description</span> <span class="s2">"myapp session store"</span> <span class="se">\</span> <span class="nt">--engine</span> redis <span class="se">\</span> <span class="nt">--engine-version</span> 7.0 <span class="se">\</span> <span class="nt">--cache-node-type</span> cache.t4g.medium <span class="se">\</span> <span class="nt">--num-cache-clusters</span> 2 <span class="se">\</span> <span class="nt">--multi-az-enabled</span> <span class="se">\</span> <span class="nt">--automatic-failover-enabled</span> <span class="se">\</span> <span class="nt">--cache-subnet-group-name</span> myapp-redis-subnet <span class="se">\</span> <span class="nt">--cache-parameter-group-name</span> myapp-redis-params <span class="se">\</span> <span class="nt">--security-group-ids</span> sg-redis <span class="se">\</span> <span class="nt">--at-rest-encryption-enabled</span> <span class="se">\</span> <span class="nt">--transit-encryption-enabled</span> <span class="se">\</span> <span class="nt">--auth-token</span> <span class="s2">"your-redis-password"</span> </code></pre> </div> <h3> Spring Session configuration </h3> <p>Add the dependencies to <code>pom.xml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.session<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-session-data-redis<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.lettuce<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>lettuce-core<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <p>Configure <code>application.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">spring</span><span class="pi">:</span> <span class="na">session</span><span class="pi">:</span> <span class="na">store-type</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">30m</span> <span class="na">data</span><span class="pi">:</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">${REDIS_HOST}</span> <span class="na">port</span><span class="pi">:</span> <span class="s">${REDIS_PORT}</span> <span class="na">password</span><span class="pi">:</span> <span class="s">${REDIS_PASSWORD}</span> <span class="na">ssl</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">lettuce</span><span class="pi">:</span> <span class="na">pool</span><span class="pi">:</span> <span class="na">max-active</span><span class="pi">:</span> <span class="m">8</span> <span class="na">max-idle</span><span class="pi">:</span> <span class="m">8</span> <span class="na">min-idle</span><span class="pi">:</span> <span class="m">2</span> </code></pre> </div> <h2> STEP 5: Build Docker Images and Push to ECR </h2> <h3> Dockerfile (application) </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> tomcat:10.1-jdk17</span> <span class="k">RUN </span><span class="nb">rm</span> <span class="nt">-rf</span> /usr/local/tomcat/webapps/<span class="k">*</span> <span class="k">COPY</span><span class="s"> target/myapp.war /usr/local/tomcat/webapps/ROOT.war</span> <span class="k">EXPOSE</span><span class="s"> 8080</span> <span class="k">CMD</span><span class="s"> ["catalina.sh", "run"]</span> </code></pre> </div> <h3> Dockerfile.migration (Flyway) </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> flyway/flyway:10-alpine</span> <span class="k">COPY</span><span class="s"> db/migration /flyway/sql</span> <span class="k">COPY</span><span class="s"> flyway.conf /flyway/conf/flyway.conf</span> <span class="k">ENTRYPOINT</span><span class="s"> ["flyway", "migrate"]</span> </code></pre> </div> <p><code>flyway.conf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">flyway.url</span><span class="p">=</span><span class="s">jdbc:postgresql://${DB_HOST}:5432/${DB_NAME}</span> <span class="py">flyway.user</span><span class="p">=</span><span class="s">${DB_USER}</span> <span class="py">flyway.password</span><span class="p">=</span><span class="s">${DB_PASSWORD}</span> <span class="py">flyway.locations</span><span class="p">=</span><span class="s">filesystem:/flyway/sql</span> <span class="py">flyway.baselineOnMigrate</span><span class="p">=</span><span class="s">true</span> </code></pre> </div> <h3> Push to ECR </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create repositories</span> aws ecr create-repository <span class="nt">--repository-name</span> myapp aws ecr create-repository <span class="nt">--repository-name</span> myapp-migration <span class="c"># Login</span> aws ecr get-login-password <span class="nt">--region</span> ap-northeast-1 <span class="se">\</span> | docker login <span class="nt">--username</span> AWS <span class="nt">--password-stdin</span> <span class="se">\</span> &lt;account_id&gt;.dkr.ecr.ap-northeast-1.amazonaws.com <span class="c"># Application image</span> docker build <span class="nt">-t</span> myapp <span class="nb">.</span> docker tag myapp:latest <span class="se">\</span> &lt;account_id&gt;.dkr.ecr.ap-northeast-1.amazonaws.com/myapp:latest docker push <span class="se">\</span> &lt;account_id&gt;.dkr.ecr.ap-northeast-1.amazonaws.com/myapp:latest <span class="c"># Migration image</span> docker build <span class="nt">-f</span> Dockerfile.migration <span class="nt">-t</span> myapp-migration <span class="nb">.</span> docker tag myapp-migration:latest <span class="se">\</span> &lt;account_id&gt;.dkr.ecr.ap-northeast-1.amazonaws.com/myapp-migration:latest docker push <span class="se">\</span> &lt;account_id&gt;.dkr.ecr.ap-northeast-1.amazonaws.com/myapp-migration:latest </code></pre> </div> <h2> STEP 6: Create CloudWatch Logs Groups </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws logs create-log-group <span class="nt">--log-group-name</span> /ecs/myapp/migration aws logs create-log-group <span class="nt">--log-group-name</span> /ecs/myapp/tomcat </code></pre> </div> <h2> STEP 7: Create the IAM Execution Role </h2> <p>The ECS agent needs this role to pull images from ECR and fetch secrets from Secrets Manager.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws iam create-role <span class="se">\</span> <span class="nt">--role-name</span> ecsTaskExecutionRole <span class="se">\</span> <span class="nt">--assume-role-policy-document</span> <span class="s1">'{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com" }, "Action": "sts:AssumeRole" }] }'</span> aws iam attach-role-policy <span class="se">\</span> <span class="nt">--role-name</span> ecsTaskExecutionRole <span class="se">\</span> <span class="nt">--policy-arn</span> arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy aws iam attach-role-policy <span class="se">\</span> <span class="nt">--role-name</span> ecsTaskExecutionRole <span class="se">\</span> <span class="nt">--policy-arn</span> arn:aws:iam::aws:policy/SecretsManagerReadWrite </code></pre> </div> <h2> STEP 8: Register the Task Definition </h2> <p>The key point here is <code>dependsOn</code> with <code>condition: SUCCESS</code> — Tomcat will not start until the migration container exits cleanly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"family"</span><span class="p">:</span><span class="w"> </span><span class="s2">"myapp-task"</span><span class="p">,</span><span class="w"> </span><span class="nl">"networkMode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"awsvpc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requiresCompatibilities"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"FARGATE"</span><span class="p">],</span><span class="w"> </span><span class="nl">"cpu"</span><span class="p">:</span><span class="w"> </span><span class="s2">"512"</span><span class="p">,</span><span class="w"> </span><span class="nl">"memory"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1024"</span><span class="p">,</span><span class="w"> </span><span class="nl">"executionRoleArn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::&lt;account_id&gt;:role/ecsTaskExecutionRole"</span><span class="p">,</span><span class="w"> </span><span class="nl">"containerDefinitions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"migration"</span><span class="p">,</span><span class="w"> </span><span class="nl">"image"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;account_id&gt;.dkr.ecr.ap-northeast-1.amazonaws.com/myapp-migration:latest"</span><span class="p">,</span><span class="w"> </span><span class="nl">"essential"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"secrets"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DB_USER"</span><span class="p">,</span><span class="w"> </span><span class="nl">"valueFrom"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:secretsmanager:ap-northeast-1:&lt;account_id&gt;:secret:myapp/db-user"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DB_PASSWORD"</span><span class="p">,</span><span class="w"> </span><span class="nl">"valueFrom"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:secretsmanager:ap-northeast-1:&lt;account_id&gt;:secret:myapp/db-password"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"environment"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DB_HOST"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"myapp-db.xxxx.ap-northeast-1.rds.amazonaws.com"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DB_NAME"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"myapp"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"logConfiguration"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"logDriver"</span><span class="p">:</span><span class="w"> </span><span class="s2">"awslogs"</span><span class="p">,</span><span class="w"> </span><span class="nl">"options"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"awslogs-group"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/ecs/myapp/migration"</span><span class="p">,</span><span class="w"> </span><span class="nl">"awslogs-region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ap-northeast-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"awslogs-stream-prefix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ecs"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tomcat"</span><span class="p">,</span><span class="w"> </span><span class="nl">"image"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;account_id&gt;.dkr.ecr.ap-northeast-1.amazonaws.com/myapp:latest"</span><span class="p">,</span><span class="w"> </span><span class="nl">"essential"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"dependsOn"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"containerName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"migration"</span><span class="p">,</span><span class="w"> </span><span class="nl">"condition"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SUCCESS"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"portMappings"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"containerPort"</span><span class="p">:</span><span class="w"> </span><span class="mi">8080</span><span class="p">,</span><span class="w"> </span><span class="nl">"protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tcp"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"environment"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DB_HOST"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"myapp-db.xxxx.ap-northeast-1.rds.amazonaws.com"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DB_NAME"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"myapp"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"REDIS_HOST"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"myapp-redis.xxxx.ng.0001.apne1.cache.amazonaws.com"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"REDIS_PORT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"6379"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"TZ"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Asia/Tokyo"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"secrets"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DB_USER"</span><span class="p">,</span><span class="w"> </span><span class="nl">"valueFrom"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:secretsmanager:ap-northeast-1:&lt;account_id&gt;:secret:myapp/db-user"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DB_PASSWORD"</span><span class="p">,</span><span class="w"> </span><span class="nl">"valueFrom"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:secretsmanager:ap-northeast-1:&lt;account_id&gt;:secret:myapp/db-password"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"REDIS_PASSWORD"</span><span class="p">,</span><span class="w"> </span><span class="nl">"valueFrom"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:secretsmanager:ap-northeast-1:&lt;account_id&gt;:secret:myapp/redis-password"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"healthCheck"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"CMD-SHELL"</span><span class="p">,</span><span class="w"> </span><span class="s2">"curl -f http://localhost:8080/health || exit 1"</span><span class="p">],</span><span class="w"> </span><span class="nl">"interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">30</span><span class="p">,</span><span class="w"> </span><span class="nl">"timeout"</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="nl">"retries"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nl">"startPeriod"</span><span class="p">:</span><span class="w"> </span><span class="mi">90</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"logConfiguration"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"logDriver"</span><span class="p">:</span><span class="w"> </span><span class="s2">"awslogs"</span><span class="p">,</span><span class="w"> </span><span class="nl">"options"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"awslogs-group"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/ecs/myapp/tomcat"</span><span class="p">,</span><span class="w"> </span><span class="nl">"awslogs-region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ap-northeast-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"awslogs-stream-prefix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ecs"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ecs register-task-definition <span class="se">\</span> <span class="nt">--cli-input-json</span> file://task-definition.json </code></pre> </div> <blockquote> <p><strong>Note:</strong> Setting <code>essential: false</code> on the migration container means the task keeps running after migration completes. Tomcat uses <code>condition: SUCCESS</code> to wait for a clean exit before starting.</p> </blockquote> <h2> STEP 9: Create the ALB </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create ALB</span> aws elbv2 create-load-balancer <span class="se">\</span> <span class="nt">--name</span> myapp-alb <span class="se">\</span> <span class="nt">--subnets</span> subnet-aaaaaaaa subnet-bbbbbbbb <span class="se">\</span> <span class="nt">--security-groups</span> sg-alb <span class="se">\</span> <span class="nt">--scheme</span> internet-facing <span class="se">\</span> <span class="nt">--type</span> application <span class="c"># Create target group</span> <span class="c"># Important: Fargate requires --target-type ip, not instance</span> aws elbv2 create-target-group <span class="se">\</span> <span class="nt">--name</span> myapp-tg <span class="se">\</span> <span class="nt">--protocol</span> HTTP <span class="se">\</span> <span class="nt">--port</span> 8080 <span class="se">\</span> <span class="nt">--vpc-id</span> vpc-xxxxxxxx <span class="se">\</span> <span class="nt">--target-type</span> ip <span class="se">\</span> <span class="nt">--health-check-path</span> /health <span class="se">\</span> <span class="nt">--health-check-interval-seconds</span> 30 <span class="se">\</span> <span class="nt">--healthy-threshold-count</span> 2 <span class="se">\</span> <span class="nt">--unhealthy-threshold-count</span> 3 <span class="c"># Create listener</span> aws elbv2 create-listener <span class="se">\</span> <span class="nt">--load-balancer-arn</span> &lt;alb-arn&gt; <span class="se">\</span> <span class="nt">--protocol</span> HTTP <span class="se">\</span> <span class="nt">--port</span> 80 <span class="se">\</span> <span class="nt">--default-actions</span> <span class="nv">Type</span><span class="o">=</span>forward,TargetGroupArn<span class="o">=</span>&lt;tg-arn&gt; <span class="c"># Shorten deregistration delay (default 300s is too long)</span> aws elbv2 modify-target-group-attributes <span class="se">\</span> <span class="nt">--target-group-arn</span> &lt;tg-arn&gt; <span class="se">\</span> <span class="nt">--attributes</span> <span class="nv">Key</span><span class="o">=</span>deregistration_delay.timeout_seconds,Value<span class="o">=</span>30 </code></pre> </div> <h2> STEP 10: Create the ECS Cluster and Service </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create cluster</span> aws ecs create-cluster <span class="nt">--cluster-name</span> myapp-cluster <span class="c"># Create service</span> aws ecs create-service <span class="se">\</span> <span class="nt">--cluster</span> myapp-cluster <span class="se">\</span> <span class="nt">--service-name</span> myapp-service <span class="se">\</span> <span class="nt">--task-definition</span> myapp-task <span class="se">\</span> <span class="nt">--desired-count</span> 8 <span class="se">\</span> <span class="nt">--launch-type</span> FARGATE <span class="se">\</span> <span class="nt">--network-configuration</span> <span class="s2">"awsvpcConfiguration={ subnets=[subnet-aaaaaaaa,subnet-bbbbbbbb], securityGroups=[sg-ecs], assignPublicIp=DISABLED }"</span> <span class="se">\</span> <span class="nt">--load-balancers</span> <span class="s2">"targetGroupArn=&lt;tg-arn&gt;,containerName=tomcat,containerPort=8080"</span> <span class="se">\</span> <span class="nt">--deployment-configuration</span> <span class="se">\</span> <span class="s2">"minimumHealthyPercent=50,maximumPercent=200,deploymentCircuitBreaker={enable=true,rollback=true}"</span> </code></pre> </div> <p>Enabling <code>deploymentCircuitBreaker</code> means ECS automatically rolls back to the previous revision if a deployment fails repeatedly.</p> <h2> STEP 11: Configure Auto Scaling </h2> <p>Auto Scaling handles traffic spikes without manual intervention.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws application-autoscaling register-scalable-target <span class="se">\</span> <span class="nt">--service-namespace</span> ecs <span class="se">\</span> <span class="nt">--resource-id</span> service/myapp-cluster/myapp-service <span class="se">\</span> <span class="nt">--scalable-dimension</span> ecs:service:DesiredCount <span class="se">\</span> <span class="nt">--min-capacity</span> 4 <span class="se">\</span> <span class="nt">--max-capacity</span> 12 aws application-autoscaling put-scaling-policy <span class="se">\</span> <span class="nt">--policy-name</span> cpu-tracking <span class="se">\</span> <span class="nt">--service-namespace</span> ecs <span class="se">\</span> <span class="nt">--resource-id</span> service/myapp-cluster/myapp-service <span class="se">\</span> <span class="nt">--scalable-dimension</span> ecs:service:DesiredCount <span class="se">\</span> <span class="nt">--policy-type</span> TargetTrackingScaling <span class="se">\</span> <span class="nt">--target-tracking-scaling-policy-configuration</span> <span class="s1">'{ "TargetValue": 70.0, "PredefinedMetricSpecification": { "PredefinedMetricType": "ECSServiceAverageCPUUtilization" }, "ScaleOutCooldown": 60, "ScaleInCooldown": 300 }'</span> </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Setting</th> <th>Value</th> <th>Reason</th> </tr> </thead> <tbody> <tr> <td>min-capacity</td> <td>4</td> <td>Baseline task count</td> </tr> <tr> <td>max-capacity</td> <td>12</td> <td>Peak capacity</td> </tr> <tr> <td>TargetValue</td> <td>70%</td> <td>Scale out when CPU exceeds 70%</td> </tr> <tr> <td>ScaleOutCooldown</td> <td>60s</td> <td>React quickly to load spikes</td> </tr> <tr> <td>ScaleInCooldown</td> <td>300s</td> <td>Prevent aggressive scale-in</td> </tr> </tbody> </table></div> <h2> Verify the Deployment </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check running tasks</span> aws ecs list-tasks <span class="nt">--cluster</span> myapp-cluster <span class="c"># Check service status</span> aws ecs describe-services <span class="se">\</span> <span class="nt">--cluster</span> myapp-cluster <span class="se">\</span> <span class="nt">--services</span> myapp-service <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'services[0].{Status:status,Running:runningCount,Desired:desiredCount}'</span> <span class="c"># Get the ALB DNS name and open it in a browser</span> aws elbv2 describe-load-balancers <span class="se">\</span> <span class="nt">--names</span> myapp-alb <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'LoadBalancers[0].DNSName'</span> </code></pre> </div> <h2> Common Pitfalls </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Problem</th> <th>Cause</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td>Task exits immediately after start</td> <td>Application startup error</td> <td>Check CloudWatch Logs for the stack trace</td> </tr> <tr> <td>Health check never passes</td> <td>Tomcat takes too long to start</td> <td>Set <code>startPeriod</code> to 90–120 seconds</td> </tr> <tr> <td>Cannot pull image from ECR</td> <td>Missing permissions on <code>ecsTaskExecutionRole</code> </td> <td>Attach <code>AmazonECSTaskExecutionRolePolicy</code> </td> </tr> <tr> <td>Cannot connect to Redis</td> <td>Security group misconfiguration</td> <td>Verify sg-ecs → sg-redis on port 6379</td> </tr> <tr> <td>Tomcat does not start after migration</td> <td>Missing <code>dependsOn</code> </td> <td>Add <code>condition: SUCCESS</code> to the task definition</td> </tr> <tr> <td>ALB returns 502</td> <td>Target type set to <code>instance</code> </td> <td>Change to <code>ip</code> </td> </tr> </tbody> </table></div> <h2> Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Step</th> <th>What you do</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Create security groups</td> </tr> <tr> <td>2</td> <td>Store credentials in Secrets Manager</td> </tr> <tr> <td>3</td> <td>Provision RDS</td> </tr> <tr> <td>4</td> <td>Provision ElastiCache</td> </tr> <tr> <td>5</td> <td>Build images and push to ECR</td> </tr> <tr> <td>6</td> <td>Create CloudWatch Logs groups</td> </tr> <tr> <td>7</td> <td>Create IAM execution role</td> </tr> <tr> <td>8</td> <td>Register task definition</td> </tr> <tr> <td>9</td> <td>Create ALB</td> </tr> <tr> <td>10</td> <td>Create ECS cluster and service</td> </tr> <tr> <td>11</td> <td>Configure Auto Scaling</td> </tr> </tbody> </table></div> <p>Fargate eliminates server management and hands off deployment and scaling to AWS. Setting up session management, DB migration, and Auto Scaling from the start dramatically reduces rework later.</p> aws ecs fargate java Production-Ready AWS 3-Tier Architecture with Terraform (SSM & Secrets Manager) nao1515 Tue, 05 May 2026 14:56:34 +0000 https://dev.to/1515_1c22035d85e1ae3d/production-ready-aws-3-tier-architecture-with-terraform-ssm-secrets-manager-5e86 https://dev.to/1515_1c22035d85e1ae3d/production-ready-aws-3-tier-architecture-with-terraform-ssm-secrets-manager-5e86 <h2> Introduction </h2> <p>Building a "VPC-EC2-RDS" stack is a common task, but making it <strong>production-ready</strong> requires more than just resource creation. In this post, I will share a modular Terraform setup that implements:</p> <ol> <li> <strong>Modular Design</strong>: Reusable code for VPC, EC2, and RDS.</li> <li> <strong>Bastion-less Access</strong>: Using AWS Systems Manager (SSM) instead of SSH.</li> <li> <strong>Secret Management</strong>: Managing RDS passwords via AWS Secrets Manager.</li> </ol> <h3> Project Structure </h3> <p>We follow the standard environment/module separation to ensure scalability.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform/ ├── envs/ │ └── dev/ # Environment-specific configuration │ ├── main.tf # Root module calling local modules │ └── terraform.tfvars └── modules/ ├── vpc/ # Networking &amp; Security Groups ├── ec2/ # IAM Roles &amp; SSM-ready Instances └── rds/ # Private Database Instances </code></pre> </div> <h3> Key Features </h3> <ul> <li>Networking (modules/vpc)</li> </ul> <p>We define a VPC with both public and private subnets. The RDS instance stays in the private subnet, while the EC2 is also kept private for maximum security, relying on the NAT Gateway for outbound traffic.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">env</span><span class="k">}</span><span class="s2">-vpc"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">env</span><span class="k">}</span><span class="s2">-web-sg"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"db"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">env</span><span class="k">}</span><span class="s2">-db-sg"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">web</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li>modules/ec2: Bastion-less Access via SSM</li> </ul> <p>Build secure EC2 instances by closing all SSH ports and leveraging AWS Systems Manager (SSM) for remote access.</p> <p>IAM Instance Profile for SSM Permissions<br> Instead of managing SSH keys, we attach an IAM role with the AmazonSSMManagedInstanceCore policy. This allows secure terminal access through the AWS Console or CLI.</p> <p>Deployment in Private Subnets<br> The instances are placed in private subnets with no public IP addresses, significantly reducing the attack surface by making them inaccessible from the open internet.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ami_id</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">subnet_id</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">security_group_ids</span> <span class="nx">iam_instance_profile</span> <span class="p">=</span> <span class="nx">aws_iam_instance_profile</span><span class="p">.</span><span class="nx">ssm_profile</span><span class="p">.</span><span class="nx">name</span> <span class="nx">metadata_options</span> <span class="p">{</span> <span class="nx">http_endpoint</span> <span class="p">=</span> <span class="s2">"enabled"</span> <span class="nx">http_tokens</span> <span class="p">=</span> <span class="s2">"required"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">env</span><span class="k">}</span><span class="s2">-ec2"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"ssm_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">env</span><span class="k">}</span><span class="s2">-ssm-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span><span class="p">,</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span><span class="p">,</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"ec2.amazonaws.com"</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"ssm_managed"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ssm_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"</span> <span class="p">}</span> </code></pre> </div> <ul> <li>modules/rds: Managed Database Layer</li> </ul> <p>We deploy a production-grade PostgreSQL instance with a focus on maximum security and automated credential management.</p> <p>Private Isolation from External Traffic<br> The database is placed in a dedicated private subnet with publicly_accessible = false. All direct ingress from the internet is strictly blocked, ensuring your data remains isolated.</p> <p>Dynamic Password Injection via Variables<br> To avoid hardcoding sensitive information, the database password is parameterized. This allows for dynamic injection from higher-level environments or secret management services (like AWS Secrets Manager), ensuring a secure CI/CD pipeline.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_db_subnet_group"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">env</span><span class="k">}</span><span class="s2">-rds-subnet-group"</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">subnet_ids</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">identifier</span> <span class="nx">engine</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">engine</span> <span class="nx">engine_version</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">engine_version</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">instance_class</span> <span class="nx">allocated_storage</span> <span class="p">=</span> <span class="mi">20</span> <span class="nx">db_name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">database_name</span> <span class="nx">username</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">master_username</span> <span class="nx">password</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">master_password</span> <span class="nx">db_subnet_group_name</span> <span class="p">=</span> <span class="nx">aws_db_subnet_group</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">security_group_ids</span> <span class="nx">publicly_accessible</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">skip_final_snapshot</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <ul> <li>envs/dev: Environment-Specific Configuration &amp; Secret Management</li> </ul> <p>In this directory, we integrate the individual modules to build a complete "Development" environment while ensuring that sensitive information like passwords is handled securely.</p> <p>Secure RDS Password Retrieval via AWS Secrets Manager<br> Instead of hardcoding database credentials, we dynamically fetch the RDS master password from AWS Secrets Manager at runtime.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_secretsmanager_secret"</span> <span class="s2">"rds_password"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project</span><span class="k">}</span><span class="s2">/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">env</span><span class="k">}</span><span class="s2">/rds-password"</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"aws_secretsmanager_secret_version"</span> <span class="s2">"rds_password"</span> <span class="p">{</span> <span class="nx">secret_id</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_secretsmanager_secret</span><span class="p">.</span><span class="nx">rds_password</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../modules/vpc"</span> <span class="nx">vpc_cidr</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="c1"># ...</span> <span class="p">}</span> <span class="k">module</span> <span class="s2">"rds"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../modules/rds"</span> <span class="nx">master_password</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_secretsmanager_secret_version</span><span class="p">.</span><span class="nx">rds_password</span><span class="p">.</span><span class="nx">secret_string</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">db_sg_id</span><span class="p">]</span> <span class="p">}</span> <span class="k">module</span> <span class="s2">"ec2"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../modules/ec2"</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnet_ids</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">web_sg_id</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <ul> <li>Conclusion: Aiming for Production-Ready Terraform Architecture</li> </ul> <p>In this walkthrough, we didn't just focus on turning resources into code. We prioritized the core pillars required in real-world operations: Maintainability, Security, and Reusability.</p> <p>Key Benefits of This Architecture<br> Environment Portability<br> Need a production environment? Just create a new envs/prod/ directory. You can replicate this entire stack for production in minutes.</p> <p>Moving Beyond Bastion Hosts<br> By leveraging AWS Systems Manager (SSM), we've eliminated the security risk of leaving SSH ports open to the world.</p> <p>Proper Secret Management<br> With AWS Secrets Manager, sensitive passwords are decoupled from your codebase, ensuring they never leak into your Git history.</p> <p>Infrastructure as Code (IaC) with Terraform is a powerful weapon that drastically reduces manual engineering hours and prevents human error. I encourage you to take this template and customize it to fit the specific needs of your own projects.</p> architecture aws infrastructure terraform Connect to RDS (PostgreSQL) in a Private Subnet via AWS Client VPN nao1515 Sun, 03 May 2026 17:09:53 +0000 https://dev.to/1515_1c22035d85e1ae3d/connect-to-rds-postgresql-in-a-private-subnet-via-aws-client-vpn-346o https://dev.to/1515_1c22035d85e1ae3d/connect-to-rds-postgresql-in-a-private-subnet-via-aws-client-vpn-346o <h2> Introduction </h2> <p>Placing RDS in a <strong>private subnet</strong> protects it from unauthorized external access — but it also means you can no longer connect directly from your developer machine.</p> <p>This article walks you through a step-by-step guide to securely connect to a private-subnet RDS (PostgreSQL) instance using <strong>AWS Client VPN</strong>.</p> <h3> Architecture Overview </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer PC │ │ UDP 443 (TLS / Mutual Certificate Authentication) ▼ Client VPN Endpoint (Public Subnet) │ │ Authorization Rule + Route Table ▼ Private Subnet │ │ SG: Port 5432 allowed from Client CIDR ▼ Amazon RDS (PostgreSQL) </code></pre> </div> <h2> Prerequisites </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Item</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>VPC CIDR</td> <td><code>10.0.0.0/16</code></td> </tr> <tr> <td>Public Subnet</td> <td> <code>10.0.0.0/24</code> (for VPN association)</td> </tr> <tr> <td>Private Subnet</td> <td> <code>10.0.1.0/24</code> (for RDS)</td> </tr> <tr> <td>Client CIDR</td> <td> <code>10.100.0.0/22</code> (IP range assigned to VPN clients)</td> </tr> <tr> <td>DB Engine</td> <td>PostgreSQL</td> </tr> <tr> <td>Port</td> <td>5432</td> </tr> </tbody> </table></div> <h2> Step 1: Create Certificates and Import to ACM </h2> <p>Generate server and client certificates using Easy-RSA.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/OpenVPN/easy-rsa.git <span class="nb">cd </span>easy-rsa/easyrsa3 ./easyrsa init-pki ./easyrsa build-ca nopass ./easyrsa build-server-full server nopass ./easyrsa build-client-full client1 nopass </code></pre> </div> <p>Import the generated certificates into ACM.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Server certificate</span> aws acm import-certificate <span class="se">\</span> <span class="nt">--certificate</span> fileb://pki/issued/server.crt <span class="se">\</span> <span class="nt">--private-key</span> fileb://pki/private/server.key <span class="se">\</span> <span class="nt">--certificate-chain</span> fileb://pki/ca.crt <span class="se">\</span> <span class="nt">--region</span> ap-northeast-1 <span class="c"># Client certificate</span> aws acm import-certificate <span class="se">\</span> <span class="nt">--certificate</span> fileb://pki/issued/client1.crt <span class="se">\</span> <span class="nt">--private-key</span> fileb://pki/private/client1.key <span class="se">\</span> <span class="nt">--certificate-chain</span> fileb://pki/ca.crt <span class="se">\</span> <span class="nt">--region</span> ap-northeast-1 </code></pre> </div> <blockquote> <p><strong>Important</strong>: The ACM region must match the region where you create the Client VPN endpoint.</p> </blockquote> <h2> Step 2: Create the Client VPN Endpoint </h2> <p>Go to <strong>AWS Management Console → VPC → Client VPN Endpoints → Create</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Setting</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Client IPv4 CIDR</td> <td><code>10.100.0.0/22</code></td> </tr> <tr> <td>Server Certificate ARN</td> <td>Server certificate imported in ACM</td> </tr> <tr> <td>Authentication Type</td> <td>Mutual Authentication (client certificate)</td> </tr> <tr> <td>Client Certificate ARN</td> <td>Client certificate imported in ACM</td> </tr> <tr> <td>DNS Server</td> <td> <code>10.0.0.2</code> (VPC DNS)</td> </tr> <tr> <td>Protocol</td> <td>UDP</td> </tr> <tr> <td>Split Tunnel</td> <td><strong>Enabled</strong></td> </tr> </tbody> </table></div> <blockquote> <p><strong>Why enable Split Tunnel?</strong> Only traffic destined for the VPC is routed through the VPN. This avoids impacting regular internet traffic and improves performance.</p> </blockquote> <h2> Step 3: Associate a Target Network </h2> <p><strong>Client VPN Endpoint → Target Network Associations → Associate</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Subnet to associate: Public Subnet (10.0.0.0/24) </code></pre> </div> <h2> Step 4: Add Authorization Rules and Routes </h2> <h3> Authorization Rule </h3> <p><strong>Client VPN Endpoint → Authorization Rules → Add Authorization Rule</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Destination CIDR</td> <td> <code>10.0.1.0/24</code> (RDS subnet)</td> </tr> <tr> <td>Grant access to</td> <td>All users</td> </tr> </tbody> </table></div> <h3> Add Route </h3> <p><strong>Client VPN Endpoint → Route Table → Create Route</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Route Destination</td> <td><code>10.0.1.0/24</code></td> </tr> <tr> <td>Target Subnet</td> <td>The subnet associated in Step 3</td> </tr> </tbody> </table></div> <h2> Step 5: Configure Security Groups </h2> <h3> Client VPN Endpoint SG </h3> <blockquote> <p><strong>No inbound rules needed for the Client VPN endpoint SG.</strong></p> <p>Because Client VPN is a managed AWS service, you do <strong>not</strong> need to add an inbound rule for UDP 443 to its security group. Only outbound rules are required.</p> </blockquote> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Direction</th> <th>Protocol</th> <th>Port</th> <th>Target</th> </tr> </thead> <tbody> <tr> <td>Outbound</td> <td>All</td> <td>All</td> <td><code>0.0.0.0/0</code></td> </tr> </tbody> </table></div> <h3> RDS Security Group (Critical) </h3> <p>You <strong>must</strong> allow inbound traffic from the Client CIDR to the RDS security group.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Direction</th> <th>Protocol</th> <th>Port</th> <th>Source</th> </tr> </thead> <tbody> <tr> <td>Inbound</td> <td>TCP</td> <td><strong>5432</strong></td> <td> <code>10.100.0.0/22</code> (Client CIDR)</td> </tr> </tbody> </table></div> <blockquote> <p><strong>This is the most important step.</strong> Without allowing port 5432 from the Client CIDR in the RDS security group, the connection will never succeed — no matter how correctly the VPN is configured.</p> </blockquote> <h2> Step 6: Prepare the Client Configuration File </h2> <h3> Download the .ovpn File </h3> <p><strong>Client VPN Endpoint → Download Client Configuration</strong></p> <h3> Append Certificate Information </h3> <p>Add the client certificate and private key to the end of the downloaded <code>.ovpn</code> file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># View certificate contents</span> <span class="nb">cat </span>pki/issued/client1.crt <span class="nb">cat </span>pki/private/client1.key </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code># Append to the end of the .ovpn file <span class="nt">&lt;cert&gt;</span> -----BEGIN CERTIFICATE----- (Paste the contents of client1.crt here) -----END CERTIFICATE----- <span class="nt">&lt;/cert&gt;</span> <span class="nt">&lt;key&gt;</span> -----BEGIN PRIVATE KEY----- (Paste the contents of client1.key here) -----END PRIVATE KEY----- <span class="nt">&lt;/key&gt;</span> </code></pre> </div> <h2> Step 7: Connect via VPN and Verify RDS Access </h2> <h3> Connect to the VPN </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Using CLI</span> <span class="nb">sudo </span>openvpn <span class="nt">--config</span> downloaded-client-config.ovpn <span class="c"># Or use the AWS VPN Client (GUI)</span> </code></pre> </div> <h3> Verify Connectivity </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check port reachability</span> nc <span class="nt">-zv</span> mydb.xxxxxx.ap-northeast-1.rds.amazonaws.com 5432 <span class="c"># Connection to mydb... 5432 port [tcp/postgresql] succeeded!</span> </code></pre> </div> <h3> Connect to PostgreSQL </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>psql <span class="se">\</span> <span class="nt">-h</span> mydb.xxxxxx.ap-northeast-1.rds.amazonaws.com <span class="se">\</span> <span class="nt">-U</span> postgres <span class="se">\</span> <span class="nt">-d</span> mydb <span class="se">\</span> <span class="nt">-p</span> 5432 </code></pre> </div> <p>If the connection is successful, you'll see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">psql (15.x) SSL connection (protocol: TLSv1.3, ...) Type "help" for help. </span><span class="gp">mydb=#</span><span class="w"> </span></code></pre> </div> <h2> Verify VPC DNS Settings </h2> <p>RDS endpoint hostname resolution requires proper VPC DNS configuration.</p> <p><strong>VPC → Settings</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Setting</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>DNS Resolution</td> <td><strong>Enabled</strong></td> </tr> <tr> <td>DNS Hostnames</td> <td><strong>Enabled</strong></td> </tr> </tbody> </table></div> <p>Set the VPC DNS address (e.g., <code>10.0.0.2</code>) as the DNS server in the Client VPN endpoint settings so that RDS endpoint names resolve correctly from the client.</p> <h2> Troubleshooting </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Symptom</th> <th>What to Check</th> </tr> </thead> <tbody> <tr> <td>Connection times out</td> <td>Is port 5432 from the Client CIDR allowed in the RDS SG inbound rules?</td> </tr> <tr> <td>DNS resolution fails</td> <td>Is the VPC DNS (subnet base + 2) set as the DNS server on the VPN endpoint?</td> </tr> <tr> <td>VPN itself won't connect</td> <td>Does the ACM certificate region match the Client VPN endpoint region?</td> </tr> <tr> <td>VPN connected but can't reach RDS</td> <td>With Split Tunnel enabled, is <code>10.0.1.0/24</code> added to the route table?</td> </tr> <tr> <td>Authorization rule error</td> <td>Is the Client CIDR <code>10.100.0.0/22</code> included in routes and authorization rules?</td> </tr> </tbody> </table></div> <h2> Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Configuration</th> <th>Key Point</th> </tr> </thead> <tbody> <tr> <td>Client VPN Endpoint SG</td> <td>Outbound only</td> <td>No inbound rules needed</td> </tr> <tr> <td>RDS SG</td> <td>Inbound port 5432</td> <td>Source = Client CIDR</td> </tr> <tr> <td>Authorization Rule</td> <td>Allow private subnet CIDR</td> <td>—</td> </tr> <tr> <td>Route Table</td> <td>Add private subnet CIDR</td> <td>—</td> </tr> <tr> <td>Split Tunnel</td> <td>Enabled</td> <td>Only VPC traffic goes through VPN</td> </tr> </tbody> </table></div> <p>A common misconception is that you need to open inbound UDP 443 on the Client VPN endpoint's security group — <strong>you don't</strong>. What matters is allowing the Client CIDR on the destination resource (RDS) security group.</p> <h2> References </h2> <ul> <li><a href="https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html" rel="noopener noreferrer">AWS Docs: What is AWS Client VPN?</a></li> <li><a href="https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html" rel="noopener noreferrer">AWS Docs: Client Authentication</a></li> <li><a href="https://github.com/OpenVPN/easy-rsa" rel="noopener noreferrer">Easy-RSA GitHub</a></li> </ul> aws networking postgres tutorial aws nao1515 Sun, 03 May 2026 11:41:56 +0000 https://dev.to/1515_1c22035d85e1ae3d/aws-21ao https://dev.to/1515_1c22035d85e1ae3d/aws-21ao