DEV Community: Fortress Abioye

That Beginner AWS Project You Can Practice With

Fortress Abioye — Thu, 30 Jan 2025 13:08:51 +0000

In this article, we will implement a highly-available and architecture-focused project on AWS, while adhering to best practices.
This is good for you if you want to build or brush up on your skills and knowledge of AWS, are looking to practice or implement a beginner-level project and understand how AWS services are used and interact with each other.

ARCHITECTURE OVERVIEW

This architecture has a presentation layer, an application layer and a database layer. The application layer comprising the application will be hosted on the EC2 instance and will interact with the database layer which is used to host, store and retrieve data. The presentation layer is also hosted on EC2 instances within public subnets. Overall, this architecture covers compute resources, networking and database components as seen in the diagram below:

Let's dive straight into implementation:

IMPLEMENTATION STEPS

On the AWS Console, start by creating a VPC. Use the 'VPC and more' option to create other networking components (subnets, route tables, internet and NAT gateway) alongside.

Create public and private subnets in 2 different Availability Zones, according to our architecture diagram. The image below shows a guide and details to set it up:

This automatically creates the subnets, routes and IG and NAT gateways along with the VPC.

Now we need to configure the Internet Gateway and NAT Gateway. For the public subnets' route tables, add a route to the Internet Gateway for 0.0.0.0/0 (Internet access).

For the private subnet route table, add a route to the NAT Gateway for 0.0.0.0/0. This will provide internet access for instances in private subnets without exposing them directly to the public internet.

Create Security Groups for both the public and private subnets.

In the public subnet security group, allow inbound traffic on port 22 (SSH) for your IP address and the required application ports (e.g., HTTP, HTTPS).

In the private subnet security group, allow inbound traffic on the required application ports from the public subnets so they can have access.

Launch Auto-Scaling Groups and EC2 Instances.

To create a highly available structure, we would start by creating 2 Auto-Scaling Groups (ASGs), one each for public and private subnets and would cover both availability zones.

Create a launch template (which will contain the settings you want your instances in this ASG to all have) if you don't have one.

After creating the launch template, go back to the ASG to create the first one. Choose the desired template, VPC and select the public subnets we created across both availability zones. Note: You can select more than one subnet/availability zone in an ASG.

Set a desired capacity (the number of instances you desire your ASG to constantly have) and scaling limits (to determine how your ASG can scale). You can add a load balancer with the ASG if needed. Other details are optional and can be left out for this demo.
Create the second Auto-Scaling Group for 2 private subnets across the 2 availability zones. After creating both, you should have something like this:

And your instances:

Create an RDS Instance in the private subnet

On the AWS Console, under RDS, start by creating a subnet group and select the remaining private subnets across both availability zones. The subnet group determines which subnets and IP ranges the database would use. The RDS instance should be placed in private subnets to enhance security and isolate them from the public internet.

After the subnet group is created, create the DB and select a suitable database option. It is better to use Standard Create to set configurations according to your environment's requirements.

Choose an instance configuration and template according to your needs and input username and password credentials.

You can choose the 'Do not connect an EC2 compute resource' as that can be done manually from the console, under Instance Actions. It is essential to use the same VPC you used for your EC2, and then select the subnet group you created earlier, which contains the private subnets. We are keeping the database highly secure so do not allow public access.

For the firewall, choose the security group that allows appropriate access to your database. Your RDS instance should have a security group that allows inbound connections on the database port (e.g., 3306 for MySQL, 5432 for PostgreSQL) from the security group used by your EC2 instances. It also must not be open to the public (0.0.0.0/0). Also, the security group associated with your EC2 instances must allow outbound connections on the database port to the RDS security group.

The architecture is all set and now you can host an application, test and monitor it with ease.

With this setup, we have ensured security with our public and private subnets, NAT gateway and security groups, high availability with the multiple availability zones, and scalability with our auto-scaling group.

CONCLUSION

We have built a secure, robust and scalable architecture, which is according to best practices and can adapt to changing needs and requirements.

This article serves as an overview, providing implementation steps according to the architecture above, and this can be tweaked for specific application requirements and security aspects.

Follow me for more articles like this and connect with me on LinkedIn!

A Simple Guide to AWS Monitoring Tools

Fortress Abioye — Wed, 15 Jan 2025 08:59:10 +0000

Have you ever wondered about AWS Monitoring? What tools make up this monitoring suite? AWS provides its native monitoring tools that range from the most basic to advanced applications. There is quite an extensive library of monitoring tools for infrastructure and application performance covering health and resource utilization. This article will discuss every significant tool in AWS monitoring and also give examples of their real-world applications.

1. Amazon CloudWatch:

CloudWatch can be said to be the core of AWS monitoring. It is the central monitoring and observability service for AWS. It collects and tracks metrics, logs, and events from your AWS resources and applications.

Key Features of Amazon CloudWatch:
a. Metrics: With metrics, you can observe multiple performance indicators of your resources. This covers CPU utilization, memory usage, disk I/Os, network traffic, and many other factors that provide insights
b. Logs: CloudWatch provides logs for applications, systems, and many AWS services.
c. Events: CloudWatch Events, now known as EventBridge captures events of changes in resources, applications or services. These events can be used for various purposes including being routed to third-party applications for analysis and response.
d. Alarms: This is for creating alarms that notify or even perform actions when certain thresholds or conditions are met with resources, services and applications.
e. Dashboards: To view, analyze, and probe your monitoring data with customizable dashboards.

Real-World Application: If you have a server running on the cloud, CloudWatch can serve you in monitoring performance metrics such as its CPU Usage and memory consumption. You can also set up conditions in Alarms so that when they are met, are either notified or certain actions are taken. E.g. if CPU Utilization is < 20%, stop the EC2 instance. Logs can be used to analyze error messages and potential threats, and a dashboard helps with visualization and easier understanding.

2. AWS CloudTrail:

This AWS service helps with audit, compliance and governance. Your users or your applications generate API calls to AWS, and CloudTrail records every action in an audit trail showing these calls.

Key Features of AWS CloudTrail:
a. API Call Logging: It logs every detail about API calls made to your AWS account.
b. Compliance and Auditing: Assists you in understanding compliance-related requirements and performing security investigations by analyzing the history of API call logs.
c. Governance: Enhances governance through monitoring of illegal user activity and unauthorized access through trails.
d. Integration: CloudTrail provides capabilities to integrate with third-party and other AWS services such as CloudWatch, which enables actions to be taken based on events of API calls.

Real-World Application: Let's say you host an application on AWS, all API calls to your AWS account will be constantly recorded by CloudTrail. This will provide an audit trail of all actions, from changes to security groups to IAM user changes and even the launching of resources.

3. VPC Flow Logs

This captures information associated with the traffic flowing in your associated network interfaces over the IP interface into your VPC.

Key Features of VPC Flow Logs:
a. Network Traffic Analytics: It provides useful information for understanding traffic patterns on the network, ascertaining security threats, and troubleshooting connectivity issues.
b. Security Analysis: Monitors for suspicious network activity such as port scanning or DDoS attacks.
c. Integration: VPC flow logs can be integrated with other services and published for further monitoring, observation and analysis.

Real-World Application: If you are hosting a web application on AWS using some EC2 servers within your VPC, this service shows you your traffic patterns, helps you see network performance issues, identify bottlenecks and even see potential security threats in your network.

4. AWS X-Ray

This is an application performance monitoring tool that gives you inside depth into an application's performance and behaviour.

Key Features of AWS X-Ray:
a. Tracking: Tracks requests through the various components of your application (microservices).
b. Performance Monitoring: It monitors for and detects bottlenecks in your application's internal performance.
c. Debugging and Troubleshooting: It can be used for application error diagnosis and troubleshooting.
d. Integration: As with the other services, you can integrate this with different application frameworks, and services.

Real-World Application: If you have an application running on AWS, especially one that is based on microservices, X-Ray helps you understand your architecture, interactions with other services and performance issues. For example, if a request to your application is taking too long, X-Ray can identify the source or service causing it.

5. AWS Config

As the name suggests, Config constantly monitors all the configurations of your AWS resources and automatically evaluates them for compliance. It also assesses the relationship between your AWS resources and takes account of changes over time.

Key Features of AWS Config:
a. Configuration Tracking: It registers the configuration of your AWS resources continuously.
b. Compliance Assessment: It assesses your resources for what could be deviations from your desired configurations and best practices.
c. Security Audit: It monitors changes to your AWS resources over time and helps in identifying security vulnerabilities.
d. Remediation: It allows you to set up manual or automated remediation actions when uncompliant configurations are detected.

Real-World Application: If you or your company has strict security rules for resources in AWS, e.g that no assigned security group should contain "Allow all" inbound rules, if AWS Config detects that a security group contains this rule, it can alert or even immediately remediate it based on what you desire.

CONCLUSION

We have looked at the suite of monitoring tools AWS provides, and these can be used for a wide range of applications way more than the few we have discussed here. The effective use of these AWS monitoring tools will give you a lot of insight into how your AWS resources and applications perform as well as their health status, and with this, you can be proactive in anticipating and resolving issues and improving overall efficiency and performance.