DEV Community: Girija

3 Tier Architecture

Girija — Fri, 24 Jan 2025 16:00:42 +0000

Part 0:Architecture

Table of contents

Architecture
Download Code from Github Repository
S3 Bucket Creation
IAM EC2 Instance Role Creation

1.Architecture

2.First download the code from the GitHub

3.Create S3 bucket

4.IAM role

Part 1:Networking and Security

Table of contents

VPC Creation
Subnet Creation
Internet Connectivity
NAT Gateway
Routing Configuration
Security Groups

1.Create VPC

2.Create subnets(6)

3.Create Internet gateway and attach to VPC

4.Create NAT gateway

5.Route tables
i)Create route table for public subnet

ii)Create route table for private subnet(two for AZ-1,AZ-2)

6.Security Group

1.external-lb

2.ec2-public(web tier)

3.internal-lb

4.ec2-private(app tier)

5.DB

Part 2: Database Deployement(RDS)

Table of contents

Subnet Groups
Database Deployement

1.DB subnet group

2.Database

Clean up

1.

2.

3.

4.

Architecture diagram

Girija — Fri, 24 Jan 2025 15:59:38 +0000

Architecture diagram for the web application.

Building a Robust and Secure AWS Architecture for Your Web Application

Designing a web application that is both scalable and secure is crucial for modern businesses. With AWS, you can craft a powerful architecture that balances performance, availability, and security. In this blog, we’ll walk through a reference architecture that exemplifies these principles.

Overview of the Architecture

This architecture leverages the best practices of AWS cloud services to build a highly available, secure, and scalable web application. Here’s a breakdown of its components and how they come together to deliver a seamless user experience:

1. The Foundation: Virtual Private Cloud (VPC)

At the heart of this architecture is an AWS Virtual Private Cloud (VPC). The VPC provides an isolated network environment for the application, segmented into:

Public Subnets: Hosting internet-facing resources like the Application Load Balancer (ALB) and NAT Gateways.
Private Subnets: Securing critical application servers, such as web servers, from direct internet exposure.
This segmentation ensures secure communication between components while adhering to the principle of least privilege.

2. Redundancy Across Availability Zones

To ensure fault tolerance and minimize downtime, the architecture spans two Availability Zones (AZs). Each AZ houses its own set of public and private subnets, providing high availability and resilience against failures.

3. Scalability with Application Load Balancer (ALB)

The ALB sits in the public subnets, acting as the gateway for incoming traffic. It intelligently routes requests to the web servers in the private subnets, ensuring optimal performance.

Additionally, it adds an extra layer of security by isolating backend servers from direct internet access.

4. Secure Outbound Internet Access with NAT Gateways

Private subnets rely on NAT Gateways in the public subnets to connect to the internet for tasks like fetching updates or accessing external APIs. This setup avoids exposing private resources directly to the internet, maintaining a strong security posture.

5. Seamless Integration with Amazon S3 via VPC Endpoint

The architecture integrates with Amazon S3 using a VPC Endpoint. This allows private subnet resources to access S3 without traversing the public internet, reducing latency and improving security.

6. Comprehensive Security with Security Groups

Security Groups act as virtual firewalls, controlling inbound and outbound traffic to each component. For example:

The ALB’s Security Group ensures only HTTP/HTTPS traffic is allowed from the internet.
The web servers’ Security Group only accepts traffic from the ALB, adding an additional layer of protection.

7. Designed for Scalability and Performance

This architecture is inherently scalable:

Elastic Load Balancing ensures even distribution of traffic across servers, scaling automatically as demand increases.
Redundant resources in multiple AZs ensure high availability.

8. The Role of Internet Gateway

An Internet Gateway connects the VPC to the internet, enabling public-facing resources like the ALB to communicate with end-users worldwide.

Why This Architecture Stands Out

This AWS architecture combines best practices for security, high availability, and performance:

Security: Private subnets, NAT Gateways, Security Groups, and VPC Endpoints ensure a robust security layer.
High Availability: The use of multiple AZs and load balancing guarantees uptime, even in case of failures.
Scalability: The architecture scales seamlessly as your user base grows, making it suitable for applications of any size.

Conclusion

This AWS architecture is a shining example of how to design a cloud-based application that is both future-proof and secure. By using services like VPC, ALB, NAT Gateways, and S3 VPC Endpoints, you ensure a smooth, reliable, and safe experience for your users.

If you’re looking to build or optimize your application on AWS, this architecture provides a rock-solid foundation to start with.

AWS Certificate Manager (ACM)

Girija — Wed, 22 Jan 2025 18:26:25 +0000

1.Introduction
AWS Certificate Manager (ACM) is a fully managed service provided by AWS that allows you to easily provision, manage, and deploy SSL/TLS certificates for your AWS-based applications and services. ACM makes it easier to handle the lifecycle of certificates, including issuing, renewing, and rotating them, without requiring you to manually manage any of the underlying infrastructure.

ACM integrates seamlessly with other AWS services, such as Elastic Load Balancers (ELBs), Amazon CloudFront, and Amazon API Gateway, to simplify certificate deployment for your web applications. It’s designed to help you improve security while reducing the operational overhead associated with certificate management.

2.Key Features
1. Free Public SSL/TLS Certificates
ACM provides free public certificates, reducing costs associated with purchasing certificates from third-party vendors.
2. Automatic Certificate Renewal
Forget manual renewals—ACM ensures certificates are renewed automatically, preventing downtime due to expired certificates.
3. Seamless Integration with AWS Services
ACM integrates easily with Elastic Load Balancing, Amazon CloudFront, Amazon API Gateway, and AWS Elastic Beanstalk, simplifying deployment.
4. Centralized Certificate Management
Manage and monitor all your SSL/TLS certificates from a single, user-friendly dashboard.
5. Support for Modern Encryption Standards
ACM issues certificates using industry-leading encryption standards to protect data during transmission.

Technical Specifications:
Public certificates support wildcard and multi-domain (SAN) configurations.
Regional and global availability for certificate deployment.
Private certificates available via ACM Private CA.

3.Use Cases
1. Securing Websites and Applications
Example: A retail business hosting its e-commerce platform on AWS can use ACM to secure its website with HTTPS, ensuring customer data like credit card information remains protected.
2. Enabling Secure APIs
Example: An organization building APIs using Amazon API Gateway can secure REST or GraphQL endpoints with ACM certificates.
Example: An organization building APIs using Amazon API Gateway can secure REST or GraphQL endpoints with ACM certificates.
3. Enhancing Content Delivery
Example: A media company delivering video content through Amazon CloudFront can use ACM to encrypt data in transit, improving security and performance.

Multi-Domain and Wildcard Certificates Example: A SaaS provider hosting multiple customer subdomains (e.g., customer1.example.com, customer2.example.com) can use ACM wildcard certificates to secure all subdomains with a single certificate.

Pricing Model
Public Certificates
Free of charge.
Includes automated renewals.
Private Certificates
Pricing depends on the number of certificates issued and the usage of ACM Private CA.
Example costs:
ACM Private CA pricing starts at $400 per CA per month.
$0.75 per private certificate per month.
Example:
If you're securing a website using a public ACM certificate on Amazon CloudFront, you'll pay only for CloudFront usage (e.g., data transfer fees) but nothing for the certificate itself.

Comparison with Similar Services
Let's Encrypt
Pros: Free SSL/TLS certificates, widely used.
Cons: Requires manual or scripted renewals, while ACM automates this.
DigiCert
Pros: Offers advanced certificates, such as Extended Validation (EV).
Cons: Higher costs compared to ACM\u2019s free public certificates.
Example Comparison:
Let’s Encrypt may work well for simple websites, but ACM excels for AWS-hosted resources due to its seamless integration and automation.

Benefits and Challenges
Advantages
Ease of Use: No complex certificate management.
Cost-Effective: Free public certificates for AWS services.
Automation: Automatic renewals eliminate operational headaches.
Integration: Perfect for AWS-hosted services like Elastic Load Balancers or CloudFront.

Challenges
AWS Dependency: Certificates are limited to use with AWS resources.
Limited Advanced Features: No support for EV certificates, which some organizations might need for enhanced trust.

Real-World Example: Expedia Group
Challenge: Expedia needed to secure millions of customer transactions while reducing operational complexity.
Solution: By using AWS Certificate Manager with Elastic Load Balancers, Expedia ensures secure HTTPS communication and benefits from ACM’s automatic renewals. This has helped them scale without worrying about certificate management.