DEV Community: Rafil

Three-Tier Architecture Application Deployment

Rafil — Mon, 31 Mar 2025 18:20:07 +0000

1. Download Code From Git Repo

Download the code Repo file from Git-hub and unzip it
Sample :-(https://github.com/aws-samples/aws-three-tier-web-architecture-workshop.git)

git clone https://github.com/Naveen3251/AWS_3Tier.git

2. S3 Bucket Creation

Create a S3 bucket
Block public access for now

3. Create IAM Role

IAM > Roles > create role
Use case -> EC2
Apply these 2 permissions:
1.AmazonSSMManagedInstanceCore
2.AmazonS3ReadOnlyAccess
Give your role a name, and then click Create Role.

4. VPC Creation

VPC > Your VPCs > create VPC
VPC created successfully...

5. Subnet Creation

Create 6 subnets
Note: Remember, your CIDR range for the subnets will be subsets of your VPC CIDR range.
AZ-1
Availability zone-1 => (1-public, 2-private)

AZ-2
Create subnets as created in AZ-1 with different CIDR range.
Availability zone-2 => (1-public, 2-private)

6. Internet Gateway Creation

To give internet access to the public subnets in our VPC, we will have to create and attach an Internet Gateway.
VPC > Internet gateways > Create internet gateway
After internet gateway creation, attach it to your VPC.

Select IGW > Actions > Attach to VPC
Select the correct VPC and click on Attach internet gateway

7. NAT gateway Creation

For our instances in the app layer private subnet to access the internet, they will have to go through a NAT Gateway.
Create two NAT gateway for 2 public subnets on the 2 availability zones
VPC > NAT gateways > Create NAT gateway

Select the correct public subnet in AZ-1
Allocate elastic IP
Click Create NAT gateway.
Follow the same steps for the creation of the second NAT gateway Two NAT gateways in two AZs has been created successfully...

8. Routing Configuration

create one route table for the web layer public subnets.
VPC > Route table > Create route table
Click Create route table.

Scroll down and click on Routes and click on Edit routes
Click on Add route
Select the destination 0.0.0.0/0
In Target section, select Internet Gateway
Then select the created IGW
Then click Save changes
Select Subnet Associations and click Edit subnet associations.
Select the web layer public subnets which has been created
Then click Save associations Create 2 more route tables, one for each app layer private subnet in each availability zone

1.Private route table 1

Scroll down and click on Routes and click on Edit routes
Click on Add route
Select the destination 0.0.0.0/0
In Target section, select Internet Gateway
Then select the created NAT gateway in AZ-1
Then click Save changes
Select Subnet Associations and click Edit subnet associations.
Select the app layer private subnet on AZ-1
Then click Save associations

2. Private route table 2
For creating the Private route table 2, follow the steps performed in the creation of above private subnet route table with their availability zone accordingly.

These route tables will route app layer traffic destined for outside the VPC to the NAT gateway in the respective availability zone, so add the appropriate routes for that.

9. Security groups

1 for database
2 for load balancer
1 for public EC2
1 for private EC2
While creating sg, don't change anything in outbound rules.
1. Security group for internet facing load balancer(internet facing)

The first security group you’ll create is for the public, internet facing load balancer.
After typing a name and description, add an inbound rule to allow HTTP type traffic for your IP. 2.Security group for allowing ELB access to EC2 instances(web tier) In creation of this security group, in inbound rules allow HTTP type traffic for your IP Add rule - Allow 'HTTP' type and select the 'internet facing security group' 3.Security group for Internal load balancer(Internal facing) The third security group will be for our internal load balancer. Create this new security group and add an inbound rule that allows HTTP type traffic from your public instance security group 4.Security group for app tier The fourth security group we’ll configure is for our private instances. Add an inbound rule that will allow TCP type traffic on port 4000 from the internal load balancer security group you created in the previous step 5.Database security group Add an inbound rule that will allow traffic from the private instance security group to the MYSQL/Aurora port (3306)

10. DB subnet group creation

Aurora and RDS > Subnet groups > Create DB subnet group
choose the VPC we created.
While adding subnets, make sure to add the subnets we created in each availability zone for our database layer. Navigate back to the VPC dashboard and check to make sure to select the correct subnet IDs.

11. Database Creation

Start with a Standard create for this MySQL-Compatible Amazon Aurora database. Leave the rest of the defaults in the Engine options as default.

Under the Templates section choose Dev/Test since this isn't being used for production at the moment. Under Settings set a username and password of your choice and note them down since we'll be using password authentication to access our database.

under Availability and durability change the option to create an Aurora Replica or reader node in a different availability zone.
Under Connectivity, select the VPC, choose the subnet group we created earlier, and select no for public access.

12. App Instance Creation

EC2 > Instances > Launch an instance

Finally click "Launch Instance"

Connect Instance

click the connect button on the top right corner of the dashboard. Select the Session Manager tab and click connect.

Switch to ec2-user by executing the following command in the browser terminal:

 sudo -su ec2-user

2.If your network is configured correctly up till this point, you should be able to ping the google DNS servers:

 ping 8.8.8.8

Configure Database

Start by downloading the MySQL CLI:

 sudo yum install mysql -y

Initiate your DB connection with your Aurora RDS writer endpoint. Execute the following command in the browser after changing to your RDS end point and to your user name:

 mysql -h CHANGE-TO-YOUR-RDS-ENDPOINT -u CHANGE-TO-USER-NAME -p

Create a database called webappdb in MYSQL CLI:

 CREATE DATABASE webappdb;

4.Create a data table by first navigating to the database we created:

USE webappdb;

5.create the following transactions table by executing this create table command:

 CREATE TABLE IF NOT EXISTS transactions(id INT NOT NULL
 AUTO_INCREMENT, amount DECIMAL(10,2), description
 VARCHAR(100), PRIMARY KEY(id));

6.Insert data into table:

 INSERT INTO transactions (amount, description) VALUES ('400','groceries');

7.View the data inserted in table:

 SELECT * FROM transactions;

8.When finished, just type exit and hit enter to exit the MySQL client.

Configure App Instance

1.The first thing we will do is update our database credentials for the app tier. To do this, open the application-code/app-tier/DbConfig.js file
2.Fill this in with the credentials you configured for your database, the writer endpoint of your database as the hostname, and webappdb for the database. Save the file.

Upload the app-tier folder to the S3 bucket 4.Go to your SSM session. Start by installing NVM (node version manager)

 curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
 source ~/.bashrc

install Node.js and make sure it's being used.

 nvm install 16
 nvm use 16

6.Install PM2. PM2 is a daemon process manager that will keep our node.js app running when we exit the instance.

 npm install -g pm2

7.Now we need to download our code from our s3 buckets onto our instance. Perform the following command with proper changes in bucket name.

 cd ~/
 aws s3 cp s3://BUCKET_NAME/app-tier/ app-tier --recursive

8.Navigate to the app directory, install dependencies, and start the app with pm2.

 cd ~/app-tier
 npm install
 pm2 start index.js

Run the following to make sure the app is running correctly

 pm2 list

To look at the latest errors, use this command:

 pm2 logs

9.Right now, pm2 is just making sure our app stays running when we leave the SSM session. This is also important for the AMI we will create:

 pm2 startup

After you run it, save the current list of node processes with the following command:

 pm2 save

Test App Tier

1.To hit out health check endpoint, run this command into your SSM terminal.

 curl http://localhost:4000/health

2.Next, test your database connection. You can do that by hitting the following endpoint locally:

 curl http://localhost:4000/transaction

Your app layer is fully configured and ready to go.

App Tier AMI

Select the app tier instance and click Actions, select Image and templates. Click Create Image.

Target Group

EC2 > Load Balancing > Target Groups > Create Target Group
Navigate to Target Groups. Click on Create Target Group.

Internal Load Balancer

EC2 > Load Balancing > Load Balancers > Create load balancer

click Create Load Balancer
We'll be using an Application Load Balancer for our HTTP traffic so click the create button for that option.
After giving the load balancer a name, be sure to select internal -Select the correct network configuration for VPC and private subnets.
Select the security group we created for this internal ALB. Now, this ALB will be listening for HTTP traffic on port 80. ##Launch Template EC2 > Instances > Launch Template > Create Launch Template
Click Create Launch Template.
Under Application and OS Images include the app tier AMI you created.
Under Instance Type select t2.micro. For Key pair and Network Settings don't include it in the template.
under Advanced details use the same IAM instance profile we have been using for our EC2 instances.

Auto Scaling

EC2 > Auto Scaling > Auto Scaling Groups > Create Auto Scaling Group

select the Launch Template we just created and click next.

After the above step Click next, next finally click Create Auto Scaling group

Updation of Config File

Open up the application-code/nginx.conf file.
Scroll down to line 58 and replace [INTERNAL-LOADBALANCER-DNS] with your internal load balancer’s DNS entry.
Then, upload this file and the application-code/web-tier folder to the s3 bucket you created for this lab. ##Web Instance Deployment EC2 > Instances > Launch an Instance
Select the first Amazon Linux 2 AMI.
We'll be using the free tier eligible t2.micro instance type.
When configuring the instance details, make sure to select to correct Network, subnet, and IAM role we created.
We are using already created VPC and Public Subnet AZ-1 and Enable auto assign Public IP
We are using already created web tier security group
We are using already created IAM role
Finally click "Launch Instance" ##Connect to Instance click the connect button on the top right corner of the EC2 dashboard. Select the Session Manager tab and click connect.
Switch to ec2-user by executing the following command in the browser terminal:

 sudo -su ec2-user

2.If your network is configured correctly up till this point, you should be able to ping the google DNS servers:

 ping 8.8.8.8

Configure Web Instance

1.We now need to install all of the necessary components needed to run our front-end application. Again, start by installing NVM and node

 curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
 source ~/.bashrc
 nvm install 16
 nvm use 16

2.Now we need to download our web tier code from our s3 bucket:

 cd ~/
 aws s3 cp s3://rafil3tierwebappbucket1/web-tier/ web-tier --recursive

3.Navigate to the web-layer folder and create the build folder for the react app so we can serve our code:

 cd ~/web-tier
 npm install 
 npm run build

4.NGINX can be used for different use cases like load balancing, content caching. But we will be using it as a web server that we will configure to serve our application on port 80, as well as help direct our API calls to the internal load balancer.

 sudo amazon-linux-extras install nginx1 -y

5.We will now have to configure NGINX. Navigate to the Nginx configuration file with the following commands and list the files in the directory

 cd /etc/nginx
 ls

6.You should see an nginx.conf file. We’re going to delete this file and use the one we uploaded to s3.

 sudo rm nginx.conf
 sudo aws s3 cp s3://BUCKET_NAME/nginx.conf .

7.Restart Nginx with the following command:

 sudo service nginx restart

8.To make sure Nginx has permission to access our files execute this command:

 chmod -R 755 /home/ec2-user

9.Then to make sure the service starts on boot, run this command:

 sudo chkconfig nginx on

Web Tier AMI

Select the web tier instance and click Actions, select Image and templates. Click Create Image.

Target Group

EC2 > Load Balancing > Target Groups > Create Target Group

Internet Facing Load Balancer

EC2 > Load Balancing > Load Balancers > Create load balancer

click Create Load Balancer
We'll be using an Application Load Balancer for our HTTP traffic so click the create button for that option.
After giving the load balancer a name, be sure to select Internet facing -Select the correct network configuration for VPC and private subnets.
Select the security group we created for this internet facing ALB. Now, this ALB will be listening for HTTP traffic on port 80. ##Launch Template
Click Create Launch Template.
Under Application and OS Images include the web tier AMI you created.
Under Instance Type select t2.micro. For Key pair and Network Settings don't include it in the template.
under Advanced details use the same IAM instance profile we have been using for our EC2 instances. ##Auto Scaling EC2 > Auto Scaling > Auto Scaling Groups > Create Auto Scaling Group
select the Launch Template we just created and click next. After the above step Click next, next finally click Create Auto Scaling group

Finally we get our "webapp"

Website Building & Hosting

Rafil — Mon, 31 Mar 2025 18:12:45 +0000

VPC Creation

VPC > Your VPCs > create VPC

Select VPC and more

In the NAT gateways section, select 1 per AZ.
Click Create VPC.

Security Groups

1.Security group for internet facing load balancer

Click Create security group
In the Inbound rules section click Add rule and Type: "HTTP", Protocol: "TCP", Port Range: "80" & Source: "Anywhere-IPv4". 2.Security group for Web Server
Click Create security group
In the Inbound rules section click Add rule and Type: "HTTP", Protocol: "TCP", Port Range: "80" & Source: "Custom" and also select the load balancer security group

Access Management(IAM)

Create a new IAM role and associate it with the EC2 instance profile for the web server. IAM >Roles > Create role
Select Roles, click Create role. Select AWS Service. Choose EC2 for the service or use case.
Select EC2 Role for AWS Systems Manager and click Next Confirm that the AmazonSSMManagedInstanceCore policy has been added. Name the role and click Create role.

Instance Creation

EC2 > Instances > Launch an instance
Name the server
Select the t2.micro instance type

!/bin/bash
yum update -y
Install Session Manager agent
yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
systemctl enable amazon-ssm-agent
Install and start the php web server
dnf install -y httpd wget php-json php
chkconfig httpd on
systemctl start httpd
systemctl enable httpd

Install AWS SDK for PHP
wget https://docs.aws.amazon.com/aws-sdk-php/v3/download/aws.zip
unzip aws.zip -d /var/www/html/sdk
rm aws.zip

Install the web pages for our lab
if [ ! -f /var/www/html/index.html ]; then
rm index.html
fi
cd /var/www/html
wget https://ws-assets-prod-iad-r-iad-ed304a55c2ca1aee.s3.us-east-1.amazonaws.com/2aa53d6e-6814-4705-ba90-04dfa93fc4a3/index.php

Update existing packages
dnf update -y

SSM

Ensure the web server instance is still selected and click Connect.
Select the Session Manager tab and click Connect.

Load Balancing

EC2 > Load Balancing > Load Balancers > Create load balancer

click Create Load Balancer
We'll be using an Application Load Balancer for our HTTP traffic so click the create button for that option.
After giving the load balancer a name, be sure to select Internet facing
Select the correct network configuration for VPC and private subnets.
Select the security group we created for this internet facing ALB. Now, this ALB will be listening for HTTP traffic on port 80. Create a Target group

Testing

Copy the DNS name from the Load Balancer page and paste it into a new browser tab.
Please open new tab, type http:// and the paste copied DNS name.

S3 Bucket Creation

Click Create Bucket
Give the S3 bucket a fun and unique name
Next, let's upload some files to the bucket
Use the S3 console to upload the files you downloaded. Click Add files and select all the unarchived files.
Switch back to the website and enter the bucket name and region in the provided fields.

Uploading objects into S3 bucket using EC2(PuTTY) + IAM + S3

Rafil — Fri, 24 Jan 2025 02:42:26 +0000

1.Launch an Instance

Open EC2
Open "Launch Instances"
Select a server name
Select an AMI (Amazon Linux)
Select Instance type (t2.micro)
Create new Key pair
Then, select "Launch Instance"

Instance created Successfully !

2. PuTTY Installation

Install PuTTY in the system, if not already installed...

3. Whitewash IP address

Check the public IP of your device in online website like "(https://whatismyip.com/)"

4. Change Security Group Rules

After getting your device 'IP' change the inbound rules of the security group by following the below mentioned steps:

Select the "Security" to change the security group
Then, select the 'security group' and change the 'inbound rules'
*security-> security-group -> Edit inbound rules *
In the 'Edit inbound rules' sections, change the type: 'SSH' , Source: 'Custom' and then put the public IP of your device
Click on 'Save changes'

5. PuTTYgen Key Configuration

Open 'PuTTYgen'
Select 'Load'
Then select the created 'pem key' to convert it into a 'private key'
Click 'Save private key'
Then save it in the system...

6. IAM Role Creation

Open IAM
IAM -> Roles -> Create role

IAM role created successfully !

7. Modify IAM role for the instance

Select the instance
Actions -> Security -> modify IAM role -> Update IAM role

8. PuTTY configuration

Copy the created EC2 instance's public ip address
Open 'PuTTY' In the PuTTY configuration:
In the 'Host Name or ( IP address)' column paste the ip address of the EC2 instance
Then in the side bar, select '+' that's before 'SSH' and then select the '+' before 'Auth'.
After that, click on 'Credentials' and browse the private key from your device.
Then click 'Open'

Category- + SSH -> + Auth -> Credentials -> Browse private key -> Open

9. Linux CLI Operations

Now, Linux command line will be opened...
Login as 'ec2-user'

Then run the following commands:
aws aws s3 ls
Then create a text file using 'echo' command
Example : echo "this is a text file" > details.txt
At last, run the following command to upload the text file into the s3 bucket
aws s3 cp file-name s3://bucket-name/

Now go to amazon S3 and click on bucket to check whether the object is uploaded or not.

10. Terminate the instance and delete the bucket

AWS CloudTrail

Rafil — Thu, 23 Jan 2025 03:30:31 +0000

1. Service Overview

AWS - CloudTrail

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational & risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.

2. Key Features

Tracks All Activities: Records every API call and user action in your AWS account.
Multi-Region Support: Monitors activities across all AWS regions.
Security and Integrity: Ensures logs are tamper-proof and can be encrypted.
Real-Time Alerts: Integrates with CloudWatch to send alerts for unusual activity.
Change Monitoring: Helps track resource changes and detect potential issues.
Reliable Storage: Stores logs securely with Amazon S3's high durability.

3. Use cases

AWS CloudTrail tracks user activities and API calls, helping to identify unauthorized access or suspicious behavior. The service also plays a key role in troubleshooting operational issues and monitoring changes to resources, such as security group updates or instance launches. With its detailed logs, CloudTrail facilitates forensic analysis during security incidents and ensures better visibility across multiple AWS accounts through centralized logging.

4. Pricing model

Management Events: Free for the last 90 days; additional storage incurs S3 charges.
Data Events: $0.10 per 100,000 events for S3 and Lambda logging.
Insights Events: $0.35 per 100,000 events for anomaly detection.
Log Delivery: Charges apply for S3 storage and CloudWatch Logs if used.
Free Tier: One free trail per region for management events.

5. Comparison with other similar services

Azure Monitor: Tracks activity in Azure but lacks AWS-specific API tracking like CloudTrail.
Google Cloud Audit Logs: Similar to CloudTrail but focused on Google Cloud resources.
IBM Cloud Activity Tracker: Tracks user activity on IBM Cloud, but less AWS-specific integration.
Datadog Cloud Security Monitoring: Focuses on real-time monitoring and security, not detailed activity logs like CloudTrail.
Sumo Logic Cloud SIEM: Provides event correlation for security but lacks AWS-specific activity tracking.

6. Benefits and Challenges

Benefits:

Improved Security
Compliance Support
Operational Insights
Change Tracking
Cost-Effective

Challenges:

Storage Costs
Log Management
Complex Setup for Multi-Account
Data Retention Complexity
Potential Performance Impact

7. Real - world Example

Security Breach Investigation: A financial institution identified unauthorized access to sensitive data using CloudTrail logs. They tracked the source of the breach, revoked compromised credentials, and implemented stricter IAM policies.
Compliance Monitoring: A healthcare company used CloudTrail to meet HIPAA compliance by logging all API calls and user activities, ensuring transparency and audit readiness.
Troubleshooting Errors: An e-commerce platform experienced application downtime. By analyzing CloudTrail logs, they identified a misconfigured security group and quickly resolved the issue.
Cost Optimization: A startup identified unused EC2 instances by reviewing CloudTrail activity logs, helping them reduce unnecessary costs.
Multi-Account Logging: A multinational corporation used CloudTrail to centralize logs from multiple AWS accounts, improving visibility and simplifying audits for their global operations.