DEV Community: Israel .O. Ayanda

Hands-on: AWS Elastic Load Balancer

Israel .O. Ayanda — Fri, 07 Jul 2023 17:25:28 +0000

Following up from the previous article, let's dive into configuring a Application Load Balancer in AWS.

For this tutorial, we will use two web servers (using EC2 instances) and we will configure them to use a single endpoint, which is the Application load balancer.

Pre-requisite
AWS account
Some knowledge of EC2 instance.

Number of instance = 2
OS image = ubuntu
AMI = Ubuntu Server 20.04 LTS
Instance type = t2.micro
Key pair = select your key
Security groups = Allow SSH traffic

Select Advanced details and scroll down to user data and paste the follow script.

#!/bin/bash
sudo apt update
sudo apt install nginx wget unzip -y
wget https://www.tooplate.com/zip-templates/2133_moso_interior.zip
unzip 2133_moso_interior.zip
sudo mv 2133_moso_interior/* /var/www/html
sudo rm -rf 2*

This script simply bootstrap the instances at startup. It updates the ubuntu package, installs three dependencies nginx server to server the website, wget to download a simple static website template, unzips the folder, copies the files to the default folder Nginx servers content from and finally deletes the folders and file from the home directory.

click on Lunch instance.

On the EC2 instance page, enter names for the two instance name, Web01 and Web02, or any name of your choice.

Next, To access the website, port 80 have to be allowed. Select the Security group in use for the instances and allow port 80 for inbound rules.

The default port for HTTP traffic on Nginx server is port 80

Enter the port and click on save rules.

Now, you should be able to view the website in the browser using the public IP address on both instances.

We are not done yet, next, we would configure the target group.

Target Groups
Target Groups are group of instances with health checks configured. Health checks, when configured enables the ELB to route traffic to only the healthy instances

On the EC2 dashboard, scroll down on the left menu and select target groups.

Choose a target type = instances
Enter a name
Protocol = HTTP
port = 80
Health Checks
Health check protocol = HTTP
Health check path is used to check if the website is healthy ( available) or not. For our application, path it is

/

leave the default settings and click next.

Registered targets
Next, We will register the EC2 instances (in the case two, but it can be more ) for this target group. This implies that all healthy instances (or web servers) in this target group would receive equal or close to equal loads/web traffic, ensuring higher availability, scalability, and reliability of your application.
select the two instances and click on Include as pending below

Review and click on Create target group

Finally, we need to associate the target group a Load balancer.

Select the target group
Click on Actions and select Associate with new load balancer

Load balancer name = Enter your desired name
Scheme = Internet-facing
IP address type = IPv4
VPC = Same VPC used for the EC2 instances
Mappings = Select 2 more Availability Zones for the application
Security groups = Create another one, allow port 80 and add the security group for the ec2 instances and select it.

Listeners and routing
Protocol = HTTP
Port = 80
Default action = select the target group you created

Click on create Load balancer.
Wait for some minutes for the Load balancer state to change from provisioning to Active.

View in Browser

Click on the load balancer
Copy the DNS into the browser.

This serves as the single external endpoint of access for the two web servers. Also ensure that the security group for the EC2 instances only allows port 22 for SSH or AWS session manager for private access to your instances, this ensure that ec2 instances are not accessible to the public directly but only through the Application Load Balancer. This create layers for security for your application.

As always, I look forward to getting your thoughts on this article. Please feel free to leave a comment!

AWS Elastic Load Balancer

Israel .O. Ayanda — Fri, 07 Jul 2023 10:32:10 +0000

As it name implies, it's a single point of contact for clients that stabilize or equalize user traffic accessing a service. It ensures delivery of traffic to only healthy targets by monitoring target groups, using health checks configuration. It is simple to integrate with other AWS services to increase the security architecture of your Application, for example, by allowing or blocking requests based on the rules you set in Web ACL using AWS WAF, more on that later.

Here is how AWS defines ELB

Elastic Load Balancing automatically distributes your incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. It monitors the health of its registered targets and routes traffic only to the healthy targets. You can select the type of load balancer that best suits your needs.

Types of Elastic Load Balancers

Application Load Balancer
Network Load Balancer
Gateway Load Balancer
Classic Load Balancer

Next, Hands-on using Application Load Balancer

Bash Script: SonarQube and Postgres database Setup for Code Analysis.

Israel .O. Ayanda — Fri, 19 May 2023 14:09:55 +0000

Here is a simple script to provision SonarQube and Postgres database on a ec2 instance for code analysis to streamline a DevOps process.

Create and open a file - and paste the code snippet below. Make sure to change the database password.

#!/bin/bash
sudo cp /etc/sysctl.conf /root/sysctl.conf_backup

# Modify Kernel System Limits for Sonarqube
    sudo sh -c 'cat <<EOF> /etc/sysctl.conf
    vm.max_map_count=262144
    fs.file-max=65536
    ulimit -n 65536
    ulimit -u 4096
EOF'
    sudo apt update -y
    sudo apt-get install openjdk-11-jdk -y

# Postgres Database installation and setup
    wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add -

    sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt/ $(lsb_release -cs)-pgdg main" >> /etc/apt/sources.list.d/pgdg.list'
    sudo apt install postgresql postgresql-contrib -y

    sudo systemctl enable postgresql.service
    sudo systemctl start  postgresql.service
    sudo echo "postgres:admin123" | sudo chpasswd
    sudo runuser -l postgres -c "createuser sonar"
    sudo -i -u postgres psql -c "ALTER USER sonar WITH ENCRYPTED PASSWORD 'admin123';"
    sudo -i -u postgres psql -c "CREATE DATABASE sonarqube OWNER sonar;"
    sudo -i -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE sonarqube to sonar;"
    sudo systemctl restart  postgresql

# Sonarqube installation and setup
    sudo mkdir /sonarqube/
    cd /sonarqube/
    sudo curl -O https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-8.3.0.34182.zip
    sudo apt-get install zip -y
    sudo unzip -o sonarqube-8.3.0.34182.zip -d /opt/
    sudo mv /opt/sonarqube-8.3.0.34182/ /opt/sonarqube
    sudo groupadd sonar
    sudo useradd -c "SonarQube - User" -d /opt/sonarqube/ -g sonar sonar

    sudo cp /opt/sonarqube/conf/sonar.properties /root/sonar.properties_backup
    sudo chown sonar:sonar /opt/sonarqube/ -R
    sudo sh -c 'cat <<EOF> /opt/sonarqube/conf/sonar.properties
    sonar.jdbc.username=sonar
    sonar.jdbc.password=admin123
    sonar.jdbc.url=jdbc:postgresql://localhost/sonarqube
    sonar.web.host=0.0.0.0
    sonar.web.port=9000
    sonar.web.javaAdditionalOpts=-server
    sonar.search.javaOpts=-Xmx512m -Xms512m -XX:+HeapDumpOnOutOfMemoryError
    sonar.log.level=INFO
    sonar.path.logs=logs
EOF'
# Setup Systemd service for Sonarqube
    sudo sh -c 'cat <<EOF> /etc/systemd/system/sonarqube.service
    [Unit]
    Description=SonarQube service
    After=syslog.target network.target

    [Service]
    Type=forking

    ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
    ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop

    User=sonar
    Group=sonar
    Restart=always

    LimitNOFILE=65536
    LimitNPROC=4096

    [Install]
    WantedBy=multi-user.target
EOF'
# Enable and restart service
    sudo systemctl daemon-reload
    sudo systemctl enable sonarqube.service
    sudo systemctl start sonarqube.service
    sudo reboot

Give execute permission

chmod +x sonarqube_setup.sh

Run script

./sonarqube_setup.sh

After the script is completed, the instance takes couple of seconds to reboot. Verify the instance is ready by logging into the instance.

Make sure to open port 9000 to your IP address or Anywhere IP 0.0.0.0/0, depending on your internet setup in your security group.

Verify in the browser

As always, I look forward to getting your thoughts on this article. Please feel free to leave a comment!

Hands-on: Deploy Java Web Application on Kubernetes Cluster on AWS.

Israel .O. Ayanda — Wed, 15 Mar 2023 09:14:21 +0000

In this article explains how you can deploy a containerized java web application into a Kubernetes cluster. This is helpful when your system architecture needs to be high-availability, fault tolerance, easily scalable, portable and platform independent.

In this setup, I have used KOps to deploy the k8s cluster on AWS. However, other alternatives includes AWS EKS a managed service on AWS. I wrote a simple script to provision k8s cluster on AWS EkS using the eksctl tool.

The web application deployed in this tutorial uses docker images. I have containerized the java application as well as the database and are publicly available on my docker registry. I have also used official docker images for RabbitMQ (as the message broker) and Memcached( to speed up the database by reducing the amount of reads on the database.) and finally used AWS route53 as DNS.

Click below list to view the docker images

Prerequisites

Let's Begin!!!

You should skip this step if you are using another cluster setup. This step only starts the cluster and not the cluster setup.

Spin up KOps Cluster in the terminal

Create cluster

kops create cluster --name=kube.oayanda.com --state=s3://oayanda-kops-state --zones=us-east-1a,us-east-1b --node-count=2 --node-size=t3.small --master-size=t3.medium --dns-zone=kube.oayanda.com

Update cluster

 kops update cluster --name kube.oayanda.com --state=s3://oayanda-kops-state --yes --admin

Validate cluster

kops validate cluster  --state=s3://oayanda-kops-state

Create Persistent EBS volume for DB pod. Copy the volume ID for later use. vol-023c6c76a8a8b98ce and the AZ us-east-1a.

Copy the following code snippet into your terminal.

aws ec2 create-volume --availability-zone=us-east-1a --size=5 --volume-type=gp2 --tag-specifications 'ResourceType=volume,Tags=[{Key=KubernetesCluster,Value=kube.oayanda.com}]'

Note: For volume mapping, make sure the value of the tag is the same as your kubernetes cluster.

Verify from AWS console

Verify which node is located in us-east-1a, which is where the volume was created.


# Get available Nodes
k get nodes

# Get more details about a node using the name
k describe node <name>

Note: You can create an alias for kubectl in your terminal. alias k=kubectl

Create custom labels for nodes

# Create label for node
k label nodes i-033bf8399b48c258e zone=us-east-1a

# Verify label creation
k get node i-033bf8399b48c258e --show-labels

Writing definition Files

Secret definition File
The secret object help to keep sensitive data like password. However, by default, stored unencrypted in the API server's underlying data store (etcd). Anyone with API access can retrieve or modify a Secret, and so can anyone with access to etcd. Read more from official documentation

Encode for the application and RabbitMQ passwords with base64.

echo -n "<password>" | base64

Create a file app-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: app-secret
type: Opaque
data:
  db-pass: cGFzcw==
  rmq-pass: Z3Vlc3Q=

# create secret object
k create -f app-secret.yaml

# Show secret
k get secret

Note: for production, the secret definition file should not be public because it might be decoded.

Database definition File
For this file, you need the volume ID you created earlier and the zone the volume was created.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: vprodb
  labels:
    app: vprodb
spec:
  selector:
    matchLabels:
      app: vprodb
  replicas: 1
  template:
    metadata:
      labels:
        app: vprodb
    spec:
      containers:
        - name: vprodb
          image: oayanda/vprofiledb:v1
          args:
            - "--ignore-db-dir=lost+found"
          volumeMounts:
            - mountPath: /var/lib/mysql
              name: vpro-db-data
          ports:
            - name: vprodb-port
              containerPort: 3306
          env:
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: app-secret
                  key: db-pass
      nodeSelector:
        zone: us-east-1a
      volumes:
        - name: vpro-db-data
          awsElasticBlockStore:
            volumeID: vol-023c6c76a8a8b98ce
            fsType: ext4

Create DB deployment

k create -f vprodbdep.yaml
k get pod

Verify volume is attached to pod

k describe pod pod vprodb-58b465f7f-zfth7

DB Service Definition

This will only be exposed internally to application and not to the public.

Create definition file db-cip.yaml

apiVersion: v1
kind: Service
metadata:
  name: vprodb 
spec:
  ports:
    - port: 3306
      targetPort: vprodb-port
      protocol: TCP
  selector:
    app: vprodb
  type: ClusterI

Memcached deployment Definition

This will use the official docker image from docker hub.

Create definition file mcdep.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: vpromc
  labels:
    app: vpromc
spec:
  selector:
    matchLabels:
      app: vpromc
  replicas: 1
  template:
    metadata:
      labels:
        app: vpromc
    spec:
      containers:
        - name: vpromc
          image: memcached
          ports:
            - name: vpromc-port
              containerPort: 11211

Memcached Service Definition

This will only be exposed internally to application and not to the public as well.

Create definition file mc-cip.yaml

apiVersion: v1
kind: Service
metadata:
  name: vprocache01
spec:
  ports:
    - port: 11211
      targetPort: vpromc-port
      protocol: TCP
  selector:
    app: vpromc
  type: ClusterIP

RabbitMQ Deployment Definition

This will also use the official docker image from docker hub.

Create definition file mcdep.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: vpromq01
  labels:
    app: vpromq01
spec:
  selector:
    matchLabels:
      app: vpromq01
  replicas: 1
  template:
    metadata:
      labels:
        app: vpromq01
    spec:
      containers:
        - name: vpromq01
          image: rabbitmq
          ports:
            - name: vpromq01-port
              containerPort: 15672
          env:
            - name: RABBIT_DEFAULT_PASS
              valueFrom:
                secretKeyRef:
                  name: app-secret
                  key: rmq-pass
            - name: RABBIT_DEFAULT_USER
              value: "guest"

Rabbitmq Service Definition

This will only be exposed internally to application using the Cluster IP type.

Create definition file mc-cip.yaml

apiVersion: v1
kind: Service
metadata:
  name: vprormq01
spec:
  ports:
    - port: 15672
      targetPort: vpromq01-port
      protocol: TCP
  selector:
    app: vpromq01
  type: ClusterIP

Java Application Deployment
I have used two inicontainers which are temporary containers which are dependencies for the Java application. Their job is to make sure the database and memcache container service are ready before the Java application container starts.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: vproapp
  labels:
    app: vproapp
spec:
  selector:
    matchLabels:
      app: vproapp
  replicas: 1
  template:
    metadata:
      labels:
        app: vproapp
    spec:
      containers:
        - name: vproapp
          image: oayanda/vprofileapp:v1
          ports:
            - name: vproapp-port
              containerPort: 8080
      initContainers:
        - name: init-mydb
          image: busybox:1.28
          command: ['sh', '-c','until nslookup vprodb; do echo waiting for mydb; sleep 2; done;']
        - name: init-memcache
          image: busybox:1.28
          command: ['sh', '-c','until nslookup vprocache01; do echo waiting for memcache ; sleep 2; done;']

Create Service Load balancer for Java application

apiVersion: v1
kind: Service
metadata:
  name: vproapp-service
spec:
  ports:
    - port: 80
      targetPort: vproapp-port
      protocol: TCP
  selector:
    app: vproapp
  type: LoadBalancer

Now, let's deploy all the other definition files

k apply -f .

Verify deployment and service are created and working

k get deploy,pod,svc

Note: It might sometime for all objects to created including the Load balancer.

Copy the Load balancer URL and view in browser

Host on Rout53
Step 1
If you are using an external registrar (for example, GoDaddy).

Create a Hosted Zone in Route53
Copy the NS records and update it on your external registrar. Step 2

In the Hosted zone on Rout53
Click create record

Enter a name for your application
Click on the Alias radio button
Under the Route traffic to, select Alias to Application and Classic load balancer
Select the region your application is deployed
Select the Load balancer
Click Create records > This will take some seconds for propagation.

View in the browser

Clean Up

# Delete all objects
k delete -f .

Congratulations! you have successfully deploy a java web application on Kubernetes Cluster.

Project Source

You can Clone the project files from my Github

As always, I look forward to getting your thoughts on this article. Please feel free to leave a comment!

How to: Deploy a Java Web App on AWS Elastic Beanstalk

Israel .O. Ayanda — Mon, 27 Feb 2023 15:58:02 +0000

Prerequisite

AWS account
Have a VPC (or you may also use the default VPC)
Have maven and JDK8 installed
AWS account
Have a signed certificate (SSL from Certificate Manager)
You have a domain name

Lets Begin!

1. Create Key Pairs for Beanstalk instance
Incase of troubleshooting, we need provide a secure way of accessing the EC2 instances.

Login into your AWS account.
Type Key pair in the AWS search bar
Click create key pair
Enter Name, Type and Format
Click create key pair

2. Create Security group (SG)
Next, create security group for the backend services (RDS MySQL, Amazon MQ and ElastiCache/memcahed ). All services need to be able to communicate between each other. This means we All traffic should route to itself. To do this, you need to add dummy inbound rule, save it and then click on edit, delete it, and then add All traffic and destination would be the name of the security group.

Type Security groups in the AW search bar
Click on create security group
Enter a Name and add a inbound rule and click create security group

Click on edit inbound rules again, this time, delete it and click on add rule
Select All traffic and select the SG you just created as the destination.
Click on save rules

3. Create Backend Services

RDS MySQL Database

As usual, type RDS in the AWS Search bar
Select subnet groups
Select create DB subnet group
Enter Name, select the your VPC and select two AZs as shown in the diagram below
Select subnets and click create

Next, still on this same page, click Parameter groups and click create parameter group. This is useful, if some parameter for the database needs some level of customization.

Enter the following values below

Parameter family: Mysql5.7
Type: DB parameter group
Group name: rds-parameter-gp
Description: rds parameter group
Click on create

Next, still on the same page, click Databases and click create database

Standard create
Engine Options: MySQL
Engine version: 5.7.*
Template: Dev/Test (or Free tier for low cost)
DB instance identifier: rds-mysql-database
master username: admin
Select Auto generate a password
DB instance class: Burstable classes:db.t3.micro
Allocated storage: 20GB
Select VPC
Select your DB subnet group
Public access: NO
VPC security group: vprofile_backend_service SG
Additional configuration - enter database name: accounts
Click Create Database

Click on view credentials to copy your password.

Amazon Elastic Cache
Like RDS, you need to create parameter group and subnet groups.
For parameter group, enter a name and select 1.4 for family_, enter a description and click create.

For Subnet group, enter a Name, VPC and leave the default settings and click create.

Next, Click Memcached clusters and click create Memcached clusters

Location: AWS CLoud
Name: vprofile-memcached-cluster
Engine version: 1.4.5
Parameter groups: vprofile_memcached-pg
Node type: cache.2t.micro
Subnet group:vprofile_memcached-sg **_ and click next
select manage under security group, select backend_service sg, click next to review
Click create

Create Amazon MQ

Broker engine: RabbitMQ
Deployment mode: single-instance
Enter Name: app-rmq
Broker instance type: t3 micro
Enter username and password
Under additional settings, select private access below network
Select the default VPC and the security group we created from the dropdown.
Enter and click next to review settings
Click create broker

4. Login into the instance and initialize RDS DB
At this point, you add the database accounts schema to RDS MYSQL. To do this lunch a temporary EC2 instance to initialize the database with the database schema.

Lunch a EC2 instance

Enter instance name
AMI : ubuntu 20 / free tier
Instance type: t2.micro
Select your key pair
Create Security group: Name: mysql-client-sg: Allow SSH to MyIP ( in some cases you might need to use 0.0.0.0/0 instead)
Add User data

#!/bin/bash
# update ubuntu OS and install MySQL client at startup
sudo apt update
sudo apt install mysql-client -y

Click lunch instance

Update backend security group (backend services) to allow MySQL traffic from the security group of the instance.

Next, copy the Endpoint of RDS MYSQL database for _accounts _ which is the hostname, you will need this to connect to RDS MYSQL and also to update the connection to the application.

SSH into the instance and Connect to RDS MYSQL

Clone the application repo Here

# Make sure git is installed and clone repo
git clone https://github.com/devopshydclub/vprofile-project

# navigate to **_src/main/resource_**

mysql -h <Replace RDS Endpoint> -u admin 
-p<Replace RDS DATABASE PASSWORD> accounts < db_schema.sql

# Show all database 
show databases;

# Use databases accounts
use accounts;

# Show the tables in the database accounts
show tables;

Copy the endpoint for Amazon MQ

Copy the endpoint for Memcached Cluster

Update web application with backend connection credentials. Navigate to src/main/resource in the repo and open application.properties with the editor of your choice.

# update the file with the endpoints, username, and password
vi application.properties

Build Artifact with Backend information using Maven on your local machine.
Make sure you are in the top level of the folder where the pom.xml is located.

5. Configure Beanstalk

Click Configuration
Edit Instances, add EC2 Security Group : Backend service SG and continue.
Edit Capacity, Environment type: Load balancer Instances: Min:2 and Max:4 Placement: us-east-1a and us-east-1b Click on continue.
Edit Load Balancer Listeners: add lister 443 for HTTPS and select SSL certificate as shown in the diagram below and click
Processes: click on action to edit the default process Scroll down to Health check and add /login as the endpoint and click save. -Click continue
Rolling updates and deployments Deployment policy: Rolling Percentage : 50% and click on continue.
Security: select key pair and Create instance profile and click Continue.

The simple application created earlier enable beanstalk to create the instance profile for us.

You should also add an email for notification.
Click on apply all changes and confirm

After the changes are applied the Health would be serve as shown in the diagram below. This is because of the endpoint /login we added, however the current application does not have this endpoint but our application does.

Deploy the Application

Click on Upload and deploy
Click choose file : Select the build vprofile-v2.war file from your machine. (located in the targets folder)
Enter Labal version: v2

Next, Update backend security group

Add rabbit MQ, elasticache and RDS MYSQL ports - 3306, 11211 and 5671 to Security Group created by beanstalk.

Note, Elastic beanstalk would create two SGs, check the names and make sure you are not pointing to the Load balancer SG

Update Entry in Route 53 Hosted Zone

Test The URL

Username: Admin_vp
Password: Admin_vp

Note: Incase you face any issues while uploading your artifact, disable your anti-virus software and try the upload again.

Source: visualpath

As always, I look forward to getting your thoughts on this article. Please feel free to leave a comment!

Bash Script : How to Create a k8s Cluster on AWS EKS using eksctl.

Israel .O. Ayanda — Sun, 19 Feb 2023 20:27:25 +0000

This article is a simple shell script tutorial about automating your kubernetes cluster setup on Amazon Elastic Kubernetes Service (EKS).

AWS EKS: Amazon Elastic Kubernetes Service (EKS) is a managed service and certified Kubernetes conformant to run Kubernetes on AWS and on-premises.

Eksctl: is a simple CLI tool for creating and managing clusters on EKS - Amazon's managed Kubernetes service for EC2.

Prerequisite

Kubectl is installed
eksctl is installed
AWS CLI version 2 is installed
AWS account
IAM role with EKS permission.
Have a Key Pair on AWS

Create an access key for your IAM user

Login into your AWS account
Go to IAM dashboard
Select Users and click on your IAM user name
Click on Security Credential Tab
Scroll down to Access keys and Click on Create access key
Select Command Line Interface (CLI), agree with recommendation click Next and follow the prompts.

Configure AWS CLI

# In your CLI, configure AWS cli with your access keys
aws configure

Create a file with permission

# Create file
vi scriptfile.sh

# Make execute permission
chmod +x scriptfile.sh

Copy and paste the code snippet below. Change the variables to your preferred names and values. Also change the values under the Creation of EKS cluster to preferred cluster requirements.

# Variables
CLUSTER_NAME=my-cluster
REGION=us-east-1
NODE_NAME=Linux-nodes
KEY_NAME=instance

# Set AWS credentials before script execution

aws sts get-caller-identity >> /dev/null
if [ $? -eq 0 ]
then
  echo "Credentials tested, proceeding with the cluster creation."

  # Creation of EKS cluster
  eksctl create cluster \
  --name $CLUSTER_NAME \
  --version 1.22 \
  --region $REGION \
  --nodegroup-name $NODE_NAME \
  --nodes 2 \
  --nodes-min 1 \
  --nodes-max 4 \
  --node-type t3.micro \
  --node-volume-size 8 \
  --ssh-access \
  --ssh-public-key $KEY_NAME \
  --managed

  if [ $? -eq 0 ]
  then
    echo "Cluster Setup Completed with eksctl command."
  else
    echo "Cluster Setup Failed while running eksctl command."
  fi
else
  echo "Please run aws configure & set right credentials."
  echo "Cluster setup failed."
fi

Make sure the key pair is in the same directory with the script or you specify.

aws sts get-caller-identity - checks if the AWS identity is created correctly. if [ $? -eq 0 ] - check if the last command, in this case aws sts get-caller-identity succeeded without no error. If it equals 0, it should go ahead and create the cluster. After the cluster is created, print a created message else inform us the AWS credential was not configured correctly.

Cluster Nodes on EC2 dashboard

Clean Up

  # Delete EKS Cluster
  eksctl delete cluster my-cluster

As always, I look forward to getting your thoughts on this article. Please feel free to leave a comment!

Getting Started: Pod, Replicaset and Deployment in Kubernetes

Israel .O. Ayanda — Wed, 15 Feb 2023 16:22:45 +0000

This is a quick tutorial is meant to explore some common objects in kubernetes.

let's begin!

Kubernetes

Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications.

Prerequisites

Basic understanding of docker or containers

Pods

A pod is the smallest unit of kubernete cluster. It has a one to one relationship with a container. This means a pod should only hold one container. However, in some case, a pod can hold more than one related containers. To deploy an object in k8s, YAML file manifest is required with specific sections.

Let's explore how to deploy a simple nginx pod.

Deploying a Nginx Pod

Create pod manifest yaml file - nginx-pod.yaml

# Kubernetes api version
apiVersion: v1

# Type of kubernetes object to created
kind: Pod

# Provides information about the resource like name, label
metadata:
 name: nginx-pod
 labels:
  apps: nginx-pod

# Consists of the core information about Pod
spec:
 containers:
  - image: nginx:latest
    name: nginx-pod
    ports:
     - containerPort: 80
       protocol: TCP

# Use this shortcut for typing kubectl all time
alias k=kubectl

# Create a nginx pod
k create -f nginx-pod.yaml

# View the created pod
k get pods

# Get more information about the pod
k describe pod nginx-pod
or 
k get pod nginx-pod -o yaml

The nginx image used in the yaml file is was pull from the docker hub, in some cases the intended repo is explicitly stated.

The nginx pod is created, but it can not be viewed in the browser. Another Kubernetes object called Service is required to expose to the Pod.

Although, not reliable because of the ephemeral nature of pods, but for internal use only the container can be viewed by using a curl container dareyregistry/curl

# Run kubectl to connect inside the container
kubectl run curl --image=dareyregistry/curl -i --tty

# Type curl and your container's ip
 curl -v 10.244.0.40:80

Service

An abstract way to expose an application running on a set of Pods as a network service.

The Service manifest file fields are similar to that of the Pod. Let's take a look.

Create a yaml file for Service - nginx-service.yaml

apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  labels:
    name: nginx-service
    app: server-service
spec:
  selector:
    app: nginx-pod
  ports:
    - port: 80
      protocol: TCP
      targetPort: 80

Note the selector field, this must be same as the labels (in this case, app: nginx-pod) in the pod manifest file. This help the service object to map to particular object since they may be many pod running at any particular instance. The targetPort is set to the same value as the port field. Additionally, the Service object can also use a nodePort field to expose the Pod externally, we will see this later.

# Create service for nginx
k apply -f nginx-service.yaml

# forward the port of the service to free port on your machine localhost
k port-forward svc/nginx-service 8089:80

Verify in the browser

# Clean up service
k delete svc nginx-service

# clean up pod
k delete po nginx-pod
## ReplicaSet

A ReplicaSet's purpose is to maintain a stable set of replica Pods running at any given time. As such, it is often used to guarantee the availability of a specified number of identical Pods.

The child field matchLabels of the selector field is used to identify the pod and a replica field is used to indicate how many pods should be maintained. It uses the template field to specify the data for the new Pod(s) it should create when scaling up or to meet the number of replicas criteria.

Let's see this in action

Create a replicaset manifest yaml file - rs.yaml

#Part 1
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  name: nginx-rs
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx-pod

#Part 2
  template:
    metadata:
      name: nginx-pod
      labels:
         app: nginx-pod
    spec:
      containers:
      - image: nginx:latest
        name: nginx-pod
        ports:
        - containerPort: 80
          protocol: TCP

# Create replicaset for ngix pod. 
k create -f rs.yaml

# View replicaset
k get rs

# View pods created by replicaset
k get pods

# Delete one of the pods
k delete po nginx-rs-2czdx

Notice replica is set to 3, hence the 3 pods. If a pod is terminates, it recreates another pod from the configuration stated in the template field hence, it will always maintain 3 available pods unless specified otherwise.

# Clean up
k delete rs nginx-rs

Deployment

A Deployment is another layer above ReplicaSets and Pods, newer and more advanced level concept than ReplicaSets. It manages the deployment of ReplicaSets and allows for easy updating of a ReplicaSet as well as the ability to roll back to a previous version of deployment. It is declarative and can be used for rolling updates of micro-services, ensuring there is no downtime.

Officially, it is highly recommended to use Deplyments to manage replica sets rather than using replica sets directly.

The manifest file for a deployment looks similar to a replicaset but the kind is deployment.

Create a deployment manifest yaml file - deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    tier: frontend
spec:
  replicas: 3
  selector:
    matchLabels:
      tier: frontend
  template:
    metadata:
      labels:
        tier: frontend
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80

# Create deployment
k create -f deployment.yaml

# view deployment, replicaset and pods
k get deploy,rs,pod

# Clean up
k delete deploy nginx-deployment

As always, I look forward to getting your thoughts on this tutorial. Please feel free to leave a comment!

Read here for more additional resources

Docker Compose: Deploy a Containerized Application

Israel .O. Ayanda — Thu, 26 Jan 2023 17:52:31 +0000

In the previous project, we deployed a containerized application with docker, which involved some processes like creating containers (MySQL server, application and Apache Server) separately, use of a Docker file, creating a network and running couple of docker commands on the command line interface (CLI). This process might become too tedious. Today, we will build on the previous project understanding and deploy our application containers in a more reliable, efficient and more simpler way using Docker Compose.

Docker Composer

Compose is a tool from Docker that is used to build applications that consist of more than one Docker container.
Containers in compose are called services. These services is defined with a YAML file which specify the configuration of your applications (For example, docker-compose.yml) and afterwards, create and start your multi-container with one command.

Prerequisite

Docker and compose is installed on your ubuntu instance or docker desktop for PC.
Basic understanding of docker and containers.
Basic Linux understanding will be helpful.
AWS free tier here

Let's Begin!!!

Deployment with Docker Compose

To follow along, clone the repo for the application here and change the directory to Tooling.

# Clone repo
git clone https://github.com/darey-devops/tooling.git

# change directory
cd tooling/

Create a file, name it tooling_app.yaml and paste the following code snippet.

version: "3.9"

services:
  tooling_frontend:
    build: .
    ports:
      - "5000:80"
    volumes:
      - tooling_frontend:/var/www/html
    depends_on:
      - db
  db:
    image: mysql:5.7
    restart: always
    environment:
      MYSQL_DATABASE: <The database name required by Tooling app >
      MYSQL_USER: <The user required by Tooling app >
      MYSQL_PASSWORD: <The password required by Tooling app >
      MYSQL_RANDOM_ROOT_PASSWORD: '1'
    volumes:
      - db:/var/lib/mysql
      - ./html/tooling_db_schema.sql:/docker-entrypoint-initdb.d/tooling_db_schema.sql
volumes:
  tooling_frontend:
  db:

Update the MYSQL_DATABASE, MYSQL_USER and MYSQL_PASSWORD in the configuration file above.

version: Specify the version of docker compose to use
services: Containers to be create and run
build: specifies the build configuration(the Dockerfile we usee in the previous project) for creating container image from source.
port: specifies the mapping of the host port to the container port
volumes: Specify the storage or data
depends_on: Express dependency between services
image: Specifies the docker image to run from.
restart: restart the container

Under services, you have the frontend application and the MySQL database. The YAML file also use the Dockerfile configuration in the directory.The Dockerfile specifies the configuration for the frontend and Apache Server.

Make sure the your update the html/db_conn.php.

MYSQL_IP mysql ip address "db" from the compose file
MYSQL_USER mysql username for user export as environment variable
MYSQL_PASS mysql password for the user exported as environment varaible
MYSQL_DBNAME mysql databse name "toolingdb"

html/db_conn.php

Give permission to docker, exit and login again

sudo usermod -aG docker ubuntu

Run the command to start the containers

# The f flag specifies the Compose configuration files

docker compose -f tooling_app.yaml  up

Verify that the compose is in the running status:

docker compose ls

Ensure port 5000 is opened in your security group.

Verify from the browser

Congratulation!!! You have successfully deployed a containerized web application using Docker Compose.

Repo: darey.io

As always, I look forward to getting your thoughts on this article. Please feel free to leave a comment!

Deploy a Containerized PHP Web Application with Docker

Israel .O. Ayanda — Thu, 12 Jan 2023 16:54:24 +0000

In this project, you will be deploying a simple PHP-based containerized solution backed by a MySQL database application using Docker.

Docker is an open source platform for shipping, developing and running application on any OS running a docker engine. It is fast, takes less space than VMs and can be distributed or shipped as a Docker image.

A quick 2 minutes read about Docker Container, Docker Image & Dockerfile

Prerequiste

Docker is installed on your ubuntu instance.
Basic understanding of docker and containers.
Basic Linux understanding will be helpful.
AWS free tier here

Let's Begin.

MySQL in Container

Let us start assembling the application from the backend Database layer – you will use a pre-built MySQL database container, configure it, and make sure it is ready to receive requests from the frontend PHP application.

Step 1: Pull MySQL Docker Image from Docker Hub Registry

In the termainal,

# Search available MySQL image in the docker hub registry

 docker search mysql-server

Next, you will pull the first on the list, which is the official and latest version and stored in the docker build cache locally.

# Download docker image locally from docker hub
docker pull mysql/mysql-server:latest

You made this pull to make the container creation process faster. Otherwise, skip step one and move to step two, which does the something.

Step 2: Deploy the MySQL Container to your Docker Engine

Once you have the docker image, move on to deploy a new MySQL container

# Create a MySQL container
docker run --name=mysqldb -e MYSQL_ROOT_PASSWORD=dontusethisinprod -d mysql/mysql-server:latest


# List all running containers
docker ps -a

Connecting to the MySQL Docker Container

Now, let's connect to the MySQL container directly

First Method

# Connect to the MySQL database and enter the from the initial step.

docker exec -it mysqldb mysql -uroot -p

# Exit the MySQL mode
exit

Flags

Database name = mysqldb
Username = -u
Password = -p
Interactive mode -it

You are going to use the second method below, so go ahead remove this container.

docker rm -f mysqldb

Second Method

After connecting to the MySQL container, you could go on can configure the schema and prepare it for the Frontend PHP application but this means you will be using the default bridge network which is the default way for connection for all containers. However, it better to create our own private network which enable us to control the network cidr.

Let's go ahead and create a network

# Create a new bridge network

docker network create --subnet=172.18.0.0/24 tooling_app_network

This time, let us create an environment variable to store the root password:

# Save the password using environment variable
export MYSQL_PW=password

# verify the environment variable is created
echo $MYSQL_PW

If you are using Window OS, run above command in your git bash terminal which comes with visual studio code editor.

To avoid name conflict, remember to remove the initial container as stated above. Now, pull the image and run the container, all in one command like this below

docker run --network tooling_app_network -h mysqlserverhost --name=mysql-server -e MYSQL_ROOT_PASSWORD=$MYSQL_PW  -d mysql/mysql-server:latest

Flags used

-d runs the container in detached mode
--network connects a container to a network
-h specifies a hostname

It is best practice not to connect to the MySQL server remotely using the root user. Therefore, you will create a SQL script that will create a user you can use to connect remotely.

Create a file and name it create_user.sql and add the below code in the file

 CREATE USER '<username>'@'%' IDENTIFIED BY '<password>'; 
 GRANT ALL PRIVILEGES ON * . * TO '<username>'@'%';

Replace the username and password to your values.

Now, run the script to create the new user. Ensure you are in the directory create_user.sql file is located.

docker exec -i mysql-server mysql -uroot -p$MYSQL_PW < create_user.sql

Prepare Database Schema

Now, you need to prepare a database schema so that the Tooling application can connect to it.

Clone the Tooling-app repository from here

git clone https://github.com/oayanda/tooling-1

You can find the schema in tooling PHP application repo.

ls ~/tooling-1/html/

Use the SQL script to create the database and prepare the schema. With the docker exec command, you can execute a command in a running container.

docker exec -i mysql-server mysql -uroot -p$MYSQL_PW < ~/tooling-1/html/tooling_db_schema.sql

Next, you need to update the .env file with connection details to the database. The .env file is located in the html ~/tooling/html/

# View the location of the file
ls la ~/tooling/html/

Let's update the connection to the database using the vi editor

vi ~/tooling-1/html/.env

Flags used:

MYSQL_IP mysql ip address "leave as mysqlserverhost"
MYSQL_USER mysql username for user export as environment variable
MYSQL_PASS mysql password for the user exported as environment varaible
MYSQL_DBNAME mysql databse name "toolingdb"

Update the servername, username, password& databasename in db_conn.php file in tooling/html directory

Run the Tooling App

You are almost there. Now you need to containerized the Frontend Application as well and then connect it to the MySQL database.

However, as you now know that you need a Dock image to create a Container but you need a Dockerfile to create a Docker image. In the cloned tooling application repo you now have on system is a Dockerfile which you going to used to build the docker image.

Ensure you are inside the directory "tooling" that has the file Dockerfile and build your container.

docker build -t tooling:0.0.1 .

In the above command, we specify a parameter -t, so that the image can be tagged "tooling.0.1" - Also, you have to notice the . at the end. This is important as that tells Docker to locate the Dockerfile in the current directory you are running the command. Otherwise, you would need to specify the absolute path to the Dockerfile

Run the container

docker run --network tooling_app_network -p 8085:80 -it tooling:0.0.1

Ensure to allow port 8085 for a TCP connection in your security group.

View the login page in browser

The default email is test@gmail.com, the password is 12345

Web application Repo from Darey.io

Congratulation!!! You have successfully deployed a containerized web application with MySQL backend on docker.

As always, I look forward to getting your thoughts on this article. Please feel free to leave a comment!

Getting Started: Docker Container, Docker Image & Dockerfile.

Israel .O. Ayanda — Wed, 04 Jan 2023 18:41:09 +0000

This article is meant to give a brief understanding of docker, it's components and use.

Docker
Docker is a software platform that simplifies the process of building, running, managing and distributing applications.

A Docker container is a loosely isolated environment running within a host machine’s kernel that allows us to run application-specific code along with it's dependencies.
Docker runs on top of the original host machine kernel.

The Kernel is the key program or software at the core an operating system with complete control of a computer or machine.

Docker Engine is an open source containerization technology for building and containerizing your applications and it consists of :-

Docker Server or Docker daemon
Docker Engine Application Program Interface (API)
Docker Command Line Interface (CLI)

The diagram below explains their relationships.

How are containers created?
In programming terms: Docker containers can be described as objects that are created by a class in docker called Docker images.

A Docker Image is an executable package that contains a read-only template with set of instructions used to build a container. When these instructions are executed, it creates a Docker container. It can be compared to a snapshot used in a Virtual machine (VM) environment.

These instructions defines all what the container needs, this includes the container code, libraries, environment variables, configuration files, and more. Hence, a docker container can also be thought of as an instance of the set of instructions defined in a docker image running on a host machine.

It is also important to understand the relationship between a docker image and a docker container. It is not always a one to one relationship. It can be one to one or one to many, that is, many docker containers can be created from one docker image.

Let's create a docker container

Install Docker desktop here
Choose your OS on the left menu and follow the installation instruction

Quick getting started docker commands

# Search the docker hub for available ubuntu images
docker search ubuntu

# Create a new container base on the ubuntu image
docker create -it --name=fooo ubuntu bash

# List of started containers
docker container ls

# List created containers
docker container ls -a

# Start a created container
docker start fooo

# Start a interactive mode (-it) on the container
docker attach fooo

# Run a command in a new container
docker run --name=bar -it ubuntu bash

# Exit interactive mode
Ctl q+p

# Check container history
docker logs fooo

# Stop container
docker stop fooo

# Remove container
docker rm fooo

How to create docker containers fooo & bar from a ubuntu image

Desktop view of docker containers fooo and bar

Dockerfile
A Dockerfile outlines instructions for how an image will create a container. It is a text document that contains all the commands a user could call on the command line to assemble an image.

As always, I look forward to getting your thoughts on this article. Please feel free to leave a comment!

Configuring AWS RDS, AWS EFS Storage, KMS and SSL certificate in ACM.

Israel .O. Ayanda — Fri, 30 Dec 2022 06:50:45 +0000

Now that the major networking services have be configured, next we will configure the data layer and security services.

Create Encryption Key in Amazon KMS
AWS Key Management Service (AWS KMS) create and control keys used to encrypt or digitally sign data. We will use the KMS key to encrypt the AWS RDS MYSQL database. This resource is region specific, hence for this project the KMS key will be created in us-east-1 as with other AWS resource.

In the Key Management Service dashboard, click on create key
Ensure Symmetric and Encrypt and decrypt is check and click next -Enter a Name, description and Tag

Select yourself as administrator

Give yourself key usage permission

Click Next to review and Finish

Amazon RDS
Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud.
Amazon RDS supports couple of database engines including MYSQL database needed in this project.

Create Subnet groups
The DB subnet group defines which subnet(s) of VPC the database instance would deploy to.

Navigate to the Amazon RDS dashboard
In the left menu, click on subnet groups
Click on create subnet group
Enter Name, description and select VPC
Select availabity zone us-east-1a and us-east-1b
Select the subnet 10.0.5.0/24 and 10.0.6.0/24 as seen in the diagram.
Click create

Create RDS MySql database

Navigate to the Amazon RDS dashboard
Create database
Under Engine options - select MySql
Availability and durability - select Free tier (or Multi-AZ DB Cluster for high availability, data redundancy and increases capacity to serve read workloads)
Enter a Name and password for the database
Select the right VPC
Ensure the database subnet group is selected
Public access: No
Select the data layer security group we created earlier.
Select us-east-1a under Availability Zone
Leave other default options
Click create database

Create File Storage with EFS
Amazon Elastic File System (Amazon EFS) provides a simple, scalable, elastic file system for general purpose workloads for use with AWS Cloud services and on-premises resources.
It is serverless, elastic, set-and-forget file system that automatically grows and shrinks as you add and remove files with no need for management or provisioning.

Navigate Amazon EFS dashboard
Click on create file system
Enter Name, tag and click next

Select the appropriate VPC
Select private subnet 1 & 2 (10.0.2.0/24 and 10.0.4.0/24)
Next, review the setting and click on create

Access Point
One of the advantages of Amazon EFS is that, it is a shared file systems, meaning it can serve as a storage for more than one application. It keeps each application separate with the use of Access points. We will be hosting two applications.

Create Access Point for Two Applications

Click the name of the file system

Click on Access Points Tab and click create access point

Enter the following details for WordPress application and create access point

Name: wordpress
Path: /wordpress
POSIX user ID, Group ID, Owner user ID, group ID: 0
Access point permissions: 0755
Tag - Name: wordpress-ap

The second application is named Tooling

Enter the following details for Tooling application and create access point

Name: tooling
Path: /tooling
POSIX user ID, Group ID, Owner user ID, group ID: 0
Access point permissions: 0755
Tag: Name: tooling-ap

SSL Certificate
Amazon Certificate Manager (ACM) handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications.

Create certificate

In the ACM dashboard click on Request a certificate
Ensure Request a public certificate is selected and click next
Use a wildcard ("") as the Fully qualified domain name ("".yourdomain.xx)

Accept the default values and click Request
Next Click List Certificate in the left menu
Click on the certificate you just created

Click on Create records in Route 53
Click on Create records

If you purchased your domain externally, you need to create a hosted zone in Route 53 and updated the DNS records.

After a few minute the certificate would be validated and issued.

Next, let's create AMI's for the web application.
Watch out for the concluding implementation.

Hands-on: Configuring a 3-tier autoscaling service with NGINX Reverse Proxy AWS.

Israel .O. Ayanda — Thu, 29 Dec 2022 14:37:14 +0000

In this article, I have described step by step process(s) by which to configure a AWS cloud solution for a company having 2 websites with a reverse proxy technology.

Use case: To build a secure infrastructure inside AWS VPC network for a company that uses WordPress CMS for its main business website, and a Tooling Website for their DevOps team. As part of the company’s desire for improved security and performance, a decision has been made to use a reverse proxy technology from NGINX to achieve this. Cost, Security, and Scalability are the major requirements for this project.

In this project, you will gain understanding and configure some AWS resources like VPC, Security groups, Auto Scaling groups, Target groups, Lunch Templates and much more by implementing the architecture diagram below.

This implementation have been divided into five major categories. As such, this tutorial is divided into five series as well to make it simple and easier to follow.

Prerequisites

An AWS account AWS free tier
Some Knowledge of Linux command
A Domain name (Your can get a free domain from Freenom)

Let's Get Started!!!

Reverse Proxy

A reverse proxy is the application that sits in front of back-end applications/servers and forwards client requests to those applications. Reverse proxies help increase scalability, performance, resilience and security. The resources returned to the client appear as if they originated from the web server itself.

NETWORKING

As with constructing a building, the foundation is always very important and that brings us to VPC. From the diagram above, you would see that the VPC is the backbone of the whole infrastructure. By the way, VPC means Virtual Private Cloud.

Amazon Virtual Private Cloud (Amazon VPC) enables you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you've defined. This means most AWS resources would need VPC to communicate between each other except for a severless architecture read more

Create a VPC

Note: as shown in the above diagram, every account comes with a default VPC

# Let's create our VPC with these information below
- Set Resources to create to VPC only
- Set Name to any name of your choice
- Set IPv4 CIDR to 10.0.0.0/16

Leave the other options and click on create VPC

Next, we will configure the following are AWS resources that the VPC needs to provide the connectivity that our applications requires - Subnets, Route tables, Internet gateways, Elastic IPs, NAT gateways, Security groups.

Create Subnets

Subnets are simply groupings of IP addresses. A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a specified subnet. Use a public subnet for resources that must be connected to the internet, and a private subnet for resources that won't be connected to the internet directly.

In the infrastructure diagram above, we need two public subnets (for the nginx reverse proxy and bastion server) and 4 private subnets (for the web servers and database). My region is set to US East (Northern Virginia) Region and I have decided to use two availabity zones(AZs) for this project namely us-east-1a and us-east-1b.

Still on the VPC dashboard, click on subnets

Click on create subnet
Note: The default the VPC comes other default features like default subnets, internet gateway, route tables etc.

# Create two Public Subnets
Set VPC ID to your newly create VPC
Set Subnet name to your preferred name
Set Availability Zone to us-east-1a
Set IPv4 CIDR block to 10.0.1.0/24

Create the second public subnet in Availability Zone us-east-1b and set IPv4 CIDR block to 10.0.3.0/24 as seen the diagram.

You can configure all 6 subnets on the same page by clicking add new subnets before you finally click on the create subnet button.

# Create 4 Private Subnets
Set Private subnet 1 in us-east-1a with IPv4 CIDR block 10.0.2.0/24
Set Private subnet 2 in us-east-1b with IPv4 CIDR block 10.0.4.0/24
Set Private subnet 3 in us-east-1a with IPv4 CIDR block 10.0.5.0/24
Set Private subnet 4 in us-east-1b with IPv4 CIDR block 10.0.6.0/24

Create Internet Gateway

The VPC needs a way to communicate with the internet to allow client communication, to do this we need to configure a internet gateway. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between a VPC and the internet.

Still on the VPC dashboard, click on internet gateways in the left menu and Click on Create Internet gateway

Enter a name for the internet gateway
Click on create internet gateway

Next click on Attach to VPC on the top right of the page or click on Actions
Select the your VPC and click attach Internet gateway

Create Elastic IP

We need an Elastic IP address as a requirement to configure the NAT gateway. The need would become clearer soon. An Elastic IP address is a static, public IPv4 address designed for dynamic cloud computing.

Click on Elastic Ips in on left menu for the VPC dashboard
Click on Allocate Elastic IP address
Enter a tag Name and click on Allocate

Create Nat Gateway

As seen in the infrastructure diagram above, the web servers and the data layer are placed in the private subnets, meaning that they don't have direct access from or to the internet which ensures security. However, under AWS shared responsibility for IaaS, it is our responsibility to manage patches and updates to the AWS resources we provision (for EC2 instance we used). Hence, we need to way for the EC2 instances to communicate with the internet to download patches. A NAT gateway enable us to do just that.

A NAT gateway is a Network Address Translation (NAT) service. it does not allow any inbound traffic from the internet but allows outbound traffic from the private subnets associated with it.

Click on Nat gateways on left menu of the VPC dashboard
Click Create NAT gateway
Enter a Name
Select a Public Subnet under Subnet
Connectivity type - Public
Elastic IP allocation ID - click the dropdown arrow to select the Elastic IP we just created
Create NAT gateway

Create Route table

A route table contains a set of rules, called routes, that determine where network traffic from the subnets or gateway is directed. For the infrastructure diagram above, we need one private route table for the four private subnets and one public route table for the two public subnets.

Create Private Route Table

Click route tables on the left menu on the VPC dashboard
Click create route table
Enter your preferred Name
Select your VPC from the dropdown
Click create route table

Repeat above steps to create the public route table.

Next, we need to associate the public subnet with the public route table and private subnet with the private route table.

Subnet Association with Route Table

Select the the Public route table
Click Actions on the top right of the route table dashboard
Click on Edit Subnet associations

Select the two public subnets
Click save associations

Repeat the steps above to associate the private subnets with the private route table. Make sure your select the four private subnets only.

Edit Routes for Route Tables
Now, we need to add the routes for communication in the route tables. For the Public route table, the internet gateway as the target and anywhere IP CIDR would be the destination. For the private route, the Nat gateway would be the target and anywhere IP.

Select the the Public route table
Click in Actions on the top right of the route table dashboard
Click on Edit routes

Click on Add route
Destination - 0.0.0.0/0
Target - internet gateway
Click save changes

For the Private Route
Repeat the steps above but for Target choose the Nat gateway you created.

Create Security Groups

Next, we will create the security groups needed for the AWS resources. A security group controls the inbound and outbound traffic from or to a AWS resource. To ensure the security of your infrastructure, it is important to allow only appropriate traffic from verified origin read more.

As seen in the infrastructure diagram above, we will need six security groups for :-

External Load Balancer - should accepts all https(port 443) & https(port 80) inbound request from the browser.

Click on Security Groups on the VPC dashboard
Click on create security group
Enter Name, description and select the appropriate VPC
click on Add rules under inbound rules
Select HTTP on port 80 and HTTPS on port 443 and IPV4 Anywhere IP (0.0.0.0/0) a the source
Enter a Name tag
Click create security group

Bastion Servers - should allow only SSH. The Bastion server will server as a jump server into any other instance/ server on the infrastructure for maintenance or troubleshooting purpose.

Add Name, tag and description as above
Add inbound rule as SSH
Click create security group

Nginx Servers - should accepts only inbound traffic from the external load balancer and bastion server.

Add Name, tag and description as above
Add inbound rules HTTPS, HTTP and select external load balancer security group as the source.

Internal Load Balancer - should allow only inbound rules from the nginx proxy server.

Add Name, tag and description as above
Add inbound rules HTTPS, HTTP and select Nginx reserve proxy security group as the source.

Webservers - should allow inbound rules from the internal load balancer and bastion server.

Add Name, tag and description as above
Add inbound rules HTTPS, HTTP and select Internal load balancer security group as the source.
Add inbound rule SSH and source as bastion security group

Data Layer - should allow inbound rules from the webserver and administrative access for the bastion server.

Add Name, tag and description as above
Add inbound rules MySQL/Aurora and select bastion security group as the source.
Add inbound rules MySQL/Aurora and select webserver security group as the source.
Add inbound rules NFS and select webserver security group as the source.

Don't worry everything would become clearer as we move on.

Next, we will configure and setup Amazon RDS for database, Amazon EFS for file storage, generate our database encryption key in AWS KMS and generate SSL certificate in AWS Certificate Manager.

As always, I look forward to getting your thoughts on this feature. Please feel free to leave a comment or click on the subscribe button for more updates.