DEV Community: ojo temitope seun

Secure Web Application Deployment Across Multiple Availability Zones in a VPC

ojo temitope seun — Mon, 30 Jun 2025 02:46:57 +0000

Project Overview

The primary objective of this project is to design and implement a highly available and scalable web application infrastructure within Amazon Web Services (AWS). The application will be deployed across multiple Availability Zones (AZs) within a Virtual Private Cloud (VPC) to ensure redundancy, fault tolerance, and load distribution.

Objectives

Designing a custom VPC with appropriate public subnets across two Availability Zones (eu-west-1a and eu-west-1b).
Deploying a web server with Apache and a sample web page.
Creating an Amazon Machine Image (AMI) for EC2 replication.
Configuring an Application Load Balancer (ALB) to evenly distribute traffic.
Setting up Auto Scaling Groups to handle variable traffic loads and improve fault tolerance.
Ensuring the entire setup is resilient, scalable, and publicly accessible through the ALB endpoint.
Register a custom domain and configure Route 53 DNS records for public accessibility.
Secure web traffic using AWS Certificate Manager (ACM) and HTTPS (port 443).

STEP 1 : Design a suitable network

STEP 2 : Draw the topology to meet this requirement

STEP 3 : Create Management VPC

STEP 4 :Create public subnets in two availability zones, eu-west-1a and eu-west-1b, respectively.

eu-west-1a

eu-west-1b

STEP 5: Create a Route Table for Each Subnet.

STEP 6: Create an EC2 Instance and Install the Web Application on It

Create an EC2 instance

Install Apache

sudo apt update
sudo apt install apache2 -y

Empty apache file using tee with /dev/null

sudo tee /var/www/html/index.html < /dev/null

Create the HTML file

sudo nano /var/www/html/index.html

Paste your HTML code into the file.
Save and exit (CTRL+O, ENTER, then CTRL+X)

Restart the web server

sudo systemctl restart apache2

STEP 7 : Create an AMI from the EC2 Instance Running the Web Application.

STEP 8: Create a Target Group for the Application Load Balancer.

STEP 9: Create an Application Load Balancer

STEP 10 : Create a launch template

STEP 11 : Create an Auto Scaling Group

Attach to load balancer

STEP 12 : Each of the two instances is running in a different Availability Zone.

STEP 13: Copy the DNS Name of the Elastic Load Balancer and Access It via a Web Browser.

elb-url (WEB-APP-LB-909414547.eu-west-1.elb.amazonaws.com)

STEP 14 : Create A record and attach to load balancer DNS name

Create a record from existing hosted zone

Open the website (http://web.dbesttech.it.com/)

STEP 15: Create a secured website access with the help of AWS Certificate Manager.

STEP 16: Create a record in Route 53 for AWS Certificate Manager validation.

STEP 15: Change the load balancer listener port from port 80 to 443.

STEP 15: Open a secured website (https://web.dbesttech.it.com/).

Conclusion

This project successfully demonstrated the end-to-end deployment of a web application across multiple Availability Zones within a custom Virtual Private Cloud (VPC) on AWS. By designing a robust network architecture and leveraging key AWS services such as EC2, AMI, Application Load Balancer (ALB), and Auto Scaling Groups, the solution achieved high availability, scalability, and fault tolerance.

The use of public subnets in multiple Availability Zones ensured that the web application remained accessible even in the event of an AZ failure. The load balancer provided efficient traffic distribution, while the launch template and auto-scaling configuration enabled the infrastructure to adapt dynamically to varying workloads.

This deployment aligns with cloud architecture best practices and lays a strong foundation for building resilient, performant, and scalable web applications in the cloud. Future improvements include integrating AWS WAF for enhanced security, using RDS in private subnets for data persistence, deploying CloudFront for global content delivery, and adding centralized monitoring and logging with Amazon CloudWatch and AWS Config for improved visibility.

With the growing demand for enterprise deployment of services in the cloud, ensuring seamless connectivity across multiple VPCs in the AWS cloud has become essential. AWS Transit Gateway is the ideal solution for this need. The article below provides a det

ojo temitope seun — Sat, 14 Dec 2024 13:34:39 +0000

AWS TRANSIT GATEWAY

ojo temitope seun ・ Dec 7 '24

#aws #awsnetworking #cloudsecurity #awssecurity

AWS TRANSIT GATEWAY

ojo temitope seun — Sat, 07 Dec 2024 14:42:31 +0000

Transit Gateway

Transit Gateway, introduced in 2018, helps manage multiple VPCs and connect AWS to on-premises networks. It simplifies inter-VPC connectivity by acting as a centralized hub, replacing the complex mesh architecture required in traditional VPC peering.

Objectives

To understand the architecture and setup process of AWS Transit Gateway.
To demonstrate practical implementation through a lab, including routing, EC2 instance setup, and connectivity tests.

AWS Transit Gateway Overview and Key Benefits

Simplified Inter-VPC Connectivity: Transit Gateway uses a hub-and-spoke model, eliminating the need for full-mesh connectivity (n(n-1)/2 connections).
Centralized Traffic Inspection: By deploying virtual appliances in a centralized VPC, traffic can be monitored efficiently.
Scalability: Allows interconnection of thousands of VPCs and on-premises networks.

Key Features:
o Multicast support
o Appliance mode
o Availability Zone considerations
o Transit Gateway sharing

Supported Attachments:
o VPCs
o Peering connections with other Transit Gateways
o SD-WAN or third-party network appliances (via Connect)
o VPNs
o Direct Connect Gateway

Transit Gateway Setup

Prerequisites

VPCs should not have overlapping CIDRs.
Supports both Static Routing and Dynamic Routing (via Border Gateway Protocol).

AWS TRANSIT GATEWAY LAB TOPOLOGY

Lab Steps

Step 1: Create Three VPCs and Subnets:

VPC-A: 172.16.0.0/16

Public Subnet-A: 172.16.0.0/24
Private Subnet-A: 172.16.1.0/24

VPC-B: 172.17.0.0/16
Private Subnet-B: 172.17.1.0/24
VPC-C: 172.18.0.0/16
Private Subnet-C: 172.18.1.0/24

VPC CREATED

SUBNETS

Step 2: Create a route for each VPC.

Step 3: Create Transit Gateway.

Step 4: Create Attachments for Each VPC.
Attach VPC-A, VPC-B, and VPC-C to the Transit Gateway.

Step 5: Modify Route Tables:
Create a static route in VPC-A pointing to VPC-B and VPC-C.

Create a static route in VPC-B pointing to VPC-A and VPC-C.

Create a static route in VPC-C pointing to VPC-A and VPC-B.

Step 6: Deploy a Jump Host in VPC-A
Public subnet: 172.16.0.0/24.
Public Subnet IP Address-A: 172.16.0.7

Step 7: Launch EC2 Instances in Each VPC

Public subnet IP Address-A = 172.16.0.7/24
Private Subnet IP Address -A = 172.16.1.95/24
Private Subnet IP Address -B= 172.17.1.108 /24
Private Subnet IP Address -C = 172.18.1.153 /24

Step 8: Testing Connectivity:
SSH from the Jump Host in VPC-A to EC2 instances in VPC-B and VPC-C.
Ping between private IPs to verify routing:
VPC-A ↔ VPC-B

**VPC-A ↔ VPC-C**

CONCLUSION

AWS Transit Gateway provides a scalable and efficient solution for managing multiple VPCs and connecting on-premises networks. Its hub-and-spoke architecture simplifies inter-VPC connectivity, eliminates the complexities of full-mesh peering, and centralizes traffic inspection for better network visibility and security. With features like multicast support, dynamic and static routing, and compatibility with SD-WAN and Direct Connect, Transit Gateway is ideal for organizations seeking a robust and streamlined networking solution.

By following the outlined steps to set up and test Transit Gateway, users can efficiently connect and manage their VPCs, ensuring seamless communication and optimized network performance. Whether for large-scale enterprise use or smaller deployments, AWS Transit Gateway offers the flexibility and reliability needed to meet modern networking demands.

AWS GUARDDUTY

ojo temitope seun — Sat, 20 Apr 2024 08:53:33 +0000

What is Amazon GuardDuty?
Amazon GuardDuty is a pay-as-you-go threat detection service that continuously monitors for malicious activity and anomalous behavior to help protect your AWS accounts, workloads, and data. It continuously monitors and analyzes activity within your AWS environment to identify potentially malicious or unauthorized behavior. GuardDuty uses machine learning, anomaly detection, and integrated threat intelligence to identify threats such as unusual API calls, potentially compromised instances, unauthorized access attempts, and instances of cryptocurrency mining.

BENEFITS OF GUARDDUTY

Continuous Monitoring: GuardDuty continuously analyzes events and log data from various AWS data sources including AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs to detect potential security threats.
Threat Detection: It uses a combination of signature-based detection, anomaly detection, and machine learning algorithms to identify potential security threats and suspicious activities within your AWS environment.
Integrated Threat Intelligence: GuardDuty integrates with AWS Security Hub and AWS Lambda to provide threat intelligence feeds from AWS, as well as third-party sources, to enhance threat detection capabilities.
Centralized Dashboard: GuardDuty provides a centralized dashboard where you can view security findings, prioritize alerts based on severity, and investigate security incidents.
Automated Remediation: GuardDuty can automatically respond to certain types of security threats by triggering AWS Lambda functions or AWS CloudWatch Events to initiate automated remediation actions.

WHAT IS GUARDDUTY FINDINGS
Findings indicate potential security issues due to malicious activity occurring in your AWS account.

Below are the types of Amazon GuardDuty findings :

1.Malware protection
GuardDuty will flag suspicious files installed on an EC2 instance.

2.RDS Protection
It will detect any anomalous behaviour, such as failed login attempts to the Relational Database.

3.EC2 Finding Types
Unauthorized access to EC2 instance using SSH bruteforce

4.IAM Finding Types
IAM user disabling CloudTrailLogging, IAMuser using root credentials

The Malware Detection on EC2 instance as a use case and the following is a walk through guide
Guardduty can be used to scan EC2 instance workload to detect and flag any threat .
Below are the steps to implement this :
NETWORK DIAGRAM

a. Enable Guardduty on your account by click on Get Started

Open the GuardDuty console at https://console.aws.amazon.com/guardduty/
Choose Get Started.
Choose Enable GuardDuty.

b. Launch Microsoft window server and download a test malware on it.
The malware will not be detected automatically until you scan it with guard duty.

c. Malware scan with Guardduty

Using the Malware Scans page:

In the navigation pane, choose Malware Scans.

Choose Start on-demand scan and provide the Amazon EC2 instance ARN1 for which you want to initiate the scan.

d. The result after the GuardDuty scan reveals that a threat was found on the Windows server that was scanned, requiring urgent attention.

CONCLUSION
Amazon GuardDuty has a variety of applications, one of which is malware detection, as explained in detail above. Feel free to follow these steps and practice on your own. Amazon GuardDuty offers 30 days of free use for you to explore and learn various uses of the tool. Thank you for your time; we would also appreciate your feedback and contribution.

Implementing SSL VPN Using FortiGate in AWS Cloud

ojo temitope seun — Sun, 10 Mar 2024 14:27:36 +0000

DEPLOYMENT OF FORTIGATE SSL VPN IN AWS CLOUD

There has been a significant increase in the deployment of enterprise applications and services in the cloud. This has necessitated the need for an additional layer of security and flexibility for services hosted in the cloud. Below are the advantages this deployment will offer:

a. It provides additional security to services and applications hosted on the AWS cloud.

b. It allows easy accessibility of services and applications hosted on the AWS platform.

c. Users do not need to have AWS accounts before they can access and modify applications hosted on AWS.

d. It provides privacy for services and applications.

WHAT IS SSLVPN?

Secure Socket Layer Virtual Private Network (SSLVPN), is an example of VPN (Virtual Private Network) technology that utilizes SSL/TLS protocols to provide secure remote access to a private network. SSLVPN enables users to securely access applications and resources on a private network from a remote location through an encrypted connection over the internet.

STEPS FOR FORTIGATE CLOUD DEPLOYMENT IN AWS

          NETWORK DIAGRAM

1.CREATE A VPC: The first thing that is required is to create a VPC inside the AWS cloud.
For this VPC 10.10.0.0/16 subnet will be used with name tag SSLVPN-VPC

2.CREATE SUBNET
Create a list of three subnets, with the first one being the public subnet and the remaining two being private subnets.
The subnets shall be named as follows:
10.10.1.0/24 = Subnet_A
10.10.2.0/24 = Subnet_B
10.10.3.0/24 = subnet_C

3.CONFIGURE ROUTING
Create a separate routing table for each of the three subnets. They will be named:
10.10.1.0/24 = Route_A
10.10.2.0/24 = Route_B
10.10.3.0/24 = Route_C

4. CREATE SECURITY GROUPS
Create a security group and allow the following protocols inbound, including ports 22, 80, 443, and 10443. The security group is named SSL-VPN-SG

5. CREATE ENI FOR PRIVATE NETWORKS
Elastic Network Interfaces (ENIs) should be created for each subnet. They will be named as shown below:

ENI-A,ENI-B and ENI-C

6. LAUNCH FORTIGATE FIREWALL AND ATTACH ELASTIC NETWORK INTERFACE (ENI).

Launch the Fortigate firewall instance from the AWS Marketplace. In this scenario, I am using Instance type of t3.medium

7. CHANGE THE DEFAULT LOGIN DETAILS
When you launch Fortigate Firewall, it gives you the default username as admin and the password as instance ID. It is mandatory to change the password

8. ATTACH TWO ADDITIONAL LOCAL INTERFACES TO THE FORTIGATE

BEFORE THE INTERFACES ARE ADDED

HOW TO ADD THE INTERFACE

AFTER THE INTERFACES ARE ADDED

9. CONFIGURE GATEWAY ADDRESS ON THE FIREWALL WITH THE IP ADDRESS OF THE NETWORK INTERFACES

10. CONFIGURE USER DEFINITIONS AND USER GROUPS.

11. CONFIGURE IP SUBNET FOR SSL REMOTE VPN

12. CONFIGURE VPN PORTAL

13. CONFIGURE SSL VPN SETTINGS

b. CONFIGURE OTHER USER GROUPS TO USE SSLVPN WEB MODE

C. CONFIGURE SSL_GROUPS TO USE SSLVPN TUNNEL MODE

14. ADD DEFAULT ROUTE FOR ALL THE SUBNETS.
a.POINT DEFAULT ROUTE FOR SUBNET_A TO INTERNET GATEWAY (IGW)

b.POINT DEFAULT ROUTE FOR SUBNET_B AND SUBNET_C TO FORTIGATE ENI.

15. CREATE FIREWALL POLICY

a. Create a firewall policy that allows local LAN_1 access to internet .

b. Create a firewall policy that allows local LAN_2 access to internet

c. create a firewall policy that allows internet (inbound traffic) access to LAN_1

d. create a firewall policy that allows internet (inbound traffic) access to LAN_2

16. CONNECT TO AWS SERVICES ON A PRIVATE CLOUD USING SSLVPN WITH FORTICLIENT.

17. LAUNCH AMAZON INSTANCE INSIDE LAN_2 SUBNET

18. TEST CONNECTIVITY FROM USER PC ON INTERNET TO AMAZON INSTANCE LAUNCH INSIDE LAN_2 SUBNET

19. CONNECT TO AMAZON INSTANCE LAUNCH INSIDE LAN_2 SUBNET AND TEST INTERNET ACCESS

CONCLUSION
This guide outlines a straightforward process for deploying an SSL VPN using FortiGate in the cloud. I trust it will be beneficial as you embark on your deployment journey. Please be aware that utilizing the FortiGate AWS Marketplace will incur charges for both instance usage and software. However, opting for a lower instance type on AWS can help minimize instance costs. Additionally, you can use a trial unit of this product for 30 days without incurring software charges, though AWS infrastructure charges will still be applicable.

NAT GATEWAY IMPLEMENTATION ON AWS CLOUD

ojo temitope seun — Sat, 17 Jun 2023 16:13:03 +0000

NAT GATEWAY
A NAT gateway is a Network Address Translation (NAT) service in AWS that allows instances in a private subnet to access the internet but prevents inbound traffic from accessing the internal instance.

ADVANTAGES OF NAT-GW

It enhances security for private networks by keeping internal addressing private from the external network.
A NAT gateway supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps.
It is AWS managed service that has higher bandwidth, better availability, and no admin work required.

Conditions for NAT-GW Implementation

a. NAT is created in a specific availability zone using an elastic IP address (EIP). Note that NAT GW does not support inter-AZ. That is , you cannot create instances in different AZs communicating with each other via NAT GW.

b. For a NAT GW to be created, there must be an existing internet gateway attached to the public VPC where you want to create your NAT GW.

c. NAT GW only works within the VPC; separate subnets should be created for private and public subnets within the same VPC.

d. A NAT GW is created inside the public subnet, but the default route is added on the private network using the NAT GW to access the internet.

STEPS TO SET UP NAT GW
a. Create the NAT GW in the public subnet.

b. Add a default route pointing to the NAT-GW on the private subnet.

c. SSH into the public EC2 instance and import key pairs for the private EC2 instance created.

d. Give permission to the private EC2 keypair.

e. SSH from the public instance to the private instance.

f. login Successfully to the private instance and ping any websites on internet

Thanks for your time

ANALYZING VPC FLOW LOGS USING ANTHENA

ojo temitope seun — Sat, 13 May 2023 11:40:12 +0000

Flow Logs is a unique feature that enables you to capture traffic inbound and outbound from your AWS network interfaces. There are three types of flow logs:
a. VPC flow logs
b. Subnet Flow Logs
c. Elastic Network Interface Flow logs.

Our focus will be on VPC flow logs. As the name implies, we will capture traffic entering and leaving VPC interfaces. VPC flow logs can be stored in either Cloudwatch logs or Amazon S3.

The logs that will be captured for this scenario will be stored in Amazon S3 and queryable on the Anthena platform for simplified output.

Kindly follow the steps below:

STEP 1

Create the VPC flow logs on the existing VPC

STEP 2
Give the flowlog a name and specify the destination where the logs will be stored. In our case, we are storing the logs captured inside the S3 bucket. For this reason,specify the S3 bucket ARN where you want to store your log.

STEP 3
Log files have been stored in an S3 bucket.

STEP 4
Create a work group on Anthena.
https://docs.aws.amazon.com/athena/latest/ug/vpc-flow-logs.html


![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/72kcbk1u93zdpt6rjv1x.png)

STEP 5.

Create a table in the default database.

CREATE EXTERNAL TABLE IF NOT EXISTS vpc_flow_logs (
version int,
account_id string,
interface_id string,
srcaddr string,
dstaddr string,
srcport int,
dstport int,
protocol bigint,
packets bigint,
bytes bigint,
start bigint,
end bigint,
action string,
log_status string,
vpc_id string,
subnet_id string,
instance_id string,
tcp_flags int,
type string,
pkt_srcaddr string,
pkt_dstaddr string,
region string,
az_id string,
sublocation_type string,
sublocation_id string,
pkt_src_aws_service string,
pkt_dst_aws_service string,
flow_direction string,
traffic_path int
)
PARTITIONED BY (date date)
ROW FORMAT DELIMITED
FIELDS TERMINATED BY ' '
LOCATION 's3://s3flowlog1/AWSLogs/003985890001/vpcflowlogs/us-east-1/'
TBLPROPERTIES ("skip.header.line.count"="1");

STEP 6.

Alter the table and add a partition.

ALTER TABLE vpc_flow_logs
ADD PARTITION (date='2023-05-11')
LOCATION 's3://s3flowlog1/AWSLogs/003985890001/vpcflowlogs/us-east-1/2023/05/131';

STEP 7

Query the database and analyze your output.

a.
SELECT * FROM vpc_flow_logs .
b.
SELECT
interface_id,
srcaddr,
action,
protocol
FROM vpc_flow_logs
WHERE action = 'REJECT' AND protocol = 6
LIMIT 10
c.
SELECT
interface_id,
srcaddr,
action,
protocol
FROM vpc_flow_logs
WHERE action = 'REJECT' AND protocol = 6

Enabling IPV6 on an Amazon EC2 instance

ojo temitope seun — Sun, 07 May 2023 17:08:33 +0000

By default, AWS EC2 instances are not connected to IPV6. Due to IPV6's benefits, we will want our EC2 instance to have it in a number of situations, including the following:

No more NAT (Network Address Translation)
Auto-configuration
No more private address collisions
Better multicast routing
Simpler header format
Simplified, more efficient routing
True quality of service (QoS), also called "flow labeling"
Built-in authentication and privacy support
Flexible options and extensions
Easier administration (no more DHCP)

I'll walk you through setting up your EC2 instance with an IPV6 address in no time today.

TOPOLOGY

STEP1 .

GO TO YOUR VPC AND EDIT CIDR

STEP2.

Edit CIDR , there is no associated IPV6 by default

STEP 3
Add new IPV6 CIDR

STEP 4
IPv6 will now associate itself with the VPC , the same way ipv4 was associated by default

STEP 5
Go to the subnet and enable IPV6 on us-east-1a subnet

STEP 6
Add subnet CIDR block

STEP 7
Edit ROUTE TABLES and point default ipv6 routes to INTERNET GATEWAY

STEP 8
Go ahead and launch your EC2 instance using the VPC edited

STEP 9
EC2 has been launched successfully with associated IPV6

STEP 10
Check your ipv6 configuration and ping to IPV6 google public DNS (2001:4860:4860::8888)