Francisco Escobar
🚀 Cloud Project 2: Secure Multi-AZ Architecture on AWS

📋 Introduction

In this project you will build a robust, secure architecture on AWS that spans multiple Availability Zones (Multi-AZ). The design provides high availability, security and scalability for enterprise applications.

🎯 Project Objectives

  • Create a custom VPC with public and private subnets
  • Implement robust security layers
  • Configure high availability with automatic failover
  • Apply encryption with AWS KMS
  • Establish security best practices

🏗️ Final Architecture

┌─────────────────────────────────────────────────────────────┐
│                      AWS Region                             │
├─────────────────────────────────────────────────────────────┤
│  ┌─────────────────┐           ┌─────────────────┐          │
│  │   AZ-1a         │           │   AZ-1b         │          │
│  │                 │           │                 │          │
│  │ ┌─────────────┐ │           │ ┌─────────────┐ │          │
│  │ │Public Subnet│ │           │ │Public Subnet│ │          │
│  │ │   ALB       │ │           │ │   ALB       │ │          │
│  │ └─────────────┘ │           │ └─────────────┘ │          │
│  │                 │           │                 │          │
│  │ ┌─────────────┐ │           │ ┌─────────────┐ │          │
│  │ │Private      │ │           │ │Private      │ │          │
│  │ │Subnet       │ │           │ │Subnet       │ │          │
│  │ │  EC2        │ │           │ │  EC2        │ │          │
│  │ │  RDS        │ │           │ │  RDS        │ │          │
│  │ └─────────────┘ │           │ └─────────────┘ │          │
│  └─────────────────┘           └─────────────────┘          │
└─────────────────────────────────────────────────────────────┘

🛠️ Required Tools

  • An active AWS account
  • AWS CLI installed
  • A text editor or IDE
  • Basic networking knowledge

📝 PHASE 1: Planning and Design

1.1 Define Requirements

  • Availability: 99.9% uptime
  • Security: encryption in transit and at rest
  • Scalability: auto scaling
  • Cost: optimized for development/production

1.2 Network Design

VPC CIDR: 10.0.0.0/16
├── AZ-1a (us-east-1a)
│   ├── Public Subnet: 10.0.1.0/24
│   └── Private Subnet: 10.0.3.0/24
└── AZ-1b (us-east-1b)
    ├── Public Subnet: 10.0.2.0/24
    └── Private Subnet: 10.0.4.0/24
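Before creating anything it is worth checking the plan itself. The following Python script is an added example, not part of the original post: it models the VPC and the four subnets above with the standard ipaddress module and checks that every subnet lies inside the VPC CIDR, that none of them overlap, that each tier exists in at least two AZs, and how many addresses remain usable once AWS reserves five per subnet. It runs offline and makes no AWS calls.

```python
import ipaddress

# Constructed from the post's design: VPC 10.0.0.0/16 with four /24 subnets.
VPC_CIDR = "10.0.0.0/16"
SUBNET_PLAN = {
    "Public-Subnet-1a":  ("us-east-1a", "10.0.1.0/24"),
    "Public-Subnet-1b":  ("us-east-1b", "10.0.2.0/24"),
    "Private-Subnet-1a": ("us-east-1a", "10.0.3.0/24"),
    "Private-Subnet-1b": ("us-east-1b", "10.0.4.0/24"),
}

# AWS reserves the first four addresses (network, VPC router, DNS, future use)
# and the last one (broadcast) of every subnet, so a /24 yields 251 hosts.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr):
    """Addresses an EC2/RDS resource can actually take in this subnet."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def validate_plan(vpc_cidr, plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    nets = {}
    for name, (az, cidr) in plan.items():
        net = ipaddress.ip_network(cidr)
        # VPC subnets must be between /16 and /28.
        if net.prefixlen < 16 or net.prefixlen > 28:
            problems.append(f"{name}: subnets must be /16 to /28, got /{net.prefixlen}")
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is outside VPC {vpc_cidr}")
        for other, onet in nets.items():
            if net.overlaps(onet):
                problems.append(f"{name}: {cidr} overlaps {other} ({onet})")
        nets[name] = net
    # Multi-AZ only helps if each tier is present in at least two AZs.
    for tier in ("Public", "Private"):
        azs = {az for name, (az, _) in plan.items() if name.startswith(tier)}
        if len(azs) < 2:
            problems.append(f"{tier} tier is present in only {len(azs)} AZ(s)")
    return problems


if __name__ == "__main__":
    for name, (az, cidr) in SUBNET_PLAN.items():
        print(f"{name:18} {az} {cidr} usable hosts: {usable_hosts(cidr)}")
    print("problems:", validate_plan(VPC_CIDR, SUBNET_PLAN) or "none")
```

The same check catches the two mistakes that are hardest to undo later, an overlapping CIDR (subnet creation simply fails) and a tier that only exists in one AZ (the architecture silently stops being Multi-AZ).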

🌐 PHASE 2: Creating the VPC

2.1 Create the Main VPC

aws ec2 create-vpc \
  --cidr-block 10.0.0.0/16 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=SecureVPC}]'

In the AWS Console:

  1. Go to the VPC Dashboard
  2. Click Create VPC
  3. Select VPC only
  4. IPv4 CIDR: 10.0.0.0/16
  5. Name: SecureVPC

2.2 Configure DNS

# The attribute takes a boolean structure, and the API accepts one attribute per call:
# enable DNS support first, because DNS hostnames depend on it
aws ec2 modify-vpc-attribute --vpc-id vpc-xxxxxxxxx --enable-dns-support '{"Value":true}'
aws ec2 modify-vpc-attribute --vpc-id vpc-xxxxxxxxx --enable-dns-hostnames '{"Value":true}'

2.3 Create the Internet Gateway

aws ec2 create-internet-gateway \
  --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=SecureIGW}]'

2.4 Attach the IGW to the VPC

aws ec2 attach-internet-gateway \
  --internet-gateway-id igw-xxxxxxxxx \
  --vpc-id vpc-xxxxxxxxx

🏠 PHASE 3: Creating the Subnets

3.1 Public Subnets

AZ-1a - Public Subnet:

aws ec2 create-subnet \
  --vpc-id vpc-xxxxxxxxx \
  --cidr-block 10.0.1.0/24 \
  --availability-zone us-east-1a \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Public-Subnet-1a}]'

AZ-1b - Public Subnet:

aws ec2 create-subnet \
  --vpc-id vpc-xxxxxxxxx \
  --cidr-block 10.0.2.0/24 \
  --availability-zone us-east-1b \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Public-Subnet-1b}]'

3.2 Private Subnets

AZ-1a - Private Subnet:

aws ec2 create-subnet \
  --vpc-id vpc-xxxxxxxxx \
  --cidr-block 10.0.3.0/24 \
  --availability-zone us-east-1a \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Private-Subnet-1a}]'

AZ-1b - Private Subnet:

aws ec2 create-subnet \
  --vpc-id vpc-xxxxxxxxx \
  --cidr-block 10.0.4.0/24 \
  --availability-zone us-east-1b \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Private-Subnet-1b}]'

3.3 Enable Automatic Public IPs

# Run this only for the two public subnets (Public-Subnet-1a and Public-Subnet-1b);
# instances in the private subnets must never receive public addresses
aws ec2 modify-subnet-attribute \
  --subnet-id subnet-xxxxxxxxx \
  --map-public-ip-on-launch

🌉 PHASE 4: NAT Gateway and Routing

4.1 Create Elastic IPs

# One Elastic IP per NAT gateway: a NAT in each AZ keeps egress working if the other AZ fails
aws ec2 allocate-address --domain vpc --tag-specifications 'ResourceType=elastic-ip,Tags=[{Key=Name,Value=NAT-EIP-1a}]'
aws ec2 allocate-address --domain vpc --tag-specifications 'ResourceType=elastic-ip,Tags=[{Key=Name,Value=NAT-EIP-1b}]'

4.2 Create NAT Gateways

# NAT Gateway in AZ-1a: the subnet must be the public subnet of that AZ (Public-Subnet-1a), allocation NAT-EIP-1a
aws ec2 create-nat-gateway \
  --subnet-id subnet-xxxxxxxxx \
  --allocation-id eipalloc-xxxxxxxxx \
  --tag-specifications 'ResourceType=nat-gateway,Tags=[{Key=Name,Value=NAT-1a}]'

# NAT Gateway in AZ-1b (Public-Subnet-1b, NAT-EIP-1b)
aws ec2 create-nat-gateway \
  --subnet-id subnet-xxxxxxxxx \
  --allocation-id eipalloc-xxxxxxxxx \
  --tag-specifications 'ResourceType=nat-gateway,Tags=[{Key=Name,Value=NAT-1b}]'

4.3 Create Route Tables

Public Route Table:

aws ec2 create-route-table \
  --vpc-id vpc-xxxxxxxxx \
  --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=Public-RT}]'

Private Route Tables:

# For AZ-1a
aws ec2 create-route-table \
  --vpc-id vpc-xxxxxxxxx \
  --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=Private-RT-1a}]'

# For AZ-1b
aws ec2 create-route-table \
  --vpc-id vpc-xxxxxxxxx \
  --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=Private-RT-1b}]'

4.4 Configure Routes

# Public route to the Internet (Public-RT -> Internet Gateway)
aws ec2 create-route \
  --route-table-id rtb-xxxxxxxxx \
  --destination-cidr-block 0.0.0.0/0 \
  --gateway-id igw-xxxxxxxxx

# Private routes to the NAT: run once per private route table
# (Private-RT-1a -> NAT-1a, Private-RT-1b -> NAT-1b) so each AZ keeps its own egress path
aws ec2 create-route \
  --route-table-id rtb-xxxxxxxxx \
  --destination-cidr-block 0.0.0.0/0 \
  --nat-gateway-id nat-xxxxxxxxx

A route table only takes effect once it is associated with its subnets (aws ec2 associate-route-table --route-table-id ... --subnet-id ...): Public-RT with both public subnets, and each Private-RT with the private subnet of its own AZ. Until then the subnets keep using the VPC's main route table.

🔐 PHASE 5: Security Configuration

5.1 Security Groups

ALB Security Group:

aws ec2 create-security-group \
  --group-name ALB-SG \
  --description "Security group for Application Load Balancer" \
  --vpc-id vpc-xxxxxxxxx

Rules for the ALB:

# HTTP
aws ec2 authorize-security-group-ingress \
  --group-id sg-xxxxxxxxx \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0

# HTTPS
aws ec2 authorize-security-group-ingress \
  --group-id sg-xxxxxxxxx \
  --protocol tcp \
  --port 443 \
  --cidr 0.0.0.0/0

Web Server Security Group:

aws ec2 create-security-group \
  --group-name WebServer-SG \
  --description "Security group for web servers" \
  --vpc-id vpc-xxxxxxxxx

Rules for the Web Server:

# HTTP from the ALB only (--source-group is ALB-SG, not a CIDR)
aws ec2 authorize-security-group-ingress \
  --group-id sg-xxxxxxxxx \
  --protocol tcp \
  --port 80 \
  --source-group sg-xxxxxxxxx

# SSH from the bastion host only (--source-group is the bastion's security group)
aws ec2 authorize-security-group-ingress \
  --group-id sg-xxxxxxxxx \
  --protocol tcp \
  --port 22 \
  --source-group sg-xxxxxxxxx

Database Security Group:

aws ec2 create-security-group \
  --group-name Database-SG \
  --description "Security group for RDS database" \
  --vpc-id vpc-xxxxxxxxx
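To check that the three groups really implement the intent "only the ALB talks to the Internet, every other tier admits traffic only from a named group", here is an added Python model of the rules (example code, not from the post). It audits the groups for Internet-open rules outside the edge tier, for rules that reference a group that does not exist, and for groups with no rules at all, and it walks the source-group chain to list the only paths through which Internet traffic can reach the database. The MySQL rule on Database-SG (port 3306 from WebServer-SG) and the constructed group ids are assumptions: the post creates Database-SG without adding a rule to it, and it never creates the bastion.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    protocol: str    # "tcp", "udp" or "-1" (all protocols)
    from_port: int
    to_port: int
    source: str      # a CIDR block or a security-group id


@dataclass
class SecurityGroup:
    group_id: str
    name: str
    ingress: list = field(default_factory=list)


# Constructed ids standing in for the post's sg-xxxxxxxxx placeholders.
ALB_SG, WEB_SG, BASTION_SG, DB_SG = "sg-0a1", "sg-0b2", "sg-0c3", "sg-0d4"
INTERNET = {"0.0.0.0/0", "::/0"}
EDGE_PORTS = {80, 443}


def post_security_groups():
    """The groups of phase 5.1 as modelled here. The 3306 rule is an assumption."""
    return [
        SecurityGroup(ALB_SG, "ALB-SG", [Rule("tcp", 80, 80, "0.0.0.0/0"),
                                         Rule("tcp", 443, 443, "0.0.0.0/0")]),
        SecurityGroup(WEB_SG, "WebServer-SG", [Rule("tcp", 80, 80, ALB_SG),
                                               Rule("tcp", 22, 22, BASTION_SG)]),
        SecurityGroup(DB_SG, "Database-SG", [Rule("tcp", 3306, 3306, WEB_SG)]),
    ]


def audit(groups, edge_group_ids):
    """Flag deviations from the design: only the edge tier (the ALB) is open to the
    Internet, and only on 80/443; every other rule must name a known group as source."""
    known = {sg.group_id for sg in groups}
    findings = []
    for sg in groups:
        if not sg.ingress:
            findings.append((sg.name, "no ingress rules: nothing can reach this tier"))
        for r in sg.ingress:
            span = f"{r.protocol} {r.from_port}-{r.to_port}"
            if r.source in INTERNET:
                if sg.group_id not in edge_group_ids:
                    findings.append((sg.name, f"internet-open rule {span} outside the edge tier"))
                elif r.protocol == "-1" or r.from_port != r.to_port or r.from_port not in EDGE_PORTS:
                    findings.append((sg.name, f"edge tier should expose only 80/443, found {span}"))
            elif r.source.startswith("sg-") and r.source not in known:
                findings.append((sg.name, f"rule {span} references unknown group {r.source}"))
    return findings


def exposure_paths(groups, target_id):
    """List the chains of group references through which Internet traffic reaches target_id."""
    by_id = {sg.group_id: sg for sg in groups}
    paths = []

    def walk(gid, path, seen):
        sg = by_id.get(gid)
        if sg is None or gid in seen:       # unknown group or a reference cycle
            return
        path = [sg.name] + path
        seen = seen | {gid}
        for r in sg.ingress:
            if r.source in INTERNET:
                chain = ["internet"] + path
                if chain not in paths:
                    paths.append(chain)
            elif r.source.startswith("sg-"):
                walk(r.source, path, seen)

    walk(target_id, [], frozenset())
    return paths


if __name__ == "__main__":
    groups = post_security_groups()
    for name, msg in audit(groups, {ALB_SG}):
        print(f"[{name}] {msg}")
    print("paths to the database:", exposure_paths(groups, DB_SG))
```

Run against the post's rules as written, the audit reports exactly one thing: WebServer-SG references a bastion group that is never created. The only path to the database is internet -> ALB-SG -> WebServer-SG -> Database-SG, which is the intended one; adding an SSH rule from 0.0.0.0/0 to WebServer-SG would both raise a finding and open a second path.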

5.2 Network ACLs

Create a Custom NACL:

aws ec2 create-network-acl \
  --vpc-id vpc-xxxxxxxxx \
  --tag-specifications 'ResourceType=network-acl,Tags=[{Key=Name,Value=Custom-NACL}]'

NACL Rules:

# Inbound HTTP (--rule-action and --ingress/--egress are required by the CLI)
aws ec2 create-network-acl-entry \
  --network-acl-id acl-xxxxxxxxx \
  --rule-number 100 \
  --protocol tcp \
  --port-range From=80,To=80 \
  --cidr-block 0.0.0.0/0 \
  --rule-action allow \
  --ingress

# Outbound all (rule 100 of the egress list)
aws ec2 create-network-acl-entry \
  --network-acl-id acl-xxxxxxxxx \
  --rule-number 100 \
  --protocol -1 \
  --cidr-block 0.0.0.0/0 \
  --rule-action allow \
  --egress

NACLs are stateless and a custom NACL starts by denying everything in both directions, so with these two rules only inbound HTTP requests get through: HTTPS to the ALB is blocked, and so are the replies to connections the instances open themselves (they come back on ephemeral ports 1024-65535). Add inbound rules for 443 and for that range, then associate the NACL with the subnets (aws ec2 replace-network-acl-association); until you do, the subnets keep the VPC's default NACL, which allows everything.
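Because NACLs are stateless and evaluate rules in ascending number order, a rule set that looks fine can still break traffic. The following Python evaluator is an added example, not from the post: it models the NACL created above, evaluates sample packets against it, shows that an instance's own outbound connections fail because the reply arriving on the ephemeral port is denied inbound, compares that with a hardened inbound set that adds HTTPS and the 1024-65535 range, and shows why a deny rule must carry a lower number than the allow it is meant to override. Rule numbers and sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclEntry:
    rule_number: int
    protocol: str          # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int         # port range; ignored when protocol is "-1"
    to_port: int
    cidr: str
    action: str = "allow"  # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    port: int              # destination port on the receiving side
    remote_ip: str         # peer address: source for inbound, destination for outbound


def evaluate(entries, pkt):
    """Evaluate one packet against one direction of a NACL: rules are tried in ascending
    rule number, the first match decides, and the implicit '*' rule denies the rest."""
    peer = ipaddress.ip_address(pkt.remote_ip)
    for e in sorted(entries, key=lambda e: e.rule_number):
        if e.protocol != "-1" and e.protocol != pkt.protocol:
            continue
        if e.protocol != "-1" and not (e.from_port <= pkt.port <= e.to_port):
            continue
        if peer not in ipaddress.ip_network(e.cidr):
            continue
        return e.action
    return "deny"


def outbound_connection_works(inbound, outbound, dst_port, remote_ip, ephemeral_port=49152):
    """Stateless means both halves must pass: the request outbound AND the reply inbound,
    the reply being addressed to the ephemeral port the instance chose."""
    request = evaluate(outbound, Packet("tcp", dst_port, remote_ip))
    reply = evaluate(inbound, Packet("tcp", ephemeral_port, remote_ip))
    return request == "allow" and reply == "allow"


# The NACL exactly as the post creates it: inbound HTTP only, outbound everything.
POST_INBOUND = [NaclEntry(100, "tcp", 80, 80, "0.0.0.0/0")]
POST_OUTBOUND = [NaclEntry(100, "-1", 0, 0, "0.0.0.0/0")]

# Hardened inbound set (an addition, not from the post): HTTPS plus the ephemeral
# range that Linux clients and the NAT gateway use for return traffic.
HARDENED_INBOUND = POST_INBOUND + [
    NaclEntry(110, "tcp", 443, 443, "0.0.0.0/0"),
    NaclEntry(120, "tcp", 1024, 65535, "0.0.0.0/0"),
]


if __name__ == "__main__":
    client, mirror = "203.0.113.10", "198.51.100.5"   # constructed sample peers
    print("client -> :80  ", evaluate(POST_INBOUND, Packet("tcp", 80, client)))
    print("client -> :443 ", evaluate(POST_INBOUND, Packet("tcp", 443, client)))
    print("instance can fetch updates (post NACL):    ",
          outbound_connection_works(POST_INBOUND, POST_OUTBOUND, 443, mirror))
    print("instance can fetch updates (hardened NACL):",
          outbound_connection_works(HARDENED_INBOUND, POST_OUTBOUND, 443, mirror))
```

A useful habit when writing a block rule for a known-bad range is to number it below the broad allow it is supposed to override; a deny numbered 200 behind an allow numbered 100 for the same port is never reached, which the evaluator demonstrates directly.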

🗄️ PHASE 6: Multi-AZ Database

6.1 Create the DB Subnet Group

# Use the two private subnets (Private-Subnet-1a and Private-Subnet-1b) so the database never sits in a public subnet
aws rds create-db-subnet-group \
  --db-subnet-group-name secure-db-subnet-group \
  --db-subnet-group-description "Subnet group for secure database" \
  --subnet-ids subnet-xxxxxxxxx subnet-xxxxxxxxx

6.2 Create the RDS Instance

# --vpc-security-group-ids is Database-SG; --no-publicly-accessible makes the private placement explicit
# A literal --master-user-password ends up in shell history: --manage-master-user-password
# (Secrets Manager) avoids that. alias/aws/rds is the AWS-managed key; to use the key from
# phase 7 instead, pass alias/secure-multiaz-key.
aws rds create-db-instance \
  --db-instance-identifier secure-database \
  --db-instance-class db.t3.micro \
  --engine mysql \
  --master-username admin \
  --master-user-password YourSecurePassword123! \
  --allocated-storage 20 \
  --vpc-security-group-ids sg-xxxxxxxxx \
  --db-subnet-group-name secure-db-subnet-group \
  --no-publicly-accessible \
  --multi-az \
  --storage-encrypted \
  --kms-key-id alias/aws/rds

🔑 PHASE 7: Encryption with KMS

7.1 Create the KMS Key

aws kms create-key \
  --description "Key for secure multi-AZ architecture" \
  --key-usage ENCRYPT_DECRYPT \
  --key-spec SYMMETRIC_DEFAULT

7.2 Create an Alias

# --target-key-id takes the KeyId (a UUID) returned by create-key, or the key's full ARN
aws kms create-alias \
  --alias-name alias/secure-multiaz-key \
  --target-key-id key-xxxxxxxxx

7.3 KMS Key Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-ID:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
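The policy above is the default one: it gives the account root full access and delegates everything else to IAM policies. The following Python script is an added example, not from the post. It builds a three-statement policy in the shape the KMS console generates, with a key-administrator statement that has no Encrypt/Decrypt, a key-user statement restricted by the kms:ViaService condition to calls made through RDS in one region, and a linter that flags anonymous principals without a condition, a Resource other than "*", cryptographic actions granted without any condition, and policies in which no statement could change the policy again (a key in that state becomes unmanageable). The account id, role ARNs and region are placeholders.

```python
import json

# The policy exactly as the post shows it (ACCOUNT-ID is the post's placeholder).
POST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::ACCOUNT-ID:root"},
         "Action": "kms:*", "Resource": "*"}
    ],
}

ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                 "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                 "kms:TagResource", "kms:UntagResource",
                 "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]
CRYPTO_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                  "kms:GenerateDataKey*", "kms:DescribeKey"]


def key_policy(account_id, admin_role_arn, user_role_arn, region):
    """Build a scoped key policy; every argument is a placeholder supplied by the caller."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # keeps the account able to manage the key and lets IAM policies apply
                "Sid": "EnableIAMUserPermissions", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*", "Resource": "*"},
            {   # who administers the key (no Encrypt/Decrypt in this list)
                "Sid": "AllowKeyAdministrators", "Effect": "Allow",
                "Principal": {"AWS": admin_role_arn},
                "Action": ADMIN_ACTIONS, "Resource": "*"},
            {   # who uses the key, and only through RDS in this region
                "Sid": "AllowUseOfTheKeyViaRDS", "Effect": "Allow",
                "Principal": {"AWS": user_role_arn},
                "Action": CRYPTO_ACTIONS, "Resource": "*",
                "Condition": {"StringEquals": {"kms:ViaService": f"rds.{region}.amazonaws.com"}}},
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def lint_key_policy(policy):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    can_change_policy = False
    for s in policy["Statement"]:
        sid = s.get("Sid", "<no Sid>")
        if s.get("Effect") != "Allow":
            continue
        actions = _as_list(s.get("Action", []))
        principal = s.get("Principal")
        if principal in ("*", {"AWS": "*"}) and "Condition" not in s:
            findings.append(f"{sid}: anonymous principal without a Condition makes the key usable from any account")
        if s.get("Resource") != "*":
            findings.append(f'{sid}: a key policy must use Resource "*" (it means this key)')
        if any(a in ("kms:*", "kms:Put*", "kms:PutKeyPolicy") for a in actions):
            can_change_policy = True
        if set(actions) & {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*"} \
                and "Condition" not in s:
            findings.append(f"{sid}: cryptographic actions granted without a Condition such as kms:ViaService")
    if not can_change_policy:
        findings.append("no Allow statement grants kms:PutKeyPolicy: the policy could never be changed "
                        "again and the key would become unmanageable")
    return findings


def to_json(policy):
    """Serialised form suitable for --policy file://key-policy.json."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    pol = key_policy("123456789012", "arn:aws:iam::123456789012:role/KeyAdmin",
                     "arn:aws:iam::123456789012:role/AppServer", "us-east-1")
    print(to_json(pol))
    print("findings:", lint_key_policy(pol) or "none")
```

Write the output to a file and apply it with aws kms put-key-policy --key-id <key id> --policy-name default --policy file://key-policy.json. put-key-policy replaces the whole policy, which is why the linter insists that a statement able to call PutKeyPolicy survives in it.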

⚖️ PHASE 8: Application Load Balancer

8.1 Create the ALB

# --subnets: the two public subnets (one per AZ); --security-groups: ALB-SG
aws elbv2 create-load-balancer \
  --name secure-alb \
  --subnets subnet-xxxxxxxxx subnet-xxxxxxxxx \
  --security-groups sg-xxxxxxxxx \
  --scheme internet-facing \
  --type application

8.2 Create the Target Group

aws elbv2 create-target-group \
  --name web-servers-tg \
  --protocol HTTP \
  --port 80 \
  --vpc-id vpc-xxxxxxxxx \
  --health-check-path /health

8.3 Create the Listener

aws elbv2 create-listener \
  --load-balancer-arn arn:aws:elasticloadbalancing:... \
  --protocol HTTP \
  --port 80 \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:...

This listener serves plain HTTP. To meet the "encryption in transit" requirement from phase 1, add a second listener on port 443 (protocol HTTPS with an ACM certificate) and change this one's default action to a redirect to HTTPS; the SSL Labs A+ target in the metrics below assumes that listener exists.

🖥️ PHASE 9: EC2 Instances

9.1 Create the Launch Template

# SecurityGroupIds is WebServer-SG. UserData must be the base64 encoding of your bootstrap
# script (for example: base64 -w0 user-data.sh). The instances live in the private subnets,
# so the key pair is only usable through the bastion; SSM Session Manager is an alternative.
aws ec2 create-launch-template \
  --launch-template-name secure-web-template \
  --launch-template-data '{
    "ImageId": "ami-0abcdef1234567890",
    "InstanceType": "t3.micro",
    "SecurityGroupIds": ["sg-xxxxxxxxx"],
    "KeyName": "your-key-pair",
    "UserData": "base64-encoded-user-data"
  }'

9.2 Auto Scaling Group

# --vpc-zone-identifier lists the two private subnets (one per AZ) so instances spread across AZs
aws autoscaling create-auto-scaling-group \
  --auto-scaling-group-name secure-asg \
  --launch-template LaunchTemplateName=secure-web-template,Version=1 \
  --min-size 2 \
  --max-size 4 \
  --desired-capacity 2 \
  --target-group-arns arn:aws:elasticloadbalancing:... \
  --vpc-zone-identifier "subnet-xxxxxxxxx,subnet-xxxxxxxxx"

📊 PHASE 10: Monitoring and Alerts

10.1 CloudWatch Alarms

# Without --dimensions the alarm watches no particular instance or group; scope it to the
# Auto Scaling group from phase 9. --alarm-actions sends the notification to the SNS topic
# created in 10.2 (ACCOUNT-ID is a placeholder).
aws cloudwatch put-metric-alarm \
  --alarm-name "High-CPU-Usage" \
  --alarm-description "Alarm when CPU exceeds 70%" \
  --metric-name CPUUtilization \
  --namespace AWS/EC2 \
  --dimensions Name=AutoScalingGroupName,Value=secure-asg \
  --statistic Average \
  --period 300 \
  --threshold 70 \
  --comparison-operator GreaterThanThreshold \
  --evaluation-periods 2 \
  --alarm-actions arn:aws:sns:us-east-1:ACCOUNT-ID:secure-architecture-alerts

10.2 SNS Topic

aws sns create-topic --name secure-architecture-alerts

Then subscribe an e-mail address or endpoint with aws sns subscribe; a topic with no subscribers delivers nothing.

🧪 PHASE 11: Testing and Validation

11.1 Connectivity Test

# From an instance in a public subnet (direct Internet access through the IGW)
ping google.com

# From an instance in a private subnet (egress through the NAT gateway; the
# "origin" field in the response should be the NAT gateway's Elastic IP)
curl -s http://httpbin.org/ip

11.2 Failover Test

  1. Simulate a failure in AZ-1a
  2. Verify that traffic is redirected to AZ-1b
  3. Confirm that the RDS failover works

11.3 Security Test

# Port scan of your own public endpoint from outside the VPC (only 80/443 should answer)
nmap -sS -O target-ip

# TLS configuration test (requires the HTTPS listener from phase 8)
testssl.sh https://your-domain.com

🚀 PHASE 12: Optimization and Best Practices

12.1 Cost Optimization

  • Use Reserved Instances for stable workloads
  • Implement lifecycle policies for EBS
  • Configure CloudWatch Logs retention

12.2 Security Hardening

  • Implement AWS Config rules
  • Configure AWS GuardDuty
  • Enable CloudTrail

12.3 Backup and Recovery

# Create a manual RDS snapshot with a dated identifier
aws rds create-db-snapshot \
  --db-instance-identifier secure-database \
  --db-snapshot-identifier secure-db-backup-$(date +%Y%m%d)

🔍 Common Troubleshooting

Problem: instances cannot reach the Internet

Solution:

  1. Verify that the NAT Gateway is in a public subnet
  2. Confirm the routes in the private route table (0.0.0.0/0 via the NAT gateway)
  3. Verify the Security Groups

Problem: the ALB cannot communicate with the instances

Solution:

  1. Verify the Security Groups (WebServer-SG must accept port 80 from ALB-SG)
  2. Confirm the health checks (the /health path configured in the target group)
  3. Verify the target group registration

Problem: RDS is not accessible

Solution:

  1. Verify the database Security Groups
  2. Confirm the subnet group
  3. Verify the endpoint DNS

📈 Success Metrics

Technical KPIs

  • Availability: > 99.9%
  • Response time: < 200 ms
  • Error rate: < 0.1%
  • Recovery time: < 5 minutes

Security Metrics

  • SSL score: A+ on SSL Labs
  • Security Groups: principle of least privilege
  • Encryption: 100% in transit and at rest

🎯 Next Steps

  1. Implement a CI/CD pipeline
  2. Configure container orchestration
  3. Add a WAF (Web Application Firewall)
  4. Implement blue/green deployment
  5. Configure multi-region disaster recovery

💡 Final Tips

  1. Document everything: keep an inventory of your resources
  2. Automate: use Infrastructure as Code (CloudFormation/Terraform)
  3. Monitor continuously: implement full observability
  4. Practice DR: run disaster recovery drills
  5. Stay up to date: AWS evolves constantly

Congratulations! You have completed a full secure Multi-AZ architecture. This solid foundation will let you scale and add new functionality securely and efficiently.

Did you like this tutorial? Share your experience in the comments!
