π IntroducciΓ³n
En este proyecto aprenderΓ‘s a construir una arquitectura robusta y segura en AWS utilizando mΓΊltiples zonas de disponibilidad (Multi-AZ). Este diseΓ±o garantiza alta disponibilidad, seguridad y escalabilidad para aplicaciones empresariales.
π― Objetivos del Proyecto
- Crear una VPC personalizada con subredes pΓΊblicas y privadas
- Implementar capas de seguridad robustas
- Configurar alta disponibilidad con failover automΓ‘tico
- Aplicar cifrado con AWS KMS
- Establecer mejores prΓ‘cticas de seguridad
ποΈ Arquitectura Final
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β AWS Region β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β βββββββββββββββββββ βββββββββββββββββββ β
β β AZ-1a β β AZ-1b β β
β β β β β β
β β βββββββββββββββ β β βββββββββββββββ β β
β β βPublic Subnetβ β β βPublic Subnetβ β β
β β β ALB β β β β ALB β β β
β β βββββββββββββββ β β βββββββββββββββ β β
β β β β β β
β β βββββββββββββββ β β βββββββββββββββ β β
β β βPrivate β β β βPrivate β β β
β β βSubnet β β β βSubnet β β β
β β β EC2 β β β β EC2 β β β
β β β RDS β β β β RDS β β β
β β βββββββββββββββ β β βββββββββββββββ β β
β βββββββββββββββββββ βββββββββββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
π οΈ Herramientas Necesarias
- Cuenta AWS activa
- AWS CLI instalado
- Editor de texto o IDE
- Conocimientos bΓ‘sicos de networking
π FASE 1: PlanificaciΓ³n y DiseΓ±o
1.1 Definir Requisitos
- Disponibilidad: 99.9% uptime
- Seguridad: Cifrado en trΓ‘nsito y reposo
- Escalabilidad: Auto scaling
- Costo: Optimizado para desarrollo/producciΓ³n
1.2 DiseΓ±o de Red
VPC CIDR: 10.0.0.0/16
βββ AZ-1a (us-east-1a)
β βββ Public Subnet: 10.0.1.0/24
β βββ Private Subnet: 10.0.3.0/24
βββ AZ-1b (us-east-1b)
βββ Public Subnet: 10.0.2.0/24
βββ Private Subnet: 10.0.4.0/24
π FASE 2: CreaciΓ³n de la VPC
2.1 Crear VPC Principal
aws ec2 create-vpc \
--cidr-block 10.0.0.0/16 \
--tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=SecureVPC}]'
En la Consola AWS:
- Ve a VPC Dashboard
- Click Create VPC
- Selecciona VPC only
- IPv4 CIDR:
10.0.0.0/16 - Name:
SecureVPC
2.2 Configurar DNS
aws ec2 modify-vpc-attribute --vpc-id vpc-xxxxxxxxx --enable-dns-hostnames
aws ec2 modify-vpc-attribute --vpc-id vpc-xxxxxxxxx --enable-dns-support
2.3 Crear Internet Gateway
aws ec2 create-internet-gateway \
--tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=SecureIGW}]'
2.4 Asociar IGW a VPC
aws ec2 attach-internet-gateway \
--internet-gateway-id igw-xxxxxxxxx \
--vpc-id vpc-xxxxxxxxx
π FASE 3: CreaciΓ³n de Subredes
3.1 Subredes PΓΊblicas
AZ-1a - Subred PΓΊblica:
aws ec2 create-subnet \
--vpc-id vpc-xxxxxxxxx \
--cidr-block 10.0.1.0/24 \
--availability-zone us-east-1a \
--tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Public-Subnet-1a}]'
AZ-1b - Subred PΓΊblica:
aws ec2 create-subnet \
--vpc-id vpc-xxxxxxxxx \
--cidr-block 10.0.2.0/24 \
--availability-zone us-east-1b \
--tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Public-Subnet-1b}]'
3.2 Subredes Privadas
AZ-1a - Subred Privada:
aws ec2 create-subnet \
--vpc-id vpc-xxxxxxxxx \
--cidr-block 10.0.3.0/24 \
--availability-zone us-east-1a \
--tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Private-Subnet-1a}]'
AZ-1b - Subred Privada:
aws ec2 create-subnet \
--vpc-id vpc-xxxxxxxxx \
--cidr-block 10.0.4.0/24 \
--availability-zone us-east-1b \
--tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Private-Subnet-1b}]'
3.3 Habilitar IPs PΓΊblicas AutomΓ‘ticas
aws ec2 modify-subnet-attribute \
--subnet-id subnet-xxxxxxxxx \
--map-public-ip-on-launch
π FASE 4: NAT Gateway y Routing
4.1 Crear Elastic IPs
aws ec2 allocate-address --domain vpc --tag-specifications 'ResourceType=elastic-ip,Tags=[{Key=Name,Value=NAT-EIP-1a}]'
aws ec2 allocate-address --domain vpc --tag-specifications 'ResourceType=elastic-ip,Tags=[{Key=Name,Value=NAT-EIP-1b}]'
4.2 Crear NAT Gateways
# NAT Gateway en AZ-1a
aws ec2 create-nat-gateway \
--subnet-id subnet-xxxxxxxxx \
--allocation-id eipalloc-xxxxxxxxx \
--tag-specifications 'ResourceType=nat-gateway,Tags=[{Key=Name,Value=NAT-1a}]'
# NAT Gateway en AZ-1b
aws ec2 create-nat-gateway \
--subnet-id subnet-xxxxxxxxx \
--allocation-id eipalloc-xxxxxxxxx \
--tag-specifications 'ResourceType=nat-gateway,Tags=[{Key=Name,Value=NAT-1b}]'
4.3 Crear Route Tables
Route Table PΓΊblica:
aws ec2 create-route-table \
--vpc-id vpc-xxxxxxxxx \
--tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=Public-RT}]'
Route Tables Privadas:
# Para AZ-1a
aws ec2 create-route-table \
--vpc-id vpc-xxxxxxxxx \
--tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=Private-RT-1a}]'
# Para AZ-1b
aws ec2 create-route-table \
--vpc-id vpc-xxxxxxxxx \
--tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=Private-RT-1b}]'
4.4 Configurar Rutas
# Ruta pΓΊblica hacia Internet
aws ec2 create-route \
--route-table-id rtb-xxxxxxxxx \
--destination-cidr-block 0.0.0.0/0 \
--gateway-id igw-xxxxxxxxx
# Rutas privadas hacia NAT
aws ec2 create-route \
--route-table-id rtb-xxxxxxxxx \
--destination-cidr-block 0.0.0.0/0 \
--nat-gateway-id nat-xxxxxxxxx
π FASE 5: ConfiguraciΓ³n de Seguridad
5.1 Security Groups
ALB Security Group:
aws ec2 create-security-group \
--group-name ALB-SG \
--description "Security group for Application Load Balancer" \
--vpc-id vpc-xxxxxxxxx
Reglas para ALB:
# HTTP
aws ec2 authorize-security-group-ingress \
--group-id sg-xxxxxxxxx \
--protocol tcp \
--port 80 \
--cidr 0.0.0.0/0
# HTTPS
aws ec2 authorize-security-group-ingress \
--group-id sg-xxxxxxxxx \
--protocol tcp \
--port 443 \
--cidr 0.0.0.0/0
Web Server Security Group:
aws ec2 create-security-group \
--group-name WebServer-SG \
--description "Security group for web servers" \
--vpc-id vpc-xxxxxxxxx
Reglas para Web Server:
# HTTP desde ALB
aws ec2 authorize-security-group-ingress \
--group-id sg-xxxxxxxxx \
--protocol tcp \
--port 80 \
--source-group sg-xxxxxxxxx
# SSH desde Bastion
aws ec2 authorize-security-group-ingress \
--group-id sg-xxxxxxxxx \
--protocol tcp \
--port 22 \
--source-group sg-xxxxxxxxx
Database Security Group:
aws ec2 create-security-group \
--group-name Database-SG \
--description "Security group for RDS database" \
--vpc-id vpc-xxxxxxxxx
5.2 Network ACLs
Crear NACL Personalizada:
aws ec2 create-network-acl \
--vpc-id vpc-xxxxxxxxx \
--tag-specifications 'ResourceType=network-acl,Tags=[{Key=Name,Value=Custom-NACL}]'
Reglas NACL:
# Inbound HTTP
aws ec2 create-network-acl-entry \
--network-acl-id acl-xxxxxxxxx \
--rule-number 100 \
--protocol tcp \
--port-range From=80,To=80 \
--cidr-block 0.0.0.0/0
# Outbound All
aws ec2 create-network-acl-entry \
--network-acl-id acl-xxxxxxxxx \
--rule-number 100 \
--protocol -1 \
--cidr-block 0.0.0.0/0 \
--egress
ποΈ FASE 6: Base de Datos Multi-AZ
6.1 Crear DB Subnet Group
aws rds create-db-subnet-group \
--db-subnet-group-name secure-db-subnet-group \
--db-subnet-group-description "Subnet group for secure database" \
--subnet-ids subnet-xxxxxxxxx subnet-xxxxxxxxx
6.2 Crear RDS Instance
aws rds create-db-instance \
--db-instance-identifier secure-database \
--db-instance-class db.t3.micro \
--engine mysql \
--master-username admin \
--master-user-password YourSecurePassword123! \
--allocated-storage 20 \
--vpc-security-group-ids sg-xxxxxxxxx \
--db-subnet-group-name secure-db-subnet-group \
--multi-az \
--storage-encrypted \
--kms-key-id alias/aws/rds
π FASE 7: Cifrado con KMS
7.1 Crear KMS Key
aws kms create-key \
--description "Key for secure multi-AZ architecture" \
--key-usage ENCRYPT_DECRYPT \
--key-spec SYMMETRIC_DEFAULT
7.2 Crear Alias
aws kms create-alias \
--alias-name alias/secure-multiaz-key \
--target-key-id key-xxxxxxxxx
7.3 PolΓtica de KMS
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-ID:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
}
βοΈ FASE 8: Application Load Balancer
8.1 Crear ALB
aws elbv2 create-load-balancer \
--name secure-alb \
--subnets subnet-xxxxxxxxx subnet-xxxxxxxxx \
--security-groups sg-xxxxxxxxx \
--scheme internet-facing \
--type application
8.2 Crear Target Group
aws elbv2 create-target-group \
--name web-servers-tg \
--protocol HTTP \
--port 80 \
--vpc-id vpc-xxxxxxxxx \
--health-check-path /health
8.3 Crear Listener
aws elbv2 create-listener \
--load-balancer-arn arn:aws:elasticloadbalancing:... \
--protocol HTTP \
--port 80 \
--default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:...
π₯οΈ FASE 9: Instancias EC2
9.1 Crear Launch Template
aws ec2 create-launch-template \
--launch-template-name secure-web-template \
--launch-template-data '{
"ImageId": "ami-0abcdef1234567890",
"InstanceType": "t3.micro",
"SecurityGroupIds": ["sg-xxxxxxxxx"],
"KeyName": "your-key-pair",
"UserData": "base64-encoded-user-data"
}'
9.2 Auto Scaling Group
aws autoscaling create-auto-scaling-group \
--auto-scaling-group-name secure-asg \
--launch-template LaunchTemplateName=secure-web-template,Version=1 \
--min-size 2 \
--max-size 4 \
--desired-capacity 2 \
--target-group-arns arn:aws:elasticloadbalancing:... \
--vpc-zone-identifier "subnet-xxxxxxxxx,subnet-xxxxxxxxx"
π FASE 10: Monitoreo y Alertas
10.1 CloudWatch Alarms
aws cloudwatch put-metric-alarm \
--alarm-name "High-CPU-Usage" \
--alarm-description "Alarm when CPU exceeds 70%" \
--metric-name CPUUtilization \
--namespace AWS/EC2 \
--statistic Average \
--period 300 \
--threshold 70 \
--comparison-operator GreaterThanThreshold \
--evaluation-periods 2
10.2 SNS Topic
aws sns create-topic --name secure-architecture-alerts
π§ͺ FASE 11: Testing y ValidaciΓ³n
11.1 Test de Conectividad
# Test desde instancia pΓΊblica
ping google.com
# Test desde instancia privada
curl -I http://httpbin.org/ip
11.2 Test de Failover
- Simular falla en AZ-1a
- Verificar que el trΓ‘fico se redirige a AZ-1b
- Confirmar que RDS failover funciona
11.3 Test de Seguridad
# Nmap scan
nmap -sS -O target-ip
# SSL/TLS test
testssl.sh https://your-domain.com
π FASE 12: OptimizaciΓ³n y Mejores PrΓ‘cticas
12.1 OptimizaciΓ³n de Costos
- Usar Reserved Instances para cargas estables
- Implementar lifecycle policies para EBS
- Configurar CloudWatch Logs retention
12.2 Security Hardening
- Implementar AWS Config rules
- Configurar AWS GuardDuty
- Habilitar CloudTrail
12.3 Backup y Recovery
# Crear backup de RDS
aws rds create-db-snapshot \
--db-instance-identifier secure-database \
--db-snapshot-identifier secure-db-backup-$(date +%Y%m%d)
π Troubleshooting ComΓΊn
Problema: Instancias no pueden acceder a Internet
SoluciΓ³n:
- Verificar que NAT Gateway estΓ© en subred pΓΊblica
- Confirmar rutas en route table privada
- Verificar Security Groups
Problema: ALB no puede comunicarse con instancias
SoluciΓ³n:
- Verificar Security Groups
- Confirmar health checks
- Verificar target group registration
Problema: RDS no accesible
SoluciΓ³n:
- Verificar Security Groups de base de datos
- Confirmar subnet group
- Verificar endpoint DNS
π MΓ©tricas de Γxito
KPIs TΓ©cnicos
- Availability: > 99.9%
- Response Time: < 200ms
- Error Rate: < 0.1%
- Recovery Time: < 5 minutos
MΓ©tricas de Seguridad
- SSL Score: A+ en SSL Labs
- Security Groups: Principio de menor privilegio
- Encryption: 100% en trΓ‘nsito y reposo
π― PrΓ³ximos Pasos
- Implementar CI/CD Pipeline
- Configurar Container Orchestration
- Agregar WAF (Web Application Firewall)
- Implementar Blue/Green Deployment
- Configurar Multi-Region Disaster Recovery
π Recursos Adicionales
π‘ Consejos Finales
- Documenta todo: MantΓ©n un inventario de recursos
- Automatiza: Usa Infrastructure as Code (CloudFormation/Terraform)
- Monitorea continuamente: Implementa observabilidad completa
- Practica DR: Realiza simulacros de disaster recovery
- Mantente actualizado: AWS evoluciona constantemente
Β‘Felicidades! Has completado una arquitectura segura Multi-AZ completa. Esta base sΓ³lida te permitirΓ‘ escalar y agregar nuevas funcionalidades de manera segura y eficiente.
ΒΏTe gustΓ³ este tutorial? Β‘Comparte tu experiencia en los comentarios!
Top comments (0)