🏗 Architecture Overview
The project implements a classic three-tier architecture:
Presentation Layer (Frontend)
EC2 instances in private subnets
Behind an Internet-facing Application Load Balancer
Dockerized frontend container
Logic Layer (Backend)
EC2 instances in private subnets
Behind an Internal Load Balancer
Dockerized backend container
Data Layer (Database)
Amazon RDS (Multi-AZ enabled)
Private subnet deployment
Credentials stored securely in AWS Secrets Manager
Additional components:
Bastion Host for secure SSH access
NAT Gateway for outbound internet from private subnets
Auto Scaling Groups across multiple Availability Zones
Strict Security Groups & IAM Roles
🌐 High-Level Traffic Flow
Internet
↓
Internet Gateway
↓
External ALB (Port 80)
↓
Frontend EC2 (Docker container - Port 3000)
↓
Internal ALB
↓
Backend EC2 (Docker container - Port 8080)
↓
RDS (Multi-AZ)
This ensures:
High availability
Fault tolerance
Secure network segmentation
Scalability under load
🔐 Security Architecture
Security was a major focus in this implementation.
🔹 Private Subnets
Frontend, Backend, and RDS instances have no public IP addresses and no route from the Internet Gateway; the only Internet-facing component is the external ALB.
🔹 Bastion Host
Used as a jump server: operators SSH from their own IP to the bastion, then on to the private instances. Because the instance role also grants Session Manager (see IAM Roles below), shell access can alternatively go over SSM with no inbound SSH path at all.
🔹 NAT Gateway
Allows private instances to:
Pull Docker images
Install updates
Access AWS services
without accepting any inbound connections from the internet (a NAT Gateway only translates flows that the instances initiate).
🔹 Security Groups
External ALB SG accepts HTTP (port 80) from 0.0.0.0/0; this is plain HTTP, no TLS is terminated on this listener
Frontend SG accepts port 3000 only from the external ALB's security group
Backend SG accepts port 8080 only from the internal ALB's security group
Database SG accepts the DB port only from the backend security group
Every tier-to-tier rule references the upstream security group as its source rather than a CIDR, so a new instance in the wrong subnet gains no access by default.
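As an added example (not part of the original project), here is an offline check of the rules above, run over a constructed sample in the shape of the `SecurityGroups` list returned by `aws ec2 describe-security-groups`. Group IDs are invented; the internal ALB listener port (80) and the RDS port (PostgreSQL's 5432) are assumptions, the other ports come from the traffic-flow diagram. The audit fails on any CIDR-sourced ingress other than port 80 on the external ALB, on any rule that is not a single TCP port, and on any tier that accepts a source security group the policy does not list, which is the mistake that quietly lets the frontend reach the database directly.

```python
import copy

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs are invented; ports come from the traffic-flow diagram, except the
# internal ALB listener (assumed 80) and the RDS port (assumed PostgreSQL 5432).
SAMPLE_GROUPS = [
    {"GroupId": "sg-alb", "GroupName": "external-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-frontend", "GroupName": "frontend", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}]},
    {"GroupId": "sg-int-alb", "GroupName": "internal-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-frontend"}]}]},
    {"GroupId": "sg-backend", "GroupName": "backend", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-int-alb"}]}]},
    {"GroupId": "sg-db", "GroupName": "database", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-backend"}]}]},
]

# The segmentation policy: each tier accepts exactly one (source SG, port) pair,
# and the only CIDR-sourced ingress anywhere is the external ALB on port 80.
EXPECTED = {
    "sg-frontend": {("sg-alb", 3000)},
    "sg-int-alb": {("sg-frontend", 80)},
    "sg-backend": {("sg-int-alb", 8080)},
    "sg-db": {("sg-backend", 5432)},
}
PUBLIC_ALLOWED = {("sg-alb", 80)}


def _single_tcp_port(perm):
    """Port a rule opens when it is exactly one TCP port; None for ranges, UDP or all traffic (-1)."""
    if perm.get("IpProtocol") != "tcp" or perm.get("FromPort") != perm.get("ToPort"):
        return None
    return perm["FromPort"]


def audit(groups):
    """Return a list of findings; an empty list means the groups match the policy."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        sg_sources = set()
        for perm in g.get("IpPermissions", []):
            port = _single_tcp_port(perm)
            if port is None:
                findings.append(f"{gid}: rule is not a single TCP port: {perm}")
                continue
            # Any IPv4/IPv6 CIDR source outside the allow-list is a public exposure.
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if (gid, port) not in PUBLIC_ALLOWED:
                    findings.append(f"{gid}: CIDR ingress {cidr} on {port} is not allowed")
            for pair in perm.get("UserIdGroupPairs", []):
                sg_sources.add((pair["GroupId"], port))
        if gid in EXPECTED:
            for src, port in sorted(sg_sources - EXPECTED[gid]):
                findings.append(f"{gid}: unexpected SG ingress from {src} on {port}")
            for src, port in sorted(EXPECTED[gid] - sg_sources):
                findings.append(f"{gid}: missing required ingress from {src} on {port}")
    return findings


def add_ingress(groups, gid, port, cidr=None, src_sg=None):
    """Deep copy of `groups` with one extra TCP ingress rule on `gid` (used to exercise the audit)."""
    out = copy.deepcopy(groups)
    rule = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}] if cidr else [],
            "UserIdGroupPairs": [{"GroupId": src_sg}] if src_sg else []}
    next(g for g in out if g["GroupId"] == gid)["IpPermissions"].append(rule)
    return out


if __name__ == "__main__":
    print("clean:", audit(SAMPLE_GROUPS))
    print("db open to world:", audit(add_ingress(SAMPLE_GROUPS, "sg-db", 5432, cidr="0.0.0.0/0")))
    print("frontend bypasses internal ALB:",
          audit(add_ingress(SAMPLE_GROUPS, "sg-backend", 8080, src_sg="sg-frontend")))
```

To run it against a real account, feed `audit()` the `SecurityGroups` list from `describe-security-groups` and map the real group IDs into `EXPECTED`; running it in CI after every apply catches drift that a one-off console review will not.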
🔹 IAM Roles
EC2 instance roles grant only the access each tier needs, limited to:
CloudWatch
Session Manager
Secrets Manager
📦 Docker Deployment on EC2
Frontend and Backend applications are:
Built as Docker images
Pushed to Docker Hub
Pulled on each EC2 instance by its user-data script at launch (pinning the image by digest rather than a mutable tag keeps every ASG replacement identical to the last)
Started during instance launch
This ensures:
Consistent deployments
Easy scaling via ASG
Reproducible environments
📈 Auto Scaling & Load Balancing
External ALB
Internet-facing
Health checks on frontend instances
Routes traffic dynamically
Internal ALB
Handles communication between frontend and backend
Auto Scaling Groups
Multi-AZ deployment
Configured min, max, desired capacity
Scales based on CPU utilization
🗄 Database Configuration
RDS setup includes:
Multi-AZ deployment
Custom DB subnet group
Parameter group configuration (a parameter group is bound to an engine major-version family, so it must match the engine version of the instance it is attached to)
Engine version specification
Secrets stored in AWS Secrets Manager
During provisioning, an issue occurred due to PostgreSQL parameter incompatibility, which was resolved by adjusting the engine version — a real-world debugging scenario.
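The Docker deployment section and the database section both leave the launch-time plumbing implicit: how the user-data step pulls the image and how the backend gets the RDS credential out of Secrets Manager. The helper below is an added example, not the project's own user-data. It assumes the image is pulled from Docker Hub, that the secret uses the JSON layout Secrets Manager creates for RDS credentials (`username`, `password`, `engine`, `host`, `port`, `dbname`), that the DB is PostgreSQL, and that the `docker run` hardening flags are choices rather than anything the page prescribes. The fetch itself (`aws secretsmanager get-secret-value` under the instance role) is left out so the code runs offline; the sample secret is constructed.

```python
import json
import os
import re
from urllib.parse import quote

# Docker Hub tags are mutable: "acme/backend:1.4" can be re-pushed with different
# contents, so each ASG replacement could start something else. Require a digest.
_DIGEST_REF = re.compile(r"^[a-z0-9][a-z0-9._/-]*(:[\w][\w.-]*)?@sha256:[0-9a-f]{64}$")


def check_image_ref(ref):
    """Return `ref` unchanged if it is pinned by sha256 digest, else raise ValueError."""
    if not _DIGEST_REF.match(ref):
        raise ValueError(f"image must be pinned by digest, got {ref!r}")
    return ref


# Constructed secret in the JSON layout Secrets Manager uses for RDS credentials.
SAMPLE_SECRET_STRING = json.dumps({
    "username": "appuser", "password": "p@ss:w/rd#1", "engine": "postgres",
    "host": "appdb.cluster-example.internal", "port": 5432, "dbname": "appdb"})


def dsn_from_secret(secret_string):
    """Build a PostgreSQL URL from the SecretString, percent-encoding the credentials.

    Generated passwords routinely contain '@', ':' or '/', which corrupt an
    unescaped URL; sslmode=require makes the backend-to-RDS hop use TLS.
    """
    s = json.loads(secret_string)
    user, pw = quote(s["username"], safe=""), quote(s["password"], safe="")
    return f"postgresql://{user}:{pw}@{s['host']}:{s['port']}/{s['dbname']}?sslmode=require"


def write_env_file(path, values):
    """Write KEY=VALUE lines, creating the file 0600 so the DSN is readable only by its owner."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        for key, value in values.items():
            fh.write(f"{key}={value}\n")


def docker_run_argv(image, port, env_file, name="backend"):
    """argv the user-data step would exec to start the container (hardening flags are assumptions)."""
    return ["docker", "run", "-d", "--name", name,
            "--restart", "unless-stopped",       # come back after a daemon or instance restart
            "--cap-drop", "ALL",                 # the app needs no Linux capabilities
            "--security-opt", "no-new-privileges",
            "--env-file", env_file,              # DSN comes from the 0600 file, not the command line
            "-p", f"{port}:{port}",              # the port the internal ALB targets, 8080 for the backend
            check_image_ref(image)]


if __name__ == "__main__":
    # Stand-alone demo; in real user-data the SecretString comes from
    # `aws secretsmanager get-secret-value` using the instance role.
    env_path = "/tmp/backend.env"
    write_env_file(env_path, {"DATABASE_URL": dsn_from_secret(SAMPLE_SECRET_STRING)})
    print(" ".join(docker_run_argv("acme/backend:1.4.2@sha256:" + "0" * 64, 8080, env_path)))
```

Two details carry the security value: the digest check turns the Docker Hub pull into a reproducible, tamper-evident step, and percent-encoding the secret avoids the class of launch failures where a rotated password happens to contain a URL delimiter. Anyone who can read the Docker socket can still see the environment via `docker inspect`, so the env-file protects against other local users, not against root.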