DEV Community

Radurga Rajendran

Building a Highly Available and Secure Web Application Architecture with VPCs, Load Balancers, and Private Subnets

Overview

1. Single VPC with Public and Private Subnets

In this architecture, we use a single VPC that contains both public and private subnets. Each subnet tier serves a different purpose:

Public Subnet:

  • Hosts the website served by EC2 instances.
  • The EC2 instances are managed by an Auto Scaling Group (ASG) spread across at least two Availability Zones, for high availability and scalability.
  • An Application Load Balancer (ALB) distributes incoming traffic across the EC2 instances. The ALB is the only component that should accept connections from the internet: the instances' security group admits traffic only from the ALB's security group, so they are not directly reachable even though they sit in a public subnet. (A common further hardening is to place the instances in private subnets as well and leave only the ALB in the public subnet.)

Private Subnet:

  • Hosts an RDS database, which stores the data submitted via the website. The instance is not publicly accessible and the subnet has no route to the internet.
  • The EC2 instances in the public subnet reach the RDS instance over its private IP within the VPC; the database security group allows the database port only from the web tier's security group.
  • A gateway VPC endpoint for S3 is associated with the VPC's route tables, so S3 calls from the instances stay on the AWS network instead of traversing the public internet.

2. Route 53 Integration for Custom Domain Name

Using AWS Route 53, you create a DNS record that points at the Load Balancer's DNS name, so users reach the website via a custom, branded domain. Because an ALB has no fixed IP address, the record is an alias A record; at the zone apex (example.com) an alias is the only option, since DNS does not allow a CNAME there, while a subdomain such as www.example.com may use either.

3. Secure S3 Access via VPC Endpoint

To interact with Amazon S3 from the EC2 instances without sending the traffic over the public internet, we use an S3 gateway VPC endpoint. The endpoint adds a route for the S3 prefix list to the selected route tables, so traffic between the instances and S3 stays entirely on the AWS network. Note that the endpoint is a network path, not an authorization mechanism: access is still governed by the instance's IAM role, the endpoint policy, and the bucket policy (which can restrict access to requests arriving through the endpoint with the aws:SourceVpce condition key).

4. VPC Peering for Inter-VPC Communication

In some cases you may want two VPCs to communicate, for resource sharing or integration. A VPC Peering Connection links exactly two VPCs whose CIDR blocks do not overlap; a Transit Gateway is the hub-and-spoke option when several VPCs need to reach each other, because peering is not transitive (A peered with B and B peered with C does not let A reach C).

Step 1: Set Up the VPC and Subnets

  1. Create a VPC:

    • Use the AWS VPC Wizard or AWS Management Console to create a VPC with a CIDR block (e.g., 10.0.0.0/16).
  2. Create Subnets:

    • Public Subnet: Assign a CIDR block such as 10.0.1.0/24. This subnet hosts the web servers and the load balancer.
    • Private Subnet: Assign a CIDR block such as 10.0.2.0/24. This subnet hosts the RDS instance.
    • For the "highly available" part of the design, create a second public and a second private subnet in a different Availability Zone (e.g., 10.0.3.0/24 and 10.0.4.0/24): an ALB requires subnets in at least two AZs, and an RDS DB subnet group does too.
  3. Internet Gateway:

    • Create an Internet Gateway and attach it to the VPC. Only the public subnets will route to it.
  4. Route Table for Public Subnet:

    • Give the public subnets a route table with a 0.0.0.0/0 route to the Internet Gateway so that traffic can flow in and out.
  5. Route Table for Private Subnet:

    • The private subnets must have no route to the Internet Gateway. If instances there need outbound internet access (for example, to pull updates), add a 0.0.0.0/0 route to a NAT Gateway placed in a public subnet; the NAT Gateway allows outbound connections only and never exposes the private subnet inbound.

Step 2: Set Up the Load Balancer (ALB)

  1. Create an Application Load Balancer (ALB):

    • Navigate to the EC2 console, select Load Balancers, and create an internet-facing Application Load Balancer (ALB).
    • Select the public subnets (one per AZ) for the ALB. Configure an HTTPS listener on port 443 with a certificate from AWS Certificate Manager, and an HTTP listener on port 80 whose only action is a redirect to HTTPS.
    • Assign the ALB a security group that allows inbound TCP 80 and 443 from 0.0.0.0/0 (and ::/0 if the VPC has IPv6). This is the only security group in the design that is open to the internet.
  2. Create Target Groups:

    • Create a target group for the ALB with a health-check path (e.g., /health) so that unhealthy instances are taken out of rotation.
  3. Register the Web Tier with the Target Group:

    • Give the EC2 instances a security group that allows the application port (e.g., TCP 80) only from the ALB's security group, not from any CIDR. Attach the Auto Scaling Group to the target group rather than registering instances by hand, so instances are registered and deregistered automatically as the group scales.
  4. Configure Auto Scaling Group (ASG):

    • Create an Auto Scaling Group from a launch template (launch configurations are deprecated) that spans the public subnets in both AZs, with a scaling policy based on a load metric such as average CPU or request count per target.

Step 3: Set Up Amazon RDS in the Private Subnet

  1. Launch an RDS Instance:

    • In the AWS RDS Console, create a DB subnet group containing the private subnets (RDS requires subnets in at least two AZs), then launch a database instance (e.g., MySQL, PostgreSQL) into it. Enable Multi-AZ if the database itself must survive an AZ failure.
    • Set "Publicly accessible" to No, so the instance receives only a private IP and cannot be reached from the internet even if a security group is later misconfigured.
  2. Connect EC2 to RDS:

    • Give the RDS instance a security group that allows the database port (3306 for MySQL, 5432 for PostgreSQL) only from the web tier's security group. The EC2 instances then connect using the database's endpoint name, which resolves to a private IP inside the VPC; no Internet Gateway or NAT Gateway is involved.
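The security-group chain that Steps 2 and 3 describe (internet to ALB only, ALB to web tier only, web tier to database only) is easy to state and easy to break with a "temporary" rule. Below is an added example, not code from the original post: an in-memory model of the three groups with two checks a reviewer would run over them. The group ids (sg-alb, sg-web, sg-db), ports and CIDRs are assumed for illustration, and nothing here calls the AWS API.

```python
"""Security-group chain for the ALB -> web tier -> RDS design.

Added example (not the post's own code): security groups are modelled as
plain dataclasses; ids, ports and CIDRs are placeholders.
"""
from dataclasses import dataclass, field

ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


@dataclass(frozen=True)
class Rule:
    protocol: str   # e.g. "tcp"
    port: int       # a single port; ranges are omitted to keep the model small
    source: str     # a CIDR ("0.0.0.0/0") or another group's id ("sg-alb")


@dataclass
class SecurityGroup:
    group_id: str
    ingress: list = field(default_factory=list)


def build_security_groups(db_port: int = 3306) -> dict:
    """The intended configuration: only the ALB listens to the internet; the
    web tier accepts traffic only from the ALB's group and the database only
    from the web tier's group. Referencing a group id instead of a subnet
    CIDR means new instances are covered automatically and nothing else in
    10.0.1.0/24 can reach the database."""
    alb = SecurityGroup("sg-alb", [Rule("tcp", 443, ANY_IPV4), Rule("tcp", 80, ANY_IPV4)])
    web = SecurityGroup("sg-web", [Rule("tcp", 80, "sg-alb")])
    db = SecurityGroup("sg-db", [Rule("tcp", db_port, "sg-web")])
    return {g.group_id: g for g in (alb, web, db)}


def internet_exposed_ports(groups: dict) -> dict:
    """Map each group to the sorted list of ports it opens to the whole internet."""
    exposed = {}
    for gid, group in groups.items():
        ports = sorted({r.port for r in group.ingress if r.source in (ANY_IPV4, ANY_IPV6)})
        if ports:
            exposed[gid] = ports
    return exposed


def check_chain(groups: dict, chain=("sg-alb", "sg-web", "sg-db")) -> list:
    """Every tier after the first may accept inbound traffic only from the
    tier directly in front of it. Returns human-readable findings; an empty
    list means the chain is intact."""
    findings = []
    for upstream, downstream in zip(chain, chain[1:]):
        for rule in groups[downstream].ingress:
            if rule.source != upstream:
                findings.append(
                    f"{downstream} accepts {rule.protocol}/{rule.port} from {rule.source}; "
                    f"expected only {upstream}"
                )
    return findings


if __name__ == "__main__":
    good = build_security_groups()
    print("internet-facing:", internet_exposed_ports(good))   # {'sg-alb': [80, 443]}
    print("chain findings:", check_chain(good))                # []

    # Weak setting: MySQL opened to the whole VPC CIDR "for debugging" and SSH
    # opened to the internet on the web tier. Both rules are flagged.
    weak = build_security_groups()
    weak["sg-db"].ingress.append(Rule("tcp", 3306, "10.0.0.0/16"))
    weak["sg-web"].ingress.append(Rule("tcp", 22, ANY_IPV4))
    for finding in check_chain(weak):
        print("finding:", finding)
    print("internet-facing:", internet_exposed_ports(weak))
```

The same two checks map directly onto `aws ec2 describe-security-groups` output: the ALB's group is the only one that should appear in the internet-facing list, and every rule on the web and database groups should name a group id rather than a CIDR as its source.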

Step 4: Set Up the S3 VPC Endpoint for Secure S3 Access

  1. Create a VPC Endpoint for S3:

    • In the VPC Console, navigate to Endpoints and create a Gateway VPC Endpoint for the S3 service in your region.
    • A gateway endpoint is associated with route tables, not subnets: select the route table(s) used by the subnets where the EC2 instances run, and AWS adds a route for the S3 prefix list that targets the endpoint. Optionally attach an endpoint policy that limits which buckets can be reached through it.
  2. Configure Security Group and IAM Role:

    • Attach an IAM instance role to the EC2 instances that grants only the S3 actions the application needs (e.g., s3:GetObject and s3:PutObject) on the specific bucket, rather than a broad S3 policy. On the bucket side, a bucket policy with the aws:SourceVpce condition can deny requests that do not arrive via the endpoint.
    • Make sure the instances' security group allows outbound HTTPS (TCP 443) to the S3 managed prefix list; a group that keeps the default allow-all egress rule already satisfies this.
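Steps 1 and 4 together define three routing decisions: the public subnet's default route goes to the Internet Gateway, the private subnet's default route goes to the NAT Gateway (or nowhere), and S3 traffic from either goes to the gateway endpoint. The example below is added here and is not code from the original post. It models the route tables as dictionaries and resolves destinations with the same longest-prefix-match rule the VPC router uses, so you can see why the endpoint route wins over the 0.0.0.0/0 default. The resource ids (igw-web, nat-web, vpce-s3) are placeholders, and S3_PREFIX_LIST is a constructed stand-in, using documentation address space, for the region's real S3 managed prefix list.

```python
"""Route tables for the public subnet, the private subnet and the S3 gateway
endpoint, with longest-prefix-match resolution and two audit checks.

Added example (not the post's own code). Resource ids are placeholders and
S3_PREFIX_LIST is a constructed stand-in for the real S3 managed prefix list.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"
S3_PREFIX_LIST = ["198.51.100.0/24"]   # constructed placeholder, not a real S3 range
PL_S3 = "pl-s3"                        # key under which the prefix list appears in a table


def plan_subnets(vpc_cidr: str, azs) -> dict:
    """Carve one public and one private /24 per Availability Zone. Two AZs are
    the minimum for an ALB and for an RDS DB subnet group."""
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=24)
    next(blocks)   # skip 10.0.0.0/24 so numbering matches the post's 10.0.1.0/24
    plan = {}
    for az in azs:
        plan[f"public-{az}"] = str(next(blocks))
        plan[f"private-{az}"] = str(next(blocks))
    return plan


def public_route_table() -> dict:
    return {VPC_CIDR: "local", "0.0.0.0/0": "igw-web", PL_S3: "vpce-s3"}


def private_route_table() -> dict:
    # No route to the IGW at all; outbound-only internet access via the NAT Gateway.
    return {VPC_CIDR: "local", "0.0.0.0/0": "nat-web", PL_S3: "vpce-s3"}


def expand(table: dict) -> list:
    """Replace the prefix-list key with its member CIDRs, as the router sees them."""
    routes = []
    for dest, target in table.items():
        cidrs = S3_PREFIX_LIST if dest == PL_S3 else [dest]
        routes.extend((ipaddress.ip_network(c), target) for c in cidrs)
    return routes


def resolve(table: dict, dst_ip: str) -> str:
    """Longest-prefix match: the most specific route containing dst_ip wins,
    which is why the endpoint route beats the 0.0.0.0/0 default."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(net.prefixlen, target) for net, target in expand(table) if ip in net]
    if not matches:
        return "unroutable"
    return max(matches)[1]


def audit(name: str, table: dict) -> list:
    """Checks a reviewer would run: a private table must never reach the IGW,
    and any table used by instances that talk to S3 needs the endpoint route."""
    findings = []
    default = table.get("0.0.0.0/0", "none")
    if name.startswith("private") and default.startswith("igw-"):
        findings.append(f"{name}: default route points at an internet gateway")
    if PL_S3 not in table:
        findings.append(f"{name}: no S3 endpoint route, S3 traffic would leave via {default}")
    return findings


if __name__ == "__main__":
    print(plan_subnets(VPC_CIDR, ("us-east-1a", "us-east-1b")))
    priv = private_route_table()
    print(resolve(priv, "198.51.100.7"))   # vpce-s3: stays on the AWS network
    print(resolve(priv, "203.0.113.9"))    # nat-web: generic outbound internet
    print(resolve(priv, "10.0.1.5"))       # local: the public subnet, same VPC
    print(audit("private-a", priv))        # []
    print(audit("private-b", {VPC_CIDR: "local", "0.0.0.0/0": "igw-web"}))
```

In a real account the prefix-list route is added for you when you associate the endpoint with a route table; what `audit` catches is the table you forgot to associate (S3 traffic silently falls back to the NAT Gateway or IGW) and a private subnet that was mistakenly attached to the public route table.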

Step 5: Set Up Route 53 for Custom Domain

  1. Create a Hosted Zone:

    • In the Route 53 Console, create a public hosted zone for your domain (e.g., example.com). If the domain is registered elsewhere, update the registrar's name servers to the NS records Route 53 assigns to the zone.
  2. Create Record Set for the Load Balancer:

    • Create an A record with "Alias" enabled that targets the ALB (e.g., mywebsite-1234567.elb.amazonaws.com). An alias is required at the zone apex (example.com), because DNS does not allow a CNAME there; for a subdomain such as www.example.com either an alias A record or a CNAME to the ALB's DNS name works. Request the ACM certificate for the same names so the HTTPS listener presents a matching certificate.

Step 6: Set Up VPC Peering (Optional)

  1. Create VPC Peering:

    • If you need to connect two VPCs (e.g., for inter-VPC communication), create a VPC Peering Connection from the requester VPC and accept it in the accepter VPC (or account). The two CIDR blocks must not overlap, or the request is rejected.
  2. Configure Routes:

    • In both VPCs, add a route to the route tables that points the peer's CIDR at the peering connection. Adding the route on one side only lets traffic out but not back.
    • Update security groups in both VPCs to allow the required ports from the peer's CIDR (or, within the same region, from the peer's security group id). Remember that peering is not transitive: a VPC peered with two others does not forward traffic between them.
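The three rules in Step 6 that bite in practice are the non-overlap requirement, the need for a route on both sides, and non-transitivity. The following is an added example, not code from the original post, that models a small peering topology and checks those rules; VPC and peering ids are placeholders, the inventory is constructed, and no AWS API is called (acceptance of the peering request and security-group rules are left out of the model).

```python
"""VPC peering pre-checks: overlap, the routes each side needs, and why a
route through a peering connection only reaches the VPC at its far end.

Added example (not the post's own code); ids and CIDRs are constructed.
"""
import ipaddress

VPCS = {                       # constructed inventory of VPC id -> CIDR
    "vpc-a": "10.0.0.0/16",
    "vpc-b": "10.1.0.0/16",
    "vpc-c": "10.2.0.0/16",
    "vpc-d": "10.0.128.0/17",  # overlaps vpc-a and therefore cannot be peered with it
}


def can_peer(cidr_a: str, cidr_b: str) -> bool:
    """AWS rejects a peering request between VPCs whose CIDR blocks overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def peering_routes(vpc_a: str, vpc_b: str, pcx_id: str) -> dict:
    """Routes to add on both sides: each VPC sends the peer's CIDR to the
    peering connection. A route on one side only gives one-way traffic that
    fails on the return path."""
    if not can_peer(VPCS[vpc_a], VPCS[vpc_b]):
        raise ValueError(f"{vpc_a} and {vpc_b} have overlapping CIDRs")
    return {vpc_a: {VPCS[vpc_b]: pcx_id}, vpc_b: {VPCS[vpc_a]: pcx_id}}


def reachable(routes: dict, peerings: dict, src_vpc: str, dst_ip: str) -> bool:
    """A packet leaving src_vpc for dst_ip is delivered only if the matching
    route's peering connection terminates in the VPC that owns dst_ip.
    This is what makes peering non-transitive."""
    ip = ipaddress.ip_address(dst_ip)
    for cidr, pcx in routes.get(src_vpc, {}).items():
        if ip in ipaddress.ip_network(cidr):
            far_end = [v for v in peerings[pcx] if v != src_vpc][0]
            return ip in ipaddress.ip_network(VPCS[far_end])
    return False


def build_topology() -> tuple:
    """A-B and B-C are peered; A-C deliberately is not."""
    peerings = {"pcx-ab": ("vpc-a", "vpc-b"), "pcx-bc": ("vpc-b", "vpc-c")}
    routes = {}
    for pcx, (x, y) in peerings.items():
        for vpc, table in peering_routes(x, y, pcx).items():
            routes.setdefault(vpc, {}).update(table)
    return routes, peerings


if __name__ == "__main__":
    routes, peerings = build_topology()
    print(reachable(routes, peerings, "vpc-a", "10.1.0.10"))   # True: direct peer
    print(reachable(routes, peerings, "vpc-a", "10.2.0.10"))   # False: no route to C
    # The tempting "fix" of routing C's CIDR into the A-B connection still fails,
    # because pcx-ab can only deliver to vpc-b; a second peering or a Transit
    # Gateway is required.
    routes["vpc-a"]["10.2.0.0/16"] = "pcx-ab"
    print(reachable(routes, peerings, "vpc-a", "10.2.0.10"))   # False
    print(can_peer(VPCS["vpc-a"], VPCS["vpc-d"]))              # False: overlapping CIDRs
```

Checking overlap before opening the console saves a rejected request, and the `reachable` check is the quickest way to explain to a teammate why "just add a route" does not make A reach C through B.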

With public and private subnets, an Auto Scaling Group, an Application Load Balancer, and a VPC endpoint, we can build a resilient infrastructure in which only the load balancer is exposed to the internet. Adding Route 53 for custom domain management and VPC Peering for inter-VPC communication completes the solution for a fully managed, secure web application architecture on AWS.
