In this article, we will implement a highly available, architecture-focused project on AWS while adhering to best practices.
This is for you if you want to build or brush up on your AWS skills and knowledge, are looking to practice or implement a beginner-level project, or want to understand how AWS services are used and how they interact with each other.
ARCHITECTURE OVERVIEW
This architecture has a presentation layer, an application layer and a database layer. The application layer, which runs the application itself, is hosted on EC2 instances and interacts with the database layer, which hosts, stores and retrieves the data. The presentation layer is also hosted on EC2 instances, within public subnets. Overall, the architecture covers compute resources, networking and database components, as seen in the diagram below:
Let's dive straight into implementation:
IMPLEMENTATION STEPS
- On the AWS Console, start by creating a VPC. Use the 'VPC and more' option to create other networking components (subnets, route tables, internet and NAT gateway) alongside.
- Create public and private subnets in 2 different Availability Zones, according to our architecture diagram. The image below shows a guide and details to set it up:
This automatically creates the subnets, route tables, Internet Gateway and NAT Gateway along with the VPC.
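To make concrete what the 'VPC and more' wizard produces, here is an added example (not code from the article) that carves a VPC CIDR into one subnet per tier and Availability Zone and records each subnet's default route, then checks the plan for overlaps and for private subnets that accidentally route to the Internet Gateway. The tier names, the `/20` subnet size, the region and the `igw`/`nat-<az>` route labels are assumptions chosen for the example; a real VPC would use the resource IDs AWS assigns.

```python
"""Subnet plan for a two-AZ, three-tier VPC (constructed example, not the article's code)."""
import ipaddress

# Assumed tier names: one public (presentation) tier and two private tiers (app, database).
TIERS = ("public", "private-app", "private-db")
AZS = ("a", "b")  # two Availability Zones, as in the architecture described above


def plan_subnets(vpc_cidr: str, region: str = "us-east-1", prefix: int = 20):
    """Carve vpc_cidr into one subnet per (tier, AZ) pair and assign its default route.

    Public subnets route 0.0.0.0/0 to the Internet Gateway ('igw'); private subnets
    route it to the NAT Gateway in their own AZ ('nat-a', 'nat-b'), so an AZ outage
    does not take the other AZ's private subnets offline.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    blocks = vpc.subnets(new_prefix=prefix)
    plan = []
    for tier in TIERS:
        for az in AZS:
            try:
                cidr = next(blocks)
            except StopIteration:
                raise ValueError(f"{vpc_cidr} has too few /{prefix} blocks for {len(TIERS) * len(AZS)} subnets")
            public = tier == "public"
            plan.append({
                "name": f"{tier}-{az}",
                "az": f"{region}{az}",
                "cidr": str(cidr),
                "public": public,
                "default_route": "igw" if public else f"nat-{az}",
                # AWS reserves 5 addresses in every subnet (network, VPC router, DNS, future use, broadcast).
                "usable_hosts": cidr.num_addresses - 5,
            })
    return plan


def validate_plan(plan, vpc_cidr: str):
    """Return a list of problems; an empty list means the plan is consistent.

    Checks: every subnet lies inside the VPC, no two subnets overlap, and no private
    subnet has the Internet Gateway as its default route.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(s["cidr"]) for s in plan]
    problems = []
    for i, a in enumerate(nets):
        if not a.subnet_of(vpc):
            problems.append(f"{plan[i]['name']} ({a}) is outside the VPC {vpc}")
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    for s in plan:
        if not s["public"] and s["default_route"] == "igw":
            problems.append(f"{s['name']} is private but its default route is the internet gateway")
    return problems


if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/16")
    for s in plan:
        print(f"{s['name']:16} {s['az']:12} {s['cidr']:16} route -> {s['default_route']}")
    print("problems:", validate_plan(plan, "10.0.0.0/16") or "none")
```

Running it for `10.0.0.0/16` prints six subnets (`10.0.0.0/20` through `10.0.80.0/20`), the first two public with the `igw` route and the rest private with a NAT route per AZ. The validator is useful on its own against a hand-written plan, for instance one exported from an existing account.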
- Now we need to configure the Internet Gateway and NAT Gateway. For the public subnets' route tables, add a route to the Internet Gateway for 0.0.0.0/0 (Internet access).
- For the private subnet route table, add a route to the NAT Gateway for 0.0.0.0/0. This will provide internet access for instances in private subnets without exposing them directly to the public internet.
- Create Security Groups for both the public and private subnets.
- In the public subnet security group, allow inbound traffic on port 22 (SSH) for your IP address and the required application ports (e.g., HTTP, HTTPS).
- In the private subnet security group, allow inbound traffic on the required application ports from the public subnets, so the instances there can reach the application.
- Launch Auto-Scaling Groups and EC2 Instances.
- To create a highly available structure, start by creating 2 Auto-Scaling Groups (ASGs), one for the public subnets and one for the private subnets, each spanning both availability zones.
- Create a launch template (which holds the settings every instance in the ASG should have) if you don't already have one.
- After creating the launch template, go back to the ASG wizard to create the first group. Choose the template and the VPC, and select the public subnets we created across both availability zones. Note: an ASG can span more than one subnet/availability zone.
- Set a desired capacity (the number of instances the ASG should maintain) and scaling limits (the minimum and maximum, which determine how far the ASG can scale). You can attach a load balancer to the ASG if needed. The other settings are optional and can be left out for this demo.
- Create the second Auto-Scaling Group for the 2 private subnets across the 2 availability zones. After creating both, you should have something like this:
- Create an RDS Instance in the private subnet
- On the AWS Console, under RDS, start by creating a subnet group and select the remaining private subnets across both availability zones. The subnet group determines which subnets and IP ranges the database can use. The RDS instance should be placed in private subnets to isolate it from the public internet.
- After the subnet group is created, create the DB and select a suitable database engine. It is better to use Standard Create so you can set each configuration according to your environment's requirements.
- Choose an instance configuration and template according to your needs, and enter the username and password credentials.
- You can choose 'Do not connect an EC2 compute resource', as that can be done later from the console under Instance Actions. It is essential to use the same VPC you used for your EC2 instances, and then select the subnet group you created earlier, which contains the private subnets. To keep the database locked down, do not allow public access.
- For the firewall, choose the security group that allows appropriate access to your database. Your RDS instance should have a security group that allows inbound connections on the database port (e.g., 3306 for MySQL, 5432 for PostgreSQL) only from the security group used by your EC2 instances, and it must not be open to the public (0.0.0.0/0). The security group associated with your EC2 instances must also allow outbound connections on the database port to the RDS security group.
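The security-group steps above describe a simple contract between the three tiers: SSH on the public tier only from your own address, the application port on the private tier only from the public tier, and the database port only from the application tier, never from the internet. The following added example (not code from the article) encodes that contract as an offline audit and runs it over two constructed rule sets, one with the weak settings the article warns against and one hardened. The group names `public-sg`, `private-app-sg` and `db-sg`, the administrator address `203.0.113.10/32`, the application port 8080 and the flattened rule shape are all assumptions for the example; real rules would be mapped onto this shape from the `IpPermissions` structure that `ec2:DescribeSecurityGroups` returns.

```python
"""Offline audit of the three security groups described in the steps above.

Constructed example, not the article's code. Group names, the admin address and
the reduced rule shape (port + either 'cidr' or 'source_sg') are assumptions.
"""

ANYWHERE = {"0.0.0.0/0", "::/0"}


def audit_security_groups(groups, admin_cidr, app_port, db_port, ssh_port=22):
    """Return a list of findings; an empty list means the rules match the intended design.

    groups maps a security-group name to its inbound rules. Each rule is a dict
    with 'port' and either 'cidr' (an IP range) or 'source_sg' (another group).
    """
    findings = []

    def source(rule):
        return rule.get("cidr") or f"sg:{rule.get('source_sg')}"

    # Presentation tier: SSH only from the administrator's address; web ports may be public.
    for r in groups.get("public-sg", []):
        if r["port"] == ssh_port and r.get("cidr") != admin_cidr:
            findings.append(f"public-sg: SSH ({ssh_port}) allowed from {source(r)}, expected only {admin_cidr}")
        elif r["port"] not in (ssh_port, 80, 443):
            findings.append(f"public-sg: unexpected inbound port {r['port']} from {source(r)}")

    # Application tier: the application port, and only from the public tier's group.
    for r in groups.get("private-app-sg", []):
        if r["port"] != app_port or r.get("source_sg") != "public-sg":
            findings.append(f"private-app-sg: port {r['port']} allowed from {source(r)}, "
                            f"expected {app_port} from sg:public-sg only")

    # Database tier: never open to the internet; only the application tier on the DB port.
    db_rules = groups.get("db-sg", [])
    for r in db_rules:
        if r.get("cidr") in ANYWHERE:
            findings.append(f"db-sg: port {r['port']} open to {r['cidr']}")
        elif r["port"] != db_port or r.get("source_sg") != "private-app-sg":
            findings.append(f"db-sg: port {r['port']} allowed from {source(r)}, "
                            f"expected {db_port} from sg:private-app-sg only")
    # The inverse failure: a database the application cannot reach at all.
    if not any(r["port"] == db_port and r.get("source_sg") == "private-app-sg" for r in db_rules):
        findings.append(f"db-sg: missing rule allowing port {db_port} from sg:private-app-sg")
    return findings


# Constructed rule sets: the weak settings beside the corrected ones.
WEAK = {
    "public-sg": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 80, "cidr": "0.0.0.0/0"}],
    "private-app-sg": [{"port": 8080, "source_sg": "public-sg"}],
    "db-sg": [{"port": 3306, "cidr": "0.0.0.0/0"}],  # database exposed to the internet
}
HARDENED = {
    "public-sg": [
        {"port": 22, "cidr": "203.0.113.10/32"},  # assumed administrator address
        {"port": 80, "cidr": "0.0.0.0/0"},
        {"port": 443, "cidr": "0.0.0.0/0"},
    ],
    "private-app-sg": [{"port": 8080, "source_sg": "public-sg"}],
    "db-sg": [{"port": 3306, "source_sg": "private-app-sg"}],
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}:")
        for f in audit_security_groups(cfg, "203.0.113.10/32", 8080, 3306) or ["no findings"]:
            print("  -", f)
```

The weak set produces three findings (SSH open to the world, the database port open to the world, and consequently no rule that lets the application tier in), while the hardened set produces none. Referencing the upstream group by `source_sg` rather than by subnet CIDR is what lets the rule keep working as Auto Scaling replaces instances.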
The architecture is all set, and you can now host an application on it and test and monitor it with ease.
With this setup, we have addressed security with public and private subnets, a NAT gateway and security groups; high availability with multiple availability zones; and scalability with auto-scaling groups.
CONCLUSION
We have built a secure, robust and scalable architecture that follows best practices and can adapt to changing needs and requirements.
This article serves as an overview, providing implementation steps for the architecture above; it can be tweaked for specific application requirements and security needs.
Follow me for more articles like this and connect with me on LinkedIn!