In this article, I describe the step-by-step process for configuring an AWS cloud solution for a company with two websites behind a reverse proxy.
Use case: To build a secure infrastructure inside AWS VPC network for a company that uses WordPress CMS for its main business website, and a Tooling Website for their DevOps team. As part of the company’s desire for improved security and performance, a decision has been made to use a reverse proxy technology from NGINX to achieve this. Cost, Security, and Scalability are the major requirements for this project.
In this project, you will gain an understanding of, and configure, AWS resources such as VPCs, Security groups, Auto Scaling groups, Target groups, Launch Templates and much more by implementing the architecture diagram below.
The implementation has been divided into five major categories, so this tutorial is split into a five-part series to keep it simple and easy to follow.
Prerequisites
- An AWS account AWS free tier
- Some Knowledge of Linux command
- A Domain name (you can get a free domain from Freenom)
Let's Get Started!!!
Reverse Proxy
A reverse proxy is the application that sits in front of back-end applications/servers and forwards client requests to those applications. Reverse proxies help increase scalability, performance, resilience and security. The resources returned to the client appear as if they originated from the web server itself.
NETWORKING
As with constructing a building, the foundation is always very important, and that brings us to the VPC. In the diagram above, the VPC is the backbone of the whole infrastructure. VPC stands for Virtual Private Cloud.
Amazon Virtual Private Cloud (Amazon VPC) enables you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you've defined. This means most AWS resources need a VPC to communicate with each other, with the exception of serverless services.
Create a VPC
Login into your AWS account and search for VPC in the search bar
Click on Create VPC.
Note: as shown in the above diagram, every account comes with a default VPC
# Let's create our VPC with the information below
- Set Resources to create to VPC only
- Set Name to any name of your choice
- Set IPv4 CIDR to 10.0.0.0/16
Leave the other options and click on create VPC
Next, we will configure the AWS resources the VPC needs in order to provide the connectivity our applications require: Subnets, Route tables, Internet gateways, Elastic IPs, NAT gateways and Security groups.
Create Subnets
Subnets are simply groupings of IP addresses. A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a specified subnet. Use a public subnet for resources that must be connected to the internet, and a private subnet for resources that won't be connected to the internet directly.
In the infrastructure diagram above, we need two public subnets (for the nginx reverse proxy and bastion server) and four private subnets (for the web servers and the database). My region is set to US East (Northern Virginia), and I have decided to use two availability zones (AZs) for this project, namely us-east-1a and us-east-1b.
Still on the VPC dashboard, click on subnets
Click on create subnet
Note: The default VPC comes with other default components such as default subnets, an internet gateway, route tables, etc.
# Create two Public Subnets
Set VPC ID to your newly created VPC
Set Subnet name to your preferred name
Set Availability Zone to us-east-1a
Set IPv4 CIDR block to 10.0.1.0/24
Create the second public subnet in Availability Zone us-east-1b and set IPv4 CIDR block to 10.0.3.0/24, as seen in the diagram.
You can configure all six subnets on the same page by clicking Add new subnet before you finally click the Create subnet button.
# Create 4 Private Subnets
Set Private subnet 1 in us-east-1a with IPv4 CIDR block 10.0.2.0/24
Set Private subnet 2 in us-east-1b with IPv4 CIDR block 10.0.4.0/24
Set Private subnet 3 in us-east-1a with IPv4 CIDR block 10.0.5.0/24
Set Private subnet 4 in us-east-1b with IPv4 CIDR block 10.0.6.0/24
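Before clicking through the console it is worth checking the subnet plan on paper: every block must sit inside the VPC's 10.0.0.0/16, no two blocks may overlap, and each tier should span both AZs. The following is an added example (not code from the original article) that encodes the six subnets above and checks exactly that with the Python standard library, so it runs offline without AWS credentials. The subnet names are my own labels.

```python
"""Validate the subnet plan before creating anything in AWS.

Added example, not part of the original article. The VPC and subnet CIDRs
are the ones used in this tutorial; the subnet names are illustrative.
Only the standard library is used, so no AWS access is needed.
"""
import ipaddress
from itertools import combinations

VPC_CIDR = "10.0.0.0/16"

# (name, availability zone, CIDR, tier) as planned in the article.
SUBNET_PLAN = [
    ("public-1",  "us-east-1a", "10.0.1.0/24", "public"),
    ("public-2",  "us-east-1b", "10.0.3.0/24", "public"),
    ("private-1", "us-east-1a", "10.0.2.0/24", "private"),
    ("private-2", "us-east-1b", "10.0.4.0/24", "private"),
    ("private-3", "us-east-1a", "10.0.5.0/24", "private"),
    ("private-4", "us-east-1b", "10.0.6.0/24", "private"),
]


def validate_subnet_plan(vpc_cidr, plan):
    """Return a list of problems with a subnet plan (empty list means OK).

    Checks: every subnet lies inside the VPC, no two subnets overlap, and
    each tier is spread over at least two availability zones so that a
    single-AZ outage cannot take a whole tier down.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {}
    for name, _az, cidr, _tier in plan:
        try:
            net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
        except ValueError as exc:
            problems.append(f"{name}: invalid CIDR {cidr!r} ({exc})")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is outside the VPC {vpc_cidr}")
        nets[name] = net

    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb})")

    azs_by_tier = {}
    for _name, az, _cidr, tier in plan:
        azs_by_tier.setdefault(tier, set()).add(az)
    for tier, azs in azs_by_tier.items():
        if len(azs) < 2:
            problems.append(f"{tier} tier is only in {sorted(azs)}; use at least two AZs")
    return problems


def usable_hosts(cidr):
    """Addresses actually available to instances in a subnet of this size.

    AWS reserves the first four and the last address of every subnet
    (network, VPC router, DNS, future use, broadcast), so a /24 gives
    251 usable addresses rather than 254.
    """
    return ipaddress.ip_network(cidr).num_addresses - 5


if __name__ == "__main__":
    issues = validate_subnet_plan(VPC_CIDR, SUBNET_PLAN)
    print("plan OK" if not issues else "\n".join(issues))
    print("usable hosts per /24:", usable_hosts("10.0.1.0/24"))
```

Run it once with the plan as written and once after deliberately adding an overlapping block; the second run should report the collision before you have created anything you need to delete.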
Create Internet Gateway
The VPC needs a way to communicate with the internet to allow client communication; to do this we need to configure an internet gateway. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between a VPC and the internet.
Still on the VPC dashboard, click on internet gateways in the left menu and Click on Create Internet gateway
- Enter a name for the internet gateway
- Click on create internet gateway
- Next click on Attach to VPC on the top right of the page or click on Actions
- Select your VPC and click Attach internet gateway
Create Elastic IP
We need an Elastic IP address as a requirement to configure the NAT gateway. The need would become clearer soon. An Elastic IP address is a static, public IPv4 address designed for dynamic cloud computing.
- Click on Elastic IPs in the left menu of the VPC dashboard
- Click on Allocate Elastic IP address
- Enter a tag Name and click on Allocate
Create Nat Gateway
As seen in the infrastructure diagram above, the web servers and the data layer are placed in the private subnets, meaning they cannot be reached directly from the internet, which reduces their exposure. However, under the AWS shared responsibility model for IaaS, it is our job to manage patches and updates on the EC2 instances we provision. Hence we need a way for those instances to reach the internet to download patches without being reachable from it. A NAT gateway does exactly that.
A NAT gateway is a Network Address Translation (NAT) service. It does not accept connections initiated from the internet, but it lets instances in the private subnets routed through it open outbound connections and receive the replies.
- Click on Nat gateways on left menu of the VPC dashboard
- Click Create NAT gateway
- Enter a Name
- Select a Public Subnet under Subnet
- Connectivity type - Public
- Elastic IP allocation ID - click the dropdown arrow to select the Elastic IP we just created
- Create NAT gateway
Create Route table
A route table contains a set of rules, called routes, that determine where network traffic from the subnets or gateway is directed. For the infrastructure diagram above, we need one private route table for the four private subnets and one public route table for the two public subnets.
Create Private Route Table
- Click route tables on the left menu on the VPC dashboard
- Click create route table
- Enter your preferred Name
- Select your VPC from the dropdown
- Click create route table
Repeat above steps to create the public route table.
Next, we need to associate the public subnet with the public route table and private subnet with the private route table.
Subnet Association with Route Table
- Select the the Public route table
- Click Actions on the top right of the route table dashboard
- Click on Edit Subnet associations
- Select the two public subnets
- Click save associations
Repeat the steps above to associate the private subnets with the private route table. Make sure you select the four private subnets only.
Edit Routes for Route Tables
Now we need to add the routes that let traffic leave each subnet. In the public route table, the destination is the anywhere CIDR (0.0.0.0/0) and the target is the internet gateway. In the private route table, the destination is again 0.0.0.0/0 but the target is the NAT gateway.
- Select the Public route table
- Click on Actions on the top right of the route table dashboard
- Click on Edit routes
- Click on Add route
- Destination - 0.0.0.0/0
- Target - internet gateway
- Click save changes
For the Private Route
Repeat the steps above but for Target choose the Nat gateway you created.
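In AWS, nothing about a subnet itself makes it "public": a subnet is public only because its route table sends 0.0.0.0/0 to an internet gateway, and private only because that default route goes to a NAT gateway. That has two practical consequences worth checking: a subnet you meant to be private becomes public the moment it is associated with the wrong table, and the NAT gateway only works if the subnet it sits in is itself public. The following is an added example (not code from the original article) that models the two route tables and six associations built above and derives each subnet's real exposure from its routes. The gateway IDs are made-up placeholders and the names are my own.

```python
"""Derive each subnet's exposure from its route table, as configured above.

Added example, not part of the original article. The tables and
associations mirror the tutorial's plan; the igw-/nat- ids are placeholders.
Pure Python, no AWS access required.
"""

# Targets follow the AWS id prefixes: igw- (internet gateway), nat- (NAT
# gateway) and "local" (the VPC's own range). The ids are placeholders.
ROUTE_TABLES = {
    "public-rt":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0123456789abcdef0")],
    "private-rt": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0123456789abcdef0")],
}

# Explicit subnet -> route table associations, as made in the console.
# (A subnet with no explicit association falls back to the VPC's main table,
# which this simplified model does not represent.)
ASSOCIATIONS = {
    "public-1": "public-rt",   "public-2": "public-rt",
    "private-1": "private-rt", "private-2": "private-rt",
    "private-3": "private-rt", "private-4": "private-rt",
}

# What the architecture diagram intends each subnet to be.
INTENDED_TIER = {
    "public-1": "public",   "public-2": "public",
    "private-1": "private", "private-2": "private",
    "private-3": "private", "private-4": "private",
}


def default_route_target(routes):
    """Return the target of the 0.0.0.0/0 route, or None if there is none."""
    for dest, target in routes:
        if dest == "0.0.0.0/0":
            return target
    return None


def classify_subnets(route_tables, associations):
    """Map subnet -> 'public' | 'private' | 'isolated' from its default route.

    public:   0.0.0.0/0 -> internet gateway (reachable from the internet)
    private:  0.0.0.0/0 -> NAT gateway (outbound only)
    isolated: no default route at all (VPC-internal traffic only)
    """
    result = {}
    for subnet, rt_name in associations.items():
        target = default_route_target(route_tables[rt_name]) or ""
        if target.startswith("igw-"):
            result[subnet] = "public"
        elif target.startswith("nat-"):
            result[subnet] = "private"
        else:
            result[subnet] = "isolated"
    return result


def audit_routing(route_tables, associations, intended_tier, nat_gateway_subnet):
    """Return problems: subnets whose real exposure differs from the intent,
    and a NAT gateway placed in a subnet that has no path to an internet gateway."""
    problems = []
    actual = classify_subnets(route_tables, associations)
    for subnet, tier in intended_tier.items():
        got = actual.get(subnet, "unassociated")
        if got != tier:
            problems.append(f"{subnet}: intended {tier}, but its routes make it {got}")
    if actual.get(nat_gateway_subnet) != "public":
        problems.append(
            f"NAT gateway in {nat_gateway_subnet} has no route to an internet gateway and cannot work")
    return problems


if __name__ == "__main__":
    for subnet, tier in sorted(classify_subnets(ROUTE_TABLES, ASSOCIATIONS).items()):
        print(f"{subnet:10s} {tier}")
    print(audit_routing(ROUTE_TABLES, ASSOCIATIONS, INTENDED_TIER, "public-1") or "routing OK")
```

The audit passes for the plan as built. Re-pointing one private subnet at the public table, or placing the NAT gateway in a private subnet, is enough to make it fail, which is the kind of slip that is easy to make in a six-row association dialog.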
Create Security Groups
Next, we will create the security groups needed for the AWS resources. A security group controls the inbound and outbound traffic to and from an AWS resource. To keep the infrastructure secure, allow only the traffic each tier actually needs, and only from sources you trust.
As seen in the infrastructure diagram above, we will need six security groups:
External Load Balancer - should accept HTTP (port 80) and HTTPS (port 443) inbound requests from browsers anywhere on the internet.
- Click on Security Groups on the VPC dashboard
- Click on create security group
- Enter a Name and description, and select the appropriate VPC
- Click on Add rule under Inbound rules
- Add HTTP on port 80 and HTTPS on port 443, with IPv4 Anywhere (0.0.0.0/0) as the source
- Enter a Name tag
- Click create security group
Bastion Server - should allow only SSH (port 22). The bastion server will serve as a jump server into every other instance in the infrastructure for maintenance or troubleshooting. Because it is the one host that accepts SSH from outside the VPC, restrict the source to your administrative IP range wherever you can rather than leaving it open to 0.0.0.0/0.
- Add Name, tag and description as above
- Add an inbound rule for SSH
- Click create security group
Nginx Servers - should accept only inbound traffic from the external load balancer and the bastion server.
- Add Name, tag and description as above
- Add inbound rules for HTTPS and HTTP with the external load balancer security group as the source
- Add an inbound rule for SSH with the bastion security group as the source
Internal Load Balancer - should allow inbound traffic only from the nginx reverse proxy servers.
- Add Name, tag and description as above
- Add inbound rules for HTTPS and HTTP with the Nginx reverse proxy security group as the source
Webservers - should allow inbound traffic from the internal load balancer and the bastion server.
- Add Name, tag and description as above
- Add inbound rules for HTTPS and HTTP with the internal load balancer security group as the source
- Add an inbound rule for SSH with the bastion security group as the source
Data Layer - should allow inbound traffic from the web servers, plus administrative database access from the bastion server.
- Add Name, tag and description as above
- Add an inbound rule for MySQL/Aurora with the bastion security group as the source
- Add an inbound rule for MySQL/Aurora with the webserver security group as the source
- Add an inbound rule for NFS with the webserver security group as the source
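The point of referencing security groups rather than CIDRs as sources is that the six groups form a chain: internet -> external load balancer -> nginx -> internal load balancer -> web servers -> data layer, with the bastion as the only other entry point. The following is an added example (not code from the original article) that writes that design down as data and checks two things before you click it into the console: that nothing except the external load balancer and the bastion accepts traffic from 0.0.0.0/0, and how many hops separate each tier from the internet. Group names are my own; the ports are the standard ones for the rule types the article uses (MySQL/Aurora on 3306, NFS on 2049), and SSH from the bastion to the nginx servers is included because the text requires it even though the click-through list above does not spell it out.

```python
"""Check the six-security-group design above as data.

Added example, not part of the original article. Group names are
illustrative; ports follow the console rule types (HTTP 80, HTTPS 443,
SSH 22, MySQL/Aurora 3306, NFS 2049). Standard library only.
"""
from collections import deque

# (destination group, port, source). A source is either another group in
# this plan or a CIDR. Mirrors the inbound rules described in the article.
INGRESS_RULES = [
    ("ext-alb-sg", 80, "0.0.0.0/0"),
    ("ext-alb-sg", 443, "0.0.0.0/0"),
    ("bastion-sg", 22, "0.0.0.0/0"),      # article allows SSH from anywhere
    ("nginx-sg", 80, "ext-alb-sg"),
    ("nginx-sg", 443, "ext-alb-sg"),
    ("nginx-sg", 22, "bastion-sg"),
    ("int-alb-sg", 80, "nginx-sg"),
    ("int-alb-sg", 443, "nginx-sg"),
    ("web-sg", 80, "int-alb-sg"),
    ("web-sg", 443, "int-alb-sg"),
    ("web-sg", 22, "bastion-sg"),
    ("data-sg", 3306, "bastion-sg"),
    ("data-sg", 3306, "web-sg"),
    ("data-sg", 2049, "web-sg"),
]

# The only groups that are meant to face the internet, and on which ports.
INTERNET_FACING = {"ext-alb-sg": {80, 443}, "bastion-sg": {22}}


def is_cidr(source):
    """A CIDR source contains a prefix length; a group reference does not."""
    return "/" in source


def audit_rules(rules, internet_facing):
    """Return problems: ports open to the whole internet on groups that are not
    supposed to face it, and rules whose source group is not in the plan (a typo
    in the console would silently create a group that matches nothing)."""
    problems = []
    groups = {dst for dst, _port, _src in rules}
    for dst, port, src in rules:
        if is_cidr(src):
            if src == "0.0.0.0/0" and port not in internet_facing.get(dst, set()):
                problems.append(f"{dst}: port {port} open to the whole internet")
        elif src not in groups:
            problems.append(f"{dst}: source group {src!r} is not defined in the plan")
    return problems


def internet_hops(rules):
    """Map group -> minimum number of hops from the internet, via breadth-first
    search over group-sourced rules. Any CIDR-sourced rule counts as hop 1."""
    adjacency = {}
    hops = {}
    queue = deque()
    for dst, _port, src in rules:
        if is_cidr(src):
            if dst not in hops:
                hops[dst] = 1
                queue.append(dst)
        else:
            adjacency.setdefault(src, set()).add(dst)
    while queue:
        current = queue.popleft()
        for nxt in adjacency.get(current, ()):
            if nxt not in hops:
                hops[nxt] = hops[current] + 1
                queue.append(nxt)
    return hops


if __name__ == "__main__":
    print(audit_rules(INGRESS_RULES, INTERNET_FACING) or "rules OK")
    for group, depth in sorted(internet_hops(INGRESS_RULES).items(), key=lambda kv: kv[1]):
        print(f"{group:12s} {depth} hop(s) from the internet")
```

Running the hop count with and without the bastion rules is instructive: along the web path the data layer is five hops from the internet, but through the bastion it is two. The bastion shortcut is what makes the design manageable, and it is also why the bastion's SSH source deserves to be tightened to an admin IP range rather than 0.0.0.0/0.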
Don't worry everything would become clearer as we move on.
Next, we will configure and setup Amazon RDS for database, Amazon EFS for file storage, generate our database encryption key in AWS KMS and generate SSL certificate in AWS Certificate Manager.
As always, I look forward to getting your thoughts on this feature. Please feel free to leave a comment or click on the subscribe button for more updates.