Provisioning and configuring a 3-Tier Architecture VPC in Different Availability Zones in AWS.
Project Overview
The aim of this project is to create a 3-tier architecture VPC comprising one public subnet and two private subnets in each of two Availability Zones in AWS, and to configure it so that its resources can communicate with the internet.
This project is designed to create a 3-tier architecture VPC. The 1st tier is the public subnet, which holds resources such as the NAT Gateway, Bastion Host and Application Load Balancer. The 2nd tier is a private App subnet, which holds the web servers (EC2 Instances), and the 3rd tier is a private Data subnet, which holds the database. We will duplicate these subnets across two Availability Zones within the same region for high availability, fault isolation and fault tolerance.
We will create the gateways and route tables that give the resources in this VPC access to the internet, and configure Security Groups.
VPC
Virtual Private Cloud (VPC) is a virtual network environment that provides users with a flexible, scalable, and secure way to deploy and manage their cloud-based infrastructure and applications within the AWS Cloud.
Procedures to Set Up a VPC
Select the region where you want to create the VPC, e.g. us-east-1.
In the AWS service catalog, search for VPC and select it when it appears.
Click Create VPC in the VPC window.
Give the VPC a name, e.g. Ejim VPC.
Leave the IPv4 CIDR option selected and enter your preferred IPv4 CIDR block; in this case 10.0.0.0/16.
Select No IPv6 CIDR block and leave Tenancy as Default. Then click Create VPC. This creates the VPC.
Now we need to enable DNS hostnames in the VPC. (This is important because it allows instances in the VPC to be assigned fully qualified domain names, among other benefits.)
Click Actions, select Edit DNS hostnames, check Enable and save.
Internet Gateway
The Internet Gateway serves as a gateway or bridge to the internet, enabling communication between the VPC and the internet. It plays a crucial role in providing internet connectivity to resources deployed in the VPC while ensuring high availability, scalability, and security.
Procedures to Set Up an Internet Gateway
On the VPC menu list, select Internet Gateways and click Create internet gateway.
Give a name to the internet gateway, in this case Ejim Internet Gateway. Then click on create internet gateway.
Now we need to attach the Internet Gateway to the VPC we just created to allow the VPC to communicate with the internet. To do this,
Click on Attach to VPC. Under Available VPCs, select the VPC you created. And click Attach internet gateway.
Subnet Layout
Public Subnet: This subnet is connected to the internet through the Internet Gateway, so it can reach resources on the internet and receive inbound traffic from it. It hosts gateway resources such as the NAT Gateway, Bastion Host and Application Load Balancer.
Private Subnet: This subnet communicates within the VPC and has no direct route to the internet. It reaches internet resources only indirectly, through a NAT Gateway in a public subnet. Private subnets improve the security of your environment by keeping workloads unreachable from the internet.
Procedures to Set Up Subnets
Both the public and private subnets will be created in two Availability Zones for fault isolation, fault tolerance and high availability.
Public subnets
Select Subnets from the VPC menu list and click Create subnet.
Under VPC ID, select your VPC. Give the subnet a name, e.g. Public Subnet AZ1, and select your Availability Zone, us-east-1a.
For the IPv4 CIDR, enter 10.0.0.0/24 and then click Create subnet.
Repeat the same steps for Public Subnet AZ2: Availability Zone us-east-1b, IPv4 CIDR 10.0.1.0/24. Click Create subnet.
Next we need to enable the auto-assign-public-IP setting for the two subnets, so that instances created in these subnets can automatically be assigned a public IP.
For each of the subnets, click Actions and select Edit Subnet Settings and Enable the auto-assign public IPv4 settings and click save.
Next, create a Public Route Table
On the VPC menu list, select Route Tables and click Create route table.
Give the Route Table a name, e.g. Public Route Table, select the VPC we created and click Create route table.
Next we need to add a public route to the route table. This route (0.0.0.0/0 to the Internet Gateway) lets the route table send internet-bound traffic to the internet. To do this:
Click on Edit routes
Under destination, type 0.0.0.0/0 and under target, select Internet Gateway. Then select the Internet Gateway we created. Click save.
Now we have to associate the Public Route Table with our Public Subnets.
Select subnet association, then click edit subnet association. Select the two public subnets and click save association.
The Public Subnets are now created and configured.
Private Subnets
On the VPC Menu list, select Subnets and click Create subnet.
Under VPC ID, select your VPC. Give the private subnet a name, e.g. Private App Subnet AZ1, and select your Availability Zone, us-east-1a.
For the IPv4 CIDR, enter 10.0.2.0/24 and then click Create subnet.
Repeat the same steps for Private App Subnet AZ2: Availability Zone us-east-1b, IPv4 CIDR 10.0.3.0/24. Click Create subnet.
Also repeat the private subnet steps to create Private Data Subnet AZ1 and Private Data Subnet AZ2, with CIDRs 10.0.4.0/24 and 10.0.5.0/24 respectively.
Note that the main route table has only the local route by default, and any subnet without an explicit route table association (which at this point includes all the Private Subnets) uses it. This keeps the Private Subnets' traffic within the VPC.
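Before clicking through the console it helps to check the subnet plan offline. The following is an added example (not part of the original page) that uses Python's standard ipaddress module to verify the six /24 subnets above: each lies inside 10.0.0.0/16, none overlap (AWS rejects overlapping subnets in one VPC), and every tier exists in both Availability Zones. The subnet names, CIDRs and AZs are the page's; the broken plan at the bottom is constructed to show what a failure looks like.

```python
"""Offline check of the page's subnet plan (added example, not the page's own code)."""
import ipaddress
from collections import defaultdict

# Constructed to mirror the page's layout: VPC 10.0.0.0/16 and six /24 subnets
# across two Availability Zones. (name, cidr, availability zone, tier)
VPC_CIDR = "10.0.0.0/16"
SUBNETS = [
    ("Public Subnet AZ1",       "10.0.0.0/24", "us-east-1a", "public"),
    ("Public Subnet AZ2",       "10.0.1.0/24", "us-east-1b", "public"),
    ("Private App Subnet AZ1",  "10.0.2.0/24", "us-east-1a", "app"),
    ("Private App Subnet AZ2",  "10.0.3.0/24", "us-east-1b", "app"),
    ("Private Data Subnet AZ1", "10.0.4.0/24", "us-east-1a", "data"),
    ("Private Data Subnet AZ2", "10.0.5.0/24", "us-east-1b", "data"),
]


def validate_layout(vpc_cidr, subnets, required_azs=2):
    """Return a list of problems; an empty list means the plan is consistent.

    Checks: every subnet lies inside the VPC block, no two subnets overlap,
    and every tier is present in the required number of Availability Zones.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    seen = []  # (name, network) of subnets already checked, for the overlap test
    for name, cidr, az, tier in subnets:
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is outside the VPC block {vpc_cidr}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        seen.append((name, net))

    azs_per_tier = defaultdict(set)
    for name, cidr, az, tier in subnets:
        azs_per_tier[tier].add(az)
    for tier, azs in azs_per_tier.items():
        if len(azs) < required_azs:
            problems.append(f"tier '{tier}' is only in {sorted(azs)}; need {required_azs} AZs")
    return problems


def usable_hosts(cidr):
    """Usable addresses in an AWS subnet: AWS reserves the first four and the last."""
    return ipaddress.ip_network(cidr).num_addresses - 5


if __name__ == "__main__":
    print("page plan problems:", validate_layout(VPC_CIDR, SUBNETS))  # []
    print("usable hosts per /24:", usable_hosts("10.0.0.0/24"))      # 251
    # Constructed broken plan: one subnet reuses 10.0.0.0/24, another is outside the VPC
    broken = SUBNETS + [
        ("Stray Subnet", "10.0.0.0/24", "us-east-1a", "app"),
        ("Outside Subnet", "192.168.0.0/24", "us-east-1b", "data"),
    ]
    for problem in validate_layout(VPC_CIDR, broken):
        print("-", problem)
```

The overlap test matters in practice: the console only reports the conflict after you submit each subnet, whereas running the plan through this check first catches a mistyped CIDR for all six at once.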
NAT Gateways
A NAT Gateway (Network Address Translation Gateway) is a gateway that allows outbound communication from the Private Subnets in a VPC to the internet while preventing inbound connections from the internet from reaching the Private Subnets directly. Through the NAT Gateway, the Private Subnets communicate with the internet indirectly without exposing themselves to it. A NAT Gateway is always created in a Public Subnet.
Procedures to Set Up a NAT Gateway
We will create two NAT Gateways, one in each of our Public Subnets, and then create one Private Route Table per Availability Zone. In each Private Route Table we will route traffic from that zone's Private Subnets to the NAT Gateway in the same zone, which then forwards the traffic to the internet through the Internet Gateway.
On the VPC Menu list, select NAT Gateways, and click create NAT Gateway.
Give the NAT Gateway a name, e.g. NAT Gateway AZ1.
Under Subnet, select the Public Subnet we created in AZ1, leave the connectivity type as Public and click Allocate Elastic IP. (This gives the NAT Gateway a dedicated public IP address.)
Then click Create NAT Gateway.
Repeat the same steps to create the 2nd NAT Gateway for the second Availability Zone AZ2.
After this, we need to configure traffic routing by creating a Private Route Table in each Availability Zone and associating that zone's Private Subnets with it.
On the VPC menu list, click Route Tables, then click Create route table.
Give the route table a name, e.g. Private Route Table AZ1, select the VPC we created and click Create route table.
Next we need to add a default route to the route table. This route (0.0.0.0/0 to the NAT Gateway) sends internet-bound traffic from the Private Subnets through the NAT Gateway. To do this:
Click on Edit routes
Under destination, type 0.0.0.0/0 and under target, select the NAT Gateway. Then select the NAT Gateway we created in AZ1 and click save.
Now we have to associate the Private Route Table with the Private Subnets in AZ1.
Select Subnet associations, then click Edit subnet associations. Select the two Private Subnets in AZ1 (Private App Subnet AZ1 and Private Data Subnet AZ1) and click Save associations.
Repeat the steps to configure the Private Route Table in AZ2, using NAT Gateway AZ2 and the two Private Subnets in AZ2.
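The reason for two NAT Gateways and two Private Route Tables is that each zone's private subnets must egress through the NAT Gateway in their own zone; if both private tables point at the AZ1 NAT Gateway, an AZ1 outage also cuts off AZ2. The following is an added example (not the page's own code) that models the route tables and associations described above and audits them for exactly that mistake, plus subnets that were left on the main table with no internet path. The igw-/nat- identifiers are placeholders, not real resource IDs.

```python
"""Offline audit of the page's route-table plan (added example, not the page's own code)."""
import copy

# Constructed model of the page's subnets, NAT Gateways and route tables.
# The igw-/nat- strings are placeholders standing in for real resource IDs.
SUBNET_AZ = {
    "Public Subnet AZ1": "us-east-1a", "Public Subnet AZ2": "us-east-1b",
    "Private App Subnet AZ1": "us-east-1a", "Private App Subnet AZ2": "us-east-1b",
    "Private Data Subnet AZ1": "us-east-1a", "Private Data Subnet AZ2": "us-east-1b",
}
# NAT Gateway placeholder ID -> the Public Subnet it was created in
NAT_GATEWAYS = {"nat-PLACEHOLDER-az1": "Public Subnet AZ1",
                "nat-PLACEHOLDER-az2": "Public Subnet AZ2"}
ROUTE_TABLES = {
    # The main table has only the local route; unassociated subnets fall back to it.
    "main": {"routes": {"10.0.0.0/16": "local"}, "subnets": []},
    "Public Route Table": {
        "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-PLACEHOLDER"},
        "subnets": ["Public Subnet AZ1", "Public Subnet AZ2"]},
    "Private Route Table AZ1": {
        "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-PLACEHOLDER-az1"},
        "subnets": ["Private App Subnet AZ1", "Private Data Subnet AZ1"]},
    "Private Route Table AZ2": {
        "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-PLACEHOLDER-az2"},
        "subnets": ["Private App Subnet AZ2", "Private Data Subnet AZ2"]},
}


def route_table_for(subnet, tables):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    for name, table in tables.items():
        if subnet in table["subnets"]:
            return name
    return "main"


def default_target(subnet, tables):
    """Target of the subnet's 0.0.0.0/0 route, or None when there is no internet path."""
    return tables[route_table_for(subnet, tables)]["routes"].get("0.0.0.0/0")


def classify(subnet, tables):
    """'public' (default route to an Internet Gateway), 'private' (to a NAT Gateway) or 'isolated'."""
    target = default_target(subnet, tables)
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


def audit(subnet_az, nat_gateways, tables):
    """Findings: a private subnet egressing through a NAT Gateway in another AZ
    (which defeats the per-AZ fault isolation), or a subnet with no internet path."""
    findings = []
    for subnet, az in subnet_az.items():
        kind = classify(subnet, tables)
        if kind == "private":
            nat_az = subnet_az[nat_gateways[default_target(subnet, tables)]]
            if nat_az != az:
                findings.append(f"{subnet} ({az}) egresses via a NAT Gateway in {nat_az}")
        elif kind == "isolated":
            findings.append(f"{subnet} has no 0.0.0.0/0 route (uses '{route_table_for(subnet, tables)}')")
    return findings


def with_default_route(tables, table_name, target):
    """Copy of `tables` with one table's 0.0.0.0/0 route repointed (None removes it)."""
    changed = copy.deepcopy(tables)
    if target is None:
        changed[table_name]["routes"].pop("0.0.0.0/0", None)
    else:
        changed[table_name]["routes"]["0.0.0.0/0"] = target
    return changed


if __name__ == "__main__":
    for subnet in SUBNET_AZ:
        print(f"{subnet:26s} {classify(subnet, ROUTE_TABLES)}")
    print("findings:", audit(SUBNET_AZ, NAT_GATEWAYS, ROUTE_TABLES))  # []
    # What-if: both private tables point at the AZ1 NAT Gateway
    cross_az = with_default_route(ROUTE_TABLES, "Private Route Table AZ2", "nat-PLACEHOLDER-az1")
    print("cross-AZ findings:", audit(SUBNET_AZ, NAT_GATEWAYS, cross_az))
```

The same audit logic applies to a real account if the dictionaries are filled from describe-route-tables and describe-nat-gateways output; the only page-specific parts are the names and the placeholder IDs.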
Security Groups Configuration
Security Groups control inbound and outbound traffic to the resources in the VPC. They act as a first line of defense, letting you specify rules that dictate which traffic is allowed. Configuring a security group means setting up rules based on protocols, ports and sources (IP address ranges or other security groups). Carefully configuring security groups is essential to the security of our VPC.
For this project, we will set up three different Security Groups:
Application Load Balancer - to allow traffic from the internet on port 80 and 443.
SSH - to allow traffic from the internet on port 22. This is mainly for connection to our Bastion Host.
Web Server - to allow traffic from the Application Load Balancer security group on ports 80 and 443 and from the SSH security group on port 22.
Procedures to Set Up Security Groups
Application Load Balancer Security Group
On the VPC Menu list, select Security Groups and click Create security group.
Give the security group a name and description, e.g. Application Load Balancer SG.
Select the VPC to create our security group in. Under Inbound rules, click Add rule.
Select HTTP to add a rule for port 80, and set the source CIDR to 0.0.0.0/0.
Select HTTPS to add a rule for port 443, and set the source CIDR to 0.0.0.0/0.
Click on create security group.
SSH Security Group
On the VPC Menu list, select Security Groups and click Create security group.
Give the security group a name and description, e.g. SSH SG.
Select the VPC to create our security group in. Under Inbound rules, click Add rule.
Select SSH to add a rule for port 22, and set the source CIDR to 0.0.0.0/0.
Click on create security group.
Web Server Security Group
On the VPC Menu list, select Security Groups and click Create security group.
Give the security group a name and description, e.g. Web Server SG.
Select the VPC to create our security group in. Under Inbound rules, click Add rule.
Select SSH to add a rule for port 22, and set the source to SSH SG.
Select HTTP to add a rule for port 80, and set the source to Application Load Balancer SG.
Select HTTPS to add a rule for port 443, and set the source to Application Load Balancer SG.
Click on create security group.
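The point of referencing the Application Load Balancer SG and the SSH SG as sources, rather than CIDRs, is that the web servers accept HTTP/HTTPS only from members of the load balancer's group and SSH only from members of the bastion's group, so nothing on the internet can reach them directly even though they answer on ports 80, 443 and 22. The following is an added example (not the page's own code) that models the three groups above as data and evaluates the rules the way a security group does: default-deny inbound, CIDR sources matched by address, security-group sources matched by membership. It also reports the one rule a reviewer would flag in this design, SSH SG accepting port 22 from 0.0.0.0/0, and shows the effect of narrowing that source; the 203.0.113.5 and 198.51.100.0/24 values are constructed documentation-range addresses.

```python
"""Offline model of the page's three Security Groups (added example, not the page's own code)."""
import ipaddress

# Constructed from the page's rules: (protocol, port, source). A source is either a CIDR
# or the name of another security group; AWS matches the latter by group membership.
SECURITY_GROUPS = {
    "Application Load Balancer SG": [("tcp", 80, "0.0.0.0/0"), ("tcp", 443, "0.0.0.0/0")],
    "SSH SG": [("tcp", 22, "0.0.0.0/0")],
    "Web Server SG": [
        ("tcp", 22, "SSH SG"),
        ("tcp", 80, "Application Load Balancer SG"),
        ("tcp", 443, "Application Load Balancer SG"),
    ],
}


def _is_cidr(source):
    return "/" in source


def allows(groups, sg, proto, port, source_ip=None, source_sg=None):
    """True if `sg` permits inbound proto/port from the given source.
    Security groups are default-deny inbound, so only an explicit matching rule allows."""
    for rule_proto, rule_port, rule_source in groups[sg]:
        if rule_proto != proto or rule_port != port:
            continue
        if _is_cidr(rule_source):
            if source_ip is not None and \
                    ipaddress.ip_address(source_ip) in ipaddress.ip_network(rule_source):
                return True
        elif rule_source == source_sg:  # matched by membership, whatever the member's IP
            return True
    return False


def internet_exposed_ports(groups, sg):
    """Ports on `sg` that any address on the internet may reach (a /0 source)."""
    return sorted({port for _, port, src in groups[sg]
                   if _is_cidr(src) and ipaddress.ip_network(src).prefixlen == 0})


def review(groups):
    """Findings: administrative port 22 reachable from the whole internet."""
    return [f"{sg}: port 22 open to 0.0.0.0/0; restrict the source to your admin IP range"
            for sg in groups if 22 in internet_exposed_ports(groups, sg)]


def with_source(groups, sg, port, new_source):
    """Copy of `groups` with the source of one rule replaced (for what-if checks)."""
    changed = {name: list(rules) for name, rules in groups.items()}
    changed[sg] = [(p, pt, new_source if pt == port else src) for p, pt, src in changed[sg]]
    return changed


if __name__ == "__main__":
    internet = "203.0.113.5"  # constructed address standing in for any internet host
    print("ALB :443 from internet ->", allows(SECURITY_GROUPS, "Application Load Balancer SG", "tcp", 443, source_ip=internet))
    print("Web :80  from internet ->", allows(SECURITY_GROUPS, "Web Server SG", "tcp", 80, source_ip=internet))
    print("Web :80  from ALB SG   ->", allows(SECURITY_GROUPS, "Web Server SG", "tcp", 80, source_sg="Application Load Balancer SG"))
    print("Web :22  from SSH SG   ->", allows(SECURITY_GROUPS, "Web Server SG", "tcp", 22, source_sg="SSH SG"))
    print("findings:", review(SECURITY_GROUPS))
    hardened = with_source(SECURITY_GROUPS, "SSH SG", 22, "198.51.100.0/24")  # constructed admin range
    print("findings after restricting SSH:", review(hardened))
```

Running it shows the web tier exposing no port to the internet, the load balancer exposing only 80 and 443, and a single finding for the SSH SG that disappears once its source is the administrators' range instead of 0.0.0.0/0.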
A 3-Tier architecture VPC in two Availability zones has successfully been created and configured, ensuring high availability, fault isolation, fault tolerance and security.