Available & Scalable AWS 3-Tier Architecture

Donald Kish
AWS in Plain English
13 min read · Mar 18, 2023


Howdy Friends! Thank you so much for joining me today as we go into detail on how to build an AWS three-tier architecture. Much like cake, AWS only becomes more fun as you add on more tiers. Today we are baking a three-tier architecture that consists of a web tier, an application tier, and a database tier. This architecture is modular, since each tier can scale independently, and it keeps customers from communicating directly with the database: each tier sits behind its own security group that only admits traffic from the tier in front of it. As we build each tier out we will discuss what they do and how they contribute. Before we get baking, let’s take a look at our architecture.

Key Terms:

VPC (virtual private cloud): a logically isolated virtual network in your AWS account. You choose its IP address range and then carve it into subnets with their own route tables and gateways.

Subnet: A range of IP addresses inside the VPC to which you attach resources, such as EC2 instances. Each subnet lives in one Availability Zone, which is why every tier below gets two of them.

Internet Gateway: A VPC component that allows communication between your VPC and the internet.

NAT Gateway: An AWS service that allows instances in a private subnet to connect to services outside our VPC but does not allow external services to initiate a connection.

Our Ingredients list:

AWS account

Command Line Interface

Our Order:

Make sure you can access the web tier web page from the internet.

From the web tier, verify that you can ping the application tier by running the ping command from an EC2 instance in the web tier.

Additional Requirements:

Web Tier

2 public subnets

Minimum of 2 EC2 instances with an OS of your choice (free tier) in an Auto Scaling Group.

EC2 Web Server Security Group allows inbound HTTP traffic from the internet.

Bootstrap a static web page or create a custom AMI that already includes the static web page.

Create a public route table and associate the 2 public subnets.

Application Tier

2 private subnets

Minimum of 2 EC2 instances with an OS of your choice (free tier) in an Auto Scaling Group.

EC2 Application Server Security Group allows inbound permission from the Web Server Security Group.

Associate with a private route table.
Note: This is not a true application tier as we don’t have any provided code to run on the EC2 instances.

Database Tier

Use a Free Tier MySQL RDS database.

The Database Security Group should allow inbound MySQL traffic (TCP 3306) only from the Application Server Security Group.

Our Recipe

Step One: Creating a VPC

Let’s start off by preparing our base. The first thing we need to do is create our VPC (virtual private cloud). To do this we will navigate to the VPC services and click Create VPC.

For our VPC settings, we will select VPC only, add a name tag, select IPv4 CIDR manual input, enter the IPv4 CIDR (for example 10.0.0.0/16, which leaves plenty of room for six /24 subnets), leave Tenancy as Default, then click Create VPC.

Next, we will go to the Actions drop-down menu on our VPC homepage and select edit VPC settings. Click the checkmark box for Enable DNS hostnames and click save.

Note: The DNS hostnames attribute determines whether instances launched in the VPC receive public DNS hostnames that correspond to their public IP addresses.

Step Two: Creating the Subnets

To meet our requirements, we need two public subnets for our web tier, two private subnets for our application tier, and two private subnets for our database tier, with each pair split across two Availability Zones. To get started on this we will head to the Virtual Private Cloud dropdown menu and select Subnets; on our subnet page we will click Create subnet. Let’s make sure to select the VPC we created.

Once the VPC ID is selected we will enter our subnet settings as shown below.

We will need to repeat this step five additional times and edit the settings as needed for our application and database subnets. If there is a faster method feel free to comment below!

Before continuing, enable auto-assign public IPv4 addresses on the two public web subnets only. To do this, select a subnet > Actions > Edit subnet settings > select Enable auto-assign public IPv4 address > Save. Leave this off on the four private subnets: instances there should never carry a public address and are reached only through the web tier.

Don’t forget to save!

Congratulations, with our subnets created we may move on to step three!

Step Three: Internet Gateway

To create our internet gateway we will navigate to the Virtual Private Cloud dropdown menu on the left-hand side and click Internet Gateways. Once on the internet gateway dashboard, we will click Create Internet Gateway.

Once created we will go to the actions dropdown menu and click Attach to VPC and select our VPC from the dropdown menu.

This is an extremely important step

Step Four: Create a NAT Gateway

To create our NAT gateway we will return to the Virtual Private Cloud drop-down menu, select NAT Gateways, then select Create NAT Gateway. Under NAT Gateway Settings we will name our NAT gateway, select one of our public web subnets from the dropdown menu, set Connectivity type to Public, and allocate an Elastic IP address. A private NAT gateway cannot reach the internet, and reaching the internet is the whole point here: the application tier needs outbound access for package updates without being reachable inbound.

Up and Running!

Look at us moving through this!

Step Five: Create a Route Table

We will return back to our Virtual Private Cloud dropdown menu and select Route Tables then click Create Route Table in the top right. Enter the name and make sure to attach the Three Tier VPC.

Everything must be linked back to our VPC

We will now edit the subnet associations by clicking Subnet Associations, edit subnet associations.

We will select our two public web subnets from the list of available subnets and then click Save Associations.

Now let’s add the internet gateway as the target in the Three Tier Public Route Table. Select Routes > Edit routes > Add route > Destination 0.0.0.0/0 > Target: Internet Gateway (pick ours) > Save changes. Only subnets associated with this table can exchange traffic directly with the internet.

We still have four subnets that need to be associated so we will create an additional routing table. This is similar to the previous step, but we will make sure to select the subnets that are meant to be private.

After saving the associations, edit the routes of this private route table and add a route for 0.0.0.0/0 with the NAT gateway as the target. Instances in the private subnets can now reach the internet outbound (for example to run yum update) while nothing on the internet can open a connection to them.

Excellent work! We can now take a breather before starting on the WebTier!
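Steps One to Five as one script, added here as an example (it is not code from the original article). It assumes a 10.0.0.0/16 VPC CIDR and the us-east-1a/us-east-1b Availability Zones, since the article does not show the values it used; the planning and checking functions run offline, while build_network() calls boto3 and needs AWS credentials with EC2 permissions.

```python
"""Network layout for Steps One to Five: one VPC, six subnets, IGW, NAT, two route tables.

Added example, not code from the original article. The 10.0.0.0/16 CIDR and the
two Availability Zones are assumptions; build_network() needs AWS credentials.
"""
import ipaddress

TIERS = ("web", "app", "db")   # web is public, app and db are private


def plan_subnets(vpc_cidr="10.0.0.0/16", azs=("us-east-1a", "us-east-1b"), new_prefix=24):
    """Carve the VPC range into one subnet per (tier, AZ) pair, in a stable order."""
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    return [{"tier": tier, "az": az, "cidr": str(next(blocks)), "public": tier == "web"}
            for tier in TIERS for az in azs]


def check_plan(plan, vpc_cidr="10.0.0.0/16"):
    """Checks to run before creating anything; raises AssertionError on a bad plan."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(s["cidr"]) for s in plan]
    assert all(n.subnet_of(vpc) for n in nets), "subnet outside the VPC range"
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            assert not a.overlaps(b), f"overlapping subnets: {a} and {b}"
    # Only the web tier may hand out public IPv4 addresses at launch.
    assert all(s["public"] == (s["tier"] == "web") for s in plan), "private tier marked public"
    return True


def default_route_target(subnet):
    """Public subnets reach the internet through the IGW, private ones through the NAT gateway."""
    return "igw" if subnet["public"] else "nat"


def build_network(plan, vpc_cidr="10.0.0.0/16", region="us-east-1"):
    """Create the resources with boto3, mirroring the console clicks. Returns the IDs."""
    import boto3  # imported here so the offline functions above never need it
    ec2 = boto3.client("ec2", region_name=region)
    vpc_id = ec2.create_vpc(CidrBlock=vpc_cidr)["Vpc"]["VpcId"]
    ec2.modify_vpc_attribute(VpcId=vpc_id, EnableDnsHostnames={"Value": True})

    subnet_ids = {}
    for s in plan:
        sid = ec2.create_subnet(VpcId=vpc_id, CidrBlock=s["cidr"],
                                AvailabilityZone=s["az"])["Subnet"]["SubnetId"]
        # Auto-assign public IPv4 only where the plan says the subnet is public.
        ec2.modify_subnet_attribute(SubnetId=sid, MapPublicIpOnLaunch={"Value": s["public"]})
        subnet_ids[(s["tier"], s["az"])] = sid

    igw_id = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)

    # A *public* NAT gateway with an Elastic IP, placed in a public (web) subnet.
    eip = ec2.allocate_address(Domain="vpc")["AllocationId"]
    web_subnet = next(sid for (tier, _), sid in subnet_ids.items() if tier == "web")
    nat_id = ec2.create_nat_gateway(SubnetId=web_subnet, AllocationId=eip,
                                    ConnectivityType="public")["NatGateway"]["NatGatewayId"]
    ec2.get_waiter("nat_gateway_available").wait(NatGatewayIds=[nat_id])

    route_tables = {}
    for name, target in (("igw", {"GatewayId": igw_id}), ("nat", {"NatGatewayId": nat_id})):
        rt_id = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
        ec2.create_route(RouteTableId=rt_id, DestinationCidrBlock="0.0.0.0/0", **target)
        route_tables[name] = rt_id
    for s in plan:
        ec2.associate_route_table(RouteTableId=route_tables[default_route_target(s)],
                                  SubnetId=subnet_ids[(s["tier"], s["az"])])
    return {"vpc": vpc_id, "subnets": subnet_ids, "igw": igw_id,
            "nat": nat_id, "route_tables": route_tables}


if __name__ == "__main__":
    plan = plan_subnets()
    check_plan(plan)
    for s in plan:
        print(f"{s['tier']:<4}{s['az']:<14}{s['cidr']:<14}-> {default_route_target(s)}")
```

The plan hands the first two /24s to the web tier, the next two to the application tier and the last two to the database tier, one per Availability Zone. Run check_plan() before build_network(), and keep the returned IDs: the NAT gateway is billed hourly, so delete it (and release the Elastic IP) when the cake is eaten.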

Step Six: Creating a Launch Template

Alright, friends! We are going to start on the top tier of our cake, the web tier. This is the public-facing side of our architecture which handles the user interface and interaction between clients and the business. We will start on our web tier by creating a launch template.

To create our launch template we will navigate to the EC2 Dashboard > Instances > Launch Templates > Create Launch Template.

Enter a name for the launch template, and template version description, and check Auto Scaling Guidance.

Under Application and OS Images select Quick Start > Amazon Linux > select any Free Tier eligible AMI.

For Instance Type, we will select t2.micro (Free Tier eligible).

For Key Pair Login, I will be recycling an old Key Pair. If you do not have a key pair you can select “Create new key pair” and store it for later use.

Under Network Settings we will be creating our security group. We will select Create Security Group, Name our Security Group, and select our VPC.

Under Inbound Security Group Rules, we will create two rules. The first allows HTTP (TCP 80) from anywhere (0.0.0.0/0); that is what makes the web page public. The second allows SSH (TCP 22); set its source to My IP rather than 0.0.0.0/0, so the only thing the whole internet can reach is the web page, not the login port.

Under Advanced Network Configuration we will need to change Auto-Assign Public IP Info to enabled.

Under Advanced Details > User Data we will enter our Bash script. It updates the OS, installs, enables, and starts Apache, and writes a static page. User data runs as root at first boot, so no sudo prefix is needed. Once complete we can click Create launch template!

#!/bin/bash
# Update the operating system
yum update -y
# Install, enable, and start the Apache web server
yum install -y httpd
systemctl enable httpd
systemctl start httpd
# Write the static page (change the text to customize the webpage)
echo "<html><body><h1>Is it time for cake yet?</h1></body></html>" > /var/www/html/index.html

Step Seven: Creating an Auto Scaling Group

Next, let’s create an auto-scaling group for our template. To initiate this we will click View Template, select our template from the list of Launch Templates, navigate to Launch Template Version Details, select Actions, and Create Auto Scaling Group.

Let’s go ahead and enter a name for our auto-scaling group. Under Launch Template, check that our Three Tier Template is selected. The remaining options can remain the default, click next.

For Network we will need to change the VPC to our Three Tier VPC and select our public subnets from the drop-down menu then click Next.

Under Load Balancing, we will need to select Attach to a new load balancer, Application Load Balancer, and select Internet Facing.

Under Listeners and Routing, we will select Create A Target Group then click Next.

For Group Size we will change the Desired Capacity to Two, Minimum Capacity to Two, and Maximum Capacity to Four then click Next.

We do not need to add notifications so we can click Next. Nor do we need to add Tags. After carefully reviewing all settings, we can click Create Auto Scaling Group! But let’s make sure our instances are up and running. To do this we can click EC2, navigate to one of our instances, and paste its public IPv4 address into the browser’s address bar (http://<public-ip>). The load balancer’s DNS name, shown under Load Balancers, should return the same page, and that is the address customers would actually use.

Excellent work friends!
Time to start on our middle tier!

Step Eight: Creating Our Application Tier

We have reached the middle tier of our cake architecture, the application tier! The application tier is often called the logic tier and is where all our collected data is processed. To create our application tier we will need to create another launch template. To do this we will return to the Launch Template menu > Create Launch Template and name our Launch Template. Remember we want to be able to tell the difference between them. Let’s check the Auto Scaling Guidance box again.

For the template contents we will navigate to Quick Start > Amazon Linux > Free Tier AMI, Instance Type > t2.micro (Free Tier eligible), Key Pair Login > select your key pair.

Under Network Settings we will need to create our security group. Under Subnet leave the default “Don’t include in launch template”. Firewall Security > Create Security Group, Security Group Name > ThreeTierPrivateSecurityGroup, Description > Allow SSH and ping from the web tier security group, then select our VPC.

Under Inbound Security Group Rules we will create a rule to allow SSH traffic and change its source from a CIDR to the web server security group created in Step Six (select it from the source dropdown). A rule for SSH alone does not permit ICMP, so to satisfy the ping check at the end add a second rule of type All ICMP - IPv4 (or Custom ICMP - Echo Request) with the same web server security group as its source. Under Advanced Network Configuration leave Auto-assign public IP disabled: application instances live in the private subnets and must not carry a public address.

Getting déjà vu?

With those items configured, we can click Create Launch Template. With the template created, we can click View Launch Templates and create our Auto Scaling group. Similar to before we will select the launch template ID, navigate to Actions, and Create an Auto Scaling Group.

Let's create a new name for our Auto Scaling Group then check that our application template is selected, then click Next.

From Network we will select our VPC and select our Application Availability Zones then click next.

Under Configure advanced options we will select “Attach to a new load balancer” > Application Load Balancer > enter a load balancer name > Internal. The application tier is only ever called by the web tier, so its load balancer should not be internet-facing (an internet-facing ALB also requires public subnets, which this tier does not use).

Under Listeners and Routing, we will select Create A Target Group, then click next.

We will update our group size to two for Desired Capacity, two for Minimum Capacity, and four for Maximum Capacity then click Next until we reach Review.

Once we have reviewed our settings, we can click Create Auto Scaling Group. We can now see both our Auto Scaling Groups!

We can also see that our instances are running.
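Steps Six to Eight as code, added here as an example that is not part of the original article. The AMI, key pair, security group, subnet and target-group identifiers are placeholders supplied by the caller; the functions that build the request parameters run offline, and only build_tier() calls boto3 and needs AWS credentials. The web tier gets a public IP and an internet-facing load balancer, the application tier gets neither.

```python
"""Launch templates, ALBs and Auto Scaling groups for the web and application tiers.

Added example, not the article's own code. AMI, key pair, security group, subnet and
target-group identifiers are placeholders supplied by the caller; build_tier() needs
AWS credentials, everything else runs offline.
"""
import base64

# Same bootstrap as the article's user data; user data runs as root, so no sudo is needed.
WEB_USER_DATA = """#!/bin/bash
yum update -y
yum install -y httpd
systemctl enable --now httpd
echo "<html><body><h1>Is it time for cake yet?</h1></body></html>" > /var/www/html/index.html
"""


def launch_template_data(ami_id, instance_type, key_name, sg_id, public_ip, user_data=""):
    """LaunchTemplateData for ec2.create_launch_template().

    public_ip is True for the web tier only; the application tier keeps
    AssociatePublicIpAddress off so its instances never get an internet address.
    """
    data = {
        "ImageId": ami_id,
        "InstanceType": instance_type,
        "KeyName": key_name,
        # With AssociatePublicIpAddress set, the security group goes on the
        # primary network interface instead of a top-level SecurityGroupIds list.
        "NetworkInterfaces": [{"DeviceIndex": 0, "AssociatePublicIpAddress": public_ip,
                               "Groups": [sg_id]}],
    }
    if user_data:
        data["UserData"] = base64.b64encode(user_data.encode()).decode()  # API wants base64
    return data


def user_data_of(lt_data):
    """Decode the UserData field back to the script (empty string if none)."""
    return base64.b64decode(lt_data.get("UserData", "")).decode()


def load_balancer_params(name, tier, subnet_ids, sg_id):
    """Arguments for elbv2.create_load_balancer(): only the web tier's ALB faces the internet."""
    return {"Name": name, "Type": "application", "Subnets": list(subnet_ids),
            "SecurityGroups": [sg_id],
            "Scheme": "internet-facing" if tier == "web" else "internal"}


def asg_params(name, lt_id, subnet_ids, target_group_arn=None, desired=2, minimum=2, maximum=4):
    """Arguments for autoscaling.create_auto_scaling_group() with the article's 2/2/4 sizing."""
    params = {
        "AutoScalingGroupName": name,
        "LaunchTemplate": {"LaunchTemplateId": lt_id, "Version": "$Latest"},
        "MinSize": minimum, "MaxSize": maximum, "DesiredCapacity": desired,
        "VPCZoneIdentifier": ",".join(subnet_ids),  # one subnet per AZ, so two AZs
        "HealthCheckType": "ELB" if target_group_arn else "EC2",
        "HealthCheckGracePeriod": 120,  # give yum update and httpd time to come up
    }
    if target_group_arn:
        params["TargetGroupARNs"] = [target_group_arn]
    return params


def build_tier(tier, lt_data, lb, asg, vpc_id, region="us-east-1"):
    """Create launch template, ALB, target group, listener and ASG for one tier."""
    import boto3  # imported here so the offline functions above never need it
    ec2 = boto3.client("ec2", region_name=region)
    elbv2 = boto3.client("elbv2", region_name=region)
    autoscaling = boto3.client("autoscaling", region_name=region)
    lt = ec2.create_launch_template(LaunchTemplateName=f"three-tier-{tier}",
                                    LaunchTemplateData=lt_data)["LaunchTemplate"]
    alb = elbv2.create_load_balancer(**lb)["LoadBalancers"][0]
    tg = elbv2.create_target_group(Name=f"three-tier-{tier}-tg", Protocol="HTTP", Port=80,
                                   VpcId=vpc_id, TargetType="instance")["TargetGroups"][0]
    elbv2.create_listener(LoadBalancerArn=alb["LoadBalancerArn"], Protocol="HTTP", Port=80,
                          DefaultActions=[{"Type": "forward", "TargetGroupArn": tg["TargetGroupArn"]}])
    asg = dict(asg, LaunchTemplate={"LaunchTemplateId": lt["LaunchTemplateId"], "Version": "$Latest"},
               TargetGroupARNs=[tg["TargetGroupArn"]], HealthCheckType="ELB")
    autoscaling.create_auto_scaling_group(**asg)
    return lt["LaunchTemplateId"], alb["DNSName"]
```

For the web tier call build_tier("web", launch_template_data(ami, "t2.micro", key, web_sg, True, WEB_USER_DATA), load_balancer_params("web-alb", "web", public_subnets, web_sg), asg_params("web-asg", "", public_subnets), vpc_id); for the application tier pass public_ip=False, tier="app" and the private subnets, and the returned DNS name is only resolvable and reachable from inside the VPC.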

We are now entering the last leg of our race! Creating our Database.

Step Nine: Creating Our Database Tier

The Database Tier is the final tier of our cake. This is the back-end tier where information processed by the application tier is stored and managed. To create our database, we will navigate to RDS (Relational Database Service) under Services and click Create Database.

We will Select Standard Create > MySQL > Free Tier.

Under Settings, we will update the DB instance identifier and set a master password. Use a long random password (or let RDS manage it in AWS Secrets Manager); it is the only credential standing between the application tier and the data.

Under Connectivity, we will select our VPC from the dropdown and leave Public access set to No. Underneath that we will update the VPC security group by clicking Create new. Let’s enter a name for our security group; the remaining items can be left as default. We can now create our database!

Once the database is available, we will need to edit our security group rules. Let’s navigate back to the EC2 Instance Dashboard > Network & Security > Security Groups and select our Three Tier Database Security Group. After selecting the security group click the actions drop-down menu and select edit inbound rules.

We are going to replace the current rule by deleting it and adding a new rule: change the type to MYSQL/Aurora (TCP 3306), keep the source as Custom, search for the application server security group (ThreeTierPrivateSecurityGroup from Step Eight), and click Save rules. The source must be the application tier’s group, not the database group itself; that is what stops the web tier and the internet from talking to the database directly.
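The whole security-group chain from Steps Six, Eight and Nine in one place, added here as an example that is not part of the original article. The security group IDs and the admin CIDR are placeholders; the rule-building and checking functions run offline, and only apply_rules() calls boto3 and needs AWS credentials. chain_violations() is the check a reviewer would run against the rules before applying them, and it catches the slip of sourcing the database rule from the wrong group.

```python
"""Security-group chain for the three tiers: internet -> web -> app -> db.

Added example, not the article's own code. Group IDs and the admin CIDR are
placeholders; apply_rules() needs AWS credentials, the rest runs offline.
"""

ANY = "0.0.0.0/0"


def from_cidr(proto, port, cidr, desc):
    """One inbound rule in the IpPermissions shape ec2.authorize_security_group_ingress() takes."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": desc}]}


def from_sg(proto, port, src_sg, desc, to_port=None):
    """Inbound rule whose source is another security group rather than an address range."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port if to_port is None else to_port,
            "UserIdGroupPairs": [{"GroupId": src_sg, "Description": desc}]}


def three_tier_rules(web_sg, app_sg, db_sg, admin_cidr):
    """Inbound rules per tier. Each tier only admits the tier in front of it."""
    return {
        web_sg: [
            from_cidr("tcp", 80, ANY, "HTTP from the internet (via the ALB)"),
            from_cidr("tcp", 22, admin_cidr, "SSH from the admin address only"),
        ],
        app_sg: [
            from_sg("tcp", 22, web_sg, "SSH from the web tier"),
            # ICMP Echo Request (type 8, any code) so the article's ping check passes.
            from_sg("icmp", 8, web_sg, "ping from the web tier", to_port=-1),
        ],
        db_sg: [
            from_sg("tcp", 3306, app_sg, "MySQL from the application tier only"),
        ],
    }


def _sources(rule):
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])])


def chain_violations(rules, web_sg, app_sg, db_sg):
    """Return a list of problems: anything that lets traffic skip a tier."""
    problems = []
    for rule in rules.get(app_sg, []):
        for src in _sources(rule):
            if src != web_sg:
                problems.append(f"app tier admits {src}; only {web_sg} expected")
    for rule in rules.get(db_sg, []):
        for src in _sources(rule):
            if src != app_sg:
                problems.append(f"db tier admits {src}; only {app_sg} expected")
        if (rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")) != ("tcp", 3306, 3306):
            problems.append("db tier should only open MySQL (tcp/3306)")
    for rule in rules.get(web_sg, []):
        if rule.get("FromPort") == 22 and ANY in _sources(rule):
            problems.append("SSH on the web tier is open to the internet; restrict it to an admin CIDR")
    return problems


def apply_rules(rules, region="us-east-1"):
    """Authorize every rule in its group; refuses to apply a chain with violations."""
    import boto3  # imported here so the offline functions above never need it
    ec2 = boto3.client("ec2", region_name=region)
    for sg_id, perms in rules.items():
        ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=perms)


if __name__ == "__main__":
    # Placeholder IDs; replace with the groups created in Steps Six, Eight and Nine.
    rules = three_tier_rules("sg-web", "sg-app", "sg-db", "203.0.113.7/32")
    problems = chain_violations(rules, "sg-web", "sg-app", "sg-db")
    print("chain OK" if not problems else "\n".join(problems))
```

Read the rule sets top to bottom and you have the article's architecture in one screen: the only address range in the whole chain is 0.0.0.0/0 on port 80, and everything behind it is expressed as "from that group", so adding instances to a tier never requires touching the next tier's rules.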

We have finished building our tiers! But now we need to make sure they are functioning properly and communicating. We will navigate back to the EC2 Dashboard, select an instance in a public subnet, and paste its public IP address into a browser.

Our Public IP is working! But we need to make sure our Application Tier is functioning too. We will need to select one of our public instances from our drop-down menu and click Connect.

Navigate to SSH Client.

We will now open up a command line and ssh into the instance (ssh -i <your-key.pem> ec2-user@<public-ip>). Once in the instance, we will ping the private IPv4 address of one of our application-tier instances using the ping command.

If the ping is successful it will return a response similar to below. This means our tiers are able to communicate which also means we have completed our three-tier cake!

Awesome job! After all this hard work you definitely deserve a cake break! Drop a comment if you would like to see a specific demonstration!


BS Cybersecurity | DevOps | Linux | AWS | Python | Docker | Terraform | LevelUpInTech