Creation of a Highly Available 3 Tier Architecture

Imaze Enabulele
AWS in Plain English
10 min read · Aug 9, 2022


Scenario
You have been asked to design and create a highly available 3 Tier architecture for your company’s new web application.

Web Tier

  1. 2 public subnets
  2. Minimum of 2 EC2 instances with an OS of your choice (free tier) in an Auto Scaling Group.
  3. EC2 Web Server Security Group allowing inbound permission from the internet.
  4. Boot strap static web page or create a custom AMI that already includes the static web page.
  5. Create a public route table and associate the 2 public subnets.

Application Tier

  1. 2 private subnets
  2. Minimum of 2 EC2 instances with an OS of your choice (free tier) in an Auto Scaling Group.
  3. EC2 Application Server Security Group allowing inbound permission from the Web Server Security Group.
  4. Associate with private route table.
    Note: This is not a true application tier as we don’t have any provided code to run on the EC2 instances.

Database Tier

  1. Use a free tier MySQL RDS database.
  2. The Database Security Group should allow inbound traffic for MySQL from the Application Server Security Group.
  3. 2 private subnets.
  4. Associate with private route table.
    Note: No need to use Multi-AZ, but be sure to document how you would add it.

3 TIER ARCHITECTURE

The 3 Tier Architecture is comprised of three (3) distinct layers. A user accesses an application through the presentation layer (web server), which interacts with the application layer (backend), which in turn saves and retrieves information from the database.

Presentation tier: This tier, which is built with HTML5, cascading style sheets (CSS) and JavaScript, is deployed to a computing device through a web browser or a web-based application. The presentation tier communicates with the other tiers through application program interface (API) calls.

Application tier: The application tier, which may also be referred to as the logic tier, is written in a programming language such as Java and contains the business logic that supports the application’s core functions. The underlying application tier can either be hosted on distributed servers in the cloud or on a dedicated in-house server, depending on how much processing power the application requires.

Data tier: The data tier consists of a database and a program for managing read and write access to that database. This tier may also be referred to as the storage tier and can be hosted on-premises or in the cloud. Popular database systems for managing read/write access include MySQL, PostgreSQL, Microsoft SQL Server and MongoDB.

The multi-tier architecture pattern provides a general framework to ensure decoupled and independently scalable application components can be separately developed, managed, and maintained.


This project covers quite a lot, so we'll walk through it carefully and build on each step till the end.

WEB TIER

Step 1: Create a VPC

First, let’s specify the range of IPv4 addresses for the VPC in the form of CIDR (Classless Inter-Domain Routing). CIDR : 10.10.0.0/16.

Next, create a VPC, specify a name and input the CIDR.

Step 2: Subnets for the VPC (4 Private and 2 Public subnets)

Choose a subnet name, the availability zone and the IPv4 CIDR block for each subnet. Remember, the CIDR blocks assigned to the subnets must be carved out of the VPC's main CIDR block.

Add a new subnet and repeat the process for the other subnets using their respective CIDR blocks.

Pub_Web_2a     - IPv4 CIDR (10.10.1.0/28) - us-west-2a
Pub_Web_2b     - IPv4 CIDR (10.10.2.0/28) - us-west-2b
Private_App_2a - IPv4 CIDR (10.10.3.0/28) - us-west-2a
Private_App_2b - IPv4 CIDR (10.10.4.0/28) - us-west-2b
Private_Db_2a  - IPv4 CIDR (10.10.5.0/28) - us-west-2a
Private_Db_2b  - IPv4 CIDR (10.10.6.0/28) - us-west-2b

For the public subnets, select each of them one after the other, open the Actions drop-down, choose Edit subnet settings and enable auto-assign public IPv4 addresses.
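As an added check that is not part of the original walkthrough, the Python script below validates a subnet plan like the one above against the VPC CIDR: every subnet must fall inside 10.10.0.0/16, no two may overlap, and each tier must span at least two availability zones for the design to be highly available. It also shows how few addresses a /28 leaves once AWS reserves five per subnet.

```python
import ipaddress
from itertools import combinations

# The VPC and subnet plan used in this walkthrough (tier = middle token of the name).
VPC_CIDR = "10.10.0.0/16"
SUBNET_PLAN = [
    ("Pub_Web_2a", "10.10.1.0/28", "us-west-2a"),
    ("Pub_Web_2b", "10.10.2.0/28", "us-west-2b"),
    ("Private_App_2a", "10.10.3.0/28", "us-west-2a"),
    ("Private_App_2b", "10.10.4.0/28", "us-west-2b"),
    ("Private_Db_2a", "10.10.5.0/28", "us-west-2a"),
    ("Private_Db_2b", "10.10.6.0/28", "us-west-2b"),
]
# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def tier_of(name):
    """'Pub_Web_2a' -> 'Web', 'Private_Db_2b' -> 'Db'."""
    return name.split("_")[1]


def usable_hosts(cidr):
    """Addresses actually available to instances/ENIs in a subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def check_plan(vpc_cidr, plan):
    """Return a list of problems with the plan; an empty list means it is sound."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems, nets, azs_by_tier = [], {}, {}
    for name, cidr, az in plan:
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is outside the VPC range {vpc_cidr}")
        nets[name] = net
        azs_by_tier.setdefault(tier_of(name), set()).add(az)
    # Subnet CIDRs must not overlap; the console rejects this, but catching it
    # in the plan is cheaper than discovering it on the fourth subnet.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} and {b} overlap ({na} / {nb})")
    # High availability needs every tier spread across at least two AZs.
    for tier, azs in azs_by_tier.items():
        if len(azs) < 2:
            problems.append(f"tier {tier} is confined to one AZ: {sorted(azs)}")
    return problems
```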

Step 3: Internet gateway

This allows the EC2 instances within the public subnets to connect to the internet. Once the internet gateway is created, attach it to the VPC as seen below.

Step 4: Public and Private Route Table

We will create a public route table and associate the public subnets with it.

Click the Create Route Table tab > choose a name, select the VPC > create the table. Once that's done, go to Subnet associations, edit the subnet associations, select Pub_Web_2a and Pub_Web_2b and save.

Now we have the route table explicitly associated with the public subnets.

Next, edit the routes for the public route table (Public_RT) and add a route that sends internet-bound traffic to the internet gateway. Together with the web server security group's inbound rules, this is what makes our web servers reachable from the internet.

Now we will create a private route table and explicitly associate the private subnets (Private_App_2a and Private_App_2b) with it, as we did for the public subnets.

Step 5: Security group

We are ready to specify the security group rules that control inbound and outbound traffic for our web server.

Go to Security Groups > Create > set a name, description and the associated VPC. Set the inbound rules for SSH and HTTP to allow access from anywhere.

Step 6: Autoscaling group

To set up autoscaling, we first create a launch template that specifies how the EC2 instances launched by the Auto Scaling group are configured.

Click Launch templates > Create launch template > specify a template name (Web_Tier_template) > select an Amazon Machine Image (Amazon Linux 2) > specify the instance type (t2.micro) > create/select a key pair (3TierKey) > create a security group and specify its rules (vpc_sg) > under Advanced network configuration, enable auto-assign public IP > paste the following script into User data to launch an Apache web server

#!/bin/bash
# User data runs once, as root, on first boot of each instance the ASG launches.
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
# Replace the default page so the load balancer health check and the browser test succeed.
echo "<h1>Successfully completed Web Tier!!!</h1>" > /var/www/html/index.html

Now we can move ahead to create the autoscaling group.

Select Auto Scaling groups > Create > choose a name (ASG_WebTier) > select the launch template (Web_Tier_template) > under Network, choose the VPC and the subnets/availability zones. Move on to the next page.

Under Load balancing (Attach a new load balancer) > choose Application Load Balancer > choose a name (LB-WebTier) > load balancer scheme (Internet-facing) > Listeners and routing (default routing will be forwarded to a new target group, TG-WebTier). Also specify the group size.

The other parameters will be left at their defaults. Click Create Auto Scaling group. The load balancer and target group will be created alongside it.

Go to the Instances page and you can see two (2) EC2 instances running.

Let's get the IP addresses and confirm it's working on the web page.

It’s up and running !!!

APPLICATION TIER

In this section, we will create a launch template, Auto Scaling group and load balancer for the 2 private subnets. First, we need to create a NAT gateway in one of the public subnets to allow instances in the private subnets to update packages and patches. Then we will add it to the private route table.

Navigate to NAT gateway under VPC and Create NAT gateway.

Choose the subnet you want the NAT gateway to be in. I chose Public-sub-2a. Connectivity type is Public. Allocate an Elastic IP address to the NAT gateway. Click Create NAT gateway.

Note: An Elastic IP is a static public IPv4 address that stays allocated to your AWS account rather than to a particular resource, so it survives an instance going down and can be reattached. A public NAT gateway requires one so that the private instances' outbound traffic always leaves from the same known address.

For the NAT gateway to work, we have to add it to the private route table. Go to Route Tables > select the private route table (Private-RT) > edit routes > add a default route whose target is the NAT gateway, so the application servers can reach the internet for updates without being reachable from it.

Create launch template

Following the same process as for the web tier, we will create a launch template using the same instance type, AMI and key pair. A new security group is required for the 2 private subnets, which should only be reachable through the web server security group: the source for each allowed protocol is the web server security group rather than a CIDR range.

Now that the launch template is created, let's create an Auto Scaling group for the private subnets.

Select Auto Scaling groups > Create > choose a name (ASG_AppTier) > select the launch template (App_Tier_template) > under Network, choose the VPC and the availability zones/subnets (Private_App_2a and Private_App_2b).

Under Load balancing (Attach a new load balancer) > choose Application Load Balancer > choose a name (LB-AppTier) > load balancer scheme (Internet-facing) > Listeners and routing (default routing will be forwarded to a new target group, TG-AppTier). I used a desired capacity of two (2) instances to be launched.

Go to Instances and we have two (2) EC2 instances running in the private subnets.

Now we need to check whether the application tier can be reached from the web tier. We can do this by running a ping command from the CLI.

We need to connect to the EC2 instance in our public subnet to do this.

To change permissions for my key pair 3Tier.pem before connecting to the instance, the following commands are required. This is peculiar to Windows PowerShell

# Remove all existing ACL entries, then grant the current user read-only access
# and stop the file inheriting permissions from its folder (the PowerShell
# equivalent of chmod 400 on the key).
icacls.exe EC2Project.pem /reset
icacls.exe EC2Project.pem /grant:r "$($env:username):(r)"
icacls.exe EC2Project.pem /inheritance:r

Now, run a ping command against the private IPv4 addresses.

I hit a roadblock. The application tier couldn't be accessed from the web tier. I knew it had to do with my security group rules. I noticed I had not selected the web tier security group as the source when creating the security group in the launch template. I made the changes and ran the command again.

ping 10.10.3.11
ping 10.10.4.14

Great job. Packets were transmitted and received after pinging.

DATABASE TIER

Let's start off by creating a DB subnet group.

Navigate to Subnet groups > Create DB subnet group > select a name > choose the VPC > Add subnets. Under Add subnets, select the two (2) availability zones and the private database subnets in them.

Database

Now that the subnet group is created, let's move on to creating the database.

  • Navigate to Databases and click Create database
  • Choose a database creation method: Standard create
  • Engine options (Engine type): MySQL

Choose the Free tier template

Select (DB cluster identifier) : PrivateDB-Instance

Credentials (Master username) : admin

Master password: *********

DB instance class: Burstable classes (db.t2.micro)

For Connectivity, choose the VPC. The subnet group is selected by default. Public access will be left on No, since we are accessing the database only through our application tier.

For the VPC security group, we will use an existing security group, in this case the application server security group.

Having selected all we need, go on and create the database.
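The security groups of the three tiers (the web tier in Step 5, the application tier launch template, and the database above) form a chain of trust: only the web tier should accept traffic from the internet, the application tier only from the web security group, and the database only MySQL from the application security group. The Python below is an added example, not the walkthrough's own configuration: it encodes those rules in the IpPermissions shape boto3 uses, with logical names (web-sg, app-sg, db-sg), a constructed admin range 203.0.113.0/24 in place of real IDs and addresses, and the assumption that the application group allows HTTP and SSH from web-sg; it then audits the web group as built (SSH open to anywhere) against a hardened one.

```python
# Rules use the IpPermissions shape that boto3's authorize_security_group_ingress()
# accepts, with logical names instead of sg-ids so the audit runs offline.
INTERNET = "0.0.0.0/0"
PUBLIC_SERVICE_PORTS = {80, 443}  # the only ports a web tier should expose to the world
ADMIN_CIDR = "203.0.113.0/24"     # constructed placeholder for the operator's address range


def rule(port, cidrs=(), groups=()):
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


# Web security group as built in Step 5: HTTP and SSH from anywhere.
WEB_SG_AS_BUILT = [rule(80, cidrs=[INTERNET]), rule(22, cidrs=[INTERNET])]
# Hardened variant: HTTP stays public, SSH only from the admin range.
WEB_SG_HARDENED = [rule(80, cidrs=[INTERNET]), rule(22, cidrs=[ADMIN_CIDR])]
# Application and database groups trust only the tier directly in front of them.
APP_SG = [rule(80, groups=["web-sg"]), rule(22, groups=["web-sg"])]
DB_SG = [rule(3306, groups=["app-sg"])]
# The one upstream group each private tier may trust, per the scenario requirements.
TRUSTED_SOURCE = {"app-sg": "web-sg", "db-sg": "app-sg"}


def audit(groups):
    """groups: {name: [IpPermissions, ...]} -> list of findings (empty means clean)."""
    findings = []
    for name, rules in groups.items():
        expected = TRUSTED_SOURCE.get(name)
        for r in rules:
            port = r["FromPort"]
            for ipr in r["IpRanges"]:
                if ipr["CidrIp"] == INTERNET and port not in PUBLIC_SERVICE_PORTS:
                    findings.append(f"{name}: port {port} open to the internet")
                if expected:  # private tiers must reference a group, never a CIDR
                    findings.append(f"{name}: port {port} allows CIDR {ipr['CidrIp']}, expected group {expected}")
            for pair in r["UserIdGroupPairs"]:
                if expected and pair["GroupId"] != expected:
                    findings.append(f"{name}: port {port} trusts {pair['GroupId']}, expected {expected}")
        if name == "db-sg" and any(r["FromPort"] != 3306 for r in rules):
            findings.append("db-sg: exposes a port other than MySQL 3306")
    return findings
```

Running the audit with APP_SG attached to the database, as this walkthrough does, reports that the database trusts web-sg directly and exposes ports other than 3306; giving the database its own group as in DB_SG clears those findings.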

Now we will associate the database subnets with a private route table. Let's go back to Route Tables and create a route table for the database tier's private subnets.

Under Subnet associations, edit the subnet associations and choose the private subnets (Private_Db_2a and Private_Db_2b).

The Multi-AZ option will not be used in this project, but it is important for high availability, fault tolerance and disaster recovery. With Multi-AZ, a primary RDS instance runs in one availability zone and a standby instance in another. The primary synchronously replicates to the standby, keeping the two in step, and in the event the primary fails or becomes inaccessible, the standby can take over. This is the benefit of Multi-AZ.

Thank you for reading!
