Designing A Three-Tier Infrastructure in AWS

Tayo617
12 min read, Oct 16, 2020

Cloud computing has several fundamental benefits when customers build and deploy software solutions within a cloud environment. In an effort to illustrate both high availability & fault tolerance, I’ll design a three-tier cloud infrastructure by utilizing a handful of AWS Management Console services: Virtual Private Cloud (VPC), Elastic Compute Cloud (EC2), Elastic Load Balancer (ELB), Internet Gateway, Auto Scaling Groups, & Security Groups. My goal is to accurately exhibit a) a system’s ability to remain operational for a long period of time while enduring maintenance or system failures (high availability), and b) its ability to withstand the loss of a component within an infrastructure without service interruption (fault tolerance). The above-mentioned services represent various AWS compute, storage & network elements which I’ll use to build a three-tier pattern that ensures scalable application components which can also be independently managed by various AWS users.

Image of a Three-Tier AWS Infrastructure

Pre-requisites:

Be sure to sign up for an AWS account, and utilize the free-tier resources so you’re not incurring any charges after completion of this tutorial.

  1. Create a Virtual Private Cloud: Sign in to your AWS Management Console and make sure you are logged into the AWS Region nearest to where you reside, which is shown in the upper-right hand corner. I reside in California, so I am in the US West-1 Region. Under the Services drop-down, select or search for the VPC section. On the next screen, you should see the VPC Dashboard, which includes a list of subsections in the left-hand column; choose Your VPCs, then click Create VPC. A Virtual Private Cloud (VPC) is a customer’s isolated portion of the AWS cloud environment, populated by AWS objects. In the Name Tag field, enter a Name for your VPC (I have named it LUIT-Demo-VPC); in the CIDR block field, enter 10.0.0.0/16. Proceed to click the Create VPC button in the lower right corner.

2. Create an Internet Gateway: You will now be returned to the VPC Dashboard, where you’ll click Internet Gateways in the left-side column. Click the blue Create Internet Gateway button. Specify a Name Tag (I’m using LUIT-DemoIG) in the blank field for the internet gateway, then click the Create button. An internet gateway is a virtual router that connects a VPC to the internet. Upon returning to the first screen, under the Actions drop-down button, select Attach to VPC. Here, we will attach the VPC we created in the prior step: select your VPC in the VPC field, then click the Attach button.

Attaching a VPC to the Internet Gateway

3. Create Subnets: Under the VPC Dashboard, select Subnets. A subnet is a way for us to group our resources within the VPC by their IP range. A subnet can be public or private. EC2 instances within a public subnet have public IPs and can directly access the internet, while those in a private subnet do not have public IPs and can only access the internet through a NAT gateway.

We will need to create FOUR total subnets for our setup, with the corresponding IP ranges listed below. First, click the blue Create Subnets button. Fill out the appropriate fields with the information below, attaching each subnet to your VPC. Once you complete the first, hit the Create button, then repeat the steps for the remaining three subnets.

  • demo-public-subnet-1 | CIDR (10.0.1.0/24) | Availability Zone (us-west-1a)
  • demo-public-subnet-2 | CIDR (10.0.2.0/24) | Availability Zone (us-west-1b)
  • demo-private-subnet-3 | CIDR (10.0.3.0/24) | Availability Zone (us-west-1a)
  • demo-private-subnet-4 | CIDR (10.0.4.0/24) | Availability Zone (us-west-1b)
Creation of 4 Subnets attached to my VPC
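Before clicking through the console, it is worth checking the address plan on paper: every subnet must fit inside the VPC block, none may overlap, and each tier must span two Availability Zones or the fault-tolerance goal is lost. The following Python script is an added example (not part of the original tutorial) that encodes the four subnets above and validates exactly those properties with the standard library.

```python
import ipaddress
from collections import defaultdict

# Constructed from the tutorial's plan: the 10.0.0.0/16 VPC and its four /24 subnets.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = [
    # (name, CIDR, availability zone, tier)
    ("demo-public-subnet-1", "10.0.1.0/24", "us-west-1a", "public"),
    ("demo-public-subnet-2", "10.0.2.0/24", "us-west-1b", "public"),
    ("demo-private-subnet-3", "10.0.3.0/24", "us-west-1a", "private"),
    ("demo-private-subnet-4", "10.0.4.0/24", "us-west-1b", "private"),
]


def validate_subnet_plan(vpc_cidr, subnets, min_azs=2):
    """Return a list of problems with the plan; an empty list means it is sound.

    Checks: every subnet fits inside the VPC block, no two subnets overlap,
    and every tier is spread over at least min_azs Availability Zones so the
    loss of one zone does not take the whole tier down.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    seen = []                       # (name, network) of subnets checked so far
    azs_by_tier = defaultdict(set)
    for name, cidr, az, tier in subnets:
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} lies outside VPC {vpc_cidr}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        seen.append((name, net))
        azs_by_tier[tier].add(az)
    for tier, azs in azs_by_tier.items():
        if len(azs) < min_azs:
            problems.append(f"{tier} tier spans only {sorted(azs)}; needs {min_azs} AZs")
    return problems


if __name__ == "__main__":
    for line in validate_subnet_plan(VPC_CIDR, SUBNETS) or ["subnet plan OK"]:
        print(line)
```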

4. Route Tables: A route table specifies how packets are forwarded between the subnets within your VPC, the internet, and your VPN connection. It’s a set of rules that determines how data moves within our network. We’ll need to create two route tables, one for the public subnets and one for the private subnets. The public route table represents the public subnets that will have direct access to the internet, while the private route table represents the subnets that go through the NAT Gateway, i.e. the private subnets.

Under the VPC Dashboard, select Route Tables, then click the Create Route Table button. Proceed to enter a Name Tag for each route table, labeling each one public/private, while attaching the VPC. Click the Create button, then repeat this step for the second route table.

Public & Private Route Tables

Next, we need to associate the subnets we previously created with these two route tables: public subnets to the public route table, and private subnets to the private route table. On the Route Table screen, select one of the new route tables by checking its box; a number of tabs will appear below the list. Click on the Subnet Associations tab, then click on the Edit Subnet Associations button. On the following screen, select the 2 public subnets and click the Save button. I will repeat this same step to associate the private subnets with the private route table.

Associated Public Subnets to the Public Route Table
Associated Private Subnets to the Private Route Table

Traffic from the public subnets must be routed to the internet via the Internet Gateway, so the public route table needs a route for it. To add one, select the public route table and choose the Routes tab. Add a rule whose target is the Internet Gateway you created earlier, as illustrated below.

Attaching the Internet Gateway & Private Subnets to the Private Route Table

5. Create the NAT Gateway: You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances. Under the VPC Dashboard, click on NAT Gateways to open up the NAT Gateways page, then click on the Create NAT Gateway button. Be sure to make a note of the Subnet ID for demo-public-subnet-2 to complete this step: the NAT Gateway itself is placed in a public subnet so that it can reach the Internet Gateway.

Creating a NAT Gateway with an Allocated Elastic IP Address

In order for the private instances to reach the internet through the NAT Gateway, we must edit the private route table. Click the Edit Route Tables button to be forwarded to the Route Tables screen. Select the private route table and several tabs should appear below the route table list. Click on the Routes tab, then click the Edit Routes button. Add a route with 0.0.0.0/0 as the Destination, and select your newly created NAT Gateway in the Target field. Click Save Routes upon completion.

Editing of Private Route Table to utilize the NAT Gateway for private EC2 instances

6. Create an Elastic Load Balancer (ELB): A load balancer serves as the single point of contact for clients. The load balancer distributes incoming application traffic across multiple targets, such as EC2 instances, in multiple Availability Zones. Using a load balancer increases the availability and fault tolerance of your applications. In the three-tier infrastructure, the front-end tier only accepts traffic from the internet-facing elastic load balancer, which is reached through the internet gateway, while the back-end tier receives traffic only through the internal load balancer.

a. Under the Services drop-down list in the AWS Management Console, go to the EC2 Dashboard, and select Load Balancer on the left-side column. Hit the Create Load Balancer button. Since we are building a three-tier infrastructure, select the Create button located under the Application Load Balancer option.

Application Load Balancer page

b. Under the Configure Load Balancer screen, create a Name and choose internet-facing as the scheme for the load balancer that will serve the frontend; the one we will use for our backend gets the internal scheme.

Front End Tier’s Internet Facing Load Balancer Configuration
Front-End Tier’s Internet-Facing Load Balancer Availability Zones Configuration

c. Under Security Groups, we only need to allow the ports that the application needs. I’ll set those to allow HTTP port 80 and/or HTTPS port 443 on our internet-facing load balancer.

d. Under the Configure Routing, I’ve configured the Target Group to have the Target type of instance. I’ve named the Target Group as LUITDemo-Frontend-TG to identify it, which is necessary for the creation of the Auto Scaling Group. I’ve skipped the Register Targets steps, and will proceed to review the configuration & hit the Create button.

Security Groups for Internet-Facing Front-End tier Load Balancer
Target Group for Internet-Facing Front-End tier Load Balancer
Review of Internet-Facing Load Balancer
Review of Internet-Facing Load Balancer (cont’d)
Complete creation of the internet-facing Load Balancer

I’ll repeat the configuration steps from 6a. to 6d. for the internal load balancer assigned to the private subnets, as illustrated below. The one difference is under Security Groups: for the backend we only open the port that the backend runs on (eg: port 3000) and make that port reachable only from the security group of the frontend. This allows only the frontend to access that port within our architecture. Also, under the Configure Routing step, we’ve named the Target Group LUITDemo-Backend-TG.

Back-End tier Internal Load Balancer
Back-End tier Internal Load Balancer Availability Zones
Internal Load Balancer Security Group
Internal Load Balancer Routing Configuration
Review of Internal Load Balancer
Completion of Internal Load Balancer
Load Balancer Dashboard Screen

7. Create an Auto Scaling Group: Per AWS Documentation, Auto Scaling monitors your applications and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost. Auto Scaling makes it easy to set up application scaling for multiple resources across multiple services in minutes, allowing you to adjust the capacity of the EC2 instances serving the application to meet demand. This is a more efficient strategy than manually spinning up EC2 instances and attaching them to the load balancer.

We’ll need to navigate to the Auto Scaling Groups page, then click on the Create Auto Scaling Group button.

a. An Auto Scaling Group needs a common configuration that every instance within it MUST have. This common configuration is provided by the Launch Configuration. A new browser window will appear. In our Launch Configuration, under Choose AMI (Amazon Machine Image), the best practice is to choose an AMI which contains the application and its dependencies bundled together. You can also create your own custom AMI in AWS. For the purpose of this demo, I chose CentOS 7.4 12.1 SE.

b. Choose the appropriate instance type. For a demo, I recommend you choose t2.micro (free tier eligible) so that you do not incur charges.

c. Under Configure details, give the Launch Configuration a name, eg Demo-Frontend-LC. Also, under the Advanced Details dropdown, the User data field lets you enter the commands needed to install dependencies and start the application.

Auto Scaling Group
Creating Launch Configuration 1 — Choose AMI
Creating Launch Configuration 2 — Advanced Details

d. Again, under the security group, we only want to allow the ports that are necessary for our application.

e. Review the Configuration and Click on Create Launch Configuration button. Go ahead and create a new key pair. Ensure you download it before proceeding.

f. Now that we have our Launch Configuration, we can finish creating our Auto Scaling Group. Refer to the following images as a template.

g. Under the Configure scaling policies, we want to add one instance when the CPU is greater than or equal to 80% and to scale down when the CPU is less than or equal to 50%. (Note: This option was previously included under an older dashboard version that is no longer available at the time of running this demo)

h. Name your Auto Scaling Group ASGDemo and, under Launch configuration, select the Launch Configuration we just created.

i. At the Configure Settings menu, choose your demo VPC and all of the subnets we’ve created.

Auto Scaling Group Configuration Settings

j. We can now go straight to Review and then click on the Create Auto Scaling group button. This process is to be completed for both the frontend & the backend tiers, but not the data storage tier.

At this point, I cannot SSH into the EC2 instances in the private subnet, because I haven’t created the bastion host. In the final step of this demo, I will illustrate how to create the bastion host.

8. Bastion Host: The bastion host is just an EC2 instance that sits in the public subnet. Its purpose is to provide access to a private network from an external network (the Internet). Because of its exposure to potential attack, a bastion host must minimize the chances of penetration. The best practice is to only allow SSH to this instance from your trusted IP. To create a bastion host, navigate to the EC2 instances page and create an EC2 instance in the demo-public-subnet-1 subnet within our VPC. Also, ensure that it has a public IP.

When configuring the Security Groups, we also need to allow SSH to our private instances only from the Bastion Host’s security group.

Bastion Host EC2 instance 1
Bastion Host EC2 instance 2
Public Subnet to the Bastion Host EC2 Instance
Security Group of the Bastion Host
Review of Bastion Host EC2 Instance
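The security group layering described in step 6 (internet-facing load balancer open on 80/443, backend port 3000 reachable only from the frontend’s group) and step 8 (SSH to private instances only from the bastion, and to the bastion only from a trusted IP) forms a chain of group references. The Python below is an added example, not part of the tutorial: it models that chain as constructed rules, flags any group other than the public load balancer that admits 0.0.0.0/0, and walks the references to show the only path by which internet traffic can reach the backend. The group names, the frontend’s port 80, and the trusted address 203.0.113.10/32 are assumptions for the sake of the example.

```python
from collections import deque
from ipaddress import ip_network

# Constructed model of the tutorial's security groups, not exported from AWS.
# A rule is (group, tcp_port, source); source is a CIDR or another group's name.
TRUSTED_IP = "203.0.113.10/32"            # placeholder for the admin's trusted address
RULES = [
    ("sg-public-alb", 80, "0.0.0.0/0"),       # internet-facing ALB: HTTP
    ("sg-public-alb", 443, "0.0.0.0/0"),      # internet-facing ALB: HTTPS
    ("sg-frontend", 80, "sg-public-alb"),     # assumed frontend port, ALB only
    ("sg-frontend", 22, "sg-bastion"),        # SSH only from the bastion
    ("sg-internal-alb", 3000, "sg-frontend"), # backend port, frontend only
    ("sg-backend", 3000, "sg-internal-alb"),
    ("sg-backend", 22, "sg-bastion"),
    ("sg-bastion", 22, TRUSTED_IP),           # SSH only from the trusted IP
]


def is_world_open(source):
    """True for 0.0.0.0/0 (or ::/0); False for narrower CIDRs and group references."""
    try:
        return ip_network(source).prefixlen == 0
    except ValueError:
        return False


def world_open_rules(rules, allowed_groups):
    """Rules that admit the whole internet on a group not meant to be internet-facing."""
    return [r for r in rules if is_world_open(r[2]) and r[0] not in allowed_groups]


def reach_paths(rules, start="0.0.0.0/0"):
    """Breadth-first walk over group references from a source (CIDR or group name).

    Returns {group: ["group:port", ...]}, the shortest chain of rules a packet from
    `start` can follow to reach each group; private tiers should never have a one-hop path.
    """
    def admits(source, origin):
        return source == origin or (origin == "0.0.0.0/0" and is_world_open(source))

    paths, queue = {start: []}, deque([start])
    while queue:
        origin = queue.popleft()
        for group, port, source in rules:
            if admits(source, origin) and group not in paths:
                paths[group] = paths[origin] + [f"{group}:{port}"]
                queue.append(group)
    del paths[start]
    return paths
```

Running `reach_paths(RULES)` on the constructed rules shows the backend reachable only via the public ALB, the frontend and the internal ALB, and the bastion not reachable from the internet at all; appending a rule such as `("sg-backend", 22, "0.0.0.0/0")` makes both checks report it.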

Conclusion

As a beginner, it was somewhat user-friendly navigating through the AWS Management Console. Although I encountered some errors during configuration (for example, in the Auto Scaling Group step — the new EC2 dashboard omitted some old scaling policy options that threw me off for a bit), I was able to resolve all issues by applying the appropriate changes suggested by the console.

Reminder: At the end of this tutorial, you’ll need to shut down and delete all the resources (EC2 instances, Auto Scaling Group, Elastic Load Balancer, NAT Gateway, etc.) to avoid incurring charges on your AWS account. If you’re a beginner, it’s best to create a billing alarm within AWS Budgets to receive e-mail notifications just in case your account ever exceeds your desired monetary threshold.

That concludes the design of a three-tier infrastructure within AWS. Thank you for your time!
