Mastering AWS: Unveiling the Power of 3-Tier Architecture
I am a backend developer from Indonesia, focused on PHP, and also a cloud platform administrator.
AWS 3-Tier Architecture is a good choice for developers who want to run their systems efficiently while keeping costs down. It is structured into three distinct layers: the Presentation Tier, the Application Tier, and the Database Tier. The security point of the layout is that each tier is reachable only from the tier in front of it: the internet talks to the presentation tier, the presentation tier to the application tier, and only the application tier to the database.

Presentation Tier
The Presentation Tier is the user interface layer where users interact with your application. It uses services such as Amazon S3 for static content, CloudFront for content delivery, and Cognito for user authentication. To harden it, put AWS WAF (Web Application Firewall) in front of CloudFront or the load balancer to filter common web exploits, and rely on AWS Shield for DDoS protection.
Application Tier
The Application Tier processes business logic and handles the requests that come in from the presentation tier. It can use services like API Gateway for creating and managing APIs, EC2 for scalable compute, Lambda for serverless functions, and ECS for container orchestration. Security Groups belong in this layer: configure them so that application instances accept traffic only from the load balancer's security group (plus an administrative endpoint), never from the internet directly, and keep outbound rules to what the workload actually needs.
Database Tier
The Database Tier is where your application's data is stored and managed. Services such as RDS (Relational Database Service), Aurora (a MySQL- and PostgreSQL-compatible relational database), and DynamoDB (a NoSQL database) are commonly used. Keep this tier in private subnets with a security group that admits only the application tier's security group on the database port, enable encryption at rest and in transit, and set up automated backups with a tested recovery procedure to guard against data loss.
Initiating VPC
Initiating a VPC (Virtual Private Cloud) means creating a network with both public and private subnets and enabling DNS hostnames and DNS resolution. Once the VPC is created, it gives your AWS resources an isolated network in which only the public subnets have a route to the internet gateway. If instances in the private subnet need outbound access (the script later in this post runs apt-get), add a NAT gateway in a public subnet and point the private subnet's default route at it.

After the VPC has been created successfully, it looks like this:

EC2 Setup
Create one EC2 instance in the private subnet and add the security group rules it needs. Create one more EC2 instance in the public subnet.

Using the EC2 Instance Connect Endpoint
Set up two EC2 instances, one in the private subnet and one in the public subnet, with security group rules that limit who can reach them. An instance in the private subnet has no public IP and cannot be reached from the internet, so to open a shell on it you need an EC2 Instance Connect Endpoint in the VPC; the endpoint's security group must be allowed on port 22 in the private instance's security group.

Let's try this scenario: you will create one or more VirtualHosts on the EC2 instance in the private subnet.
Load Balancer
A Load Balancer is essential for distributing incoming traffic across multiple EC2 instances, especially those in private subnets that are not directly accessible from the public internet. The load balancer is configured as internet-facing with the IPv4 address type, and its security group is the only one in this setup that needs to allow inbound HTTP from the internet. It uses a Target Group to manage and scale the instances, ensuring efficient traffic routing and load distribution.
When creating the Application Load Balancer, make sure you select:
Scheme: internet-facing
Load balancer IP address type: IPv4


In the Network Mapping section choose your VPC and select the public subnet in every Availability Zone (AZ). In the Security Groups section choose the load balancer's security group. Then you will reach the Target Group section, described below.
Target Group
This section organizes your instances into a target group; any scaling configuration will apply to this Target Group. Select Target type: Instance, Protocol: HTTP on port 80, IP address type: IPv4, and Protocol version: HTTP1. Leave the health check on HTTP with path /; the ALB only forwards traffic to targets that pass it.

Register Target
In this section you select the EC2 instance and the port to register as a target; you can change the targets later.

After creating the Target Group, go back to the Listener and Routing section and choose that Target Group for the HTTP:80 listener.

Now copy the DNS name of the ALB.

Go to Route 53 and create an A record with Alias enabled, choose Alias to Application and Classic Load Balancer, and select the ALB whose DNS name you copied.
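As an added example (not the author's code), here is the same load balancer, target group, security group and Route 53 setup expressed in Terraform, so the whole trust chain from the internet to the private instance is visible in one place. It assumes the VPC, subnets and the EC2 Instance Connect Endpoint from the earlier steps already exist and that their IDs are supplied as variables; the region is taken from AWS_REGION, the provider is hashicorp/aws 5.x, and names such as web-alb, app-sg, t3.micro and the domain are placeholders.

```hcl
# Added example, not from the original post. Provider: hashicorp/aws ~> 5.0,
# region from AWS_REGION. Every variable below is a value you supply.
variable "vpc_id" {}
variable "public_subnet_ids" { type = list(string) } # one per AZ, for the ALB
variable "private_subnet_id" {}                      # where the app instance lives
variable "ami_id" {}                                 # an AMI with nginx preinstalled
variable "eice_security_group_id" {}                 # SG of your EC2 Instance Connect Endpoint
variable "hosted_zone_id" {}                         # Route 53 zone for domain_name
variable "domain_name" {}                            # e.g. "unstable.my.id"

# Internet -> ALB: the only security group that admits traffic from 0.0.0.0/0.
resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# ALB -> app: port 80 only from the ALB's group, port 22 only from the Instance
# Connect Endpoint's group. No CIDR-based ingress, so neither the internet nor
# other hosts in the VPC can reach the instance directly.
resource "aws_security_group" "app" {
  name   = "app-sg"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [var.eice_security_group_id]
  }
  egress { # apt-get and certbot also need a NAT gateway on the private route table
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "app" {
  ami                         = var.ami_id
  instance_type               = "t3.micro"
  subnet_id                   = var.private_subnet_id
  vpc_security_group_ids      = [aws_security_group.app.id]
  associate_public_ip_address = false # reachable only through the ALB and the endpoint
}

resource "aws_lb" "web" {
  name               = "web-alb"
  internal           = false # scheme: internet-facing
  load_balancer_type = "application"
  ip_address_type    = "ipv4"
  security_groups    = [aws_security_group.alb.id]
  subnets            = var.public_subnet_ids
}

resource "aws_lb_target_group" "web" {
  name             = "web-tg"
  target_type      = "instance"
  protocol         = "HTTP"
  port             = 80
  protocol_version = "HTTP1"
  vpc_id           = var.vpc_id
}

resource "aws_lb_target_group_attachment" "web" {
  target_group_arn = aws_lb_target_group.web.arn
  target_id        = aws_instance.app.id
  port             = 80
}

resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.web.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# Route 53 alias A record: domain -> ALB, the same thing the console step does.
resource "aws_route53_record" "web" {
  zone_id = var.hosted_zone_id
  name    = var.domain_name
  type    = "A"
  alias {
    name                   = aws_lb.web.dns_name
    zone_id                = aws_lb.web.zone_id
    evaluate_target_health = true
  }
}
```

Apply with terraform init and terraform apply. The target shows as unhealthy in the target group until nginx answers on port 80 on the instance, and the instance's security group is deliberately free of any CIDR-based inbound rule: if you later find yourself adding 0.0.0.0/0 on port 22 or 80 to app-sg, the tiering has been broken.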

Create VirtualHost
Connect to your private instance through the EC2 Instance Connect Endpoint.
Now let's create a VirtualHost on the EC2 instance in the private subnet. I've written a script for creating a VirtualHost. Run chmod +x virtualhost.sh, then sudo ./virtualhost.sh your-domain (it must run as root because it writes under /etc/nginx and reloads nginx). A simple VirtualHost will be created.
#!/bin/bash
# Create and enable an nginx virtual host for the given domain.
# Usage: sudo ./virtualhost.sh example.com
set -u

# Must run as root (or via sudo) to write under /etc/nginx and /var/www
if [ "$EUID" -ne 0 ]; then
    echo "Please run this script as root or with sudo."
    exit 1
fi

# Check that a site name was provided
if [ -z "${1:-}" ]; then
    echo "Usage: $0 <site_name>"
    echo "Example: $0 unstable.my.id"
    exit 1
fi

SITE_NAME=$1

# Accept only a plain hostname: the value is used to build filesystem paths and
# the nginx config, so reject slashes, spaces and shell metacharacters
if ! [[ "$SITE_NAME" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
    echo "Invalid site name: $SITE_NAME"
    exit 1
fi

SITES_AVAILABLE="/etc/nginx/sites-available/$SITE_NAME"
SITES_ENABLED="/etc/nginx/sites-enabled/$SITE_NAME"
WEB_ROOT="/var/www/$SITE_NAME/html"
# Owner of the web root: the invoking user when run via sudo, root otherwise
OWNER="${SUDO_USER:-root}"

# Create the web directory and a simple index.html file
mkdir -p "$WEB_ROOT"
echo "<html><head><title>Welcome to $SITE_NAME</title></head><body><h1>Success! The $SITE_NAME virtual host is working!</h1></body></html>" > "$WEB_ROOT/index.html"
# Only this site's directory changes owner; do not recurse over all of /var/www
chown -R "$OWNER:$OWNER" "/var/www/$SITE_NAME"
chmod 755 /var/www "/var/www/$SITE_NAME" "$WEB_ROOT"

# Create the nginx configuration file
cat > "$SITES_AVAILABLE" <<EOL
server {
    listen 80;
    listen [::]:80;
    server_name $SITE_NAME www.$SITE_NAME;

    # logging
    access_log /var/log/nginx/$SITE_NAME-access.log combined buffer=512k flush=1m;
    error_log  /var/log/nginx/$SITE_NAME-error.log warn;

    location / {
        root  $WEB_ROOT;
        index index.html index.htm;
    }

    # Uncomment the following for SSL (HTTPS) support
    # listen 443 ssl;
    # ssl_certificate     /etc/letsencrypt/live/$SITE_NAME/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/$SITE_NAME/privkey.pem;
}
EOL

# Enable the site (-f so re-running the script does not fail on an existing link)
ln -sf "$SITES_AVAILABLE" "$SITES_ENABLED"

# Test the nginx configuration before touching the running server
if nginx -t; then
    systemctl reload nginx
    echo "Virtual host for $SITE_NAME has been created and enabled."
else
    echo "Nginx configuration test failed. Please check your configuration."
    exit 1
fi

# Prompt for SSL setup
read -p "Do you want to set up SSL for $SITE_NAME? (y/n) " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
    echo "Installing Certbot for SSL setup..."
    apt-get update
    apt-get install -y certbot python3-certbot-nginx
    certbot --nginx -d "$SITE_NAME" -d "www.$SITE_NAME"
    systemctl reload nginx
    echo "SSL has been set up for $SITE_NAME."
fi

echo "Virtual host setup for $SITE_NAME is complete!"
Now the domain points at the EC2 instance in the private subnet; type your domain into the browser. Two things to keep in mind. First, with the HTTP:80 listener created above, the load balancer only ever talks to port 80 on the instance, so a certificate installed by the script's Certbot step is not used for client traffic; to serve HTTPS, either terminate TLS at the ALB with an ACM certificate and an HTTPS:443 listener, or add a 443 listener with its own target group for the port Certbot configured. Second, nginx now sees the load balancer's private IP as the client address; the real client IP arrives in the X-Forwarded-For header, which is what you should log and rate-limit on.
Thank you for reading my article. I hope you found it helpful! Having trouble? You can comment below.