because “good things come in threes”
Published Jun 4, 2022 · 14 min read
In this article we are going to build a 3-tier architecture in AWS one step at a time, so that its structure is as clear as possible.
What is 3-Tier Architecture you may ask?
3-Tier Architecture is used in web-based applications and consists of 3 layers:
- Web Tier (or Client Tier), which takes input from and provides output to the user. Think of it as the User Interface (UI) of your 3-Tier Architecture; it is also called the Public Tier.
- Application Tier (or Logic Tier), which is the interface between the Web Tier and the Database Tier. It lets the Web Tier and Database Tier communicate with one another.
- Database Tier, which is the actual database. Operations such as delete, insert, get, and update item are performed here. The only way to access the database should be by connecting to it from the application tier.
Some advantages of 3-Tier Architecture are:
- High scalability
- Improved security and data integrity
- Easier to maintain and modify
- Offers better performance because you reduce the load on each tier
Objectives:
- Create a VPC with 2 public subnets, 4 private subnets, an internet gateway, a NAT gateway, and public/private route tables
- Create the web tier and application tier with EC2 auto-scaling groups
- Create a free tier MySQL RDS database
- Verify the web tier can be accessed from the internet and that it can connect to the application tier
Let's get started…
Step 1: Create a VPC, Internet Gateway, Subnets, Route Tables, and NAT Gateway
Create VPC
Make sure you are in the region where you want to create your VPC. Head over to your VPC Management Console. Click Your VPCs, then Create VPC…
There is an option to create the VPC, subnets, internet gateway, etc all at once. For practice and better understanding, we will do it step by step.
Select VPC only, give the VPC a name, and give an IPv4 CIDR block. Leave IPv6 off and leave everything else as default. Once all is set click Create VPC…
Once your VPC has been created, filter your new VPC in the Filter By VPC box to make things easier moving forward. It will show you only the results from the new VPC.
Next, let's enable the DNS hostnames in our VPC. Select your VPC, pull down the Actions Bar, and select Edit DNS Hostnames…
Select Enable and Save changes…
Create Internet Gateway
Next, we will create an Internet Gateway for our VPC. In the left panel select Internet Gateway and Create internet gateway
Next give it a name and Click Create internet gateway…
Next, we will attach our new Internet Gateway to our new VPC so the VPC can connect to the internet. Bring down the Actions Bar and select Attach to VPC…
Then select your new VPC and click Attach internet gateway
Create Public Subnets
Next, we will create the public subnets for the first two availability zones. This is where our Web Tier will eventually sit…
Select Subnets from the left panel and click Create subnet…
Select your new VPC, give the subnet a name, select an availability zone and give it an IPv4 CIDR Block and click Create subnet. I will be using 10.0.0.0/24 to start my subnets.
*We will need two public subnets.* So, repeat the steps above, name the subnet accordingly, and make sure you select a different availability zone and an appropriate CIDR Block. For example, I selected us-east-1b for the second public subnet and used CIDR Block 10.0.1.0/24…
You should now see your two public subnets
Now we must enable the auto-assign IP setting on each public subnet. Select a subnet, bring down the Actions Bar and select Edit subnet settings…
Then Enable the Auto-assign IP settings and Click Save…
Create Public Route Table
Next, we will create a public route table. If you go over to Route Tables in the left panel, you will see that there is already a route table. This is the main route table that was created along with your VPC, and it is private by default. Click Create route table…
Give the route table a name, select your new VPC and Click Create route table
Next, add a route to the internet gateway. In your route table, make sure you are in the Routes tab and select Edit routes
Then select Add route. Set your Destination to 0.0.0.0/0, then set your target to the internet gateway associated with your new VPC and save the changes. This adds a public connection to the route table…
Next, associate the public subnets we created with the public route table. In your new public route table Click the Subnet associations tab, then Edit subnet associations in Explicit subnet associations box…
You should see the two public subnets we created earlier, as they are the only subnets currently in our VPC. Select them both and Save associations…
You will see the public subnets have now been explicitly associated with the public route table, and have been removed from the main route table…
Create Private Subnets
Next, we will create our 4 private subnets. Head back to Subnets in the left panel, then click Create subnet. The same process as for the public subnets applies: select the new VPC, name the subnets accordingly, set the CIDR Block correctly for each, and give each pair the availability zones us-east-1a and us-east-1b.
I will continue the CIDR Blocks for my private subnets with 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 10.0.5.0/24, and name them according to the tier they will be used in; e.g. private-app-subnet-1&2 will be used in the application tier and private-data-subnet-1&2 in the database tier.
Once completed you will have a total of six subnets. You can confirm this in the Subnets tab on the left panel by filtering the results for the new VPC…
Create NAT Gateway
Next we will create a NAT Gateway (Network Address Translation Gateway). We will need a NAT gateway to allow instances in private subnets to connect to the internet and perform tasks such as updates or downloading packages. Our application tier will have EC2 instances in a private subnet.
Click the NAT Gateways tab in the left panel, then click Create NAT gateway…
Give the NAT gateway a name if you’d like, assign one of the public subnets, set the connectivity type to Public, Allocate Elastic IP, then Create NAT gateway
Create Private Route Table
Next, let's create our private route table. I saved this for last because I wanted to wait until our NAT gateway was created. You’ll see why in a moment.
Select Route Tables from the left panel and click Create route table. Once you have created the private route table, go to the routes tab and click Edit routes (review previous route table steps if required).
Add route with the destination 0.0.0.0/0, and the Target as the NAT gateway we just created and save changes…
Next we will associate the remaining four private subnets with our new private route table. In your private route table, go to Subnet associations tab and select Edit subnet associations. Select the four private subnets and Save associations…
With that, you have completed the VPC for this project.
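To sanity-check the subnet plan from Step 1 before clicking through the console, here is an added Python example; it is not part of the original article. It assumes a 10.0.0.0/16 VPC block (the article does not state its VPC CIDR) and uses placeholder ids for the internet and NAT gateways; the subnet CIDRs and availability zones are the ones used above. It shows the point that matters for security in this step: a subnet is "public" only because its route table sends 0.0.0.0/0 to the internet gateway, and a NAT gateway only gives the private subnets egress if it itself sits in a public subnet.

```python
import ipaddress

# Constructed sample (not the article's own data): the article never states its
# VPC CIDR, so 10.0.0.0/16 is an assumption; the six /24 subnets and the two AZs
# are the ones used in the walkthrough. Resource ids are placeholders.
VPC_CIDR = "10.0.0.0/16"

SUBNETS = {
    "public-web-subnet-1":   ("10.0.0.0/24", "us-east-1a"),
    "public-web-subnet-2":   ("10.0.1.0/24", "us-east-1b"),
    "private-app-subnet-1":  ("10.0.2.0/24", "us-east-1a"),
    "private-app-subnet-2":  ("10.0.3.0/24", "us-east-1b"),
    "private-data-subnet-1": ("10.0.4.0/24", "us-east-1a"),
    "private-data-subnet-2": ("10.0.5.0/24", "us-east-1b"),
}

# Route tables as {destination: target} plus their explicit subnet associations.
ROUTE_TABLES = {
    "public-rt": {
        "routes": {VPC_CIDR: "local", "0.0.0.0/0": "igw-PLACEHOLDER"},
        "subnets": ["public-web-subnet-1", "public-web-subnet-2"],
    },
    "private-rt": {
        "routes": {VPC_CIDR: "local", "0.0.0.0/0": "nat-PLACEHOLDER"},
        "subnets": ["private-app-subnet-1", "private-app-subnet-2",
                    "private-data-subnet-1", "private-data-subnet-2"],
    },
}

# The subnet the NAT gateway was created in (Step 1 puts it in a public subnet).
NAT_GATEWAY_SUBNET = "public-web-subnet-1"


def check_subnet_plan(vpc_cidr, subnets):
    """Return a list of problems: a subnet outside the VPC block, or two subnets
    whose address ranges overlap (AWS rejects both, but catching them up front
    saves a round of console errors)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, (cidr, _az) in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} ({net}) is not inside the VPC block {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def classify_subnet(name, route_tables):
    """What makes a subnet 'public' is only its route table: a 0.0.0.0/0 route to
    an internet gateway. A default route to a NAT gateway gives outbound-only
    access ('private'); no default route at all means 'isolated'. A subnet with
    no explicit association falls back to the VPC's main route table."""
    for rt in route_tables.values():
        if name not in rt["subnets"]:
            continue
        target = rt["routes"].get("0.0.0.0/0")
        if target is None:
            return "isolated"
        if target.startswith("igw-"):
            return "public"
        if target.startswith("nat-"):
            return "private"
        return "unknown"
    return "main-route-table"


def tier_az_coverage(subnets):
    """Map each tier (taken from the subnet name) to the set of AZs it spans, so
    you can confirm every tier really has two AZs before building the ASGs."""
    coverage = {}
    for name, (_cidr, az) in subnets.items():
        tier = name.rsplit("-subnet-", 1)[0]   # e.g. "private-app"
        coverage.setdefault(tier, set()).add(az)
    return coverage


def nat_gateway_placement_ok(nat_subnet, route_tables):
    """A NAT gateway only works if it sits in a public subnet; in a private subnet
    it has no path to the internet and every private instance loses egress."""
    return classify_subnet(nat_subnet, route_tables) == "public"


if __name__ == "__main__":
    print("plan problems:", check_subnet_plan(VPC_CIDR, SUBNETS))
    for name in SUBNETS:
        print(f"{name:24} {classify_subnet(name, ROUTE_TABLES)}")
    print("AZ coverage:", tier_az_coverage(SUBNETS))
    print("NAT gateway in a public subnet:",
          nat_gateway_placement_ok(NAT_GATEWAY_SUBNET, ROUTE_TABLES))
```

The classification mirrors what the console shows after the route table steps: the two subnets associated with the public route table come out "public", the four on the private route table "private", and a subnet you forgot to associate falls back to the main route table, which has no internet route.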
Step 2: Create Launch Templates And Auto Scaling Groups For Web and Application Tiers
Web Tier:
Navigate over to your EC2 management console. In the left side panel select Launch Templates then Click Create launch template.
- Give your launch template a name (mine is WebTier-3T-LT)
- Check off Provide guidance to help me set up a template that I can use with EC2 Auto Scaling
Application and OS Images (Amazon Machine Image): select the Amazon Linux 2 Kernel 5.10 AMI 2.0.20220426.0 x86_64 HVM gp2
Instance type select t2.micro (free tier)
Key pair: Select an existing key pair or create a new one to be able to log into our instances. I have used an existing key pair. If you create a new one be sure to download it to your device.
Network settings:
- Subnet: Don’t include in launch template
- Firewall (security group): Create security group and give name (mine is WebTierSG) and description
- Inbound security group rules: Add two rules, one for HTTP (port 80) and one for SSH (port 22), with the Source set to 0.0.0.0/0
Advanced network configuration: Select Add network interface, then Enable Auto-assign public IP
Advanced details: Bring down the Advanced details menu, scroll down to User data and paste in the following bootstrap script that will update and install Apache webserver in your instances…
#!/bin/bash
# Bootstrap script: update packages, install Apache, start it and enable it at boot
sudo yum update -y
sudo yum install -y httpd
sudo systemctl start httpd
sudo systemctl enable httpd
Click Create launch template.
Application Tier:
From your launch templates Click Create launch template. Note: This is not a true application tier as we don’t have any provided code to run on the EC2 instances.
- The same steps as for the previous launch template apply. I will use the same AMI, instance type and key pair. We will not auto-assign a public IP, and no bootstrap script is required.
- Since this will be a private tier, the security group will not open up the HTTP (port 80). We will open SSH (port 22) and set a rule allowing access from our Web Tier security group as the source…
Click Create launch template. You should now see two launch templates…
Auto Scaling Groups
Now that we have our two launch templates for our web and application tiers, we can create our Auto Scaling Groups (ASG).
In the left panel of the EC2 management console, Click Auto Scaling Groups, then Click Create Auto Scaling group
First, we will create our public ASG. Give the ASG a name and associate it with the Web Tier launch template…
Next, select your new VPC and both public subnets for availability zones…
Next enable group metrics with Cloudwatch and leave the rest default…
Next we will specify the group size with a desired capacity of 2, a minimum capacity of 2, and a maximum capacity of 4…
Add Target scaling tracking policy with Average CPU utilization as the Metric type and a Target value of 80…
We will not need notifications or tags for this project. Click Skip to review, then Click Create Auto Scaling group
Now we will create an ASG for the Application Tier launch template. The steps are the same, except that you will name it PrivateAppASG, select the two private app subnets, and associate it with your AppTier launch template…
After a few moments, you can go back to your EC2 management console and check that your instances are up and running…
I have named mine accordingly. If you select an instance and click the Networking tab, you can see the associated subnet, which helps with the naming convention
Step 3: Create Database Tier
In the AWS Console, search for and select RDS. On the left panel select Subnet groups, then Create DB subnet group…
Give the subnet group a name and short description. Select the VPC you created earlier. Select the two availability zones we used earlier (us-east-1a, us-east-1b), then select the private data subnets and click Create…
Note: in this subnet drop-down the subnet name is not displayed. You can check your private route table to make sure you select the correct subnets.
Next, select Databases in the left panel and click Create database…
Choose a database creation method: Standard create
Engine options: MySQL and select version 8.0.28
Templates: Free tier
Availability and durability: Leave unchecked
Settings: Provide a name for the DB instance identifier and create a Master password. I left the Master username default as admin
Leave Instance configuration and Storage as default.
Connectivity: Leave Network type as IPv4, Select the VPC you created, select the database subnet group you just created, set Public access to No, create a new security group and give it a name, leave AZ set to No preference…
Leave the rest at default and Click Create database…
It will take a few moments to launch the database. Once the database is ready select it. Go to the Connectivity and security tab, then under Security/VPC security groups open the security group you created for the database…
It will take you to the page for the database security group. Select the security group, pull down the actions menu and select Edit inbound rules…
Add a new rule: the type will be Custom TCP, Port range set to 3306, and the source the AppTier security group. Delete the old rule and Save rules…
This will allow our App Tier to speak with our Data Tier, and that completes our 3 tiers!
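The three security groups created in Steps 2 and 3 form a chain: the internet reaches the web tier on port 80, the web tier's group reaches the application tier on port 22, and the application tier's group reaches the database on port 3306. Here is an added Python example (not the article's own code) that audits that chain. It uses a constructed sample in the shape of the aws ec2 describe-security-groups JSON with placeholder group ids. Run against rules matching the walkthrough it reports exactly one finding, SSH open to 0.0.0.0/0 on the web tier, which is the kind of improvement the closing paragraph has in mind; the hardened() helper narrows that rule to an admin range (203.0.113.0/24, a documentation address block standing in for your own).

```python
import copy

# Constructed sample (not the article's data) in the shape of the
# `aws ec2 describe-security-groups` output, trimmed to the fields the audit
# reads. Group ids are placeholders; the rules mirror Steps 2 and 3.
WEB_SG, APP_SG, DB_SG = "sg-web-PLACEHOLDER", "sg-app-PLACEHOLDER", "sg-db-PLACEHOLDER"

SECURITY_GROUPS = [
    {"GroupId": WEB_SG, "GroupName": "WebTierSG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": APP_SG, "GroupName": "AppTierSG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": WEB_SG}]},
    ]},
    {"GroupId": DB_SG, "GroupName": "DatabaseSG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": APP_SG}]},
    ]},
]

WORLD = {"0.0.0.0/0", "::/0"}


def _cidr_sources(perm):
    """All CIDR sources of one rule, IPv4 and IPv6."""
    return ({r["CidrIp"] for r in perm.get("IpRanges", [])}
            | {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])})


def _covers_port(perm, port):
    """Does this rule admit TCP traffic to `port`? '-1' means all protocols."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def allowed_sources(sg, port):
    """Security-group ids and CIDRs that may reach `port` on members of `sg`."""
    sources = set()
    for perm in sg["IpPermissions"]:
        if _covers_port(perm, port):
            sources |= _cidr_sources(perm)
            sources |= {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
    return sources


def audit_tiers(groups, web_sg, app_sg, db_sg):
    """Check the tier chain the article sets up: internet -> web, web -> app,
    app -> database, with nothing reachable out of order."""
    by_id = {g["GroupId"]: g for g in groups}
    findings = []

    # The database port must admit only the application tier's group.
    db_sources = allowed_sources(by_id[db_sg], 3306)
    if db_sources != {app_sg}:
        findings.append(f"{by_id[db_sg]['GroupName']}: port 3306 admits "
                        f"{sorted(db_sources)}, expected only {app_sg}")

    # The application tier should be reached only through the web tier's group.
    app_sources = allowed_sources(by_id[app_sg], 22)
    if app_sources - {web_sg}:
        findings.append(f"{by_id[app_sg]['GroupName']}: port 22 admits "
                        f"{sorted(app_sources - {web_sg})} besides {web_sg}")

    # Private tiers should reference groups, never CIDR ranges, so that a rule
    # keeps following the instances as the ASG replaces them.
    for sg_id in (app_sg, db_sg):
        for perm in by_id[sg_id]["IpPermissions"]:
            for cidr in _cidr_sources(perm):
                findings.append(f"{by_id[sg_id]['GroupName']}: CIDR source {cidr} in a private tier")

    # SSH from anywhere is the largest exposure in the walkthrough; flag it
    # wherever it occurs, including on the public tier.
    for g in groups:
        if WORLD & allowed_sources(g, 22):
            findings.append(f"{g['GroupName']}: SSH (port 22) open to the world")
    return findings


def hardened(groups, web_sg, admin_cidr):
    """Same groups, with the web tier's dedicated SSH rule limited to `admin_cidr`."""
    out = copy.deepcopy(groups)
    for g in out:
        if g["GroupId"] != web_sg:
            continue
        for perm in g["IpPermissions"]:
            if _covers_port(perm, 22) and not _covers_port(perm, 80):
                perm["IpRanges"] = [{"CidrIp": admin_cidr}]
    return out


if __name__ == "__main__":
    for f in audit_tiers(SECURITY_GROUPS, WEB_SG, APP_SG, DB_SG):
        print("FINDING:", f)
    # 203.0.113.0/24 is a documentation range standing in for your admin network.
    fixed = hardened(SECURITY_GROUPS, WEB_SG, "203.0.113.0/24")
    print("after restricting SSH:", audit_tiers(fixed, WEB_SG, APP_SG, DB_SG))
```

Because the private tiers reference security groups rather than addresses, the rules keep applying as the Auto Scaling Groups replace instances; the same audit run against real `describe-security-groups` output only needs the placeholder ids swapped for your own.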
Step 4: Testing and Verification
First we will test a public EC2 instance by checking that the Apache test page is displayed, and then by connecting via SSH. Move over to the EC2 console and let's place the Public IPv4 address into a browser…
Next, SSH into one of our public instances from our local machine with the following command. Make sure you are running it from the directory where you have saved your key pair…
ssh -A ec2-user@your.ip.add.ress
The -A option enables forwarding of the authentication agent connection. You can now SSH onward from the remote machine as if it were your local machine.
Next, we will see if we can SSH into one of our private instances with the following command…
ssh ec2-user@your.ip.add.ress
Run the sudo yum update -y command in your private instance and put your NAT gateway to work.
If I had not used the -A option to SSH into my public instance, I would have gotten the following result when trying to SSH into my private instance…
Now let's install MariaDB so that we can access our database from the private instance, with the following command…
sudo yum install mariadb
It installed because it was able to reach packages from the internet via the NAT gateway.
Now we can connect to the database tier with the following command. You will need the Endpoint & Port from Connectivity & security on your RDS database (the port number is 3306), and don’t forget the Master username, which I had left as admin…
mysql -h private-database-3t.cv9iq9042ocd.us-east-1.rds.amazonaws.com -P 3306 -u admin -p
Then enter the password you created for the MySQL database, and you should see the following…
You have just successfully accessed your database tier from a private instance in your application tier. That does it for our 3-tier project (for now)…
This project took some time and patience, and I know that it can be improved for security and effectiveness. It’s not perfect. I am glad I have documented what I did so I can work on improving this process. *Don’t forget to tear this all down since some of these services do build up charges on your account*
If you have anything you’d like to add or have any questions, comments, or tomatoes to throw, please feel free to do so. I love learning some cloud. Thanks for following along and see ya soon.