Setting up a basic two-tier web application in Amazon Web Services
GarryPas, Mar 1

Introduction

Organisations large and small are increasingly moving their infrastructure to the cloud.
The cloud brings many benefits: the provisioning of infrastructure can now be done in minutes, where previously it might have taken days or weeks, making it easier to “spin up” new systems and scale them vertically and horizontally.
Costs are dramatically reduced, and security, disaster recovery capabilities and durability are greatly improved.
The abstraction of physical hardware and the growing popularity of “infrastructure as code” have led to the rise of the so-called “DevOps” movement.
In this document I’ll show how easy it is to create a Virtual Private Cloud (VPC) and set up the infrastructure to support a basic two-tier CRUD (create-read-update-delete) application in Amazon Web Services (AWS), currently the most popular cloud provider on the market.
For small businesses, “lifting and shifting” systems from on-premises to the cloud should be a fairly straightforward task.
If you are following the steps in the document, you will need an AWS account.
Setting up a VPC

A VPC is a virtual network that you deploy resources to.
To create a VPC, navigate to “Services” in the AWS Management Console, type “VPC” and select the displayed option.
From the dashboard, select “Create VPC”.
Give the VPC a meaningful name and enter the CIDR (Classless Inter-Domain Routing) block 10.[…].0/16, which will give the VPC a range of 65,536 IP addresses.
Setting up the network

Because we’d like to set up a two-tier application, we’re going to create separate subnets for our application layer and our database layer, with our application layer reachable from the Internet.
In the VPC management console, select the “Subnets” option from the menu on the left.
Create three new subnets, one for the application and two for the database, choosing different Availability Zones for the database subnets.
Use the CIDR blocks 10.[…].0/24 for the application subnet, and 10.[…].0/24 and 10.[…].0/24 for the database subnets.
Note that each subnet shows 251 IP addresses available for its /24 CIDR block, because AWS reserves five addresses in every subnet.
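As an added illustration (not code from the original article), the following Python check validates an address plan of the shape described above before anything is created in the console. The concrete blocks are assumed values, since the article’s middle octets did not survive on this page; what the article does fix is a /16 VPC and /24 subnets, and the check reproduces the 65,536 and 251 figures, confirms that each subnet lies inside the VPC without overlapping another, and that the database subnets span two Availability Zones, which the RDS DB Subnet Group created later requires.

```python
"""Sanity-check a VPC address plan before creating it in the console.

Added example, not from the original article. The VPC and subnet blocks are
ASSUMED values; the article only fixes the VPC at a /16 (65,536 addresses)
and the three subnets at /24.
"""
import ipaddress
from itertools import combinations

# AWS reserves five addresses in every subnet: the network address, the VPC
# router (+1), the DNS resolver (+2), one for future use (+3) and the
# broadcast address.  256 - 5 = 251, the figure the console shows for a /24.
AWS_RESERVED_PER_SUBNET = 5

# Assumed values for illustration.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "app":  ("10.0.1.0/24", "eu-west-1a"),
    "db-a": ("10.0.2.0/24", "eu-west-1a"),
    "db-b": ("10.0.3.0/24", "eu-west-1b"),
}


def usable_addresses(cidr: str) -> int:
    """Number of addresses AWS will actually hand out in this subnet."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def validate_plan(vpc_cidr: str, subnets: dict) -> list:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, (cidr, _) in subnets.items()}
    # Every subnet must be carved out of the VPC block.
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} is not inside the VPC block {vpc}")
    # No two subnets may overlap.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} and {b} overlap ({na} / {nb})")
    # An RDS DB Subnet Group needs subnets in at least two Availability Zones.
    db_azs = {az for name, (_, az) in subnets.items() if name.startswith("db")}
    if len(db_azs) < 2:
        problems.append("database subnets must span at least two Availability Zones")
    return problems


if __name__ == "__main__":
    print(f"VPC {VPC_CIDR}: {ipaddress.ip_network(VPC_CIDR).num_addresses} addresses")
    for name, (cidr, az) in SUBNETS.items():
        print(f"  {name:5s} {cidr} in {az}: {usable_addresses(cidr)} usable")
    for line in validate_plan(VPC_CIDR, SUBNETS) or ["plan is consistent"]:
        print(line)
```

Running it prints the address counts per subnet and either “plan is consistent” or one line per problem; feeding it a plan with an overlapping or out-of-range subnet is a quick way to catch a typo before the console accepts it.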
Now locate the “Route Tables” option from the menu.
Create a route table for the application subnet, and one to be shared by both database subnets, and then explicitly associate each route table with its subnets (see below).
Now we will create an Internet Gateway so that our web application can receive traffic from the Internet.
Once this is done, add a route to the application route table with the destination 0.0.0.0/0 targeting the Internet Gateway.
Security

We can lock down our subnets a bit here using Network Access Control Lists (NACLs), which behave like traditional stateless firewalls at the subnet boundary.
In the VPC management console, locate “Network ACLs”.
Create a new network ACL for the application subnet, associating it with your VPC.
Now find your ACL, select it, then choose “Subnet Associations”.
Associate it with the application subnet.
By default this will now block all traffic in and out.
We will remove the outbound restrictions (add a rule to allow all traffic, with destination 0.0.0.0/0), but restrict inbound traffic to ports 80 (HTTP), 443 (HTTPS) and 3389 (RDP).
We will also allow all traffic between our application subnet and our database subnet.
Our NACLs could be refined further, but delving too deeply into this is beyond the scope of this article.
For the database NACL, we allow all traffic on all ports to and from the application subnet, and deny everything else.
Again, this could and probably should be much more restrictive in a real production system.
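NACL rules are easy to get subtly wrong because, unlike security groups, they are stateless and evaluated strictly by rule number. The Python model below is an added example (not code from the original article) that mimics those documented semantics so the two rule sets described above can be checked on paper: lowest rule number first, first match decides, and an implicit final “*” rule denies anything left. The subnet CIDRs are assumed values standing in for the article’s application and database subnets. It also shows why the article leaves outbound open: if outbound were tightened to, say, HTTPS only, the replies to inbound web requests (which leave on the client’s ephemeral port) would be dropped until the ephemeral range is allowed explicitly.

```python
"""Model how an AWS Network ACL evaluates traffic, so a rule set can be
checked before it is typed into the console.

Added example, not code from the original article. It mimics the documented
NACL semantics: rules are stateless, evaluated in ascending rule-number order,
the first match decides, and an implicit final "*" rule denies anything left.
The subnet CIDRs are ASSUMED values standing in for the article's application
and database subnets.
"""
import ipaddress
from dataclasses import dataclass

APP_SUBNET = "10.0.1.0/24"                    # assumed
DB_SUBNETS = ("10.0.2.0/24", "10.0.3.0/24")   # assumed, two Availability Zones
ANYWHERE = "0.0.0.0/0"
ALL_PORTS = (0, 65535)
EPHEMERAL = (1024, 65535)   # range clients use for the reply half of a connection


@dataclass(frozen=True)
class Rule:
    number: int      # lower numbers are evaluated first
    proto: str       # "tcp", "udp" or "all"
    ports: tuple     # inclusive (low, high); ignored when proto == "all"
    cidr: str        # source for inbound rules, destination for outbound
    action: str      # "allow" or "deny"


def evaluate(rules, proto: str, port: int, address: str) -> str:
    """Return "allow" or "deny" for one packet under the given rule list."""
    ip = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.proto != "all" and rule.proto != proto:
            continue
        if rule.proto != "all" and not rule.ports[0] <= port <= rule.ports[1]:
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action          # first match wins
    return "deny"                   # the implicit "*" rule


# Application subnet NACL as the article describes it: HTTP, HTTPS and RDP
# in from the Internet, everything from the database subnets, everything out.
APP_INBOUND = [
    Rule(100, "tcp", (80, 80), ANYWHERE, "allow"),
    Rule(110, "tcp", (443, 443), ANYWHERE, "allow"),
    # In production, limit 3389 to a management CIDR instead of ANYWHERE.
    Rule(120, "tcp", (3389, 3389), ANYWHERE, "allow"),
    Rule(200, "all", ALL_PORTS, DB_SUBNETS[0], "allow"),
    Rule(210, "all", ALL_PORTS, DB_SUBNETS[1], "allow"),
]
APP_OUTBOUND = [Rule(100, "all", ALL_PORTS, ANYWHERE, "allow")]

# Database subnet NACL: only the application subnet, in both directions;
# the implicit "*" rule denies everything else.
DB_INBOUND = [Rule(100, "all", ALL_PORTS, APP_SUBNET, "allow")]
DB_OUTBOUND = [Rule(100, "all", ALL_PORTS, APP_SUBNET, "allow")]

# The stateless caveat: with outbound tightened to HTTPS only, replies to
# inbound web requests (sent to the client's ephemeral port) are dropped until
# the ephemeral range is allowed explicitly.
APP_OUTBOUND_HTTPS_ONLY = [Rule(100, "tcp", (443, 443), ANYWHERE, "allow")]
APP_OUTBOUND_HTTPS_PLUS_REPLIES = APP_OUTBOUND_HTTPS_ONLY + [
    Rule(110, "tcp", EPHEMERAL, ANYWHERE, "allow"),
]


if __name__ == "__main__":
    internet_client = "203.0.113.5"   # constructed TEST-NET-3 address
    app_server, db_server = "10.0.1.10", "10.0.2.10"
    cases = [
        ("app in  HTTP from Internet",        APP_INBOUND, "tcp", 80, internet_client),
        ("app in  SSH from Internet",         APP_INBOUND, "tcp", 22, internet_client),
        ("app in  reply from database",       APP_INBOUND, "tcp", 49152, db_server),
        ("db  in  SQL from app subnet",       DB_INBOUND, "tcp", 1433, app_server),
        ("db  in  SQL from Internet",         DB_INBOUND, "tcp", 1433, internet_client),
        ("app out web reply, HTTPS-only ACL", APP_OUTBOUND_HTTPS_ONLY, "tcp", 49152, internet_client),
        ("app out web reply, with ephemeral", APP_OUTBOUND_HTTPS_PLUS_REPLIES, "tcp", 49152, internet_client),
    ]
    for label, rules, proto, port, addr in cases:
        print(f"{label:36s} -> {evaluate(rules, proto, port, addr)}")
```

Because the model sorts by rule number before matching, it also reproduces the other classic NACL pitfall: a deny with a lower number than an allow wins even if the allow was added later, so rule numbering, not the order you typed them, determines the outcome.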
Application

Now that we have our network infrastructure in place, we can set up an EC2 instance to run a web application.
Before we create an EC2 instance, we will create a Network Interface.
In AWS a Network Interface is like a virtual network card that we attach to our VPC, and we will assign it to our EC2 instance in a moment.
From the “Services” menu, type “EC2” and go to the EC2 Management Console.
Select “Network Interfaces” from the menu on the left and click “Create Network Interface”.
From here choose the application subnet.
Now let’s create an EC2 instance.
Select “EC2 dashboard” from the menu, and find the “Launch Instance” button.
We’ll choose Microsoft Windows Server 2019 Base with Containers (ami-0dc1334297ff5b25b) and then the t2.[…] instance type.
Configure your instance so that it is associated with the application subnet and choose the network interface we just created.
Make sure you download your key pair; you’ll need it to connect to your new instance.
Once you’re happy, create the instance.
It will take a few minutes to spin up.
When it is ready, go to the EC2 dashboard, right click the instance and select “Connect”.
Note the IP address and get the Administrator password using your key pair by clicking “Get Password”.
Also make a note of the Public IP address.
RDP into your instance and set up IIS using the Add Roles and Features Wizard (see below).
Verify you can connect to your instance from the Internet by navigating to http://<public_ip_address> in a browser.
Database

Now we’ll set up a database using Amazon Relational Database Service (RDS).
This service allows us to create managed instances of the most popular databases, such as PostgreSQL and SQL Server.
For this example we will create a SQL Server instance.
Before we start we need to create something called a “DB Subnet Group”, which allows a database to be associated with a VPC by virtue of its constituent subnets.
Click “Services” and type “RDS” to access the RDS Management Console.
From the menu on the left select “Subnet groups” and click “Create DB Subnet Group”.
Associate it with your VPC and the two database subnets you created.
This fulfils a durability requirement that subnet groups must contain subnets in more than one availability zone.
Now in the menu select “Databases” and click “Create Database”.
Choose “Microsoft SQL Server”.
Fill in the required fields, such as username and password and click “Next”.
In the next screen ensure your VPC and Subnet Group are set correctly and create the database.
AWS will take around 10 minutes to spin up the instance.
Once it is created, find it on the dashboard, click it, and note down the endpoint under “Connectivity & security” (port will be 1433, the default MS SQL port).
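The connectivity check in the next step can be done from any language available on the instance. The Python version below is an added example, not the article’s own command: it attempts the TCP handshake to the endpoint on port 1433 and, unlike a plain pass/fail, tells apart a path that is blocked (a timeout, which points at the NACL, security group or route table) from a host that answers but has nothing listening (a refused connection, which points at the database itself). The endpoint string is a placeholder, and the local listener exists only so the function can be exercised without AWS.

```python
"""Check that the application server can reach the RDS endpoint on TCP 1433.

Added example, not code from the original article (which uses a PowerShell
one-liner for the same check). Run it on the EC2 instance, substituting the
endpoint noted from the RDS console for the placeholder below.
"""
import socket
import threading

SQL_SERVER_PORT = 1433   # default SQL Server port, as the article notes


def check_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify reachability of host:port from this machine.

    "open"        TCP handshake completed: something is listening
    "refused"     the host answered with a reset: nothing listens on that port
    "timeout"     no answer at all: typically a NACL, security group or route
                  blocking the path rather than the database itself
    "unresolved"  the endpoint name did not resolve
    "unreachable" the local network stack had no route to the host
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"


def start_local_listener():
    """Throwaway listener on 127.0.0.1 so check_tcp can be exercised offline.
    Returns the listening socket and its port; close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept_once():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass   # listener was closed before anyone connected

    threading.Thread(target=accept_once, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """A port that was just released, so a connection to it should be refused."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    # PLACEHOLDER: replace with the endpoint shown under "Connectivity & security".
    endpoint = "<db-identifier>.<id>.<region>.rds.amazonaws.com"
    print(f"{endpoint}:{SQL_SERVER_PORT} -> {check_tcp(endpoint, SQL_SERVER_PORT)}")
```

A result of "timeout" from the application server is the signature of a missing NACL rule, security group rule or route rather than a database fault, so it is worth checking those three before touching the RDS instance.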
Finally, to check our EC2 instance can talk to our database, RDP into your application server and run the following PowerShell command, using the endpoint you noted down.
[…].com -Port 1433

Summary

In this article I showed an example of how a VPC can be set up in AWS, and resources easily added to it, allowing DevOps engineers to quickly spin up infrastructure in the cloud.
AWS comes with all of the security controls that are available on-premises, ensuring no compromises are made in this regard.
Although this example described the infrastructure for a two-tier application, the concepts extend to n tiers.
DevOps skills are increasingly required in organisations both large and small, especially as they look to leverage the benefits of running their systems in the cloud.
By getting familiar with the tools offered by the large cloud providers, engineers can ensure their skills remain relevant for many years to come.