Building an AWS 3-Tier Architecture

Patrick René
11 min read · Jan 21, 2023


What is a three-tier architecture?
A three-tier architecture is a logical method of separating your client layer, application layer and data layer, with data access spread across more than one server. Also known as a multi-tier architecture, a three-tier architecture can be difficult to design and build; however, the benefits outweigh the challenge. Some key advantages of running a three-tier architecture are scalability, fault tolerance and flexibility: you can make changes to components in one tier with no impact on the other tiers, and you get better performance. A multi-tier architecture also adds an extra layer of security by separating the user system interface and application logic; as you traverse each tier you are protected by the use of firewalls (Security Groups).

Scenario:
You have been asked to design and create a highly available 3 Tier architecture for your company’s new web application.

Requirements for the Three-Tier architecture:
VPC
Six Subnets; two public, four private
Internet gateway
Two auto scaling groups
Public route table
Private route table
Web server security group
EC2 application server security group
Database security group

Prerequisites:

  • Access to AWS Console
  • An understanding of AWS services: VPCs and their components, security groups (firewall rules), EC2 Auto Scaling groups and load balancers
  • The ability to troubleshoot issues

Tier-1

  1. Create a Virtual Private Cloud(VPC)
    Creating a VPC means we are carving out a piece of the AWS cloud for our environment. The VPC is the foundation of your AWS environment.
  • From the VPC Dashboard, choose Launch VPC Wizard
  • Resource to create — VPC only
  • Name tag — my3tiervpc
  • CIDR Block — 10.10.0.0/16
  • Tenancy — Default

Select -> Create VPC

Next we are going to create the Internet gateway.
The internet gateway is the connector from the AWS environment to the internet.

  • Name tag — my3TierIGW

Select -> Create internet gateway

Next, we will attach the internet gateway to the VPC (my3tiervpc) we created earlier.

Create subnets
A subnet is a range of IP addresses in your VPC
We are going to create 6 subnets, 2 public and 4 private: that's two for each tier and three for each Availability Zone.

From the VPC dashboard select subnets
Choose Create subnet

VPC
VPC ID — my3tiervpc

Subnet Settings — We are going to create six entries with alternating availability zones for public and private subnets

Subnet name — PublicSubnet1
Availability Zone — us-east-1a
IPV4 CIDR block — 10.10.1.0/16

Subnet name — PublicSubnet2
Availability Zone — us-east-1b
IPV4 CIDR block — 10.10.2.0/16

Subnet name — PrivateSubnet1
Availability Zone — us-east-1a
IPV4 CIDR block — 10.10.3.0/16

Subnet name — PrivateSubnet1
Availability Zone — us-east-1b
IPV4 CIDR block — 10.10.4.0/16

Subnet name — PrivateSubnet1
Availability Zone — us-east-1a
IPV4 CIDR block — 10.10.5.0/16

Subnet name — PrivateSubnet1
Availability Zone — us-east-1b
IPV4 CIDR block — 10.10.6.0/16

Click ‘Create subnet’

The subnets were successfully created!
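A subnet plan can be checked offline before it is typed into the console. This is an added example, not part of the original post: it verifies that every subnet CIDR is a valid network inside the VPC block 10.10.0.0/16, within the /16 to /28 size range, and does not overlap another subnet. The /24 plan and the names PrivateSubnet2 to PrivateSubnet4 are assumptions made for illustration; the entries exactly as listed above are included to show what the check reports.

```python
import ipaddress

VPC_CIDR = "10.10.0.0/16"  # VPC block used on this page

# Entries exactly as listed in the subnet step above.
AS_LISTED = [("PublicSubnet1", "10.10.1.0/16"), ("PublicSubnet2", "10.10.2.0/16"),
             ("PrivateSubnet1", "10.10.3.0/16"), ("PrivateSubnet1", "10.10.4.0/16"),
             ("PrivateSubnet1", "10.10.5.0/16"), ("PrivateSubnet1", "10.10.6.0/16")]

# Assumed plan for illustration: one /24 per subnet, unique names.
PLAN_24 = [("PublicSubnet1", "10.10.1.0/24"), ("PublicSubnet2", "10.10.2.0/24"),
           ("PrivateSubnet1", "10.10.3.0/24"), ("PrivateSubnet2", "10.10.4.0/24"),
           ("PrivateSubnet3", "10.10.5.0/24"), ("PrivateSubnet4", "10.10.6.0/24")]


def check_plan(vpc_cidr, plan):
    """Return a list of problems in [(name, cidr), ...]; empty means usable."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems, accepted, seen = [], [], set()
    for name, cidr in plan:
        if name in seen:
            problems.append(f"{name}: duplicate subnet name")
        seen.add(name)
        try:
            net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
        except ValueError as exc:
            problems.append(f"{name}: invalid CIDR ({exc})")
            continue
        if not 16 <= net.prefixlen <= 28:  # subnet size limits in a VPC
            problems.append(f"{name}: {cidr} prefix must be /16 to /28")
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is outside VPC {vpc_cidr}")
        for other_name, other in accepted:
            if net.overlaps(other):
                problems.append(f"{name}: {cidr} overlaps {other_name} {other}")
        accepted.append((name, net))
    return problems


if __name__ == "__main__":
    for label, plan in (("as listed", AS_LISTED), ("/24 plan", PLAN_24)):
        issues = check_plan(VPC_CIDR, plan)
        print(label, "->", "OK" if not issues else f"{len(issues)} problem(s)")
        for line in issues:
            print("  ", line)
```
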

NAT Gateway
A NAT gateway allows EC2 instances to establish outbound connections to resources on the internet without allowing inbound connections to the EC2 instance

From the VPC dashboard click ‘NAT gateways’ then click ‘Create NAT gateway’

NAT gateway settings
Name — Public-NAT-gw
Subnet — PublicSubnet1
Connectivity type — Public
Elastic IP allocation ID — Click ‘Allocate Elastic IP’

Finally click ‘Create NAT gateway’

From the screenshot below the NAT gateway was created successfully!

NAT gateway list

Route Tables
A route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed

From the VPC dashboard click ‘Route Tables’, then click ‘Create route table’

We are going to create two route tables, one public and one private. Provide a name for each route table and associate it with our VPC (my3tiervpc).

Route table settings
Name — Public-RT
VPC — my3tiervpc

Name — Private-RT
VPC — my3tiervpc

Click ‘Create route table’

The route tables were created successfully!

Now we need to edit the Public-RT route to ensure we can receive internet traffic. Select the route and click ‘edit routes’
Click ‘Add routes’ and add 0.0.0.0/0 as a destination and select our internet gateway as our target.

Lastly, we are going to associate the two public subnets to the public route table. Select the subnet association tab in the route and click ‘edit subnet associations’

Select the two public subnets and click ‘Save associations’

The first tier of our three-tier architecture is complete.

Tier 2 — Creating the Web Tier

Security Groups
A security group acts as a virtual firewall for EC2 instances to control incoming and outgoing traffic.

We are going to create a security group for our web server.

From the VPC dashboard choose Security Groups
Choose Create security group
Security Group Name — MyWebServer-SG
Description — Allow WebServer access
VPC — my3tiervpc
Inbound rules — SSH, HTTP, HTTPS
Source — Anywhere-IPv4
Outbound rules —
Type — All traffic
Destination — Anywhere-IPv4

Create Launch Templates
A launch template specifies instance configuration information. It includes the ID of the Amazon Machine Image(AMI), the instance type, a key pair, security groups, and other parameters used to launch EC2 instances.

We are creating launch templates for the web tier and application tiers

From the EC2 dashboard under Instances, choose Launch Templates
Choose Create Launch Template:

Launch Template Name — My3Tier_LaunchTemplate
Template version description — My3TierWebServer
Auto Scaling guidance — Select check box
Application and OS Images (Amazon Machine Image) — Quick Start → Amazon Linux → Select the AMI and architecture of your choice.

Select our instance type and key pair.

Instance Type — T2 Micro free tier eligible
Key Pair — Choose an existing key pair or create a new one

Network Settings:
Firewall (Security groups) — ‘Select existing security group’ (MyWebServer-SG)
Under Advanced network configuration
Add network interface
Auto-assign public IP — Enable

Next we can leave the storage volumes at their defaults. In this section we are going to paste our bootstrap script into the User data field.
Bootstrapping is a method of loading a program into a computer by means of a few initial instructions on the first boot of the instance.

Expand Advanced details

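This is the bootstrap script we are using:

#!/bin/bash
# Install and start the Apache web server
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd

# Look up the Availability Zone from the instance metadata service using an
# IMDSv2 session token (this also works when IMDSv1 is disabled on the instance)
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
EC2AZ=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/availability-zone)
echo '<center><h1>This Amazon EC2 instance is located in Availability Zone: AZID </h1></center>' > /var/www/html/index.txt
sed "s/AZID/$EC2AZ/" /var/www/html/index.txt > /var/www/html/index.html

# Install and configure firewalld (-y is needed because user data runs non-interactively)
sudo yum install -y firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo systemctl status firewalld
# Allow only HTTP and HTTPS through the host firewall's public zone
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
sudo firewall-cmd --list-all --zone=public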

From the summary page click ‘Create launch template’

The Launch Template has been successfully created!

Auto Scaling Group
An Auto Scaling group contains a collection of EC2 instances that are treated as a logical grouping for the purposes of automatic scaling and management. An Auto Scaling group also lets you use Amazon EC2 Auto Scaling features such as health check replacements and scaling policies.

We are creating two auto scaling groups: ApplicationServer-ASG & my3Tier-WebServer-ASG

From the EC2 dashboard select ‘Auto Scaling’ → ‘Auto Scaling Groups’ → ‘Create an Auto Scaling Group’

On the Choose launch template or configuration page populate the following fields:
Auto Scaling group name
Launch Template
Click Next

VPC — my3tiervpc
Availability Zones and subnets — us-east-1a | PublicSubnet1 & us-east-1b | PublicSubnet2
Click ‘Next’

We are going to create the load balancers for the Application tier and web server tier.

Load Balancing — Select ‘Attach to a new load balancer’
Attach to a new load balancer — Select ‘Application Load Balancer’
Load balancer name — ApplicationServer-LoadBalancer
Load balancer scheme — Internal

Enable ELB health checks and monitoring using CloudWatch

We will set the Group size, which is the minimum and maximum capacity of our EC2 auto scaling group.

We can skip adding notifications and adding tags.

Click ‘Create Auto Scaling group’

Now let’s verify that we can access our Web Tier instances; this confirms our web tier is working as designed. Copy the load balancer DNS name and paste it into your browser:

http://mywebserverloadbalancer-2033331589.us-east-1.elb.amazonaws.com/

Tier — 3

Data
Our third and final tier is the data tier. This is where we will create the database security group and the MySQL database, and where our data is stored and accessed.

Before we create our database we are going to create a security group for our MySQL database.
Security group name — MySQL-RDS
Description — Allow RDS
VPC — my3tiervpc
Inbound rules —
Type — Select ‘MySQL/Aurora’; it will automatically populate the protocol and port range fields
Port range — 3306
Source custom — Select the ‘Application security group’
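The two security groups defined on this page (MyWebServer-SG in the web tier and MySQL-RDS here) can be reviewed from exported rule data to see which non-public ports are reachable from any address. This is an added example, not part of the original post: the sample document is constructed in the shape of `aws ec2 describe-security-groups` output, and the group IDs are placeholders.

```python
WORLD = {"0.0.0.0/0", "::/0"}
SENSITIVE = {22: "SSH", 3306: "MySQL/Aurora"}  # non-public ports this page opens


def rule(port, cidrs=(), groups=()):
    """Build one ingress rule in the describe-security-groups shape."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs], "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


# Constructed sample mirroring the console steps; group IDs are placeholders.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-web-EXAMPLE", "GroupName": "MyWebServer-SG",
     "IpPermissions": [rule(p, cidrs=["0.0.0.0/0"]) for p in (22, 80, 443)]},
    {"GroupId": "sg-db-EXAMPLE", "GroupName": "MySQL-RDS",
     "IpPermissions": [rule(3306, groups=["sg-app-EXAMPLE"])]},
]}


def exposed_ports(perm):
    """Sensitive TCP ports that a rule opens to every address."""
    cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
    if not cidrs & WORLD:
        return []
    if perm["IpProtocol"] == "-1":  # all protocols, all ports
        return sorted(SENSITIVE)
    if perm["IpProtocol"] != "tcp":
        return []
    return [p for p in sorted(SENSITIVE)
            if perm["FromPort"] <= p <= perm["ToPort"]]


def audit(doc):
    """Return (group name, finding) tuples for world-reachable sensitive ports."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            for port in exposed_ports(perm):
                findings.append(
                    (sg["GroupName"], f"{SENSITIVE[port]} {port}/tcp open to any address"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

Restricting the SSH rule's source to an administrative CIDR or another security group clears the finding; HTTP and HTTPS are not reported because the web tier is meant to be public.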

From the AWS console search for RDS → from the Amazon RDS dashboard → Click ‘Create database’
Select → Standard create → Amazon Aurora → Edition → Amazon Aurora MySQL-Compatible Edition → Available Versions → Choose the latest MySQL version → Template → Production

In this section we are going to populate the DB cluster identifier and credentials settings, create a master password, and under Instance configuration select ‘Memory optimized classes (includes r classes)’.

Connectivity
Our database will be connected to the VPC; we won’t connect it to an EC2 instance, and we are not enabling public access for the database. We will select the data tier security group we created before the database.

We are going to select ‘Password authentication’ as our database authentication method and enable ‘performance insights’.

Click ‘Create database’

The database creation will take several minutes. If it is successful, you will see the following output.

Click ‘View connection details’ to view the username and password for our database. We will need it to test our connection to the database

Testing

We’ve already tested accessing our Presentation Tier successfully. We were able to access our web page. Now we will test connecting to our Application Tier and our Database Tier.

We are going to connect to our app tier EC2 instances on the private subnet; once connected we are going to execute the following commands:

sudo yum install mariadb

Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core | 3.7 kB 00:00:00
amzn2extra-docker | 3.0 kB 00:00:00
amzn2extra-kernel-5.10 | 3.0 kB 00:00:00
(1/7): amzn2-core/2/x86_64/group_gz | 2.5 kB 00:00:00
(2/7): amzn2-core/2/x86_64/updateinfo | 539 kB 00:00:00
(3/7): amzn2extra-docker/2/x86_64/updateinfo | 8.0 kB 00:00:00
(4/7): amzn2extra-docker/2/x86_64/primary_db | 99 kB 00:00:00
(5/7): amzn2extra-kernel-5.10/2/x86_64/updateinfo | 22 kB 00:00:00
(6/7): amzn2extra-kernel-5.10/2/x86_64/primary_db | 14 MB 00:00:00
(7/7): amzn2-core/2/x86_64/primary_db | 68 MB 00:00:01
Resolving Dependencies
--> Running transaction check
---> Package mariadb.x86_64 1:5.5.68-1.amzn2 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================
Package Arch Version Repository Size
==============================================================================================================
Installing:
mariadb x86_64 1:5.5.68-1.amzn2 amzn2-core 8.8 M

Transaction Summary
==============================================================================================================
Install 1 Package

Total download size: 8.8 M
Installed size: 49 M
Is this ok [y/d/N]: y
Downloading packages:
mariadb-5.5.68-1.amzn2.x86_64.rpm | 8.8 MB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 1:mariadb-5.5.68-1.amzn2.x86_64 1/1
Verifying : 1:mariadb-5.5.68-1.amzn2.x86_64 1/1

Installed:
mariadb.x86_64 1:5.5.68-1.amzn2

Complete!

The following output tells us we are able to securely connect to the database successfully!

The connection information for a database instance includes its endpoint, port, and database username:

-h (Host) The DB endpoint DNS name
-P (Port) For MariaDB we use port 3306; if it were Microsoft SQL Server the port would be 1433
-u (User) Our admin account for the database

mysql -h mydatabase.cluster-ro-caoyjavq6zyz.us-east-1.rds.amazonaws.com -P 3306 -u admin -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 5.7.12 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

Thank you for following along.
