Multi-Tier Architecture in AWS with Best Practices.

Hi! This is my very first blog on Amazon Web Services, the team behind an ocean of services, whose beach party welcomes innovation, business transformation, sustainability in technology and much more.

I am currently working as an AWS Cloud Engineer, and I am glad to say that building business workloads on AWS is one of my passions.

Fundamentals are very important for any project to succeed. So, I thought I would take a basic yet very important topic and share my knowledge and opinions about it. Grab a coffee and sit back; you are about to take a multi-informational tour.

Multi-Tier Architecture in AWS with Best Practices.

In a multi-tier architecture, there can be:

  1. Two tiers, comprising an Application tier and a Database tier.
  2. Three tiers, comprising a Web tier, an Application tier and a Database tier.
  3. Four tiers, comprising a Web tier, an Application tier, a Proxy tier and a Database tier.

I will be talking about the components, the end-to-end function and how fault tolerance can be achieved in the two-tier architecture (Application tier and Database tier) shown in the architecture diagram above.

Components of the architecture
  1. Amazon Route 53 routes end-user requests by resolving Domain Name System (DNS) queries.
  2. Amazon CloudFront caches content and accelerates delivery by leveraging its global points of presence, giving customers a good user experience and enhancing business value through low latency.
  3. CloudFront also handles SSL/TLS termination, integrating with AWS Certificate Manager, which creates and renews public SSL/TLS certificates automatically at no cost.
  4. AWS WAF (Web Application Firewall), integrated with CloudFront, helps mitigate the OWASP Top 10 application vulnerabilities.
  5. The Application Load Balancer routes HTTP/S requests to EC2 instances running in private subnets.
  6. Amazon EC2 provides the virtual machines (instances) that host the application.
  7. Amazon EC2 Auto Scaling launches and terminates instances based on metrics such as CPU and memory (memory metrics require the CloudWatch agent on the instances, since EC2 does not publish them by default). This takes care of the workload's resiliency requirement.
  8. Amazon Aurora with the Multi-AZ feature provides high availability. The application connects through a DNS endpoint that fails over automatically when the writer instance fails. The Aurora reader endpoint serves read operations, offloading the writer instance.
  9. Amazon ElastiCache caches session data and can also be placed in front of the database to ease its load.
  10. A NAT gateway lets instances in the private subnets reach the internet. Connections can only be initiated outbound by the instances themselves; the NAT gateway does not accept inbound connections from the internet.
  11. The Internet Gateway provides public communication between public resources in the AWS VPC and the outside world.
  12. Amazon CloudWatch collects monitoring and operational data in the form of logs, metrics and events, and visualizes it with automated dashboards so you get a unified view of your AWS resources.
  13. AWS IAM enables authentication and authorization to access the AWS resources.
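The components above imply a strict chain of trust between the tiers: the ALB is the only thing facing the internet, the application instances should accept traffic only from the ALB, and the database should accept connections only from the application tier. As an added example (not code from the original post), here is a Python check of that security-group posture. The input mirrors the shape returned by boto3's `ec2.describe_security_groups()`, but the group ids, ports, the tier policy and the deliberately open database rule below are constructed assumptions so that the check runs offline.

```python
"""Audit security group ingress rules against the tier model of the design.

Assumed posture (an assumption of this example, not an AWS default):
  - ALB security group:  port 443 from the internet only
  - App security group:  the app port only from the ALB security group
  - DB security group:   the DB port only from the App security group
The input mirrors boto3's ec2.describe_security_groups() output; the groups
below are constructed so the check runs offline. The DB group is deliberately
misconfigured with an internet-wide rule to show what a finding looks like.
"""

INTERNET = "0.0.0.0/0"

SAMPLE_GROUPS = [
    {"GroupId": "sg-alb00001", "GroupName": "alb-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": INTERNET}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app00001", "GroupName": "app-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb00001"}]}]},
    {"GroupId": "sg-db000001", "GroupName": "db-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": INTERNET}],   # the mistake to catch
         "UserIdGroupPairs": [{"GroupId": "sg-app00001"}]}]},
]

# Per tier: the only service port, and the only sources allowed to reach it.
TIER_POLICY = {
    "sg-alb00001": {"port": 443, "cidrs": {INTERNET}, "source_sgs": set()},
    "sg-app00001": {"port": 8080, "cidrs": set(), "source_sgs": {"sg-alb00001"}},
    "sg-db000001": {"port": 3306, "cidrs": set(), "source_sgs": {"sg-app00001"}},
}


def audit_security_groups(groups, policy):
    """Return [(group_id, finding), ...]; an empty list means compliant."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        rule = policy.get(gid)
        if rule is None:
            findings.append((gid, "group not covered by the tier policy"))
            continue
        for perm in sg.get("IpPermissions", []):
            # "-1" means all protocols and ports; anything but the tier's own
            # TCP service port is out of policy.
            if (perm["IpProtocol"] != "tcp"
                    or perm.get("FromPort") != rule["port"]
                    or perm.get("ToPort") != rule["port"]):
                findings.append((gid, "unexpected port range "
                                 f"{perm.get('FromPort')}-{perm.get('ToPort')}/{perm['IpProtocol']}"))
            for ip_range in perm.get("IpRanges", []):
                if ip_range["CidrIp"] not in rule["cidrs"]:
                    findings.append((gid, f"CIDR {ip_range['CidrIp']} not allowed for this tier"))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in rule["source_sgs"]:
                    findings.append((gid, f"source group {pair['GroupId']} not allowed for this tier"))
    return findings


if __name__ == "__main__":
    for group_id, finding in audit_security_groups(SAMPLE_GROUPS, TIER_POLICY):
        print(f"{group_id}: {finding}")
```

The policy is expressed per security group rather than per rule so that an extra rule someone adds later (a new CIDR, a new source group, a wider port range) shows up as a finding instead of being silently accepted.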

End-to-End workflow
  1. End users access the application hosted on EC2 through the mapped domain.
  2. Route 53 resolves the DNS query; in this case the domain is mapped to the CloudFront distribution.
  3. AWS WAF inspects the request and evaluates it against the web ACLs.
  4. If the requested data is in the cache, CloudFront serves it directly.
  5. If not, the request is forwarded to the Application Load Balancer (ALB).
  6. The ALB routes and distributes the traffic to the application instances in its target groups according to the listener rules.
  7. The application queries the requested data from the backend database and sends the response back to the end user along the same path.
  8. NAT gateways are used to fetch OS patches and updates from the internet for the private instances. The NAT gateway performs network address translation using its own public IP and reaches the internet through the Internet Gateway on behalf of the private instances.
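Step 8 is the part that is easiest to get wrong silently: a private subnet whose default route points at the Internet Gateway instead of the NAT gateway is no longer private in the sense the design intends. The following Python check (an added example, not from the original post) walks route tables in the shape `ec2.describe_route_tables()` returns and flags subnets whose 0.0.0.0/0 route does not match their intended tier. The subnet ids, gateway ids and the subnet-to-tier mapping are constructed assumptions.

```python
"""Check that each subnet's default route matches its intended tier.

Private subnets must egress through a NAT gateway (nat-*); public subnets
through the internet gateway (igw-*). Input mirrors boto3's
ec2.describe_route_tables() output (Associations and Routes keys); the
tables below are constructed so the check runs offline.
"""

# Which tier each subnet belongs to is an assumption declared here; route
# tables themselves do not record it.
SUBNET_TIER = {
    "subnet-pub-a": "public",
    "subnet-pub-b": "public",
    "subnet-app-a": "private",
    "subnet-app-b": "private",
}

SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private-a",
     "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a"}]},
    # Misconfigured on purpose: a private subnet whose default route goes
    # straight to the internet gateway.
    {"RouteTableId": "rtb-private-b",
     "Associations": [{"SubnetId": "subnet-app-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
]


def default_route_target(routes):
    """Return the target id of the 0.0.0.0/0 route, or None if there is none."""
    for route in routes:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            # NAT routes carry NatGatewayId; IGW routes carry GatewayId.
            return route.get("NatGatewayId") or route.get("GatewayId")
    return None


def audit_default_routes(route_tables, subnet_tier):
    """Return {subnet_id: finding} for subnets whose egress path is wrong."""
    findings = {}
    for table in route_tables:
        target = default_route_target(table["Routes"]) or ""
        for assoc in table.get("Associations", []):
            subnet = assoc.get("SubnetId")
            tier = subnet_tier.get(subnet)
            if tier == "private" and not target.startswith("nat-"):
                findings[subnet] = f"private subnet egresses via {target!r}, expected a NAT gateway"
            elif tier == "public" and not target.startswith("igw-"):
                findings[subnet] = f"public subnet egresses via {target!r}, expected an internet gateway"
    return findings


if __name__ == "__main__":
    for subnet_id, finding in audit_default_routes(SAMPLE_ROUTE_TABLES, SUBNET_TIER).items():
        print(f"{subnet_id}: {finding}")
```

A private subnet with no default route at all is also reported, because the patching path in step 8 would then be broken rather than merely misrouted.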

Best Practices
  1. Distribute the workload across different Availability Zones for high availability. As shown in the figure, the workload is mirrored in two AZs, so if one AZ goes down, the other keeps running without impacting the workflow.
  2. Use an EC2 Auto Scaling group to scale the application instances out or in according to specific Amazon CloudWatch metrics or scaling policies. This ensures resiliency.
  3. Use AWS Certificate Manager to terminate SSL/TLS on the ALB so that traffic between the client and the server is encrypted.
  4. Use AWS WAF, which acts as a firewall monitoring and protecting against threats at OSI layer 7, the application layer.
  5. Use CloudFront to leverage its content delivery network and the additional business value it brings.
  6. Use Amazon CloudWatch to monitor the resources through metrics. Create alarms that notify about specific issues via SNS, and rules for automatic remediation. Create log groups for the log records.
  7. Create VPC flow logs and store them in S3; they can later be used for auditing.
  8. Enable ALB access logs.
  9. Grant IAM users least privilege, appropriate to their role.
  10. Back up the application and the database with the AWS Backup service, and define a cost-effective lifecycle for the backups in the backup rule.
  11. Attach security groups with appropriate rules to private instances to avoid potential threats and unauthorized access.
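Best practice 7 says to keep VPC flow logs for auditing. As an added example (not from the original post) of what such an audit looks like in Python, the block below runs two checks over constructed records in the AWS default flow log format: it flags any accepted connection to the database port that did not originate in the application tier, and it lists sources that accumulate rejected connection attempts into the private subnets. The tier CIDRs, database port, threshold and the log lines themselves are assumptions constructed for the example.

```python
"""Audit VPC flow log records (default format, version 2) for the tiers above.

Two checks a reviewer of the flow logs stored in S3 would run:
  1. any ACCEPTed flow to the database port whose source is not the app tier
  2. sources with many REJECTed flows into the private subnets (noisy probes)
Field order follows the AWS default flow log format:
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
The CIDRs, port, threshold and log lines below are constructed for the example.
"""
import ipaddress
from collections import Counter

APP_TIER = ipaddress.ip_network("10.0.1.0/24")   # assumed app subnet
DB_TIER = ipaddress.ip_network("10.0.2.0/24")    # assumed database subnet
PRIVATE_TIERS = [APP_TIER, DB_TIER]
DB_PORT = 3306
REJECT_THRESHOLD = 3

SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0aa1 10.0.1.10 10.0.2.20 41234 3306 6 12 2048 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0aa1 10.0.1.11 10.0.2.20 41235 3306 6 8 1024 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0bb2 10.0.0.5 10.0.2.20 50001 3306 6 3 180 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0aa1 198.51.100.7 10.0.1.10 55001 22 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0aa1 198.51.100.7 10.0.1.10 55002 3389 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0aa1 198.51.100.7 10.0.1.11 55003 445 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0aa1 - - - - - - - 1700000000 1700000060 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_log(text):
    """Yield one dict per usable record.

    NODATA/SKIPDATA records carry '-' in the address fields, so they are
    dropped before any field is converted.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["srcaddr"] = ipaddress.ip_address(rec["srcaddr"])
        rec["dstaddr"] = ipaddress.ip_address(rec["dstaddr"])
        rec["dstport"] = int(rec["dstport"])
        yield rec


def unexpected_db_access(records):
    """Sources of ACCEPTed flows to the DB port that are outside the app tier."""
    return [str(r["srcaddr"]) for r in records
            if r["action"] == "ACCEPT" and r["dstport"] == DB_PORT
            and r["dstaddr"] in DB_TIER and r["srcaddr"] not in APP_TIER]


def noisy_rejected_sources(records, threshold=REJECT_THRESHOLD):
    """Sources whose REJECTed flows into the private tiers reach the threshold."""
    counts = Counter(str(r["srcaddr"]) for r in records
                     if r["action"] == "REJECT"
                     and any(r["dstaddr"] in net for net in PRIVATE_TIERS))
    return {src: n for src, n in counts.items() if n >= threshold}


def audit_flow_log(text):
    """Run both checks over raw flow log text and return the findings."""
    records = list(parse_flow_log(text))
    return {"db_access_outside_app_tier": unexpected_db_access(records),
            "noisy_rejected_sources": noisy_rejected_sources(records)}


if __name__ == "__main__":
    for check, result in audit_flow_log(SAMPLE_FLOW_LOG).items():
        print(f"{check}: {result}")
```

The first check is the one that matters most for this design: if the security groups from best practice 11 are right, an accepted database connection from outside the application tier should never appear, so a single hit is worth investigating. The second check is only a coarse signal and the threshold should be tuned to the real traffic.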

Conclusion

This blog gave an overview of:
  1. Multi-tier architecture in AWS.
  2. The general components leveraged in the architecture.
  3. The end-to-end workflow.
  4. Best practices that should be implemented to achieve an efficient, secure and reliable infrastructure for running the business workload.
Hope you liked it!
