Sundhar's Blog

Building a Scalable and Secure Production-Grade Architecture on AWS

Hema Sundharam Kolla's photo
Hema Sundharam Kolla
·

6 min read

Table of contents

  2. AWS architecture

  3. Scalable cloud infrastructure

  4. Secure AWS deployment

  5. High availability AWS

  6. AWS VPC setup

  7. Auto Scaling Group AWS

  8. AWS load balancing

  9. AWS security best practices

  10. Cloud cost efficiency

  11. Multi-AZ deployment

    1. Region and Availability Zones

    • Region: This represents a geographical area that hosts your AWS infrastructure. Regions are independent of each other, ensuring fault isolation.

    • Availability Zones (AZs): These are physically separated data centers within a region. Deploying resources across multiple AZs ensures high availability and disaster recovery.

      • Example: If one AZ experiences a failure, the system can automatically failover to the other AZ.

    • 2. Virtual Private Cloud (VPC)

    • A VPC is your isolated network within AWS.

    • Purpose: It allows you to define IP ranges, create subnets, and configure routing tables to control the flow of traffic within your infrastructure.

    • This forms the foundation of networking, enabling private and secure communication between components.

    • 3. Subnets

    • Subnets partition your VPC into smaller network segments. This ensures controlled routing of traffic and better security.

    • Public Subnets:

      • These are exposed to the internet through an Internet Gateway.

      • Resources like the NAT Gateway and Load Balancers are placed here since they need to communicate with the public internet.

    • Private Subnets:

      • These are shielded from direct internet access.

      • Critical backend resources like EC2 instances and databases are hosted here to ensure isolation and security.

    • 4. S3 Gateway

    • The S3 Gateway enables your application to interact with Amazon S3 buckets for tasks like:

      • Storing static assets (e.g., images, CSS, JavaScript).

      • Managing backups and logs.

      • Accessing application data.

    • Benefits:

      • High durability and availability for your data.

      • Reduced complexity compared to traditional file systems.

    • 5. NAT Gateway

    • The NAT Gateway is used to allow instances in private subnets to initiate outbound traffic to the internet (e.g., to download software updates) while keeping them shielded from inbound public traffic.

    • Why NAT?:

      • Maintains security for private instances.

      • Efficiently routes traffic between private subnets and the internet.

    • 6. Application Load Balancer (ALB)

    • The ALB is a managed service used to distribute traffic across multiple EC2 instances within the private subnets.

    • Key Features:

      • Path-Based Routing: Routes traffic to different services based on the URL (e.g., /api vs /user).

      • Host-Based Routing: Directs traffic based on the requested domain (e.g., api.example.com vs www.example.com).

    • Why ALB?:

      • Improves performance by balancing the load across healthy instances.

      • Ensures zero downtime during scaling or instance failures.

    • 7. Auto Scaling Group

    • The Auto Scaling Group (ASG) automatically adjusts the number of running EC2 instances based on:

      • Traffic demand.

      • Health checks.

    • Benefits:

      • Handles traffic spikes by scaling out (adding more instances).

      • Saves costs by scaling in (removing unused instances) during low demand.

      • Improves reliability and availability by replacing unhealthy instances.

    • 8. Security Groups

    • Security Groups act as virtual firewalls for controlling inbound and outbound traffic at the instance or service level.

    • Key Rules:

      • Only allow traffic from the load balancer to EC2 instances in private subnets.

      • Restrict access to specific IPs for SSH or RDP into instances (if necessary).

    • Advantages:

      • Fine-grained control over traffic.

      • Enhanced protection from unauthorized access.

    • 9. Servers (EC2 Instances)

    • EC2 instances in the private subnet handle core application logic, APIs, or data processing tasks.

    • These instances are shielded from the public internet, ensuring they are secure and accessible only via:

      • The Load Balancer.

      • Peered VPCs or VPNs.

    • They also participate in the Auto Scaling Group for better resource utilization and availability.

    • Key Features of This Architecture

    • High Availability:

      • Multi-AZ deployment ensures that your application remains operational even if one AZ fails.

    • Scalability:

      • Auto Scaling Group handles dynamic demand.

      • Load Balancer ensures even distribution of traffic.

    • Security:

      • Private subnets isolate sensitive resources.

      • NAT Gateway provides secure outbound internet access for private resources.

      • Security Groups enforce strict access control.

    • Cost Efficiency:

      • Pay-as-you-go model for scalable resources like Auto Scaling and ALB.

      • Managed services like S3 reduce operational overhead.

    • Resilience:

      • Redundancy across AZs ensures resilience to failures.

Screenshots of the steps for creating the architecture described above.

VPC Creation:

Auto Scaling Groups :

Creating a Launch Template :

Instances are automatically created through the Auto Scaling Group, as shown below.

Now, to log into that instance, we need to create a bastion host because there is no public IP for the instances we created using the Auto Scaling Group. In order to access them, we will create a bastion host and copy our key pair file, which we use to log into the bastion. So, let's say for accessing the instances created by the Auto Scaling Group, we need a key. In order to access them, we need to copy that key file into the bastion host.

You can see here that there is no public IP. In order to log into this instance, we need to create a bastion host.

Select the VPC that we created initially.

Use the command above to copy the pem file into the bastion host to log into the other two instances, ensuring you use the same pem file as when creating the Auto Scaling Group; otherwise, you need to copy the key file used during the Auto Scaling Group creation.

Try the following:

bashCopy codescp -i "C:/Users/HP India/Downloads/cdpro.pem" "C:/Users/HP India/Downloads/cdpro.pem" ubuntu@18.232.113.15:/home/ubuntu

I copied the file into the bastion host, and to log in to the instance created by the Auto Scaling Group, I need to use the following command.

ssh -i cdpro. pem ubuntu@10.0.145.117

Hurray! Successfully logged into the instance created by the Auto Scaling Group.

Now let's deploy a simple HTML application.

Creation of Load Balancer :

Awesome deploys an HTML application in this production project.

Conclusion:

In conclusion, building a scalable and secure production-grade architecture on AWS involves a strategic combination of various services and best practices. By leveraging AWS regions and availability zones, you ensure fault isolation and high availability. The use of Virtual Private Clouds (VPCs) and subnets provides a secure and organized network structure, while services like NAT Gateways and Application Load Balancers enhance security and performance. Auto Scaling Groups and EC2 instances ensure that your application can handle varying traffic demands efficiently. Security Groups offer fine-grained control over access, maintaining the integrity and confidentiality of your resources. This architecture not only supports high availability and scalability but also emphasizes security and cost efficiency, making it a robust solution for modern cloud-based applications.

aws-learnings-projectsaws productioncloud-chronicles-awsAWSDevopsnetworkingAWS Certified Solutions Architect Associateaws devopsaws securityaws-servicesDevops articlesDevOps Journey#DevopscommunityDevOps trendsLinkedIn