Dummy Workload on AWS

Note: Architectures illustrated are for educational purposes ONLY. They do not necessarily follow best practices and are NOT suitable for production.

Introduction

The architecture implemented here deploys a dummy workload with a 3-tier architecture: the Web, Application, and Database tiers.

The Web Tier is an Application Load Balancer (ALB) that fronts a group of Application Tier instances managed by an EC2 Auto Scaling Group. The Application Tier instances run the PgAdmin4 tool. For the Database Tier, a PostgreSQL Database is set up using the Amazon Relational Database Service (RDS).

Some special features are introduced into the dummy workload to simulate real-world events; these include:

[Figure: overview]

Architecture

An Amazon Virtual Private Cloud (VPC) is deployed into 2 availability zones (AZs). 2 public web subnets are created for the Web Tier. Also, 6 private subnets are created: 2 app subnets (for the Application Tier), 2 db subnets (for the Database Tier), & 2 misc subnets (for other miscellaneous activities). Further, a NAT gateway is deployed in the public subnet to provide outbound internet access for instances in the private subnets (except the db subnets which are isolated). A Route 53 Private Hosted Zone is created and associated with the VPC.

Security Groups (SGs) are configured to facilitate inter-tier communication. The alb SG allows all inbound HTTP connections. The app SG allows HTTP traffic coming from the alb SG. The db SG allows TCP traffic on port 5432 coming from the app SG.

An EC2 Launch Template is prepared for Application Tier instances. It is configured to use the Ubuntu 20.04 AMI from AWS, the app SG, and an instance profile with the AWS managed policies: AmazonSSMFullAccess, CloudWatchFullAccess, & CloudWatchAgentServerPolicy. Further, it applies a user data script that:

  • installs, configures, and launches the AWS CloudWatch Agent. The CloudWatch Agent is configured to collect memory-usage metrics in addition to the default collected metrics
  • installs the stress tool and creates a cron job that runs it every 15 minutes
  • creates a script that generates "phony" security risks for AWS GuardDuty (e.g., cryptocurrency mining, DNS Exfiltration, etc.) and a cron job that runs it every 5 minutes
  • installs, configures, and starts PgAdmin4 server.

An Application Load Balancer (ALB) is created to represent the Web Tier. It is configured to use the alb SG. A default listener action is set up to forward traffic to a target group created to contain Application Tier instances.

An Auto Scaling Group (ASG) is created to manage Application Tier instances. The ASG is configured to use the EC2 launch template created above and the app subnets of the VPC. It is also configured to use Spot Instances whenever available. An attachment is established to the created ALB target group.

A PostgreSQL Database is deployed into the VPC in the db subnets using Amazon Relational Database Service (RDS). The database cluster is configured to use the db SG.

As an add-on, memory-based scaling is configured for the Application Tier instances via the ASG. A target-tracking scaling policy is employed to keep instance memory usage at around 50%.

[Figure: architecture]

Requirements

  • AWS account with programmatic access

Usage

Deployment

cd terraform
# Deploy 3-tier application
cd base
terraform init
terraform plan
terraform apply --auto-approve
# -raw strips the quotes Terraform prints around string outputs
export ALB_HOSTNAME=$(terraform output -raw alb_hostname)

# Deploy memory-based policy for Auto Scaling Group
cd ../memory_scaling
terraform init
terraform plan
terraform apply --auto-approve

# Launch App
# Open: http://${ALB_HOSTNAME}/pgadmin4 in a browser window

Deploy VPC

  • HA-Setup with 2 web (public) subnets, 2 app (private) subnets, and 2 db (private) subnets
  • Internet access via IGW and NAT for private subnets
  • Private DNS with Route53 Private Hosted Zone

Create EC2 Launch Template

  • Create launch template with curated userdata scripts
  • Attach an instance role with permissions for SSM: To enable access to the instances via SSM Session Manager.
  • Attach an instance role with permissions for CloudWatch: To enable metric collection.
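The launch template and instance role from the two lists above, as an added Terraform example that is not the repository's own code. The README attaches AmazonSSMFullAccess and CloudWatchFullAccess; the two needs it names (Session Manager access and metric collection) are covered by the narrower AmazonSSMManagedInstanceCore and CloudWatchAgentServerPolicy managed policies, which is what this example uses. It also enforces IMDSv2 on the template. The resource names aws_security_group.app and the user-data path are assumptions.

```hcl
# Added example, not the repository's Terraform. Instance role scoped to what the
# README says the instances need (SSM Session Manager, CloudWatch agent metrics),
# an Ubuntu 20.04 AMI lookup, and a launch template that requires IMDSv2.
# aws_security_group.app and userdata.sh are assumed names.

data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "app" {
  name               = "app-tier-instance-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

# AmazonSSMManagedInstanceCore is the managed policy Session Manager requires;
# CloudWatchAgentServerPolicy grants PutMetricData/PutLogEvents for the agent.
resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.app.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_role_policy_attachment" "cw_agent" {
  role       = aws_iam_role.app.name
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
}

resource "aws_iam_instance_profile" "app" {
  name = "app-tier-instance-profile"
  role = aws_iam_role.app.name
}

# Current Ubuntu 20.04 AMI published by Canonical (owner 099720109477).
data "aws_ami" "ubuntu_focal" {
  most_recent = true
  owners      = ["099720109477"]

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }
}

resource "aws_launch_template" "app" {
  name_prefix            = "app-tier-"
  image_id               = data.aws_ami.ubuntu_focal.id
  instance_type          = "t3.micro"
  vpc_security_group_ids = [aws_security_group.app.id] # assumed

  iam_instance_profile {
    name = aws_iam_instance_profile.app.name
  }

  # IMDSv2 only: the user-data script and the CloudWatch agent keep working,
  # but role credentials can only be fetched with a session token, which
  # blunts credential theft through a request-forgery bug in the hosted app.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  user_data = filebase64("${path.module}/userdata.sh") # assumed path
}
```

The role grants nothing else; anything the user-data script needs beyond SSM and CloudWatch (for example S3 reads) would be added as an explicit, separate policy attachment rather than by widening these two.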

Deploy an Application Load Balancer

Configure Security Groups

  • Create an ALB SG that allows all inbound HTTP traffic
  • Create an App SG that allows HTTP traffic from the ALB SG
  • Create a DB SG that allows PostgreSQL traffic (TCP 5432) from the App SG
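The ALB -> App -> DB security-group chain described in the Architecture section and in the list above, as an added Terraform example that is not the repository's own code. It uses the AWS provider's standalone rule resources (v5 and later) so that every ingress rule names its source security group rather than a CIDR, and so the three groups can reference each other without a dependency cycle. aws_vpc.main is an assumed resource name, and the egress rules are this example's choice; the README only specifies ingress.

```hcl
# Added example, not the repository's own Terraform: the README's three-SG chain.
# aws_vpc.main is assumed. Only alb-sg admits an internet CIDR; app-sg and db-sg
# trust a security group, not an address range.

resource "aws_security_group" "alb" {
  name        = "alb-sg"
  description = "Web tier: HTTP from the internet"
  vpc_id      = aws_vpc.main.id # assumed
}

resource "aws_security_group" "app" {
  name        = "app-sg"
  description = "Application tier: HTTP only from the ALB"
  vpc_id      = aws_vpc.main.id
}

resource "aws_security_group" "db" {
  name        = "db-sg"
  description = "Database tier: PostgreSQL only from the app tier"
  vpc_id      = aws_vpc.main.id
}

# Web tier: the one rule in the chain that accepts traffic from anywhere.
resource "aws_vpc_security_group_ingress_rule" "alb_http_in" {
  security_group_id = aws_security_group.alb.id
  description       = "HTTP from anywhere"
  ip_protocol       = "tcp"
  from_port         = 80
  to_port           = 80
  cidr_ipv4         = "0.0.0.0/0"
}

# The ALB forwards to app-sg members and nothing else.
resource "aws_vpc_security_group_egress_rule" "alb_to_app" {
  security_group_id            = aws_security_group.alb.id
  description                  = "HTTP to app instances"
  ip_protocol                  = "tcp"
  from_port                    = 80
  to_port                      = 80
  referenced_security_group_id = aws_security_group.app.id
}

# App tier: accept HTTP only when the source is a member of alb-sg.
resource "aws_vpc_security_group_ingress_rule" "app_http_from_alb" {
  security_group_id            = aws_security_group.app.id
  description                  = "HTTP from the ALB"
  ip_protocol                  = "tcp"
  from_port                    = 80
  to_port                      = 80
  referenced_security_group_id = aws_security_group.alb.id
}

# App instances reach the internet through the NAT gateway (apt, CloudWatch,
# SSM endpoints) and the database through db-sg. This rule is broad because
# the README's user-data script installs packages at boot.
resource "aws_vpc_security_group_egress_rule" "app_all_out" {
  security_group_id = aws_security_group.app.id
  description       = "Outbound via NAT"
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}

# DB tier: PostgreSQL only from app-sg members. No egress rule is defined, and
# Terraform revokes the allow-all egress AWS adds to a new group, so the
# database cannot open outbound connections; replies to app-tier queries still
# flow because security groups are stateful.
resource "aws_vpc_security_group_ingress_rule" "db_pg_from_app" {
  security_group_id            = aws_security_group.db.id
  description                  = "PostgreSQL from the app tier"
  ip_protocol                  = "tcp"
  from_port                    = 5432
  to_port                      = 5432
  referenced_security_group_id = aws_security_group.app.id
}
```

Referencing a security group as the rule source means membership, not addresses, decides access: an instance launched in the db subnets with some other group attached is still refused on 5432, and replacing app instances through the ASG never requires a rule change.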

Create ASGs

  • Create an ASG for the App Tier
  • Configure an instance launch from created launch templates
  • Allow mixed instances with spot instances having priority over on-demand instances
  • Create an auto-scaling policy to dynamically scale on memory usage, with a target of 50% utilization.
  • Attach the ASG to the ALB
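The ASG and the memory-based target-tracking policy from the list above (and from the Architecture section), as an added Terraform example that is not the repository's own code. It assumes resources named aws_launch_template.app, aws_subnet.app_a, aws_subnet.app_b and aws_lb_target_group.app; the instance types and capacity bounds are placeholders.

```hcl
# Added example, not the repository's Terraform: App-tier ASG that prefers Spot
# over On-Demand, plus a target-tracking policy on the CloudWatch agent's
# mem_used_percent metric. Referenced resource names are assumed.

resource "aws_autoscaling_group" "app" {
  name                = "app-tier-asg"
  vpc_zone_identifier = [aws_subnet.app_a.id, aws_subnet.app_b.id] # assumed
  min_size            = 1
  max_size            = 4
  desired_capacity    = 1
  target_group_arns   = [aws_lb_target_group.app.arn] # assumed
  health_check_type   = "ELB"

  mixed_instances_policy {
    instances_distribution {
      on_demand_base_capacity                  = 0
      on_demand_percentage_above_base_capacity = 0 # all capacity above base is Spot
      spot_allocation_strategy                 = "capacity-optimized"
    }

    launch_template {
      launch_template_specification {
        launch_template_id = aws_launch_template.app.id # assumed
        version            = "$Latest"
      }

      override {
        instance_type = "t3.micro"
      }

      override {
        instance_type = "t3a.micro"
      }
    }
  }
}

# Target tracking on a custom metric. The CloudWatch agent publishes
# mem_used_percent in the CWAgent namespace; for this policy to see one value
# per group, the agent config must append the AutoScalingGroupName dimension
# ("append_dimensions": {"AutoScalingGroupName": "${aws:AutoScalingGroupName}"})
# and aggregate on it ("aggregation_dimensions": [["AutoScalingGroupName"]]).
resource "aws_autoscaling_policy" "memory_target" {
  name                   = "memory-50-percent"
  autoscaling_group_name = aws_autoscaling_group.app.name
  policy_type            = "TargetTrackingScaling"

  target_tracking_configuration {
    target_value = 50

    customized_metric_specification {
      metric_name = "mem_used_percent"
      namespace   = "CWAgent"
      statistic   = "Average"
      unit        = "Percent"

      metric_dimension {
        name  = "AutoScalingGroupName"
        value = aws_autoscaling_group.app.name
      }
    }
  }
}
```

If the agent is not emitting the ASG-level aggregated metric, the policy's alarms sit in INSUFFICIENT_DATA and no scaling happens, which is the first thing to check when the stress cron job runs but the group never grows.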

Further Development

  • Bake AMIs for the database and application instances

References