Configure the network infrastructure of a 3-tier application architecture for two environments established in two different AWS Regions
Requirements:
1. An organisation has its production environment in the North Virginia (us-east-1) region of the US and its development environment in the Ohio (us-east-2) region of the US.
2. Each environment has one app subnet, one web subnet and one DB subnet, where the related servers run.
3. The web server should be in the public subnet. HTTP and SSH requests from the internet are allowed to the web server, and the web server can send any request to the internet, so that it can download software.
4. App and DB servers should be in private subnets and must not be reachable from the internet. The web server can send SSH requests to the private subnets.
5. The app server can download software from the internet.
6. The DB servers of both environments can reach each other over the private network.
Solution Diagram:
Solution:
1. First, we will configure the infrastructure in the Production environment.
a. Open the AWS management console and log in
b. Open the VPC service
c. Go to Your VPCs and click on Create VPC
d. Provide a name and the CIDR block of the Production environment (ex. 10.20.0.0/16)
e. Click on Create VPC
f. Now we will create three subnets in the VPC.
g. Navigate to subnets menu
h. Create three subnets named app, web and DB and their CIDR blocks will be 10.20.10.0/24, 10.20.20.0/24 and 10.20.30.0/24. Web will public and rest two will be private subnet.
i. Once the subnets are created, next step is to create an internet gateway and attach it to the VPC. This will ensure the connection between production environment network and internet
j. Once the internet gateway is created, the next step is to create the NAT gateway for the app subnet. This will ensure the unidirectional network traffic between internet and app subnet. This way servers in app subnet can send request to internet and can receive response. But no request can be sent to these servers.
k. Attach an Elastic IP to this NAT Gateway. NAT gateway requires static IP address. So elastic IP needs to be attached to NAT gateway
l. Now is the time to create the route tables. Route tables will ensure the routes of the network traffic to and from the VPC subnets.
m. First create the route for web subnet which will be public. Select Route Table and click on create route table. Select the production environment VPC. Now in Routes other than the default route add one more route which will establish the internet connection with this subnet. To configure this, make the destination as 0.0.0.0/0 (this denotes all traffic) and target will be internet gateway. Attach the web subnet with this route table.
n. Next create a private route table for DB subnet. This will be private. So the default route table is enough for this. Attach the DB subnet with it.
o. After that create route table for app subnet which will be private. Now this subnet should be able to send any request to internet but only receive response, no internet request should receive this subnet. To do this in this route table other than the default route, make one more route where destination will be 0.0.0.0/0 (All traffic) and target will be NAT Gateway. Attach app subnet with it
q. Once the route tables are finished, the next step is the firewalling, using security groups and network ACLs.
r. A security group is stateful: we only declare the inbound and outbound requests allowed to and from the instances, and the responses to allowed requests are permitted automatically. Security groups contain allow rules only, and they are attached to instances (their network interfaces), not to subnets.
s. First, we will create the security group for the web subnet. Inbound requests will be HTTP (80) and SSH (22), and outbound will be all traffic to any destination. So, go to Security Groups and click on Create security group. Give it a name (ex. Web) and select the Production VPC. The first inbound rule is [type: SSH, protocol: TCP, port range: 22, source: Anywhere]; the second is [type: HTTP, protocol: TCP, port range: 80, source: Anywhere]. The outbound rule is [type: All traffic, destination: Anywhere]. Save the security group. (The requirement allows SSH from anywhere; in a real deployment restrict the SSH source to your administrative IP range.)
t. Next we will create the security group for DB. For now we allow only SSH from the web subnet and nothing else; it can be adjusted later to the needs of the servers. So we declare one inbound rule and delete the default allow-all outbound rule, so that the DB instances cannot initiate connections. The inbound rule is [type: SSH, protocol: TCP, port range: 22, source: 10.20.20.0/24 (the CIDR of the web subnet)]. Save the settings.
u. Next we will create the security group for the app subnet. SSH is allowed into this subnet from the web subnet, and it can send any request to the internet. So there is one inbound rule [type: SSH, protocol: TCP, port range: 22, source: 10.20.20.0/24 (the CIDR of the web subnet)] and one outbound rule [type: All traffic, destination: Anywhere].
v. Now we are finished with the security group configuration. Next is the network ACL configuration. Unlike security groups, network ACLs are stateless: both the request and the response must be allowed explicitly, which is why every NACL below carries a rule for the ephemeral ports used by responses. Let's start with the NACL for the web subnet.
w. Go to the Network ACLs tab and click on Create network ACL.
x. Give it a name (ex. Web), select the Production VPC and save it.
Now edit the inbound rules. For the web subnet there are three inbound rules. The first two allow SSH (22) and HTTP (80) requests to this subnet from anywhere. The third allows the responses to the web server's own outbound requests: TCP from anywhere to the ephemeral port range. The range I specified is the one used by Linux clients, as I am going to use Linux instances in AWS; other operating systems use different ranges, and AWS recommends 1024-65535 to cover all of them. Rules are evaluated from the lowest number upwards and the first match wins, with an implicit final rule (*) that denies everything not matched. So it is good practice to number rules in multiples of 10 or 100, so that rules can be inserted between them later.
3. In the outbound direction the web subnet has three rules: two SSH rules that allow this subnet to send SSH requests to the app and DB subnets, and one rule that allows responses (ephemeral port range) to any destination. Note that the requirement also lets the web server make its own requests to the internet (yum in step 14 needs outbound HTTP/HTTPS), and a NACL is stateless, so this table also needs an outbound rule for TCP 80 and 443 (or all traffic) to 0.0.0.0/0; the ephemeral-port rule only covers responses.
4. Next we configure the NACL for the DB subnet. Inbound there is only the SSH request from the web subnet; outbound only the response to the web subnet (ephemeral port range, destination 10.20.20.0/24).
5. Next we configure the NACL for the app subnet. Inbound there is the SSH request from the web subnet and the responses (ephemeral port range) from any address on the internet. Outbound there is all traffic to any destination, which covers both the app server's own requests to the internet and its responses to the web subnet.
6. The network setup for our production environment is done. Now launch at least one Amazon Linux instance in each of the subnets.
7. First, we will create the instance for the web subnet. In the Configure Instance Details section choose the Production VPC as the network and select the web subnet. Then, in the security group configuration, select the web security group.
8. For app instance the subnet and security group will be app
9. And for DB instances the subnet and security group will be DB
10. Once the instances are ready, log in to the web instance over SSH from your local system. This should succeed.
11. Now try to log in to the app and DB instances over SSH from your local system; this fails, because these subnets have no public route and the firewall rules block it.
12. Now try to log in to the app and DB instances over SSH from the web instance; this succeeds, because we allowed it in our firewall configuration.
13. Now try to download some software (for example with yum) on the app and DB instances: it works on the app instance, which goes out through the NAT gateway, but not on the DB instance, which has neither a route to the internet nor an outbound security group rule.
14. Install the Apache server on the web instance ($ sudo yum install -y httpd) and restart the service ($ sudo service httpd restart)
15. Now if you enter the public IP of the instance in browser you will see Apache server default page. This means http request is also allowed to our web subnet.
16. If all these scenarios are successful, then our network setup is successful.
17. Now configure the same setup for the development network in the Ohio region of the United States. Use different CIDR blocks: the two VPCs must not overlap, otherwise they cannot be peered later.
18. For this example I have used the VPC CIDR 10.30.0.0/16
19. Web subnet — 10.30.20.0/24
20. App Subnet — 10.30.10.0/24
21. DB Subnet — 10.30.30.0/24
22. Once the setup is done and the instances are created, test the network as we did for the production environment. If the tests pass, both networks are ready.
23. Now that both networks are ready, the only step left is to connect them and add a private route between the two DB subnets, so that the DB instances of each network can make SSH requests to each other.
24. To connect two networks in different regions, AWS offers VPC peering connections; VPC peering works between VPCs in different regions (inter-region peering).
25. Go to the production environment which is in North Virginia. In the VPC menu, select peering connections.
26. Click on Create Peering Connection
27. In the VPC Requester section select the Production VPC, which is local to North Virginia
28. Select Another Region and choose Ohio
29. Then provide the Development VPC ID (which is local to the Ohio region) in the VPC Accepter section. Now click on Create Peering Connection.
30. You can now see that the status is Pending Acceptance.
31. Go to Peering Connections in the Ohio region; the same connection is shown there in pending status. Accept it from the Actions menu and the peering becomes Active in both regions.
32. Now once the VPC peering is successfully configured, we need to configure the route tables, Security groups and NACLs.
33. Go to the route tables of the Production environment and select the route table of the DB subnet. Click on Edit routes.
34. Add one more route besides the default local route. The destination is the DB subnet of the Development network and the target is the peering connection ID. [Destination: 10.30.30.0/24, Target: peering connection ID]
35. Now open the security group and select the SG for DB. Edit the inbound rule and add one rule — [Type- SSH, Source — 10.30.30.0/24]. And edit the outbound rule — [Type- SSH, Destination — 10.30.30.0/24]
36. Now open the NACLs and select the NACL of the DB subnet. In the inbound rules add two rules: one allowing the SSH request from the DB subnet of the Development network, and one allowing the SSH response (ephemeral port range) from the DB subnet of the Development network.
37. In the outbound rules of the DB subnet add two rules: the SSH request to the DB subnet of the Development network, and the SSH response (ephemeral port range) to the DB subnet of the Development network.
38. Our Production environment is fully ready now. Go to the Development network in the Ohio region.
39. Open the route table of the DB subnet and add one more route besides the default local route. The destination is the DB subnet of the Production environment and the target is the peering connection ID. [Destination: 10.20.30.0/24, Target: peering connection ID]
40. Now open the security group and select the SG for DB. Edit the inbound rule and add one rule — [Type- SSH, Source — 10.20.30.0/24]. And edit the outbound rule — [Type- SSH, Destination — 10.20.30.0/24]
41. Now open the NACLs and select the NACL of the DB subnet. In the inbound rules add two rules: one allowing the SSH request from the DB subnet of the Production network, and one allowing the SSH response (ephemeral port range) from the DB subnet of the Production network.
42. In the outbound rules of the DB subnet add two rules: the SSH request to the DB subnet of the Production network, and the SSH response (ephemeral port range) to the DB subnet of the Production network.
43. Now our infrastructure is completely ready as per the requirements. Log in to an instance in the DB subnet of each network and try to SSH to an instance in the other network's DB subnet. The connection should succeed.
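The tests in steps 10 to 15 and 43 all follow from three mechanisms described above: longest-prefix routing (local, internet gateway, NAT gateway, peering), stateless NACLs that need an ephemeral-port rule for every response, and stateful security groups that do not. The following Python model replays those checks offline. It is an added example, not AWS code and not part of the original walkthrough; the rule tables are reconstructed from the text (the NACL screenshots are not reproduced here), the 1024-65535 ephemeral range is the one AWS recommends and is an assumption, and 203.0.113.10 is a constructed address standing for "your local system" or a package repository.

```python
"""Offline model of the network built above: route tables, stateless network ACLs and
stateful security groups. Added illustration, not AWS code; rule tables are reconstructed
from the text, the ephemeral range and the 203.0.113.10 client address are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
EPHEMERAL = (1024, 65535)          # assumed client-port range used by the NACL "response" rules
SSH, HTTP, ALL = (22, 22), (80, 80), (0, 65535)   # every rule on the page is TCP
CLIENT_PORT = 40000                # representative ephemeral source port of the initiating host
INTERNET = ip_address("203.0.113.10")   # constructed: "your local system" or a yum repository

@dataclass(frozen=True)
class Rule:
    ports: tuple              # inclusive (low, high)
    cidr: IPv4Network         # source for inbound rules, destination for outbound rules
    allow: bool = True        # NACLs may deny; security groups only ever allow
    number: int = 100         # NACL rule number; lowest is evaluated first

def nacl_allows(rules, port, addr):
    """Stateless: walk rules by number, first match wins, implicit final deny (the '*' rule)."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.ports[0] <= port <= r.ports[1] and addr in r.cidr:
            return r.allow
    return False

def sg_allows(rules, port, addr):
    """Stateful: any allow rule permits the request; the tracked response needs no rule."""
    return any(r.ports[0] <= port <= r.ports[1] and addr in r.cidr for r in rules)

def next_hop(route_table, dst):
    """Longest-prefix match over {IPv4Network: target}; None when the table has no route."""
    hits = [c for c in route_table if dst in c]
    return route_table[max(hits, key=lambda c: c.prefixlen)] if hits else None

@dataclass
class Subnet:
    name: str
    cidr: IPv4Network
    routes: dict              # {IPv4Network: "local" | "igw" | "nat" | "pcx"}
    sg_in: list
    sg_out: list
    nacl_in: list
    nacl_out: list
    def ip(self, host):       # address of a host inside this subnet
        return self.cidr[host]

def connect(src, src_ip, dst, dst_ip, port):
    """Trace one TCP connection attempt and its reply; return 'ok' or the hop that drops it.
    src or dst is None when that side is the internet."""
    if src and next_hop(src.routes, dst_ip) is None:
        return f"{src.name}: no route to {dst_ip}"
    if dst and next_hop(dst.routes, src_ip) is None:
        return f"{dst.name}: no return route to {src_ip}"
    if src is None and next_hop(dst.routes, src_ip) != "igw":   # a NAT gateway never forwards unsolicited inbound flows
        return f"{dst.name}: not reachable from the internet"
    # request: SG outbound, NACL outbound, NACL inbound, SG inbound
    if src and not sg_allows(src.sg_out, port, dst_ip):
        return f"{src.name}: SG outbound"
    if src and not nacl_allows(src.nacl_out, port, dst_ip):
        return f"{src.name}: NACL outbound"
    if dst and not nacl_allows(dst.nacl_in, port, src_ip):
        return f"{dst.name}: NACL inbound"
    if dst and not sg_allows(dst.sg_in, port, src_ip):
        return f"{dst.name}: SG inbound"
    # reply to the client's ephemeral port: only the stateless NACLs need explicit rules
    if dst and not nacl_allows(dst.nacl_out, CLIENT_PORT, src_ip):
        return f"{dst.name}: NACL outbound (reply)"
    if src and not nacl_allows(src.nacl_in, CLIENT_PORT, dst_ip):
        return f"{src.name}: NACL inbound (reply)"
    return "ok"

def environment(octet, peer_db):
    """One environment from the page's plan: 10.<octet>.0.0/16 with web .20, app .10, DB .30."""
    vpc = ip_network(f"10.{octet}.0.0/16")
    web, app, db = (ip_network(f"10.{octet}.{n}.0/24") for n in (20, 10, 30))
    eph = lambda cidr, num: Rule(EPHEMERAL, cidr, number=num)   # NACL "response" rule
    return {
        "web": Subnet("web", web, {vpc: "local", ANY: "igw"},
                      sg_in=[Rule(SSH, ANY), Rule(HTTP, ANY)], sg_out=[Rule(ALL, ANY)],
                      nacl_in=[Rule(SSH, ANY, number=100), Rule(HTTP, ANY, number=200), eph(ANY, 300)],
                      nacl_out=[Rule(SSH, app, number=100), Rule(SSH, db, number=200), eph(ANY, 300)]),
        "app": Subnet("app", app, {vpc: "local", ANY: "nat"},
                      sg_in=[Rule(SSH, web)], sg_out=[Rule(ALL, ANY)],
                      nacl_in=[Rule(SSH, web, number=100), eph(ANY, 200)],
                      nacl_out=[Rule(ALL, ANY, number=100)]),
        "db": Subnet("db", db, {vpc: "local", peer_db: "pcx"},
                     sg_in=[Rule(SSH, web), Rule(SSH, peer_db)], sg_out=[Rule(SSH, peer_db)],
                     nacl_in=[Rule(SSH, web, number=100), Rule(SSH, peer_db, number=200), eph(peer_db, 300)],
                     nacl_out=[eph(web, 100), Rule(SSH, peer_db, number=200), eph(peer_db, 300)]),
    }

PROD = environment(20, ip_network("10.30.30.0/24"))   # North Virginia, peered with the Ohio DB subnet
DEV = environment(30, ip_network("10.20.30.0/24"))    # Ohio, peered with the North Virginia DB subnet

def scenarios():
    """The checks of steps 10-15 and 43, plus the web server's own download attempt."""
    web, app, db, dev_db = PROD["web"], PROD["app"], PROD["db"], DEV["db"]
    return {
        "local -> web:22": connect(None, INTERNET, web, web.ip(10), 22),
        "local -> web:80": connect(None, INTERNET, web, web.ip(10), 80),
        "local -> app:22": connect(None, INTERNET, app, app.ip(10), 22),
        "local -> db:22": connect(None, INTERNET, db, db.ip(10), 22),
        "web -> app:22": connect(web, web.ip(10), app, app.ip(10), 22),
        "web -> db:22": connect(web, web.ip(10), db, db.ip(10), 22),
        "app -> internet:443": connect(app, app.ip(10), None, INTERNET, 443),
        "db -> internet:443": connect(db, db.ip(10), None, INTERNET, 443),
        "web -> internet:443": connect(web, web.ip(10), None, INTERNET, 443),
        "prod db -> dev db:22": connect(db, db.ip(10), dev_db, dev_db.ip(10), 22),
    }

if __name__ == "__main__":
    for flow, result in scenarios().items():
        print(f"{flow:22} {result}")
```

Every flow the walkthrough tests comes out as the text predicts, and the cross-region SSH only passes because both DB route tables carry the peering route and both NACLs carry the ephemeral-port rule for the reply. The one flow the page does not test, the web server's own HTTPS request to the internet, is dropped at the web subnet's outbound NACL with the three rules described in step 3: the ephemeral-port rule matches only replies, so an outbound allow for TCP 80/443 (or all traffic) to 0.0.0.0/0 has to be added before the yum command in step 14 can reach a repository.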