Dynamic Site hosted on AWS

About the Project

This was a very interesting project, as I learned a few things outside of the AWS structure. It was a personal project taken on as part of my development experience, for a grocery store looking to expand its services to the online shopper. It involved setting up a dynamic web application developed using LAMP (Linux, Apache, MySQL & PHP) and pushing it to the cloud via AWS. The project also involved setting up a GitHub repository to ensure version control for the Dockerised image containing the web application, which is pushed to ECR. Below are the main programmes used and a brief discussion of the architecture.
Tools Used
Setup

VPC

The architecture for this project consists of a three-tier VPC network, used to isolate and segment the AWS resources. The VPC was created in 2 availability zones (us-east-1a and us-east-2a).

Each AZ has 3 tiers of subnets for high availability:

Tier 1: a public subnet which holds the NAT gateway, load balancer and the bastion host.

Tier 2: a private subnet which holds the web servers running on EC2 instances.

Tier 3: another private subnet which holds the database.

NAT Gateway

As the main resources are built in the private subnets, I used a NAT gateway in the public subnet to let the private subnets (for app and data) reach the internet. The NAT gateway lets outbound internet connections be initiated from inside while preventing the internet from initiating connections to the resources in our private subnets, adding a layer of security for the private subnets.

The NAT gateway has an associated Elastic IP address, and I connected the gateway to a route table. This route table has a 0.0.0.0/0 route for internet traffic via the NAT gateway and a local route for 10.0.0.0/16, the VPC itself. Two NAT gateways are created, one in each availability zone, and each NAT gateway is then associated with the two private subnets in its own availability zone.

Security Groups

At this stage I implemented 4 security groups, which further control the traffic allowed to reach and leave the resources they are associated with.

These are:

  • ALB security group: controls internet traffic on port 80 and port 443 from source 0.0.0.0/0.
  • Bastion host security group: used to securely migrate data into the RDS database over SSH from my local IP address using Flyway; the data is SQL developed locally in MySQL.
  • Container security group: attached where the ECS task is created; allows traffic on port 80 and 443, but only if it comes from the application load balancer.
  • Database security group: attached to the RDS instance; allows traffic on port 3306, but only if it comes from the bastion host and the ECS task.
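As an added check (my code, not part of the original project), the script below compares the four security groups above with the intended design, using constructed sample data in the shape of `aws ec2 describe-security-groups` output; the sg-* ids and the developer IP 203.0.113.10 are placeholders.

```python
from ipaddress import ip_network
INTERNET = "0.0.0.0/0"

# Intended design from the write-up, per security group: the TCP ports it may
# expose, the CIDR sources it may accept ("host" means exactly one address, the
# developer's IP) and the security groups it may accept as sources. Placeholder ids.
POLICY = {
    "alb-sg":       {"ports": {80, 443}, "cidrs": {INTERNET}, "groups": set()},
    "bastion-sg":   {"ports": {22},      "cidrs": "host",     "groups": set()},
    "container-sg": {"ports": {80, 443}, "cidrs": set(),      "groups": {"sg-alb"}},
    "database-sg":  {"ports": {3306},    "cidrs": set(),      "groups": {"sg-bastion", "sg-ecs"}},
}

def audit(groups):
    """Compare describe-security-groups style data with POLICY; return findings."""
    findings = []
    for sg in groups:
        name, rule = sg["GroupName"], POLICY[sg["GroupName"]]
        for perm in sg["IpPermissions"]:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if perm["IpProtocol"] != "tcp" or not set(range(lo, hi + 1)) <= rule["ports"]:
                findings.append(f"{name}: unexpected {perm['IpProtocol']} {lo}-{hi}")
            for r in perm.get("IpRanges", []):
                cidr = r["CidrIp"]
                if rule["cidrs"] == "host":
                    if ip_network(cidr).num_addresses != 1:
                        findings.append(f"{name}: SSH source {cidr} is not a single host")
                elif cidr not in rule["cidrs"]:
                    findings.append(f"{name}: CIDR {cidr} not allowed on {lo}-{hi}")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in rule["groups"]:
                    findings.append(f"{name}: source group {pair['GroupId']} not allowed")
    return findings

# Constructed sample in the shape of `aws ec2 describe-security-groups` output,
# with one deliberate mistake: the database group is also open to the internet.
SAMPLE_GROUPS = [
    {"GroupName": "alb-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": INTERNET}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": INTERNET}]}]},
    {"GroupName": "bastion-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]},
    {"GroupName": "container-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}]},
    {"GroupName": "database-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": INTERNET}],
         "UserIdGroupPairs": [{"GroupId": "sg-bastion"}, {"GroupId": "sg-ecs"}]}]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print(finding)
```

Run against real output by replacing SAMPLE_GROUPS with the `SecurityGroups` list from the CLI and swapping in the real group ids.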

Docker

The Dockerfile is used to create a Docker image, which consists of the web application developed using LAMP. The Docker image is pushed to AWS ECR; the container also retrieves elements directly from GitHub as part of the build.

The image is built with the following steps:

· Run and build on Amazon Linux.

· Install git on the Amazon Linux image to enable retrieval from GitHub.

· Retrieve and unzip the web app file directly from GitHub (via personal access token and repository name).

· Install the LAMP packages for the web app to run on.

· Create an HTML directory and clone the web app into the HTML directory.

· Enable the mod_rewrite setting in the httpd.conf file.

· Set access permissions on the html directory.

· Set access permissions on the storage directory.

· Modify the .env file and add the database information.

· Access, copy and update the PHP file to redirect HTTP traffic to HTTPS.

· Expose Apache and MySQL on ports 80 and 3306.
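The personal access token and the .env step are the two points in this build where a secret can end up inside an image layer. As an added check (my code, not the project's own Dockerfile), the script below scans a constructed Dockerfile that follows the steps above and flags those patterns, and shows the BuildKit secret-mount form of the clone that does not trigger them; the repository `example-org/grocery-app` and the paths are placeholders.

```python
import re

# Build steps that leave a secret inside the image: ENV/ARG names that look like
# credentials (ENV is kept in the image config; ARG values are recorded in the layer
# history of any RUN using them), a token in the clone URL, and a copied .env file.
RULES = [
    (re.compile(r"^(ENV|ARG)\s+\w*(TOKEN|SECRET|PASSWORD|PASSWD)\w*", re.I),
     "credential passed as ENV/ARG"),
    (re.compile(r"https://[^@\s/]+@github\.com/", re.I),
     "personal access token embedded in clone URL"),
    (re.compile(r"^(COPY|ADD)\s+.*\.env\b", re.I),
     ".env file copied into the image"),
]

def scan_dockerfile(text):
    """Return (line_number, message) for each instruction that bakes a secret in."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, message in RULES:
            if pattern.search(stripped):
                findings.append((number, message))
    return findings

# Constructed Dockerfile following the build steps listed above, written the
# risky way; the repository name and paths are placeholders.
RISKY = """\
FROM amazonlinux:2
RUN yum install -y git httpd php php-mysqlnd unzip
ARG GITHUB_TOKEN
RUN git clone https://${GITHUB_TOKEN}@github.com/example-org/grocery-app.git /var/www/html
COPY .env /var/www/html/.env
EXPOSE 80
"""

# Same clone with a BuildKit secret mount: the token exists only while that RUN
# executes and is stored in no layer; database settings come from the ECS env file.
SAFE = """\
# syntax=docker/dockerfile:1
FROM amazonlinux:2
RUN --mount=type=secret,id=gh_token \\
    git clone "https://$(cat /run/secrets/gh_token)@github.com/example-org/grocery-app.git" /var/www/html
EXPOSE 80
"""

if __name__ == "__main__":
    for number, message in scan_dockerfile(RISKY):
        print(f"line {number}: {message}")
```

The SAFE form is built with `docker build --secret id=gh_token,src=./gh_token .`, so the token file never enters the build context as an image layer.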

IAM Roles

In this project I created 2 IAM roles: one for programmatic access and another for the task definition.

Programmatic access is created in AWS and is used to push the Docker image into ECR with an administrative role. Here the access key ID and secret access key are used to authenticate with AWS from my local machine via the AWS CLI.

The task definition role is used by the ECS service to access an environment file in the S3 bucket.

Bastion Host

The bastion host is used to SSH into the private subnet so that the SQL data used on the website can be migrated from local dev to the RDS instance using Flyway (the RDS database details are required here).

An EC2 instance acts as our bastion host, with a key pair (private and public key) used to SSH into it and from there reach the RDS instance; the bastion is created in the public subnet of AZ1. NOTE: the bastion host security group is used here.

The SQL script used in the RDS database can be seen in my GitHub repository below.

ALB & ECS

I also created an application load balancer, which routes traffic to the ECS task. The application load balancer is created in EC2, and a target group is used here. Its purpose is to route incoming HTTP/HTTPS traffic to a set of registered targets based on defined rules and conditions.

In the ALB I also added an HTTPS listener, which provides a secure communication channel by encrypting traffic between clients and the load balancer. For further security I added a redirect of traffic from port 80 (HTTP) to port 443 (HTTPS). The SSL certificate for the site was also added to the HTTPS listener.

ECS is focused on managing the execution of containers, while ECR is focused on storing and managing the container images that ECS or other container orchestration systems use. They are often used together in a typical containerised application workflow, where you build your container images, store them in ECR, and then deploy and manage them using ECS.

An ECS task is created and automatically added to the target group (by IP address), so the application load balancer can route traffic to the task through the target group.

Noteworthy: the ALB always sits in the public subnets and not the private subnets, hence it cannot be created in a private subnet to reroute the required traffic. The ECS task is part of a cluster, which consists of the ALB, private subnets, security groups, HTTP listener, target group and auto scaling group.

Note: all HTTP traffic is redirected to HTTPS, and the HTTPS traffic is forwarded to the target group of the application load balancer.

S3 Bucket

The S3 bucket is used to store the environment variables for the container image in ECR, so the ECS task can access the environment variables. The environment variables can also be accessed in the GitHub repo.
