This template installs a highly available, scalable Nginx webserver using a multi-az Amazon RDS database instance for storage.
I. Create a s3 bucket and an IAM role
- S3 bucket
-
IAM role with AmazonSSMManagedInstanceCore and AmazonS3ReadOnlyAccess. These policies will allow our instances to download our code from S3 and use Systems Manager Session Manager to securely connect to our instances without SSH keys through the AWS console.
II. Networking
-
VPC
-
Subnets:
- 6 subnets:
- Public-Web-Subnet-AZ-1, Private-App-Subnet-AZ-1, Private-DB-Subnet-AZ-1, Public-Web-Subnet-AZ-2, Private-App-Subnet-AZ-2, Private-DB-Subnet-AZ-2.
- Route Tables
-
Internet Gateway:
- Attach the internet gateway to the vpc
-
NAT gateway:
- create two NAT Gateway in the two public az
-
Security Groups: 5 security groups
- The first security group you’ll create is for the public, internet-facing load balancer. After typing a name and description, add an inbound rule to allow HTTP-type traffic for your IP.
- The second security group you’ll create is for the public instances in the web tier. After typing a name and description, add an inbound rule that allows HTTP-type traffic from your internet-facing load balancer security group you created in the previous step. This will allow traffic from your public-facing load balancer to hit your instances. Then, add an additional rule allowing HTTP-type traffic for your IP. This will allow you to access your instance when we test.
- The third security group will be for our internal load balancer. Create this new security group and add an inbound rule that allows HTTP-type traffic from your public instance security group. This will allow traffic from your web tier instances to hit your internal load balancer.
- The fourth security group we’ll configure is for our private instances. After typing a name and description, add an inbound rule allowing TCP-type traffic on port 4000 from the internal load balancer security group you created in the previous step. Our app tier application is running on this port, allowing our internal load balancer to forward traffic on this port to our private instances. You should also add another route for port 4000 that allows your IP for testing.
- The fifth security group we’ll configure protects our private database instances. For this security group, add an inbound rule that will allow traffic from the private instance security group to the MYSQL/Aurora port (3306).
III. Deploy Database Layer
- Subnet Groups
- Multi-AZ Database