AWS Project:
Deploy a Dynamic Website on AWS

This project involves building a dynamic website on AWS using a 3-tier VPC architecture with public and private subnets, an Internet Gateway (IG), and NAT Gateways to provide a highly secure network environment. MySQL RDS and Workbench were employed to ensure scalability and high availability of the database. EC2 instances, ALB, ASG, and Route 53 were utilized to ensure high availability and scalability of the website, while S3 was used for storage and backup. IAM Roles were implemented to manage access to the resources, and AMI was utilized to create and launch instances. Finally, SNS and Certificate Manager were used to manage notifications and SSL/TLS certificates, ensuring the security of the website. Project provided by AOSNote.

Step 1: Build a Three-Tier AWS Network VPC from Scratch

Building a three-tier AWS network VPC from scratch involves creating a Virtual Private Cloud (VPC) from the AWS Management Console, setting up subnets for each tier (public, private, and database), and configuring routing tables and security groups to ensure traffic flows securely between the tiers. The VPC can then be launched with instances for each tier, and load balancers can be added for high availability and scalability.

1. Create a new VPC using the CIDR range from our reference architecture.

2. Enable DNS hostnames. Enabling DNS hostnames in an AWS VPC allows instances within the VPC to have DNS names associated with their IP addresses.

3. Create an Internet Gateway. The Internet Gateway is crucial for enabling internet traffic to enter and exit a VPC, allowing instances, NAT gateways, etc. within public subnets to have a public IP address and be directly accessible from the internet.

4. Attach the Internet Gateway to our VPC. We can only attach one Internet Gateway to a VPC at a time.

5. Create two public subnets in two different availability zones for high availability. We will create these with different CIDR blocks, since subnets cannot have overlapping CIDR blocks.

6. Enable auto-assign public IPv4 address for both subnets.

7. Create a new public route table. When a new VPC is created, a Main route table is automatically created and associated with all subnets within the VPC. We will add a public route to our own public route table and associate our previously made public subnets with it.

8. Add a public route to the table. We'll do this by adding a target for our Internet Gateway.

9. Associate our previously made public subnets with the public route table.

10. Lastly, we will create four private subnets that will host our apps and databases. Two in Availability Zone 1 (AZ1), and two in AZ2. This will leave us with six subnets.

In a VPC, subnets can be designated as public or private based on their route table configuration. Public subnets are associated with a route table that has a route to an internet gateway, and private subnets are associated with a route table that does not have a route to an internet gateway.

Subnets not associated with a route table default to the Main route table, which is private by default.

Step 2: Create NAT Gateways

A NAT gateway allows instances in private subnets to securely access the internet or other AWS services, without needing public IP addresses or self-managed NAT.

1. Create a NAT gateway for AZ1 and allocate an elastic IP. This provides a static IP address that does not change even if the NAT gateway is stopped or restarted, and it ensures that the IP address of the NAT gateway remains constant, making it easier to maintain connectivity and security for external communication.

2. Create a private route table.

3. Add a route to our NAT gateway to route traffic to the internet.

4. Associate our private web and data subnets in AZ1 to the table.

5. Replicate steps 1-4, but this time for the subnets in AZ2.

Step 3: Create Security Groups

Security groups control the inbound and outbound traffic for resources in a VPC. They use rules to allow or block traffic based on protocol, IP addresses, and ports. We will create five security groups to control inbound traffic for our webservers.

1. Create the application load balancer security group. Inbound rules will allow access from HTTP (Port 80) and HTTPS (Port 443). We will add this security group to the application load balancer we create.

2. Create the SSH security group. Inbound rules will allow access from SSH (Port 22). We will limit this to only our IP address.

3. Create the webserver security group. Inbound rules will allow access from HTTP (Port 80), HTTPS (Port 443), and SSH (Port 22), and the source is our ALB and SSH security groups. We will add this security group to our EC2 instances.

4. Create the database security group. Inbound rules will allow access from port 3306, and the source will be our webserver security group. We will add this to our database instance.

Step 4: Launch a MySQL RDS Instance

Amazon Relational Database Service (Amazon RDS) is a fully managed database service provided by AWS that makes it easy to set up, operate, and scale a relational database in the cloud. With Amazon RDS, you can choose from six popular relational database engines, including MySQL, PostgreSQL, Oracle, SQL Server, MariaDB, and Amazon Aurora.

In this project, we will use MySQL as our database engine.

1. Create subnet groups. These will allow us to specify which subnets we want to create our RDS database in (Private Data Subnet AZ1 and Private Data Subnet AZ2).

2. Create the RDS database. We will create this, the Master DB, in Availability Zone 2 and have a stand-by in AZ1.

Step 5: Create an S3 Bucket and Upload a File

Amazon S3 is a cloud-based storage service that provides users with scalable, reliable, and secure object storage capabilities. We will use it to upload and store our application webfiles.

1. Create the S3 bucket.

2. Upload the webfiles into our newly created bucket.

Step 6: Create an IAM Role for the S3 Policy

An IAM role can be used to allow users or services to assume specific permissions to access S3 buckets. It helps to ensure that only authorized users or services can access the S3 bucket, and data remains secure.

1. Create an IAM role and attach the AmazonS3FullAccess permissions policy. This will allow our EC2 instance to download the file inside the bucket.

Step 7: Launch the Setup Server

We will now launch the EC2 instance setup server. We will utilize this instance to import the SQL data for our application into the RDS database, and then to install and configure our application. We'll deploy it in the public subnet for ease of installation.

1. Create a key pair. We will use this to SSH into our EC2 instance.

2. Change permissions on our key. This will set the read-only permission for the owner of the file, and no permissions for anyone else.

3. Launch our setup EC2 instance with our three security groups: webserver security group, ALB security group, and SSH security group.

Step 8: Use MySQL Workbench to Import Data into the RDS Database

We will use MySQL Workbench and our Setup Server to import the SQL data for our application into the RDS database. To connect to an AWS RDS instance using MySQL Workbench, we can create a new connection using the "Standard TCP/IP over SSH" method, specifying the appropriate credentials and SSH settings. Once connected, we can manage and administer the RDS instance using MySQL Workbench's graphical interface.

1. Connect to the database.

2. Import the SQL file for our application.

Anytime you have to import data for your application to RDS, this is one method you can use.

Step 9: Install a Dynamic Website on an EC2 Instance LAMP Stack

LAMP stands for Linux operating system, Apache web server, MySQL database, and PHP programming language. Using an EC2 Instance LAMP stack, we can quickly and easily deploy and run web applications that require a dynamic server-side scripting language such as PHP, as well as a powerful and scalable database management system such as MySQL.

Now we'll use the Setup Server to install and configure our website.

1. SSH into our Setup Server.

2. Update our EC2 instance.

3. Install Apache.

4. Install PHP, version 7.4.

5. Install MySQL, version 5.7.

6. Download the application zip file from S3 to the html directory.

7. Unzip the app zip folder.

8. Move all the files and folder from the app folder directory to the html directory.

9. Move all the hidden files from the app folder directory to the html directory.

10. Delete the app and app.zip folder.

11. Enable mod_rewrite on ec2 linux.

12. Set permissions.

13. Add database credentials.

14. Restart the Apache server.

Our website is now available.

Step 10: Create an AMI

Now that we've finished using our Setup Server instance to install and configure our web application, we can stop it and create an Amazon Machine Image (AMI) from it. This AMI can be used to launch new instances with the same configuration and settings as the original instance, making it easier to replicate the web application environment.

1. Stop the Setup Server instance.

2. Create the AMI.

Step 11: Create an Application Load Balancer

An Application Load Balancer (ALB) is a service that routes incoming traffic to multiple targets based on the content of the request, such as the URL or HTTP header. ALBs operate at the application layer (Layer 7) and support features like SSL/TLS termination, health checks, and content-based routing.

1. Launch an EC2 instance in the private subnet AZ1.

2. Create a target group. To access the website we installed on the EC2 instance, we will put it in the target group to allow the ALB to route traffic to it.

Make sure to add status success codes 301 and 302, so we can redirect traffic from HTTP to HTTPS.

3. Create the application load balancer.

4. We can now delete our Setup Server.

Step 12: Register a New Domain Name in Route 53 and Create a Record Set

We will create a domain name for our website and use Route 53 as a service that helps people find that website on the internet. It will ensure that people can access the website easily and reliably.

1. Create a domain name.

2. Create a record. Creating a Route 53 alias record for an Application Load Balancer involves mapping the website or application's domain name to the ALB. This directs traffic to the targets behind the ALB. The user must specify the DNS name of the ALB and routing policy when creating the alias record.

Step 13: Register for an SSL Certificate in AWS Certificate Manager

We will use an SSL Certificate to encrypt all communications between the web browser and our webservers. This is also referred to as encryption in transit.

Currently we are not secure.

1. Create a public SSL Certificate in AWS Certificate Manager.

2. Create DNS records in Amazon Route 53. This is a validation process designed to ensure that only the domain owner can obtain the SSL certificate.

Our certificate is good to go.

Step 14: Secure the Website with ACM SSL Certificate

Using the SSL Certificate we just registered, we will secure our website. We will create an HTTPS (SSL) listener for our ALB. This involves configuring the ALB to handle SSL/TLS encryption for incoming requests and requires associating the SSL certificate we created with the ALB's listener configuration. Once configured, the ALB can decrypt and forward incoming HTTPS requests to the appropriate backend target group.

1. Add listener.

2. Redirect traffic to the HTTPS listener from the HTTP listener.

3. Check that our website is now secure.

Our website doesn't look quite right because we are now redirecting traffic from HTTP to HTTPS. We must SSH into our EC2 instance and update one of our configuration files to reflect that change.

Step 15: SSH into an Instance in the Private Subnet

We will now SSH into the EC2 instance in our private subnet to update the configuration file so that our website can load properly. To do so, we'll first have to launch a bastion host.

A bastion host is a dedicated server instance used to securely connect to other servers within a private network. It provides an additional layer of security by acting as a gateway that provides access control for remote connections.

1. Create the bastion host in the public subnet.

2. First we will run the command that will allow us to SSH from the bastion host to any instance in the private subnet.

3. SSH into our bastion host.

4. SSH into the private webserver in AZ1. We will do this by using the instance's private IP address.

5. Edit the .env file.

6. Edit the AppServiceProvider.php file.

7. After restarting the Apache server, our website should properly function again.

Step 16: Create Another AMI

Since we made changes to the configuration files on our instance, we will create a new AMI to reflect those changes.

1. Create a new AMI.

2. Check that the AMI has a snapshot. A snapshot is a backup of an EC2 instance that contains all the information needed to launch a new instance with the same configuration as the original. When a snapshot is created, a copy of the instance's data is stored in S3.

Step 17: Create an Auto Scaling Group

An Auto Scaling Group (ASG) is a group of EC2 instances that can automatically scale up or down based on demand. This helps maintain the required number of instances for the application to handle variable traffic loads without downtime or performance degradation.

1. Terminate the EC2 instances we previously created manually. We no longer need them.

2. Create a launch template. This contains the configurations of our AMI that the ASG will use to launch new instances in the private app subnets.

3. Create the auto scaling group.

Add an SNS topic to the ASG. This will notify subscribers (we'll get notified via email) when events are triggered, such as when instances launch, terminate, fail to launch, and fail to terminate.

We now have two instances running in our ASG, one in AZ1 and one in AZ2.

4. Check that these instances have been added to our target group.

Our dynamic website is complete and running!

Step 18: Terminate Resources

To complete this project, we will delete the resources we created to avoid unwanted charges. This includes our ASG, launch templates, ALB, target group, RDS, bastion host, security groups, NAT gateways, AMIs, snapshots, VPC, elastic IPs, S3 bucket, S3 IAM role, and record sets.

Project Complete!