AWS Project:
Deploy a Static Website on AWS

This project involves deploying a web application on AWS using a combination of services. It will include configuring NAT Gateways, Security Groups, an Application Load Balancer (ALB), Route 53, Auto Scaling Groups (ASG), AWS Certificate Manager (ACM), and SSL certificates. The setup will ensure that the application is highly available, secure, and can handle fluctuations in traffic by automatically scaling up or down based on demand. The SSL certificate will be used to encrypt communication between the users and the application. The final setup will enable the users to access the application using a custom domain name via the ALB, which will route traffic to the appropriate instances in the ASG.

Step 1: Build a Three-Tier AWS Network VPC from Scratch

Building a three-tier AWS network VPC from scratch involves creating a Virtual Private Cloud (VPC) from the AWS Management Console, setting up subnets for each tier (public, private, and database; the database tier is created here but not used in this project), and configuring route tables and security groups so that traffic flows securely between the tiers. Instances for each tier can then be launched into the VPC, and load balancers added for high availability and scalability.

1. Create a new VPC using the CIDR range from our reference architecture.

2. Enable DNS hostnames. Enabling DNS hostnames in an AWS VPC allows instances within the VPC to have DNS names associated with their IP addresses.

3. Create an Internet Gateway. The Internet Gateway is what lets internet traffic enter and leave a VPC; resources in public subnets, such as instances and NAT gateways, can then hold a public IP address and be reached directly from the internet.

4. Attach the Internet Gateway to our VPC. We can only attach one Internet Gateway to a VPC at a time.

5. Create two public subnets in two different availability zones for high availability. We will create these with different CIDR blocks, since subnets cannot have overlapping CIDR blocks.

6. Enable auto-assign public IPv4 addresses on both public subnets. Instances launched in these subnets then receive a public IP automatically; the route that actually carries their traffic to the Internet Gateway is added in the next steps.

7. Create a new public route table. When a new VPC is created, a Main route table is automatically created and associated with all subnets within the VPC. We will add a public route to our own public route table and associate our previously made public subnets with it.

8. Add a public route to the table.

9. Associate our previously made public subnets with the route table.

10. Lastly, we will create four private subnets. Two in Availability Zone 1 (AZ1), and two in AZ2. This will leave us with six subnets.

In a VPC, subnets can be designated as public or private based on their route table configuration. Public subnets are associated with a route table that has a route to an internet gateway, and private subnets are associated with a route table that does not have a route to an internet gateway.

Subnets not explicitly associated with a route table use the Main route table, which is private until a route to an internet gateway is added to it.

Step 2: Create NAT Gateways

A NAT gateway allows instances in private subnets to securely access the internet or other AWS services, without needing public IP addresses or self-managed NAT.

1. Create a NAT gateway for AZ1 and allocate an elastic IP. The elastic IP is a static public address that stays with the NAT gateway for its lifetime, so all outbound traffic from the private subnets leaves from one predictable IP; that makes it easier to maintain connectivity and to secure external communication, for example where a third party allow-lists our address.

2. Create a private route table.

3. Add a route to our NAT gateway to route traffic to the internet.

4. Associate our private web and data subnets in AZ1 with the table.

5. Replicate steps 1-4, but this time for the subnets in AZ2.
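The two rules the network in Steps 1 and 2 depends on are that subnet CIDR blocks never overlap, and that a subnet is public or private purely by virtue of the route table it resolves to (its own association, or the Main table when it has none). The script below is an added example, not code from the original walkthrough: it plans six non-overlapping subnets from a VPC range, classifies route tables by their default route, and checks that every private subnet reaches the internet through a NAT gateway in its own AZ. The VPC CIDR, subnet and gateway IDs, and AZ names are constructed sample data shaped like `aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways` output; the post does not list its own ranges.

```python
"""Offline checks for the three-tier VPC layout built in Steps 1 and 2.

Added example, not code from the original walkthrough. All IDs, CIDRs and AZ
names are constructed, shaped like `aws ec2 describe-subnets`,
`describe-route-tables` and `describe-nat-gateways` output.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"   # constructed; the post takes its ranges from a reference architecture
AZS = ["az1", "az2"]       # constructed stand-ins for the post's AZ1 / AZ2
TIERS = ["public", "private-web", "private-data"]


def plan_subnets(vpc_cidr=VPC_CIDR, azs=AZS, tiers=TIERS, new_prefix=24):
    """Carve one /new_prefix block per (tier, AZ) from the VPC range: 2 public + 4 private."""
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    return [{"tier": t, "az": az, "cidr": str(next(blocks))} for t in tiers for az in azs]


def find_overlaps(cidrs):
    """Return overlapping CIDR pairs; AWS rejects overlapping subnets within one VPC (Step 1.5)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def classify_route_table(rt):
    """'public' if 0.0.0.0/0 goes to an igw-, 'private-nat' if to a nat-, else 'isolated'."""
    for route in rt["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private-nat"
    return "isolated"


def route_table_for(subnet_id, route_tables):
    """An explicit association wins; otherwise the VPC's Main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def audit_subnets(subnets, route_tables, nat_gateways):
    """Map each subnet to public / private-nat / private-nat-cross-az / isolated."""
    subnet_az = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    nat_az = {n["NatGatewayId"]: subnet_az[n["SubnetId"]] for n in nat_gateways}
    result = {}
    for s in subnets:
        rt = route_table_for(s["SubnetId"], route_tables)
        kind = classify_route_table(rt)
        if kind == "private-nat":
            nat_id = next(r["NatGatewayId"] for r in rt["Routes"] if "NatGatewayId" in r)
            if nat_az[nat_id] != s["AvailabilityZone"]:
                kind = "private-nat-cross-az"   # works, but an outage in the NAT's AZ takes this AZ down too
        result[s["SubnetId"]] = kind
    return result


# Constructed sample: six subnets, a public route table, one private route table per AZ.
SUBNETS = [
    {"SubnetId": "subnet-pub1", "AvailabilityZone": "az1", "CidrBlock": "10.0.0.0/24"},
    {"SubnetId": "subnet-pub2", "AvailabilityZone": "az2", "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-web1", "AvailabilityZone": "az1", "CidrBlock": "10.0.2.0/24"},
    {"SubnetId": "subnet-web2", "AvailabilityZone": "az2", "CidrBlock": "10.0.3.0/24"},
    {"SubnetId": "subnet-data1", "AvailabilityZone": "az1", "CidrBlock": "10.0.4.0/24"},
    {"SubnetId": "subnet-data2", "AvailabilityZone": "az2", "CidrBlock": "10.0.5.0/24"},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-az1", "SubnetId": "subnet-pub1"},
                {"NatGatewayId": "nat-az2", "SubnetId": "subnet-pub2"}]
LOCAL = {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"}
DEFAULT = "0.0.0.0/0"
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Routes": [LOCAL], "Associations": [{"Main": True}]},
    {"RouteTableId": "rtb-public",
     "Routes": [LOCAL, {"DestinationCidrBlock": DEFAULT, "GatewayId": "igw-1"}],
     "Associations": [{"SubnetId": "subnet-pub1"}, {"SubnetId": "subnet-pub2"}]},
    {"RouteTableId": "rtb-private-az1",
     "Routes": [LOCAL, {"DestinationCidrBlock": DEFAULT, "NatGatewayId": "nat-az1"}],
     "Associations": [{"SubnetId": "subnet-web1"}, {"SubnetId": "subnet-data1"}]},
    # Deliberate slip in Step 2.5: subnet-data2 was never associated, so it falls back to Main.
    {"RouteTableId": "rtb-private-az2",
     "Routes": [LOCAL, {"DestinationCidrBlock": DEFAULT, "NatGatewayId": "nat-az2"}],
     "Associations": [{"SubnetId": "subnet-web2"}]},
]

if __name__ == "__main__":
    plan = plan_subnets()
    print("planned subnets:", [(p["tier"], p["az"], p["cidr"]) for p in plan])
    print("overlaps:", find_overlaps(p["cidr"] for p in plan))
    for subnet_id, kind in audit_subnets(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS).items():
        print(f"{subnet_id:14} {kind}")
```

Running it shows `subnet-data2` as `isolated`: it silently inherited the Main route table, so an instance launched there could neither fetch packages nor reach AWS APIs. Pointing an AZ2 subnet at `nat-az1` would instead be reported as `private-nat-cross-az`, which is why the post repeats Steps 1 to 4 per AZ.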

Step 3: Create Security Groups

Security groups control the inbound and outbound traffic for resources in a VPC. They use rules to allow or block traffic based on protocol, IP addresses, and ports. We will create three security groups to control inbound traffic for our webservers.

1. Create the application load balancer security group. Inbound rules will allow access from HTTP (Port 80) and HTTPS (Port 443). We will add this security group to the application load balancer we create.

2. Create the SSH security group. Inbound rules will allow access from SSH (Port 22). We will limit this to only our IP address.

3. Create the webserver security group. Inbound rules will allow access from HTTP (Port 80), HTTPS (Port 443), and SSH (Port 22). We will add this security group to our EC2 instances.
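The three groups above form a chain: the internet reaches only the ALB, the ALB reaches the web servers, and SSH is confined to a single operator address. The script below is an added example, not code from the original post: it reviews a set of security groups in the shape of `aws ec2 describe-security-groups` output and reports rules wider than that design, in particular SSH reachable from more than one host. The group IDs, the operator address (a TEST-NET-3 placeholder) and the rule sets are constructed; the webserver group is written in the group-as-source form (ALB group on 80/443, SSH group on 22) rather than with CIDR sources, which is an assumption about how the post's rules are best expressed.

```python
"""Review the Step 3 security groups for inbound rules a defender should question.

Added example, not from the original post. Group IDs, the operator address and the
rule sets are constructed, in the shape of `aws ec2 describe-security-groups` output
(IpPermissions / IpRanges / UserIdGroupPairs).
"""
import ipaddress

ANYWHERE = "0.0.0.0/0"
OPERATOR_IP = "203.0.113.10/32"        # constructed TEST-NET-3 address standing in for "our IP address"
ALB_SG, SSH_SG, WEB_SG = "sg-alb", "sg-ssh", "sg-web"   # constructed group IDs
INTERNET_PORTS = {80, 443}             # the only ports the post exposes to the internet, and only on the ALB


def rule(port, *, cidrs=(), groups=()):
    """One TCP inbound permission as the EC2 API reports it; sources are CIDRs and/or other groups."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


def port_label(perm):
    """'22', '80-443' or 'all' (protocol -1 means every port)."""
    if perm["IpProtocol"] == "-1":
        return "all"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return str(lo) if lo == hi else f"{lo}-{hi}"


def open_ports(perm):
    """Set of ports a permission admits, or None when protocol -1 admits everything."""
    if perm["IpProtocol"] == "-1":
        return None
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def source_groups(sg):
    """Security groups this group trusts as sources (the ALB -> web server chain in Step 3)."""
    return {p["GroupId"] for perm in sg["IpPermissions"] for p in perm.get("UserIdGroupPairs", [])}


def review(security_groups):
    """Return (group, ports, source, reason) for CIDR-sourced rules wider than Step 3 intends."""
    findings = []
    for sg in security_groups:
        for perm in sg["IpPermissions"]:
            ports = open_ports(perm)
            for r in perm.get("IpRanges", []):
                cidr = r["CidrIp"]
                prefix = ipaddress.ip_network(cidr).prefixlen
                if (ports is None or 22 in ports) and prefix < 32:
                    reason = "SSH reachable from more than a single host"
                elif cidr == ANYWHERE and (ports is None or not ports <= INTERNET_PORTS):
                    reason = "non-web port open to the internet"
                elif cidr == ANYWHERE and sg["GroupId"] != ALB_SG:
                    reason = "web port open to the internet instead of to the ALB's group"
                else:
                    continue
                findings.append((sg["GroupId"], port_label(perm), cidr, reason))
    return findings


# Constructed rule sets following Step 3: ALB open to the world on 80/443, SSH only from the
# operator's address, web servers reached on 80/443 only from the ALB's group and on 22 only
# from the SSH group.
SECURITY_GROUPS = [
    {"GroupId": ALB_SG, "GroupName": "alb-sg",
     "IpPermissions": [rule(80, cidrs=[ANYWHERE]), rule(443, cidrs=[ANYWHERE])]},
    {"GroupId": SSH_SG, "GroupName": "ssh-sg",
     "IpPermissions": [rule(22, cidrs=[OPERATOR_IP])]},
    {"GroupId": WEB_SG, "GroupName": "webserver-sg",
     "IpPermissions": [rule(80, groups=[ALB_SG]), rule(443, groups=[ALB_SG]), rule(22, groups=[SSH_SG])]},
]

# A common slip: the SSH group left at 0.0.0.0/0 instead of the operator's /32.
SLOPPY_SSH_SG = {"GroupId": SSH_SG, "GroupName": "ssh-sg", "IpPermissions": [rule(22, cidrs=[ANYWHERE])]}

if __name__ == "__main__":
    print("as designed:", review(SECURITY_GROUPS))
    print("sloppy SSH :", review([SLOPPY_SSH_SG]))
    print("webserver-sg trusts:", sorted(source_groups(SECURITY_GROUPS[2])))
```

Because the webserver group names other groups as sources, it has no CIDR rules to review at all; the ALB group is the single place where 0.0.0.0/0 legitimately appears, and only on 80 and 443.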

Step 4: Create an Application Load Balancer

An Application Load Balancer (ALB) is a service that routes incoming traffic to multiple targets based on the content of the request, such as the URL or HTTP header. ALBs operate at the application layer (Layer 7) and support features like SSL/TLS termination, health checks, and content-based routing.

1. Launch EC2 instances in both private web subnets, one in AZ1 and one in AZ2. These will run the webservers that host our website.

2. Create the application load balancer. Our target group will be the two instances we just created.

Step 5: Register a New Domain Name in Route 53 and Create a Record Set

We will register a domain name for our website and use Route 53, AWS's DNS service, to resolve that name so that people can reach the website easily and reliably.

1. Create a domain name.

2. Create a record.

Creating a Route 53 alias record for an Application Load Balancer maps the website's domain name to the ALB, which then directs traffic to the targets behind it. When creating the alias record, we specify the ALB's DNS name and a routing policy.

Step 6: Register for an SSL Certificate in AWS Certificate Manager

We will use an SSL certificate to encrypt all communication between the web browser and our webservers. This is also referred to as encryption in transit. At this point the site still serves plain HTTP, so it is not yet secure.

1. Create a public SSL Certificate in AWS Certificate Manager.

2. Create DNS records in Amazon Route 53. ACM uses these records to validate the request, which ensures that only the domain owner can obtain a certificate for the domain.

Our certificate is good to go.

Step 7: Create an HTTPS (SSL) Listener for an Application Load Balancer

Creating an HTTPS (SSL) listener for an ALB means configuring the ALB to terminate SSL/TLS for incoming requests. This requires associating the SSL certificate we created with the ALB's listener configuration. Once configured, the ALB decrypts incoming HTTPS requests and forwards them to the appropriate backend target group.

1. Add an HTTPS listener and attach the ACM certificate to it.

2. Redirect traffic to the HTTPS listener from the HTTP listener.

Our website is now secure.
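"Secure" here rests on two listener settings: the HTTPS listener carries the ACM certificate and forwards to the target group, and the HTTP listener does nothing but redirect to it. The check below is an added example, not code from the original post: it takes a listener list in the shape of `aws elbv2 describe-listeners` output and reports anything that would leave traffic on plain HTTP or on an old TLS policy. The certificate and target group ARNs are placeholders, and the TLS policy names are the real ALB policy identifiers (the 2016-08 policy is the long-time default and still negotiates TLS 1.0 and 1.1).

```python
"""Check the ALB listeners against Step 7: HTTPS on 443 with the ACM certificate,
and HTTP on 80 permanently redirecting to it.

Added example, not from the original post. The listener list is constructed in the
shape of `aws elbv2 describe-listeners` output; the certificate and target group
ARNs are placeholders, not values from the post.
"""

CERT_ARN = "arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID_PLACEHOLDER"
TG_ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:targetgroup/web/TG_ID_PLACEHOLDER"
LEGACY_TLS_POLICY = "ELBSecurityPolicy-2016-08"   # long-time default; still negotiates TLS 1.0/1.1

# Constructed listeners as they should look after Steps 7.1 and 7.2.
LISTENERS = [
    {"Port": 443, "Protocol": "HTTPS",
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "Certificates": [{"CertificateArn": CERT_ARN}],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_ARN}]},
    {"Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "Host": "#{host}",
                                            "Path": "/#{path}", "Query": "#{query}",
                                            "StatusCode": "HTTP_301"}}]},
]


def check_listeners(listeners):
    """Return a list of problems; an empty list means the listeners match Step 7."""
    problems = []
    https = [l for l in listeners if l["Protocol"] == "HTTPS"]
    if not https:
        problems.append("no HTTPS listener: traffic is still plain HTTP")
    for l in https:
        if not l.get("Certificates"):
            problems.append(f"HTTPS:{l['Port']} has no certificate attached")
        if l.get("SslPolicy") == LEGACY_TLS_POLICY:
            problems.append(f"HTTPS:{l['Port']} uses {LEGACY_TLS_POLICY}, which still allows TLS 1.0/1.1")
        if not any(a["Type"] == "forward" for a in l["DefaultActions"]):
            problems.append(f"HTTPS:{l['Port']} does not forward to a target group")
    for l in listeners:
        if l["Protocol"] != "HTTP":
            continue
        action = l["DefaultActions"][0] if l["DefaultActions"] else {}
        cfg = action.get("RedirectConfig", {})
        if action.get("Type") != "redirect" or cfg.get("Protocol") != "HTTPS" or cfg.get("Port") != "443":
            problems.append(f"HTTP:{l['Port']} serves content instead of redirecting to HTTPS:443")
        elif cfg.get("StatusCode") != "HTTP_301":
            problems.append(f"HTTP:{l['Port']} redirects with {cfg.get('StatusCode')}; use HTTP_301 so clients cache it")
    return problems


if __name__ == "__main__":
    print("after Step 7:", check_listeners(LISTENERS) or "ok")
    # The state right after Step 4: a single HTTP listener forwarding straight to the targets.
    before = [{"Port": 80, "Protocol": "HTTP",
               "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_ARN}]}]
    print("after Step 4:", check_listeners(before))
```

The same data shapes come back from `describe-listeners` against a real load balancer, so the check can be re-run after every console change to confirm the HTTP listener was switched to a redirect rather than left forwarding alongside the new HTTPS listener.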

Step 8: Create an Auto Scaling Group

An Auto Scaling Group (ASG) is a group of EC2 instances that can automatically scale up or down based on demand. This helps maintain the required number of instances for the application to handle variable traffic loads without downtime or performance degradation.

1. Terminate the EC2 instances we previously created manually.

2. Create a launch template. This holds the configuration of our EC2 instance that the ASG will use to launch new instances in the private web subnets.

3. Create an ASG.

We now have two instances running in our ASG.

Step 9: Terminate Resources

To complete this project, we will delete the resources we created to avoid unwanted charges. This includes our ASG, launch template, ALB, target group, security groups, NAT gateways, elastic IPs, Route 53 record sets, and the VPC.

Project Complete!