Two-Tier Architecture for VPC in AWS: A Detailed Explanation

In AWS, Virtual Private Cloud (VPC) allows you to set up a private network in the cloud, where you can launch AWS resources such as EC2 instances, databases, and more. A Two-Tier Architecture is one of the most commonly used setups for cloud applications, providing a clear separation of public-facing components and private components. In this architecture, you typically have two main layers: the public layer and the private layer.

In this blog, we’ll explore the two-tier architecture for VPC, its components, how to configure them, and a use case to help you understand how to deploy and navigate through it on AWS.

What is Two-Tier Architecture?

A Two-Tier Architecture is a design in which:

  • The first tier (Public Tier) contains components that need to be accessible from the internet, such as web servers.

  • The second tier (Private Tier) contains components that are kept isolated from direct internet access, such as database servers.

Components of Two-Tier Architecture

Let’s look at the essential components of a Two-Tier Architecture VPC setup on AWS:

1. Public Subnets

Public subnets are subnets whose route table sends internet-bound traffic (0.0.0.0/0) to an Internet Gateway. Resources in them (web servers, load balancers) can be reached from the internet, provided they also have a public or Elastic IP and a security group that permits the traffic.

2. Private Subnets

Private subnets have no route to the Internet Gateway, so nothing on the internet can initiate a connection to them. Resources in these subnets (database servers, internal services) reach the internet only outbound, through a NAT Gateway, and only if you give them such a route.

3. EC2 Instances for Public Tier

These EC2 instances are typically web servers that host your application. They reside in the public subnet and are reachable from the internet through a public/Elastic IP or, preferably, behind a Load Balancer; in either case the instance's security group must still allow the inbound ports.

4. Database Instance (Private Tier)

The database (e.g., Amazon RDS or EC2 with a database) is in the private subnet to ensure it is not directly exposed to the internet. Its security group should allow inbound connections on the database port only from the web tier's security group, not from a CIDR range, so that only the web tier's EC2 instances can reach it.

5. NAT Gateway

A NAT Gateway, placed in a public subnet and given an Elastic IP, allows EC2 instances in private subnets to access the internet for tasks like software updates or API calls, without exposing them to incoming internet traffic.

6. Main Route Table

The main route table is the one every subnet uses unless you explicitly associate it with another table. By default it contains only the local route for the VPC CIDR, which is what routes traffic between subnets. Keep it that way: if you add an Internet Gateway route to the main route table, every subnet that is not explicitly associated elsewhere silently becomes public.

7. Route Table for Public Subnet

The route table for the public subnet routes traffic destined for the internet (0.0.0.0/0) to the Internet Gateway. This single route is what makes the subnet "public".

8. Internet Gateway

The Internet Gateway connects your VPC to the internet, allowing resources in the public subnet to communicate with the outside world.

9. VPC Endpoint

A VPC Endpoint allows you to connect your VPC privately to AWS services like S3 or DynamoDB, without routing traffic over the internet or through the NAT Gateway. S3 and DynamoDB use gateway endpoints, which appear as routes in the subnet's route table; most other services use interface endpoints (PrivateLink) that place an ENI in your subnet.
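What separates a public subnet from a private one is a single route, and what keeps the database reachable only from the web tier is a single security-group rule. The following added example (not code from the original post) makes both checks explicit over data shaped like the EC2 DescribeRouteTables and DescribeSecurityGroups responses; the route tables, security groups and all ids in it are constructed for the example, and the checks also cover the IPv6 default route and egress-only gateway, which the text above does not discuss.

```python
"""Added example: classify subnets and check two invariants of a two-tier VPC
from data shaped like the EC2 DescribeRouteTables / DescribeSecurityGroups
responses.  All sample data below is constructed for the example."""

# Constructed sample route tables: the main table (local route only), a
# public table (default route -> Internet Gateway) and a private table
# (default route -> NAT Gateway).  Ids are made up.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"Main": False, "SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"Main": False, "SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
]

# Constructed database security groups: a correct one (port 3306 only from the
# web tier's group) and an open one (port 3306 from the whole internet).
DB_SG_OK = {"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]}
DB_SG_OPEN = {"GroupId": "sg-db-open", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}


def classify(route_table):
    """Return 'public', 'private' or 'isolated' from the default route alone.

    A subnet is public only because its route table sends 0.0.0.0/0 (or ::/0)
    to an Internet Gateway; a NAT or egress-only gateway gives outbound-only
    access; no default route at all means no internet path in either direction.
    """
    for route in route_table["Routes"]:
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest not in ("0.0.0.0/0", "::/0"):
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId") or route.get("EgressOnlyInternetGatewayId"):
            return "private"
    return "isolated"


def audit_route_tables(route_tables):
    """Flag a main route table that carries an Internet Gateway route: every
    subnet without an explicit association inherits it and becomes public."""
    findings = []
    for rt in route_tables:
        is_main = any(a.get("Main") for a in rt.get("Associations", []))
        if is_main and classify(rt) == "public":
            findings.append(f"{rt['RouteTableId']}: main route table has a route to an "
                            "Internet Gateway; unassociated subnets are public by default")
    return findings


def audit_db_security_group(sg, web_sg_id, db_port):
    """Flag any inbound rule on the DB group that is not 'db_port from web_sg_id'."""
    findings = []
    gid = sg["GroupId"]
    for perm in sg["IpPermissions"]:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            findings.append(f"{gid}: inbound from CIDR {cidr} ({proto} {lo}-{hi}); "
                            "the DB tier should accept traffic only from the web tier's group")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != web_sg_id:
                findings.append(f"{gid}: inbound from unexpected group {pair.get('GroupId')}")
        if proto == "-1" or not (proto == "tcp" and lo == db_port == hi):
            findings.append(f"{gid}: rule wider than tcp/{db_port} ({proto} {lo}-{hi})")
    return findings


if __name__ == "__main__":
    for rt in ROUTE_TABLES:
        print(rt["RouteTableId"], "->", classify(rt))
    for f in audit_route_tables(ROUTE_TABLES) + audit_db_security_group(DB_SG_OPEN, "sg-web", 3306):
        print("FINDING:", f)
```

To run the same checks against a real account, feed `classify` and the two audit functions the `RouteTables` and `SecurityGroups` lists returned by `describe_route_tables` and `describe_security_groups` (boto3 or `aws ec2 describe-... --output json`); the functions only read the fields shown above.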

Use Case: Setting Up a Simple Web Application

Let's walk through the navigation steps for setting up a simple web application using a Two-Tier Architecture on AWS. In this example, we’ll use EC2 instances for the web application (in the public subnet) and an RDS instance for the database (in the private subnet).

Step 1: Create a VPC

  1. Navigate to the VPC Dashboard in the AWS Console.

    • Go to the VPC section from the main AWS console.

    • Click Create VPC and specify a CIDR block (e.g., 10.0.0.0/16).

  2. Create subnets for public and private tiers.

    • Public Subnet: Create a subnet with a CIDR block like 10.0.0.0/24 in your VPC.

    • Private Subnet: Create another subnet with a CIDR block like 10.0.1.0/24 for the private tier. If the database will be an RDS instance, create a second private subnet in a different Availability Zone (e.g., 10.0.2.0/24), because an RDS DB subnet group must span at least two Availability Zones.

Step 2: Set up the Route Tables

  1. Main Route Table:

    • AWS automatically creates a main route table for your VPC with only the local route, which already handles traffic between subnets. Leave it that way and do not add an Internet Gateway route to it; any subnet you forget to associate explicitly falls back to the main table and would become public.
  2. Route Table for Public Subnet:

    • Create a new route table for the public subnet and associate it with the public subnet.

    • Add a route for 0.0.0.0/0 to the Internet Gateway. The gateway must already exist and be attached to the VPC (see Step 6) before this route can be created.

  3. Route Table for Private Subnet:

    • Create a new route table for the private subnet.

    • Add a route for 0.0.0.0/0 to the NAT Gateway, which will allow outbound internet traffic from private resources. The NAT Gateway must already exist (see Step 5) before this route can be created; associate every private subnet with this table.

Step 3: Set Up EC2 Instances (Public Tier)

  1. Launch EC2 Instances in the Public Subnet:

    • Go to EC2 in the AWS Console.

    • Launch an EC2 instance with a public IP in the public subnet. You can use a basic web server AMI like Amazon Linux or Ubuntu.

    • Make sure the instance is in the Public Subnet and attach a security group allowing HTTP/HTTPS traffic (ports 80 and 443). Do not open SSH (port 22) to 0.0.0.0/0; restrict it to your administrative IP range, or leave it closed and use AWS Systems Manager Session Manager instead.

  2. Install and Configure the Web Server:

    • Once the EC2 instance is running, connect to it (SSH from an allowed administrative address, or Session Manager) and set up your web server (e.g., Apache or Nginx).

Step 4: Set Up RDS Database (Private Tier)

  1. Create an RDS Instance:

    • Go to RDS in the AWS Console.

    • Launch a new database instance, choosing a database engine (e.g., MySQL, PostgreSQL), and place it in a DB subnet group made up of your private subnets.

    • Ensure that public accessibility is set to No to prevent direct internet access, and attach a security group that allows the database port (3306 for MySQL, 5432 for PostgreSQL) only from the web tier's security group, not from any CIDR range.

  2. Connect the EC2 Instance to the RDS Database:

    • Configure your web server to connect to the RDS instance using the endpoint DNS name shown in the RDS console, not the private IP address, which can change after a failover or maintenance. Keep the database credentials out of the application code (e.g., in AWS Secrets Manager) and connect over TLS.

Step 5: Set Up NAT Gateway

  1. Create a NAT Gateway in the Public Subnet:

    • Go to VPC and select NAT Gateways.

    • Create a new NAT Gateway in the public subnet and associate it with an Elastic IP.

  2. Update Route Table for Private Subnet:

    • In the route table of the private subnet, ensure that traffic destined for the internet routes to the NAT Gateway.

Step 6: Attach Internet Gateway

  1. Create and Attach Internet Gateway:

    • Go to VPC, then Internet Gateways.

    • Create a new Internet Gateway and attach it to your VPC.

Step 7: Test Your Architecture

  1. Test Access to Web Server:

    • Open your web browser and access the EC2 instance’s public IP. You should see your web application running.
  2. Test Database Access:

    • Ensure that your EC2 instance in the public subnet can communicate with the RDS instance in the private subnet, for example by connecting with the database client from the instance (mysql -h <rds-endpoint> -u <user> -p) or checking the port (nc -zv <rds-endpoint> 3306). The same connection attempt from a machine outside the VPC should time out, confirming the database is not exposed.
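The whole procedure above, carried out in dependency order (gateway first, then the route that targets it), as an added boto3 example rather than code from the original post. It assumes boto3 is installed and AWS credentials and a default region are configured; the CIDRs, Availability Zones (us-east-1a/b), group names and database port are assumptions. It goes beyond the walkthrough in one respect: it creates two private subnets in two Availability Zones, because an RDS DB subnet group must span at least two. The EC2 client is passed in as a parameter so the builder can be exercised against a stub without touching an account; the RDS instance itself and the EC2 web server are not created here.

```python
"""Added example: provision the two-tier VPC from the walkthrough with boto3,
in dependency order.  Not the page's own code.  Assumes boto3 is installed and
credentials/region are configured when main() is run; CIDRs, AZs and names
below are assumptions."""


def build_two_tier_vpc(ec2, vpc_cidr="10.0.0.0/16", public_cidr="10.0.0.0/24",
                       private_cidrs=("10.0.1.0/24", "10.0.2.0/24"),
                       azs=("us-east-1a", "us-east-1b"), db_port=3306):
    """Create VPC, subnets, gateways, route tables and security groups.
    Returns the ids of everything created.  The main route table is never
    modified, so it keeps only the local route."""
    ids = {}

    # Step 1: VPC and subnets.  Two private subnets in two AZs because an RDS
    # DB subnet group must span at least two Availability Zones.
    ids["vpc"] = ec2.create_vpc(CidrBlock=vpc_cidr)["Vpc"]["VpcId"]
    ids["public_subnet"] = ec2.create_subnet(
        VpcId=ids["vpc"], CidrBlock=public_cidr, AvailabilityZone=azs[0])["Subnet"]["SubnetId"]
    ec2.modify_subnet_attribute(SubnetId=ids["public_subnet"],
                                MapPublicIpOnLaunch={"Value": True})
    ids["private_subnets"] = [
        ec2.create_subnet(VpcId=ids["vpc"], CidrBlock=cidr,
                          AvailabilityZone=az)["Subnet"]["SubnetId"]
        for cidr, az in zip(private_cidrs, azs)]

    # Step 6 has to come before Step 2: a route cannot target a gateway that
    # does not exist yet.
    ids["igw"] = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=ids["igw"], VpcId=ids["vpc"])

    # Step 2a: explicit public route table, so the main table stays local-only.
    ids["public_rt"] = ec2.create_route_table(VpcId=ids["vpc"])["RouteTable"]["RouteTableId"]
    ec2.create_route(RouteTableId=ids["public_rt"],
                     DestinationCidrBlock="0.0.0.0/0", GatewayId=ids["igw"])
    ec2.associate_route_table(RouteTableId=ids["public_rt"], SubnetId=ids["public_subnet"])

    # Step 5: NAT Gateway in the public subnet with an Elastic IP.
    ids["eip"] = ec2.allocate_address(Domain="vpc")["AllocationId"]
    ids["nat"] = ec2.create_nat_gateway(
        SubnetId=ids["public_subnet"], AllocationId=ids["eip"])["NatGateway"]["NatGatewayId"]
    ec2.get_waiter("nat_gateway_available").wait(NatGatewayIds=[ids["nat"]])

    # Step 2b: private route table, default route via the NAT Gateway.
    ids["private_rt"] = ec2.create_route_table(VpcId=ids["vpc"])["RouteTable"]["RouteTableId"]
    ec2.create_route(RouteTableId=ids["private_rt"],
                     DestinationCidrBlock="0.0.0.0/0", NatGatewayId=ids["nat"])
    for subnet in ids["private_subnets"]:
        ec2.associate_route_table(RouteTableId=ids["private_rt"], SubnetId=subnet)

    # Steps 3/4: security groups.  Web tier accepts 80/443 from anywhere and
    # nothing else (admin access via Session Manager, so no port 22 rule).
    # DB tier accepts the database port only from the web tier's group.
    ids["web_sg"] = ec2.create_security_group(
        GroupName="web-tier", Description="web tier", VpcId=ids["vpc"])["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=ids["web_sg"], IpPermissions=[
        {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]} for port in (80, 443)])
    ids["db_sg"] = ec2.create_security_group(
        GroupName="db-tier", Description="database tier", VpcId=ids["vpc"])["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=ids["db_sg"], IpPermissions=[
        {"IpProtocol": "tcp", "FromPort": db_port, "ToPort": db_port,
         "UserIdGroupPairs": [{"GroupId": ids["web_sg"]}]}])
    return ids


def main():
    import boto3  # imported here so the builder can be tested without boto3
    ids = build_two_tier_vpc(boto3.client("ec2"))
    for name, value in ids.items():
        print(f"{name}: {value}")


if __name__ == "__main__":
    main()
```

Running `main()` creates billable resources (the NAT Gateway is charged per hour); after it returns, create the DB subnet group from `private_subnets`, launch RDS with `db_sg` and public accessibility set to No, and launch the web instance in `public_subnet` with `web_sg`.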

Summary

In this two-tier VPC architecture on AWS, the public subnet hosts EC2 instances that are exposed to the internet, while the private subnet hosts your database (RDS) that is not directly exposed. The NAT Gateway ensures that the private resources can access the internet for updates and services, while the Internet Gateway enables the public-facing resources to communicate with the world.

This architecture separates the web and database layers so that sensitive data and internal services are shielded from external access, and it scales naturally by adding web instances behind a load balancer. Built exactly as walked through above (one Availability Zone, one web instance), it is not highly available: for that, spread the public and private subnets across at least two Availability Zones, put the web tier behind a load balancer in an Auto Scaling group, and use a Multi-AZ RDS deployment.