Traditional Web Hosting on AWS
Challenge name | Cloud(s) | Challenge goal | Contributor |
---|---|---|---|
Traditional Web Hosting on AWS | AWS | Understand how to run your application in a traditional web architecture | @tonytalkstech and @loujaybee |
Intro
The Cloud Resume Challenge uses many serverless technologies, such as Lambda and S3. This focus on serverless allows the challenger to focus on the application and delivery details without having to be bogged down with operational concerns, which is great! Delivering an application to the cloud is one of the most important skills to learn.
Many companies utilize a number of traditional technologies within AWS to deliver applications, most of which are less managed than the serverless technologies. These include Elastic Compute Cloud (EC2), which provides virtual machines in AWS, and Virtual Private Cloud (VPC), which provides virtual networking constructs in AWS.
This challenge is focused on adapting the Cloud Resume Challenge to provide a deeper dive into the traditional technologies, especially focused on the networking stacks within AWS.
Helpful reading
- AWS has a wonderful whitepaper that has a full implementation of this architecture.
- AWS VPCs are notoriously difficult to understand, so it’s helpful to read as much as possible. AWS’s VPC User Guide goes over as much detail as you could ever want. I would recommend focusing on Subnets, Route Tables, NAT Gateways, and Security Groups.
Challenge steps
- Create an EC2 instance based on an Amazon Linux 2 AMI from AWS. Use the default networking components that are given in your AWS account. Make the instance publicly accessible to the internet. Be aware that a running EC2 instance costs money. If you aren’t actively working on this challenge, remember to stop the instance. The lowest-cost EC2 instance is currently the `t4g.nano`, which costs ~$3/month. EC2 instances use Security Groups as stateful firewalls enforced at the instance’s network interface (outside the guest OS, so they complement rather than replace hardening the host). Make sure your EC2 instance’s Security Group only allows inbound HTTP (and, optionally, HTTPS) from the public internet; in particular, do not open SSH (port 22) to 0.0.0.0/0 (if you need a shell, AWS Systems Manager Session Manager works without any inbound rule).
- Install a web server using the `user_data` property on your EC2 instance: invoke `yum` to download `httpd` (Apache). Make your EC2 instance return a simple HTML file when you access it from the public internet over HTTP (and, optionally, HTTPS).
- Configure high availability by using duplicate EC2 instances in multiple Availability Zones in the same Region. Route traffic from the internet across the EC2 instances by using an Application Load Balancer. Application Load Balancers aren’t cheap: they currently cost ~$28/month in the major US Regions.
- Set up Auto Scaling instead of manually creating new EC2 instances and adding each to the load balancer. Use EC2 Auto Scaling. You will always want at least two instances, so set the minimum and desired capacity to two. For now, use CPU Utilization as the scaling metric until a more appropriate metric is available (request count per target, reported by the load balancer, is the usual next step). Be sure to attach your Auto Scaling Group to the Application Load Balancer’s target group so that new instances are registered automatically.
- Deploy your own AWS networking components. You will be creating a VPC to logically separate all deployed AWS resources. Within the VPC, you’ll create multiple Subnets: one for each Availability Zone in the Region (at least two). Security Groups are scoped to a VPC, so with a new VPC you must re-create any Security Groups you previously created. Now that you have your own network, re-create your EC2 instances within the new Subnets. Once the old default network components are no longer in use, delete them.
- Secure your networking by moving your EC2 instances to private subnets in your VPC. What makes a subnet private is its route table: it has no route to an Internet Gateway, so nothing in the subnet can be reached from the public internet (whether it can reach out depends on whether a NAT Gateway route exists, which the next step adds). Lock down your EC2 instances’ Security Group so that its only inbound rule is HTTP from the Application Load Balancer’s Security Group; reference the load balancer’s group ID rather than an IP range, because the load balancer’s addresses change.
- Allow your web servers to reach the internet for package updates and outbound API calls. Create a public subnet in each Availability Zone (one whose route table sends 0.0.0.0/0 to an Internet Gateway), place a NAT Gateway with an Elastic IP in each, and add a 0.0.0.0/0 route to each private subnet’s route table pointing at the NAT Gateway in the same Availability Zone. This permits only outbound connections and their replies; the NAT Gateway accepts no inbound connections from the internet. NAT Gateways are billed by the hour plus per GB processed, so delete them when you aren’t actively working on the challenge.
- Migrate your resume to your EC2 web server instances. Remember to restrict the traffic from the EC2 instances to the API Gateway with Security Group egress rules: the API Gateway call only needs outbound HTTPS (TCP 443), so remove the default allow-all egress rule and add back only the ports you can justify (`yum` updates are the other candidate). Security Groups are stateful, so the responses are allowed automatically.
- Update DNS to point to your Application Load Balancer instead of your CloudFront distribution. A load balancer has no fixed IP address, so use a Route 53 alias record (or a CNAME) to its DNS name rather than an A record with an IP. If you serve HTTPS, attach an ACM certificate to the load balancer’s HTTPS listener.
- Write up a blog post about what you learned! Include a diagram, specifically focusing on the networking details and security. Be sure to reflect on the particular challenges, especially with adapting the Cloud Resume Challenge to this traditional challenge.
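The steps above amount to a handful of rules that are easy to get wrong the first time (which subnets are really private, where the NAT Gateways sit, which group is the only allowed source for the web tier). As an added example that is not part of the challenge page or the contributors’ material, the following Python script audits a VPC design against those rules. The input is a constructed, simplified stand-in for the output of `aws ec2 describe-route-tables`, `describe-nat-gateways` and `describe-security-groups`; every subnet, gateway and group ID in it is made up.

```python
# Added example, not code from the challenge page: an offline audit of the VPC layout and
# Security Groups the steps above ask for. The input is a constructed, simplified stand-in
# for `aws ec2 describe-route-tables`, `describe-nat-gateways` and `describe-security-groups`;
# every subnet, gateway and group id below is made up.


def classify_subnets(route_tables):
    """Map subnet id -> 'public' | 'private' | 'isolated' from each route table's default route.

    A subnet is public when 0.0.0.0/0 goes to an internet gateway (igw-*), private when it
    goes to a NAT gateway (nat-*), and isolated when there is no default route at all.
    """
    kinds = {}
    for table in route_tables:
        default = next((r for r in table["routes"] if r["dest"] == "0.0.0.0/0"), None)
        if default is None:
            kind = "isolated"
        elif default["target"].startswith("igw-"):
            kind = "public"
        elif default["target"].startswith("nat-"):
            kind = "private"
        else:
            kind = "other"
        for subnet in table["subnets"]:
            kinds[subnet] = kind
    return kinds


def nat_placement_findings(route_tables, nat_gateways, kinds):
    """A NAT gateway only works from a public subnet: flag private default routes whose
    gateway sits anywhere else."""
    findings = []
    for table in route_tables:
        for route in table["routes"]:
            if route["dest"] == "0.0.0.0/0" and route["target"].startswith("nat-"):
                home = nat_gateways[route["target"]]
                if kinds.get(home) != "public":
                    findings.append(f"{route['target']} is in {home}, which is not a public subnet")
    return findings


def security_group_findings(groups, alb_sg, web_sg):
    """Only the load balancer faces the internet (80/443); the web tier accepts traffic
    solely from the load balancer's group and sends nothing outbound except HTTPS."""
    findings = []
    for rule in groups[alb_sg]["ingress"]:
        if rule["source"] == "0.0.0.0/0" and rule["port"] not in (80, 443):
            findings.append(f"{alb_sg} exposes port {rule['port']} to the internet")
    for rule in groups[web_sg]["ingress"]:
        if rule["source"] != alb_sg:
            findings.append(f"{web_sg} allows port {rule['port']} from {rule['source']}, not only {alb_sg}")
    for rule in groups[web_sg]["egress"]:
        if rule["port"] != 443:
            findings.append(f"{web_sg} egress allows port {rule['port']}; restrict outbound to TCP 443")
    return findings


def placement_findings(instances, kinds):
    """Web instances belong in private subnets; anywhere else they can be reached around the ALB."""
    return [f"{name} is in {subnet} ({kinds.get(subnet)} subnet)"
            for name, subnet in instances.items() if kinds.get(subnet) != "private"]


def audit(design):
    """Run every check and return the combined list of findings (empty means the design passes)."""
    kinds = classify_subnets(design["route_tables"])
    return (nat_placement_findings(design["route_tables"], design["nat_gateways"], kinds)
            + security_group_findings(design["security_groups"], design["alb_sg"], design["web_sg"])
            + placement_findings(design["instances"], kinds))


# Constructed two-AZ design that still carries leftovers from the early steps: SSH open on
# both groups, the default allow-all egress rule, and one instance left in a public subnet.
DESIGN = {
    "route_tables": [
        {"subnets": ["subnet-pub-a", "subnet-pub-b"], "routes": [{"dest": "0.0.0.0/0", "target": "igw-1"}]},
        {"subnets": ["subnet-priv-a"], "routes": [{"dest": "0.0.0.0/0", "target": "nat-a"}]},
        {"subnets": ["subnet-priv-b"], "routes": [{"dest": "0.0.0.0/0", "target": "nat-b"}]},
    ],
    "nat_gateways": {"nat-a": "subnet-pub-a", "nat-b": "subnet-pub-b"},  # gateway id -> home subnet
    "security_groups": {
        "sg-alb": {"ingress": [{"port": 80, "source": "0.0.0.0/0"}, {"port": 443, "source": "0.0.0.0/0"},
                               {"port": 22, "source": "0.0.0.0/0"}],
                   "egress": [{"port": 80, "source": "sg-web"}]},
        "sg-web": {"ingress": [{"port": 80, "source": "sg-alb"}, {"port": 22, "source": "0.0.0.0/0"}],
                   "egress": [{"port": "all", "source": "0.0.0.0/0"}]},
    },
    "alb_sg": "sg-alb",
    "web_sg": "sg-web",
    "instances": {"web-a": "subnet-priv-a", "web-b": "subnet-pub-b"},
}

if __name__ == "__main__":
    for finding in audit(DESIGN):
        print("FINDING:", finding)
```

Run on the constructed design, `audit()` returns four findings (SSH open on both groups, allow-all egress on the web group, and one instance in a public subnet); once those are fixed it returns an empty list, and moving a NAT Gateway into a private subnet produces exactly one placement finding. The egress rule is deliberately strict (HTTPS only); if your instances fetch packages with `yum` over port 80, add that port to the allowed set rather than restoring allow-all. Pointing the script at a real account means mapping the API responses (each route table’s `Associations` and `Routes`, each NAT gateway’s `SubnetId`, each group’s `IpPermissions` and `IpPermissionsEgress`) onto these dicts.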
Extra credit
- Set up infrastructure-as-code (IaC) instead of pointing and clicking within the AWS Console to create your AWS resources. Define your resources within a Terraform file. Get familiar with `terraform plan` and `terraform apply`. Why Terraform? To learn an IaC tool that can be used across multiple cloud providers.
- Create a deployment pipeline for multiple environments, such as a development environment and a production environment. Deploy your Terraform resources using the same code (with different names and variables). Separate these environments by using two separate VPCs. Separate the pipelines by deploying to the production environment from the default branch (typically `main`), while every other branch deploys to the development environment.
- Replace your Lambda function with EC2 instances hosting the API. This should involve installing Apache (`httpd`) and Python on the new EC2 instances. Place these EC2 instances in a separate subnet from the web server instances and secure the traffic using Security Groups: the API tier’s group should accept traffic only from the web tier’s group, just as the web tier accepts traffic only from the load balancer. If nothing in the private subnets needs outbound internet access any longer, you can remove the NAT Gateways as well; the internet-facing Application Load Balancer still requires public subnets.