A Practical Guide To Deploying A Three-tier Application On AWS

Kelvin Onuchukwu - Jun 1 '23 - - Dev Community

This post was originally published at Practical Cloud.

View the longer, original version here.

Multi-tiered architectures have become the most popular ways of designing and building applications in the cloud. This is primarily because they offer high availability, replication, flexibility, security and many other numerous benefits. This is as opposed to single-tier architectures which typically involves packaging all the requisite components of a software application into a single server.

The most popular multi-tier design pattern is a three-tier architecture. The three-tier architecture consists of the following layers:

  • Presentation Layer: This is the outermost layer of the application and provides an interface for interacting with the user. It also provides a secure communication channel with the other tiers.
  • Logic Layer: This is where information is processed and application logic is executed. It processes input from the presentation layers, processes it and also communicates with the data layer when necessary. it is also known as the application layer or middleware.
  • Data Layer: This is where the database management system sits, thus providing it with a secure, isolated environment for storing and managing application information.

In this guide, we are going to design a very fault-tolerant, highly scalable Flask application on AWS using the three-tier architecture design pattern.

Architectural Design

The Presentation layer will comprise of; Cloudfront, Elastic Load Balancer, Internet Gateway, NAT Gateway and two Bastion Hosts.
The Application (Logic) Layer will consist of EC2 instances based on EBS volumes, provisioned through an Auto Scaling group.
The Data Layer will be made up of a PostgresQL Database with a Read Replica. The EC2 instances provisioned in the application layer will be connected to an Elastic Filesystem for data storage. So technically, the EFS is also residing in this layer.

Bonus:

  • AWS Route 53 will be used to provide a domain name for the application.
  • We will integrate ClodFront with the Application Load Balancer to provide worldwide accelerated content delivery and reduce latency.
  • Terraform will be used as the Infrastructure-as-code (IAC) tool to automate this whole process from end to end.

To automatically create this architecture from end to end, click on this Link to get the Terraform code.

This is a first-part of a three series project.
In the second project, we will implement DevOps on AWS via CodePipeline, CodeBuild and CodeDeploy.
The third project introduces a Reporting Layer into the architecture.
This part focuses soley on designing and deploying three-tier architecture for a Flask application on AWS.

Let's begin. Shall we?
Image description

Step 1: Create The Environment.

Firstly we will create a VPC. A virtual private cloud is a secure, isolated, networking environment hosted in a public Cloud. A VPC is more or less a virtual data center in the cloud. This is where most of our application resources will be hosted.

AWS VPC environment
My VPC has a name tag of project-x. This means that all other resources created within this VPC will have the prefix of "project-x".
You can also notice that I am assigning a CIDR block of 10.0.0.0/16 to my VPC. This is a block of private IP addresses from which my VPC resources will get their local addresses.

AWS VPC Console
Notice that I am in the us-east-1 region (North Virginia).
Our VPC will be provisioned in three availability zones. 6 subnets will be created in total. Three public and three private ones. The public subnets are public soley because an internet gateway will be attached to them.
Also notice that I am creating a NAT gateway. This NAT gateway will be used by the EC2 instances hosting our application to connect to the internet (E.g: For Updates).

Step 2: Create A Security Group

A security group acts like a firewall and determines how traffic will enter or exit instances.
Since our web servers will be hosted in the logic-tier, it is important that we restrict the type of traffic entering them.

The name of our security group will be "project-x-logic-tier-sg"
The security group must allow inbound traffic on port 5000 since that is the port on which Flask listens on.

Creating a security group

Step 3: Create A Launch Template

A Launch Template is a way of specifying important configuration details such that we can then launch instances using the details in the template. This template will be used by an auto scaling group to create instances in our Application tier.

AWS EC2 Management Console
I assigned a name and description to my template. Notice also that i duly tagged the environment as "prod".

Ec2 Console
I am using a "t3.xlarge" instance type.
Be sure to select the "project-x-logic-tier-sg" security group.
Leave every other detting as is.
Under "Advanced details", I am going to paste in the following under user data:



#!/bin/bash

# Mount EFS
fsname=fs-093de1afae7166759.efs.us-east-1.amazonaws.com # You must change this value to represent your EFS DNS name.
mkdir /efs
mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport $fsname:/ /efs

# install and set up Flask
apt update
apt upgrade -y
apt install python3-flask mysql-client mysql-server python3-pip python3-venv -y
apt install sox ffmpeg libcairo2 libcairo2-dev -y
apt install python3-dev default-libmysqlclient-dev build-essential -y



Enter fullscreen mode Exit fullscreen mode

Step 4: Create an Autoscaling Group, Elastic Load balancer And Target Group

The Load balancer is the entry point to the application.
The Application Load Balancer, residing in the presentation layer, will route traffic through the AutoScaling Group to logic-tier instances residing in the logic layer.

EC2 Management Console

Creating an autoscaling group
I am naming this Autoscaling group "project-x-asg"
Click on next. Select the "project-x-vpc" we created earlier. Also make sure that you select only the private subnets from the three availability zones. This is very crucial since our VPC will be launched in the logic tier. The subnets must not be public.

Creating an ASG

Click on next.
Under "Configure advanced options", select "Attach to a new load balancer". Also select "Create a target group".
On the next page, we'll configure our ASG to have a minium capacity of 2, a desired capacity of 4 and a maximum capacity of 6. We'll also set up scaling based on target tracking metrics to scale based on average CPU Utilization.

Create an ASG
You can decide to add tags. I'll add a tag name of "Environment" with a value of "Prod". this will be needed during the CodeDeploy stage.

creating an ASG

Create your ASG.

Step 5: Attach An Elastic Filesystem

AWS EFS is a fully managed, highly scalable shared storage solution in the cloud. It is NFS compatible.
This Elastic filesystem will provide shared storage for all our application tier servers. Since it provides storage, EFS sits in the data layer of the three tier architecture.

First Create a new security group. This security group should allow only inbound NFS traffic from the security group of our logic-tier instances. You can get a detailed guide on how to create that Here
**
Go to the EFS console. Click on "
Create filesystem*" and then click on **customize*.

EFS Console

Assign a name to your EFS. Leave every other setting as default. Click on Next.

EFS Console
On the Network access page, select your propject-x VPC. Select the EFS security group you have created. Click on next.

Under Filesystem Policy, leave everything as default.
EFS Console

Skip to Review and then Create your filesystem.
Now we must update our user data to look like this:



#!/bin/bash

# Use Google's DNS
echo "nameserver 8.8.8.8" >> /etc/resolv.conf

# Force apt to use IPV4
apt-get -o Acquire::ForceIPv4=true update

# Change hostname
echo "project-x-app-server" > /etc/hostname

# Install efs-utils
apt-get install awscli -y
mkdir /efs
sudo apt-get -y install git binutils
git clone https://github.com/aws/efs-utils
cd /efs-utils
./build-deb.sh
apt-get -y install ./build/amazon-efs-utils*deb

# Mount EFS
fsname=$(aws efs describe-file-systems --region us-east-1 --creation-token project-x --output table |grep FileSystemId |awk '{print $(NF-1)}')
mount -t efs $fsname /efs

# Get DB credentials
DB=$(aws rds describe-db-instances --db-instance-identifier --region us-east-1 database-1 --output table |grep DBName |awk '{print $(NF-1)}')
HOST=$( aws rds describe-db-instances --db-instance-identifier --region us-east-1 database-1 --output table |grep Address |awk '{print $(NF-1)}')
ARN=$(aws secretsmanager list-secrets --region us-east-1 --filters "Key=tag-value, Values=project-x-rds-mysqldb-instance" --output table |grep ARN |awk '{print $(NF-1)}')
USER=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id $ARN --output table |grep -w SecretString |awk '{print $3}' |cut -d: -f2 |sed 's/password//' |tr -d '",')
PRE_PASSWORD=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id $ARN --output table |grep -w SecretString |awk '{print $3}' |cut -d: -f3 |tr -d '"')
PASSWORD=${PRE_PASSWORD%?}

# install and set up Flask
apt-get update -y && apt-get upgrade -y 
apt-get install python3-flask mysql-client mysql-server python3-pip python3-venv -y 
apt-get install sox ffmpeg libcairo2 libcairo2-dev -y 
apt-get install python3-dev default-libmysqlclient-dev build-essential -y 

# Clone the app
cd /
git clone https://github.com/Kelvinskell/terra-tier.git
cd /terra-tier

# Populate App with environmental variables
echo "MYSQL_ROOT_PASSWORD=$PASSWORD" > .env
cd /terra-tier/application
echo "MYSQL_DB=$DB" > .env
echo "MYSQL_HOST=$HOST" >> .env
echo "MYSQL_USER=$USER" >> .env
echo "DATABASE_PASSWORD=$PASSWORD" >> .env
echo "MYSQL_ROOT_PASSWORD=$PASSWORD" >> .env
echo "SECRET_KEY=08dae760c2488d8a0dca1bfb" >> .env # FLASK EXTENSION KEY. NOT NECESSARILY A "SECRET".
echo "API_KEY=f39307bb61fb31ea2c458479762b9acc" >> .env 
# YOU TYPICALLY DON'T ADD SECRETS SUCH AS API KEYS AS PART OF SOURCE CONTROL IN PLAIN TEXT.
# THIS IS BEIGN ADDED HERE SO THAT YOU CAN EASILY REPLICATE THIS INFRASTRUCTURE WITHOUT ANY HASSLES.
# YOU CAN REPLACE IT WITH YOUR OWN MEDIASTACK API KEY.

# Setup virtual environment
cd /terra-tier
python3 -m venv venv
source venv/bin/activate

# Run Flask Application
pip install -r requirements.txt
export FLASK_APP=run.py
export FLASK_ENV=production
flask run -h 0.0.0.0


Enter fullscreen mode Exit fullscreen mode

Here is where you find your filesystem's DNS name.
AWS EFs Console
Make sure to change the value of the "fsname" variable to represent your own filesystem's DNS name.

Step 6: Create A Bastion Host

A Bastion Host is a special server used to manage access to servers sitting in an internal network or other private AWS resources from an external network. The bastion host sits in the public network and provides limited access to administrators to log in to servers sitting in an isolated network. It is also commonly referred to as a Jump Box or Jump Server.

From the bastion host, we'll be able to gain SSH access into our application layer servers, for administrative purposes.

Here is a good resource on how to create your bastion host and connect to your logic layer servers through it.
Security Caution: Connecting to bastion hosts using ssh key-pairs is no longer the recommended practice. Instead use AWS Systems Manager for a more secure connection and tunneling through the bastion host to your private instances.

Step 7: Create A Database

The database solidly sits in the data layer, together with the Elastic filesystem.
Our Flask application will need to connect to a relational database. We will be using MYSQL for this architecure.
MYSQL is a widely relational database management system (DBMS) which is free and open source. MYSQL is renowned for its ability to support large production workloads, hence its suitability for our project.

We will however be utilizing Amazon RDS for MYSQL. It is a fully managed database solution in the cloud.

On the RDS Console, click on Databases and then clcik on "Create database".

RDS Console
I am selecting a Production template and choosing Multi-AZ DB-instance.
AWS RDS Console

Select your master username and DB Instance Class. We'll be using AWS SEcrets manager for managing our DB credentials.

Creating RDS database

Under "Connectivity", select the project-x-vpc. Click on "Create a new security group".
Create MYSQL RDS

Create a security group that only allows incoming traffic on port 3306 from security group of the application layer servers. Select the security group.

Under "Database Authentication", choose "password".

Go down to "Advanced Options", Under "database name", choose "newsreadb". (You must choose this exact name for the Flask App to be able to connect to the database).

Click on Create database.

Now our architecture is almost ready !!!
AWS 3-tier Architecture

To connect to the database, our application will execute API calls to AWS Secrets Manager in order to get the DB credentials. Therefore, we must create an IAM role that allows it to perform that. We will also modify the launch template to attach the role as instance profile for our application layer servers.

Step 8: Create An IAM Role And Modify Launch Template

Go to the IAM Dashboard and click on Roles.
Click on Create Role. Under UseCase, select EC2 and click Next.
Search for secrets and select the permission that pops up.

AWS IAM Dashboard

Click on next and click on Create Role.

Next, we'll need to modify our launch template to include this role so that our logic tier servers can assume it to communicate with AWS Secrets Manager.

Go to the EC2 Console, select launch templates, Actions and click on "Modify launch template"

Modify launch template

Go to "Advanced details", Click on the box under IAM instance profile and then select your newly created role. Click on Create.
Launch template

Finally, be sure to set the new version as the default version.

Launch template

AND YOU're DONE !!!!!!!
Our three-tier application should now be up and running.

Step 9: Accessing Your Application

If you have followed through with all these steps, Congrats.
Now to access your application, you have to visit the EC2 console to get the domain name of your load balancer.

Go to the EC2 Console and click on Load Balancers.

EC@ Load balancer

Copy the DNS Name

AWS EC2 Console: Load balancer

Now paste this into a web browser.

Flask app running on AWS

Flask app running on AWS using 3-tier architecture

Flask Appplication running on AWs using 3-tier architecture

That's it. If you made it this far, Congratulations.

. . . . . . . . . . . . . . . . . .