Deploying a Private Application on AWS
Deploy a secure, private AWS application using Site-to-Site VPN with multi-region VPCs, load balancing, and Terraform IaC for an enterprise-level setup.
Mohamed S.
Amazon Employee
Published Aug 28, 2024
Last Modified Sep 5, 2024
This project showcases an advanced cloud architecture that deploys a private application on AWS, accessible only through a secure Site-to-Site VPN connection. The setup simulates an enterprise environment with the following key components:
- Client Network Simulation: A VPC in the us-east-2 region acts as the on-premises network.
- Application Hosting: A separate VPC in us-east-1 hosts the private application.
- Secure Connectivity: An AWS Site-to-Site VPN bridges the two VPCs, ensuring encrypted communication.
- Client VPC :
- Consists of two subnets: a private subnet hosting a client EC2 instance, and a public subnet hosting a Customer Gateway (CGW) instance.
- The client EC2 instance connects to the application using the DNS name access.myapp.internal through a Python script that sends GET requests every 5 seconds.
- The CGW instance serves as the gateway for the Client VPC, handling VPN termination with OpenSwan and DNS functionalities with dnsmasq.
- Application VPC :
- Includes an Amazon Route 53 (R53) inbound resolver endpoint to allow inbound traffic from the DNS server located in the on-premises network.
- An Application Load Balancer (ALB) forwards traffic to two EC2 instances running the web application, with access logs enabled.
- A Private Hosted Zone in Route 53 with an alias record matching access.myapp.internal to the ALB's FQDN.
- The web application is a Flask application with the following functionality:
- Connects to an ElastiCache Redis instance using the REDIS_HOST environment variable.
- Defines two routes: /health (returns a JSON response with the status "healthy") and / (the root route for visitor counting).
- When the root route is accessed, the application retrieves the current visitor count from Redis, increments it, stores the new count, generates a welcome message, and returns a JSON response with the message.
- Logs any exceptions and returns a JSON response with the error message and a 500 HTTP status code.
- Runs on 0.0.0.0 (all available interfaces) and listens on port 5000.
The project is implemented using Terraform, an Infrastructure as Code (IaC) tool that enables easy deployment and management of AWS resources. The Terraform configuration is organized into modules for better code organization and reusability. The main components of the project structure include:
main.tf
: The main Terraform file that orchestrates the deployment of the entire infrastructure across the two AWS regions.modules/
: A directory containing various Terraform modules responsible for creating and configuring specific resources, such as VPCs, EC2 instances, ALB, ElastiCache, Route53, and more.user_data_scripts/
: Directory containing user data scripts (app_user_data.sh
andclient_user_data.sh
) executed on the respective EC2 instances during launch for tasks like installing Docker, building the Flask application Docker image, running the application container, and configuring the client instance for DNS resolution.variables.tf
: File defining the input variables required for the Terraform configuration, allowing customization of the deployment based on specific requirements.
The main Terraform file (
main.tf
) orchestrates the deployment of the entire infrastructure by following these steps:- Provider Configuration :
- VPC and Networking Setup
- Security Groups
- VPN and VGW Setup
- ElastiCache Setup
- IAM and S3 Setup
- EC2 Instances for the Application
- Application Load Balancer (ALB)
- Customer Gateway (CGW) Setup
- DNS and Route53 Setup
- Client EC2 Instance
Prerequisites
- Terraform: Ensure that Terraform is installed on your system.
- AWS CLI: Configure the AWS CLI with the appropriate credentials to manage your AWS resources.
Deployment Steps
Step 1: Repository Cloning :
Step 2: AMI Configuration / S3 bucket name suggestion / S3 deletion (later)
Step 3: S3 Module Configuration
Update
./modules/s3/main.tf
:Step 4: Initialize and Validate Terraform Configuration
Step 5: Apply Terraform Configuration
Step 6: Deployment Verification
- Verify IPsec status in the CGW EC2 instance.
- Confirm VPN connection status in the App VPC region is "UP".
- Use AWS Systems Manager Session Manager to log into one of the App VPC instances.
- Test connectivity by pinging the Client EC2 instance's private IP from the App VPC instance.
- From the Client EC2 instance, ping AppInstance1 to confirm bi-directional connectivity.
Step 7: Test Web Application Access
- Verify the health status of targets in the ALB Target Group :
- Confirm the DNSmasq service is operational in the CGW EC2 instance. :
- Test DNS resolution of "access.myapp.internal" from the Client EC2 instance. :
- Execute the provided script on the client instance to verify web application accessibility.
Execute the following command :
Confirm the destruction when prompted.
- The deployment process typically takes around 15 minutes to complete.
- Always review and understand the changes before applying or destroying infrastructure.
- Ensure you have the necessary permissions in your AWS account to create and manage the resources defined in the Terraform configuration.
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.