Building a highly available application on Amazon Virtual Private Cloud

High availability is a fundamental requirement when building software solutions in a cloud environment. Traditionally it has been a very costly affair, but with AWS one can combine a number of services to achieve high availability, or potentially an “always available” setup. Here is an excellent step-by-step guide to building a highly available application stack on AWS, written by our Cloud Support Engineer Santhoshkumar.

Lab Overview

The diagram below illustrates what we will build.

Create the Base VPC

  • On the services menu click VPC

  • Click Start VPC Wizard

  • Click on the VPC with Public and Private subnets tab and then click “select” button

  • You can change the network range here. The default range is the class A network 10.0.0.0/16.

  • Under the public subnet section, choose the IP address range (10.0.0.0/24) and choose the Availability Zone.

  • Under the private subnet section, choose the IP address range (10.0.1.0/24) and choose the same Availability Zone.

  • In the specify the details of your NAT gateway section, click on “Use a NAT gateway instead” (on the right)

  • From the Key pair name list, choose your key pair.

  • Click create VPC

  • When the VPC is created, click OK.

Launch A Web Server

  • Switch to the EC2 service and click Launch Instance.

  • Choose the Amazon machine image from the AMI list.

  • On the Choose Instance Type page select t2.medium (that is what I use here; choose the instance type according to your requirements), then click Next.

  • On the Configure Instance Details page:

  • In the Network drop-down list, click the VPC you created (10.0.0.0/16)

  • In the Subnet drop-down list, click the public subnet (10.0.0.0/24)

  • In the Auto-assign Public IP drop-down list, click Enable

  • Expand the Advanced Details section and paste the following script into the User data box.

#!/bin/bash
# Runs once at first boot: install Apache, enable it at boot, and start it now
/usr/bin/yum -y install httpd
/sbin/chkconfig httpd on
/sbin/service httpd start

The above user data script runs at first boot and installs and starts the Apache HTTP server (httpd) on your instance. The chkconfig and service commands assume a SysV-init based Linux such as the Amazon Linux AMI.

  • Click Next: Add Storage

  • Choose the storage according to your needs and click Next: Tag Instance.

  • Provide the tag key and value in the appropriate boxes.

  • Click Next: Configure Security Group

On the security group page:

  • Leave Create a new security group selected.

  • In the Security group name box, type Web.

  • Add the following inbound rules to the security group: SSH, HTTP and HTTPS from any source.

  • Click Review and Launch.

  • Choose the key pair, and launch the instance.

Connect To the Webserver in the Public Subnet

  • Select the webserver instance you just created from the instance list.

  • Click the Description tab and locate the public IP address.

  • Enter the public IP address in your browser’s address bar. You should see a page similar to the one below.

The diagram below shows what you have configured so far.

Launch a Back-End Microsoft SQL Server

  • Switch to the EC2 service and click Launch Instance.

  • Choose the Microsoft Windows Server 2008 R2 with SQL Server image from the AMI list.

  • On the Choose Instance Type page select m3.medium, then click Next

  • On the Configure Instance Details page:

  • In the Network drop-down list, click the VPC you created (10.0.0.0/16)

  • In the Subnet drop-down list, click the private subnet (10.0.1.0/24)

  • Expand the Network Interfaces section, and in the Primary IP box for the eth0 device, type 10.0.1.99

  • Click Next: Add Storage

  • Choose the storage according to your needs and click Next: Tag Instance.

  • Provide the tag key and value in the appropriate boxes.

  • Click Next: Configure Security Group

On the security group page:

  • Leave Create a new security group selected.

  • In the Security group name box, type SQL Server.

  • Add the following inbound rules to the security group: RDP (3389) and MS SQL (1433) from any source.

  • Click Review and Launch.

  • Choose the key pair, and launch the instance.

Your network should look like the following diagram. It is not production-ready, because the database server is not yet set up to serve the web server. The NAT gateway provides a route that allows the SQL server to make outbound calls to the internet (for example to download Windows updates) without the server itself being reachable from the internet.

There is one other very important item missing from the environment: a second Availability Zone with another web server and a second database server. AWS gives you access to multiple Availability Zones at no additional cost. The best approach is to mirror servers across two zones and then use load balancing and other techniques to distribute traffic among them.

Manually Create Two More Subnets

You need to create a public subnet and a private subnet in another Availability Zone. These two subnets will be in the same Availability Zone as each other, but in a different Availability Zone from the first pair you created.

  • On the services menu, click VPC

  • In the navigation pane, click Subnets, and then click Create Subnet.

  • Set the following values in the Create Subnet box:

  • Name tag: Public Subnet 2

  • VPC: 10.0.0.0/16

  • Availability Zone: Select a different Availability Zone than the one used for the previous public subnet.

  • CIDR block: 10.0.10.0/24

  • Click Yes, Create.

Now create the private subnet:

  • Click Create Subnet.

  • Set the following values in the Create Subnet box:

  • Name tag: Private Subnet 2

  • VPC: 10.0.0.0/16

  • Availability Zone: Select the same Availability Zone you just used for Public Subnet 2

  • CIDR block: 10.0.11.0/24

  • Click Yes, Create.

Make the Second Subnet Public

  • In the navigation pane, click Subnets, and then select the 10.0.10.0/24 subnet. If more than one subnet is selected, you won’t see the detail tabs.

  • On the Route Table tab, click the blue Edit button to change the associated route table.

  • There is only one choice in the drop-down list, because you cannot replace the current route table with itself.

  • Note the new value in the Target column for internet traffic (0.0.0.0/0): it is the Internet Gateway (igw). A subnet whose route table sends 0.0.0.0/0 to an Internet Gateway is a public subnet; one that sends it to the NAT gateway is private.

  • Click Save.
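The two sections above (creating the second pair of subnets and switching Public Subnet 2 onto the Internet Gateway route table) are easy to get wrong by hand: a subnet left on the main route table never becomes public, and a missing subnet in one zone silently removes the redundancy the whole exercise is about. The following script is an added example, not part of the original post, that checks those properties offline. It models the lab's four subnets and two route tables as constructed records shaped like the output of describe-subnets and describe-route-tables (the subnet-, rtb-, igw- and nat- identifiers and the us-east-1a/1b zone names are placeholders, not values from the lab), verifies that every subnet CIDR fits inside 10.0.0.0/16 without overlapping, classifies each subnet as public or private from its default route, and confirms that each Availability Zone has one of each.

```python
"""Offline sanity check of the lab's VPC layout (added example, not from the post).

Constructed inventory records mirror the shape of describe-subnets /
describe-route-tables output; all identifiers are placeholders.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"

# Constructed: the four subnets from the lab, two per Availability Zone.
SUBNETS = [
    {"id": "subnet-aaaa0001", "name": "Public Subnet 1",  "cidr": "10.0.0.0/24",  "az": "us-east-1a"},
    {"id": "subnet-aaaa0002", "name": "Private Subnet 1", "cidr": "10.0.1.0/24",  "az": "us-east-1a"},
    {"id": "subnet-bbbb0001", "name": "Public Subnet 2",  "cidr": "10.0.10.0/24", "az": "us-east-1b"},
    {"id": "subnet-bbbb0002", "name": "Private Subnet 2", "cidr": "10.0.11.0/24", "az": "us-east-1b"},
]

# Constructed: the route tables after the edit above has been made.
ROUTE_TABLES = [
    {"id": "rtb-public", "associations": ["subnet-aaaa0001", "subnet-bbbb0001"],
     "routes": [{"dest": "10.0.0.0/16", "target": "local"},
                {"dest": "0.0.0.0/0", "target": "igw-placeholder"}]},
    {"id": "rtb-private", "associations": ["subnet-aaaa0002", "subnet-bbbb0002"],
     "routes": [{"dest": "10.0.0.0/16", "target": "local"},
                {"dest": "0.0.0.0/0", "target": "nat-placeholder"}]},
]


def check_cidrs(vpc_cidr, subnets):
    """Return problems: subnets outside the VPC range, or subnets that overlap each other."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [(s["name"], ipaddress.ip_network(s["cidr"])) for s in subnets]
    problems = []
    for name, net in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{name} ({net}) is outside {vpc}")
    for i, (name_a, a) in enumerate(nets):
        for name_b, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{name_a} ({a}) overlaps {name_b} ({b})")
    return problems


def classify_subnets(subnets, route_tables):
    """Map subnet id -> 'public' / 'private' / 'isolated' / 'unassociated'.

    Public: the associated route table sends 0.0.0.0/0 to an Internet Gateway.
    Private: the default route is a NAT gateway. Isolated: no default route.
    Unassociated: no explicit route table association (falls back to the main table).
    """
    result = {}
    for rt in route_tables:
        default = next((r["target"] for r in rt["routes"] if r["dest"] == "0.0.0.0/0"), None)
        if default is None:
            kind = "isolated"
        elif default.startswith("igw-"):
            kind = "public"
        elif default.startswith("nat-"):
            kind = "private"
        else:
            kind = "unknown"
        for subnet_id in rt["associations"]:
            result[subnet_id] = kind
    for s in subnets:
        result.setdefault(s["id"], "unassociated")
    return result


def check_multi_az(subnets, classes):
    """Return the gaps that would defeat the two-zone design: a zone lacking a
    public or private subnet, or fewer than two zones in use."""
    per_az = {}
    for s in subnets:
        per_az.setdefault(s["az"], set()).add(classes.get(s["id"]))
    gaps = []
    for az, kinds in sorted(per_az.items()):
        for needed in ("public", "private"):
            if needed not in kinds:
                gaps.append(f"{az} has no {needed} subnet")
    if len(per_az) < 2:
        gaps.append("fewer than two Availability Zones in use")
    return gaps


if __name__ == "__main__":
    print("CIDR problems:", check_cidrs(VPC_CIDR, SUBNETS) or "none")
    classes = classify_subnets(SUBNETS, ROUTE_TABLES)
    for s in SUBNETS:
        print(f"{s['name']:<17} {s['cidr']:<13} {s['az']}  {classes[s['id']]}")
    print("HA gaps:", check_multi_az(SUBNETS, classes) or "none")
```

To use it against a real account, replace the constructed SUBNETS and ROUTE_TABLES with the corresponding fields from describe-subnets and describe-route-tables; the classification rule is the same one the console step above relies on (default route to igw means public).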

Your VPC Should Now Look Like This

Launch a Bastion Windows Host

  • A bastion host is a hardened server, placed in the public subnet, that serves as the single entry point for administrative access to the instances in the private subnets; it is configured to withstand attack and to prevent unauthorized network access to the servers behind it.

  • You should create your bastion host in your public subnet.

  • Switch to the EC2 service and click Launch Instance.

  • Choose the Microsoft Windows Server 2008 R2 Base from the AMI list.

  • On the Choose Instance Type page select t2.small (again, the size is your choice), then click Next

  • On the Configure Instance Details page:

  • In the Network drop-down list, click the VPC you created (10.0.0.0/16)

  • In the Subnet drop-down list, click the new public subnet (10.0.10.0/24)

  • Click Next: Add Storage

  • Choose the storage according to your needs and click Next: Tag Instance.

  • Provide the tag key and value in the appropriate boxes.

  • Click Next: Configure Security Group

On the security group page:

  • Leave Create a new security group selected.

  • In the Security group name box, type Bastion Windows.

  • Add the following inbound rule to the security group: RDP (3389) from any source.

  • Click Review and Launch.

  • Choose the key pair, and launch the instance.

Now that you have a security group for the bastion server, change the rules of the database server’s security group so that it accepts RDP traffic only from the bastion security group.

  • In the EC2 management console, click Security Groups in the navigation pane.

  • Select the Bastion Windows security group to view its Details tab.

  • Copy the value of Group ID to your clipboard.

  • Select the SQL Server security group, click the Inbound tab, click Edit, and then click the delete icon (x) to remove the rule for port 3389 (RDP).

  • Create a new 3389 (RDP) rule that is restricted to the Bastion Windows security group:

  • Click Add Rule, and then, in the Source box, paste the security group ID you copied before.

  • Click Save.
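The change just made by hand, replacing a “from any source” RDP rule on the database group with one whose source is the bastion group’s ID, is the kind of thing worth checking mechanically, because the groups created earlier in this lab also leave SSH on the Web group, MS SQL (1433) on the SQL Server group and RDP on the bastion group open to 0.0.0.0/0. The script below is an added example, not part of the original post. It models the three security groups as constructed records shaped like describe-security-groups output (the sg- IDs are placeholders), applies the same restriction the steps above perform in the console, and audits the result. The “hardened” variant goes beyond the lab and is an assumption for illustration: it sources 1433 from the Web group and administrative ports from an office range, using the RFC 5737 documentation block 203.0.113.0/24 as a stand-in for a real one.

```python
"""Offline audit of the lab's security groups (added example, not from the post).

Rule records are constructed and mirror the console's model: each inbound rule
has a 'port' and either a 'cidr' source or an 'sg' (referenced group) source.
All sg- identifiers are placeholders.
"""
import copy

ANYWHERE = "0.0.0.0/0"
# Administrative and database ports that should never be reachable from ANYWHERE in this design.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL"}

# Constructed: the groups exactly as the lab steps create them (every rule from any source).
LAB_GROUPS = {
    "sg-web": {"name": "Web", "inbound": [
        {"port": 22, "cidr": ANYWHERE}, {"port": 80, "cidr": ANYWHERE}, {"port": 443, "cidr": ANYWHERE}]},
    "sg-sql": {"name": "SQL Server", "inbound": [
        {"port": 3389, "cidr": ANYWHERE}, {"port": 1433, "cidr": ANYWHERE}]},
    "sg-bastion": {"name": "Bastion Windows", "inbound": [{"port": 3389, "cidr": ANYWHERE}]},
}

# Constructed hardened state (an assumption beyond what the lab does): database reachable
# only from the Web group on 1433 and from the bastion on 3389; SSH/RDP from the internet
# only from an administrative range. 203.0.113.0/24 is the RFC 5737 documentation range.
ADMIN_CIDR = "203.0.113.0/24"
HARDENED_GROUPS = {
    "sg-web": {"name": "Web", "inbound": [
        {"port": 22, "cidr": ADMIN_CIDR}, {"port": 80, "cidr": ANYWHERE}, {"port": 443, "cidr": ANYWHERE}]},
    "sg-sql": {"name": "SQL Server", "inbound": [
        {"port": 3389, "sg": "sg-bastion"}, {"port": 1433, "sg": "sg-web"}]},
    "sg-bastion": {"name": "Bastion Windows", "inbound": [{"port": 3389, "cidr": ADMIN_CIDR}]},
}


def restrict_rdp_to_bastion(groups, db_sg_id="sg-sql", bastion_sg_id="sg-bastion"):
    """Return a copy of groups with the lab's manual edit applied: remove every 3389 rule
    from the database group and add one whose source is the bastion group."""
    new = copy.deepcopy(groups)
    db = new[db_sg_id]
    db["inbound"] = [r for r in db["inbound"] if r["port"] != 3389]
    db["inbound"].append({"port": 3389, "sg": bastion_sg_id})
    return new


def audit(groups, db_sg_id="sg-sql", bastion_sg_id="sg-bastion"):
    """Return a list of findings: sensitive ports open to the whole internet, and
    RDP on the database group that is not sourced from the bastion group."""
    findings = []
    for sg_id, group in groups.items():
        for rule in group["inbound"]:
            port = rule["port"]
            if rule.get("cidr") == ANYWHERE and port in SENSITIVE_PORTS:
                findings.append(f"{group['name']}: {SENSITIVE_PORTS[port]}/{port} open to {ANYWHERE}")
            if sg_id == db_sg_id and port == 3389 and rule.get("sg") != bastion_sg_id:
                findings.append(f"{group['name']}: RDP/3389 not restricted to bastion group {bastion_sg_id}")
    return findings


if __name__ == "__main__":
    for label, groups in (("as created", LAB_GROUPS),
                          ("after bastion restriction", restrict_rdp_to_bastion(LAB_GROUPS)),
                          ("hardened", HARDENED_GROUPS)):
        print(f"== {label} ==")
        for f in audit(groups) or ["no findings"]:
            print("  " + f)
```

Running it shows that the console edit above closes the RDP exposure on the database group but leaves the other three world-open sensitive rules in place; the hardened variant is what the audit passes cleanly.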

In order to reach the bastion server from the internet, it needs a public IP. Once an Elastic IP is associated, the address will appear in the details of the bastion host.

  • In the navigation pane, click Elastic IPs

  • Click Allocate New Address.

  • Click Yes, Allocate, and then click Close.

  • Right-click the new address and choose Associate Address; in the dialog box, click in the Instance box and then click your Bastion Windows host instance.

  • Click Associate

Retrieve your Windows Password

  • Go to the EC2 console

  • In the navigation pane, click Instances

  • Right-click the bastion host instance, and then click Get Windows Password.

  • Click Choose File, and then navigate to the EC2 .pem key file that you downloaded.

  • Click Decrypt Password

  • Make a note of the Elastic IP, username and password.

  • Click Close.

Connect To the Bastion Server

  • Start the RDP client on your local PC

  • Provide your Bastion server credentials to connect and then click OK

  • Click yes if you see a certificate verification message

  • Proceed to the next section

Login to the Database Server

Using the previous steps as a guide, retrieve the password for the SQL Server instance.

  • Switch to your Remote Desktop Client session.

  • In the remote session, click Start, click Run, type mstsc, and then press Enter to start Remote Desktop Connection.

  • Provide your SQL Server credentials (private IP 10.0.1.99) to connect and then click OK

  • Click yes if you see a certificate verification message

  • You are now connected to the SQL Server through the bastion host.

Your connection path will look as shown in the following diagram.

That’s it. You can now start deploying your highly available application in a secured environment.

Nagaraj Guruswamy

Nagaraj leads a team of engineers at Powerupcloud who manage infrastructure and DevOps for a variety of customers. Nag is as adept at VMWare/OpenStack/HyperV as he is at AWS/Azure/Google Cloud
