Deploy a Production-Grade 3-Tier Architecture on AWS | CloudFront, ALB, ASG, EC2, RDS, CloudWatch - Part 1

Gabin Sime

In this project, we will architect and deploy a robust, production-grade 3-tier infrastructure on AWS. Leveraging services such as CloudFront, Application Load Balancer (ALB), Auto Scaling Groups (ASG), EC2, RDS, and CloudWatch, we will create a secure, scalable, and highly efficient environment within a Virtual Private Cloud (VPC). This solution is tailored to support dynamic web applications, ensuring optimal performance, reliability, and resilience.

Tool stack overview

Route53
AWS Route53 is a scalable and highly available Domain Name System (DNS) web service that provides domain registration, DNS routing, and health checks for applications.

CloudFront
AWS CloudFront is a fast content delivery network (CDN) that securely delivers data, videos, and applications to users globally, reducing latency by caching content at edge locations.

AWS Certificate Manager
AWS Certificate Manager (ACM) simplifies the process of provisioning, managing, and deploying SSL/TLS certificates for secure website and application connections.

CloudWatch Alarm
AWS CloudWatch Alarm monitors metrics and triggers actions (e.g., sending notifications or auto-scaling) based on defined thresholds to help maintain application health.

CloudWatch Logs
AWS CloudWatch Logs enables real-time monitoring, storage, and analysis of log data from applications, systems, and AWS resources.

RDS MySQL
Amazon RDS MySQL is a managed database service that simplifies the deployment, scaling, and maintenance of MySQL databases in the cloud.

EC2
Amazon EC2 provides resizable compute capacity in the cloud, allowing users to run virtual servers and scale resources as needed for applications.

Application Load Balancer
AWS Application Load Balancer (ALB) distributes incoming application traffic across multiple targets (e.g., EC2 instances) to ensure high availability and performance.

NGINX
NGINX is a high-performance web server, reverse proxy, and load balancer, widely used to handle high traffic and optimize application delivery.

PM2
PM2 is a Node.js process manager that simplifies application deployment, monitoring, and management, ensuring reliability and performance.

Node.js
Node.js is a JavaScript runtime built on Chrome's V8 engine, enabling developers to create fast, scalable server-side and networking applications.

React
React is a popular JavaScript library for building interactive and dynamic user interfaces, primarily for single-page web applications.

Step-by-Step Breakdown of Our Highly Available and Scalable 3-Tier Architecture

1️⃣ Establishing the AWS Cloud Environment

The foundation of our solution starts with defining a secure and scalable AWS cloud environment. This involves creating a Virtual Private Cloud (VPC) that ensures network isolation and provides a structured deployment environment for all application components.

  • The VPC is configured with private and public subnets to segregate workloads.

  • A NAT Gateway is deployed to allow private instances to access the internet securely for updates.

  • Security Groups and Network ACLs are used to enforce traffic restrictions and segmentation.

2️⃣ Configuring High Availability & Network Segmentation

To enhance fault tolerance and availability, we distribute resources across two AWS Availability Zones (AZs). Each AZ will have three subnets to separate different layers of the application:

  • Public Subnet – Hosts the presentation tier for handling external user traffic.

  • Private Application Subnet – Hosts the backend application services, ensuring isolation from external threats.

  • Private Data Subnet – Houses the database for enhanced security and resilience, restricting external access.

3️⃣ Data Tier: Ensuring High Availability and Durability

  • Amazon RDS MySQL is deployed with Multi-AZ replication to ensure redundancy and minimize downtime.

  • The Primary RDS instance resides in AZ-1’s private data subnet, while a Standby instance is placed in AZ-2’s private data subnet.

  • Multi-AZ provides automatic failover: if the primary instance fails, AWS RDS promotes the standby instance and transitions operations to it, keeping downtime to a minimum.

  • Automated backups, snapshots, and point-in-time recovery are enabled to prevent data loss.

4️⃣ Application Tier: Scalability & Performance Optimization

To handle fluctuating demand, we deploy an Auto Scaling Group (ASG) that dynamically manages EC2 instances across multiple AZs, ensuring:

  • Automatic resource optimization based on real-time traffic, adjusting capacity dynamically.

  • Load balancing across instances for high availability and performance, leveraging AWS Elastic Load Balancing (ELB).

  • Each EC2 instance runs Node.js, managed by PM2 to ensure process reliability and seamless restarts.

  • An internal Application Load Balancer (ALB) is used to distribute traffic within the application tier efficiently.

  • IAM Roles and Policies restrict access to necessary AWS services only, ensuring security best practices.

5️⃣ Presentation Tier: Managing External Traffic & User Access

To efficiently manage user traffic and serve the frontend application:

  • A second Auto Scaling Group (ASG) ensures the presentation tier remains highly available across AZs.

  • A bastion host is deployed outside the ASG for secure administrative access to private resources, reducing attack surface exposure.

  • Each EC2 instance within this tier serves as an endpoint, running NGINX to deliver the React.js frontend, improving request handling and caching static content.

  • The presentation tier EC2 instances only accept traffic from the internet-facing ALB, ensuring a structured security posture.

6️⃣ Load Balancing for Scalability & Resilience

To enhance performance and security, we implement a two-tier load balancing approach:

  • Internal ALB – Distributes traffic across backend EC2 instances, ensuring requests are efficiently routed.

  • Internet-Facing ALB – Handles external requests, routing them to the presentation tier instances securely.

  • Sticky Sessions and Connection Draining are enabled for improved user experience and stability.

7️⃣ End-User Connectivity & Secure Access

To ensure secure communication and reliable domain resolution:

  • Amazon Route 53 is used for domain name resolution, ensuring proper traffic routing and failover mechanisms.

  • An SSL/TLS certificate is procured via AWS Certificate Manager (ACM) for secure HTTPS connections, enforcing end-to-end encryption.

  • AWS CloudFront is integrated as a Content Delivery Network (CDN) to encrypt data in transit and accelerate content delivery to end users by caching content at edge locations, reducing latency.

8️⃣ Observability, Monitoring & Cost Efficiency

To optimize performance, manage scaling, and ensure operational efficiency:

  • Amazon CloudWatch is integrated for real-time observability, logging, and monitoring across all tiers.

  • CloudWatch Logs store application logs for debugging and performance tracking, ensuring detailed insights.

  • CloudWatch Alarms trigger auto-scaling actions, dynamically adjusting resources based on demand and predefined metrics such as CPU utilization and memory consumption.

  • AWS Systems Manager (SSM) is implemented to provide remote access to instances without exposing SSH ports, enhancing security.

  • Auto-scaling ensures cost efficiency by scaling out during peak loads and scaling in during low traffic periods, preventing over-provisioning and reducing AWS costs.

  • AWS Trusted Advisor is used to continuously monitor best practices and cost optimizations, providing recommendations on performance, security, and fault tolerance.
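
One way to verify the security-group chain these steps describe (internet-facing ALB to presentation tier, internal ALB to application tier, application tier to RDS, no SSH exposed), as an added example that is not code from the original post: a small Python policy check over ingress rules in the shape of the AWS `describe-security-groups` output. The group IDs, the Node.js port 3000 and the sample rules are assumptions constructed for this example.

```python
"""Offline check that security-group ingress follows the tier chain:
internet-facing ALB -> presentation tier -> internal ALB -> application tier -> RDS.
Group IDs, the Node.js port (3000) and the sample rules are constructed for this
example, not values from the post. Input mimics `describe-security-groups` output."""

# Expected ingress per tier group: (protocol, port) -> allowed *source security groups*.
# Tier groups should never carry CIDR sources; only the internet-facing ALB faces the world.
TIER_POLICY = {
    "sg-web": {("tcp", 80): {"sg-alb-public"}},      # presentation tier <- internet-facing ALB
    "sg-app": {("tcp", 3000): {"sg-alb-internal"}},  # application tier <- internal ALB
    "sg-db": {("tcp", 3306): {"sg-app"}},            # data tier (RDS MySQL) <- application tier
}

# Constructed sample with two deviations: SSH open to the world on the web tier (the design
# uses SSM instead) and the public ALB reaching the app tier directly, bypassing the internal ALB.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-alb-public"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-alb-internal"}, {"GroupId": "sg-alb-public"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
]


def check_tier_ingress(groups, policy=TIER_POLICY):
    """Return one finding string per ingress rule that breaks the tier chain."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        if gid not in policy:
            continue  # ALB groups and others are outside this tier policy
        for rule in group["IpPermissions"]:
            port = rule.get("FromPort")  # absent for protocol "-1" (all traffic)
            allowed = policy[gid].get((rule["IpProtocol"], port))
            if allowed is None or rule.get("ToPort") != port:
                findings.append(f"{gid}: port {rule['IpProtocol']}/{port} not in tier policy")
                continue
            for cidr in rule["IpRanges"]:  # tier groups must only trust other groups
                findings.append(f"{gid}: CIDR source {cidr['CidrIp']} on port {port}")
            for pair in rule["UserIdGroupPairs"]:
                if pair["GroupId"] not in allowed:
                    findings.append(f"{gid}: {pair['GroupId']} may not reach port {port}")
    return findings
```

Feeding the real output of `aws ec2 describe-security-groups` (the `SecurityGroups` list) into `check_tier_ingress` with your own group IDs in `TIER_POLICY` turns this into a drift check for the deployed VPC.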

Final Outcome

With all these components in place, we achieve a highly available, fault-tolerant, and secure 3-Tier Architecture on AWS. This design ensures:

  • Seamless user access via HTTPS with optimized performance and global delivery through CloudFront.

  • Automated failover & scaling, ensuring high availability without manual intervention.

  • Cost-efficient resource utilization through intelligent auto-scaling mechanisms and serverless operational insights.

  • Comprehensive security controls across all tiers of the infrastructure, enforcing least privilege principles, encryption, and network segmentation.
