
AWS Tier 3 Architecture with Terraform


Architectural Diagram

This project implements a highly available, secure, production-ready 3-Tier Architecture on AWS using a modular Terraform approach. The request path in the diagram is:

  1. The user sends a request to our URL; it enters the VPC through the Internet Gateway.

  2. An external (internet-facing) load balancer distributes the load across multiple instances in different Availability Zones.

  3. A Bastion host is the only SSH entry point; no application instance has a public IP.

  4. Both the frontend and the backend are hosted in private subnets, so they are reachable only through the load balancers or the Bastion host.

  5. The database is replicated across Availability Zones so a single failure does not take the data tier down.

The infrastructure is designed to be fault-tolerant and scalable, spreading resources across two Availability Zones (AZs). It separates the presentation, application, and data layers into distinct network tiers.

1. Network Layer (VPC Module)

The foundation is a custom VPC with a multi-subnet strategy:

  • Public Subnets: Host the Internet Gateway, NAT Gateways (for outbound traffic from private instances), and a Bastion Host (jump box) for secure SSH access.

  • Frontend Private Subnets: Host the Web servers. They serve the public site but have no public IPs; the only way in is through the public ALB.

  • Backend Private Subnets: Host the Internal API servers.

  • Database Isolated Subnets: A dedicated tier for the RDS instance with no internet access.

2. Traffic Flow & Load Balancing

The setup uses two Application Load Balancers (ALBs) to manage traffic:

  • Public ALB: The entry point for users. It listens on port 80/443 and distributes requests to the Frontend ASG.

  • Internal ALB: Acts as a bridge between the Frontend and Backend. The Frontend calls the Backend API (port 8080) through this internal balancer, which gives it a stable DNS name to target and keeps the backend off the internet entirely.

3. Compute Tier (ASG Modules)

Both the Frontend (Node.js) and Backend (Go) are deployed using Auto Scaling Groups (ASG):

  • Containerized Deployment: Instances are bootstrapped via User Data scripts that automatically install Docker, pull the latest images from Docker Hub, and launch them as containers. (Pinning the image tag or digest rather than pulling `latest` makes a replacement instance reproducible; a freshly scaled-in instance otherwise runs whatever was pushed most recently.)

  • Self-Healing & Scaling: The ASGs use Target Tracking Scaling Policies to maintain average CPU utilization at 70%. If an instance fails a health check, the ASG automatically replaces it.

  • Robust Bootstrapping: The user data script (backend_user_data.sh, embedded on the original page) waits for DNS resolution and database connectivity before starting the application, so a cold start does not crash-loop while RDS is still coming up.
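As an added example (not the project's own ASG module), the Terraform below wires together the pieces described in sections 2 and 3: the internal ALB and its 8080 listener, a launch template whose user data waits for the database and fetches credentials with the AWS CLI, and the ASG with a 70% CPU target-tracking policy. The module outputs (module.vpc.*), the variables (var.backend_ami, var.backend_image, var.region), the /health path, the secret name prod/backend/db and the other referenced resources are assumptions; the AMI is assumed to be Amazon Linux 2023, which ships the AWS CLI.

```hcl
# Added example, not the project's code. Assumed: module.vpc.* outputs, var.backend_ami
# (Amazon Linux 2023), var.backend_image, var.region, aws_security_group.internal_alb,
# aws_security_group.backend, aws_iam_instance_profile.backend, aws_db_instance.main.

resource "aws_lb" "internal" {
  name               = "backend-internal-alb"
  internal           = true   # private IPs only; never reachable from the internet
  load_balancer_type = "application"
  security_groups    = [aws_security_group.internal_alb.id]
  subnets            = module.vpc.backend_subnet_ids
}

resource "aws_lb_target_group" "backend" {
  name     = "backend-tg"
  port     = 8080
  protocol = "HTTP"
  vpc_id   = module.vpc.vpc_id

  health_check {
    path    = "/health"   # assumed endpoint exposed by the Go API
    matcher = "200"
  }
}

resource "aws_lb_listener" "backend" {
  load_balancer_arn = aws_lb.internal.arn
  port              = 8080
  protocol          = "HTTP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.backend.arn
  }
}

resource "aws_launch_template" "backend" {
  name_prefix            = "backend-"
  image_id               = var.backend_ami
  instance_type          = "t3.micro"
  vpc_security_group_ids = [aws_security_group.backend.id]

  iam_instance_profile {
    name = aws_iam_instance_profile.backend.name
  }

  metadata_options {
    http_tokens = "required"   # IMDSv2 only, so an SSRF in the app cannot read role credentials
  }

  # Bootstrap: log everything to user-data.log, wait until the DB endpoint resolves and
  # accepts TCP, fetch credentials from Secrets Manager, then start the container.
  user_data = base64encode(<<-EOT
    #!/bin/bash
    set -euo pipefail
    exec > >(tee -a /var/log/user-data.log) 2>&1
    dnf install -y docker && systemctl enable --now docker
    DB_HOST="${aws_db_instance.main.address}"
    until getent hosts "$DB_HOST" >/dev/null && timeout 3 bash -c "</dev/tcp/$DB_HOST/5432"; do sleep 5; done
    aws secretsmanager get-secret-value --region ${var.region} \
      --secret-id prod/backend/db --query SecretString --output text > /etc/backend-db.json
    chmod 600 /etc/backend-db.json
    docker run -d --restart unless-stopped -p 8080:8080 \
      -v /etc/backend-db.json:/run/secrets/db.json:ro ${var.backend_image}
  EOT
  )
}

resource "aws_autoscaling_group" "backend" {
  name                = "backend-asg"
  min_size            = 2   # one per AZ keeps the tier up through the loss of an AZ
  max_size            = 6
  desired_capacity    = 2
  vpc_zone_identifier = module.vpc.backend_subnet_ids
  target_group_arns   = [aws_lb_target_group.backend.arn]

  # ELB health checks replace an instance whose container is down even if EC2 status checks pass.
  health_check_type         = "ELB"
  health_check_grace_period = 300

  launch_template {
    id      = aws_launch_template.backend.id
    version = "$Latest"
  }
}

resource "aws_autoscaling_policy" "backend_cpu" {
  name                   = "backend-cpu-70"
  autoscaling_group_name = aws_autoscaling_group.backend.name
  policy_type            = "TargetTrackingScaling"

  target_tracking_configuration {
    predefined_metric_specification {
      predefined_metric_type = "ASGAverageCPUUtilization"
    }
    target_value = 70.0
  }
}
```

Two choices worth copying: the secret is written to a root-only file and bind-mounted into the container rather than passed with `-e`, because environment variables show up in `docker inspect` and in the process table; and `health_check_type = "ELB"` makes the ASG act on the target group's view of health, so the "self-healing" claim covers a hung application and not only a dead instance.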
    

4. Data Layer (RDS Module)

The data tier uses Amazon RDS for PostgreSQL:

  • Security: The database is located in isolated subnets and only accepts traffic from the Backend Security Group on port 5432.

  • Secret Management: DB credentials are NOT hardcoded. Terraform generates a random password and stores it in AWS Secrets Manager. The backend application retrieves these credentials at runtime using the AWS CLI.
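An added example of the data-tier wiring, not the project's RDS module: Terraform generates the password, stores it in Secrets Manager, and places the instance in the isolated subnet group behind a security group that admits only the backend on 5432. module.vpc.db_subnet_ids, module.vpc.vpc_id and aws_security_group.backend are assumed to exist.

```hcl
# Added example, not the project's code. Assumed: module.vpc.db_subnet_ids,
# module.vpc.vpc_id and aws_security_group.backend.

resource "random_password" "db" {
  length           = 32
  special          = true
  override_special = "!#$%^&*()-_=+[]{}<>:?"   # RDS rejects '/', '@', '"' and spaces
}

resource "aws_secretsmanager_secret" "db" {
  name                    = "prod/backend/db"
  recovery_window_in_days = 7
}

resource "aws_secretsmanager_secret_version" "db" {
  secret_id = aws_secretsmanager_secret.db.id
  secret_string = jsonencode({
    username = "app"
    password = random_password.db.result
    host     = aws_db_instance.main.address
    port     = 5432
    dbname   = "app"
  })
}

resource "aws_db_subnet_group" "isolated" {
  name       = "db-isolated"
  subnet_ids = module.vpc.db_subnet_ids   # subnets with no route to an IGW or NAT gateway
}

resource "aws_security_group" "db" {
  name   = "db-sg"
  vpc_id = module.vpc.vpc_id

  # Only the backend tier may reach Postgres; no CIDR-based rule at all.
  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.backend.id]
  }
  # No egress block: RDS needs none for client connections.
}

resource "aws_db_instance" "main" {
  identifier                = "app-postgres"
  engine                    = "postgres"
  instance_class            = "db.t3.micro"
  allocated_storage         = 20
  db_name                   = "app"
  username                  = "app"
  password                  = random_password.db.result
  db_subnet_group_name      = aws_db_subnet_group.isolated.name
  vpc_security_group_ids    = [aws_security_group.db.id]
  multi_az                  = true    # synchronous standby in the second AZ
  storage_encrypted         = true
  publicly_accessible       = false
  backup_retention_period   = 7
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "app-postgres-final"
}
```

The password never appears in the repository, but `random_password.result` and the RDS `password` argument are still written to Terraform state, so the state backend must be encrypted and access-controlled as strictly as the secret itself. On the instance the credentials come back as one JSON document with `aws secretsmanager get-secret-value --secret-id prod/backend/db --query SecretString --output text`.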

5. Security & Observability

  • IAM Roles: Instances are assigned IAM roles with the Least Privilege principle, allowing them only to fetch secrets and send logs to CloudWatch.

  • Monitoring: CloudWatch Agents are installed on all EC2 instances to capture custom logs (like user-data.log) and system metrics (CPU/Memory).
    
  • Security Groups: A "chaining" security model is used. For example, the Backend Security Group only allows ingress from the Internal ALB Security Group.
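The chaining model and the instance role, as an added example rather than the project's own code. Every hop in the chain is one ingress rule on the receiving tier's security group whose source is the sending tier's security group, plus the matching egress rule on the sender; the only CIDR-based ingress is the internet reaching the public ALB. The role can read exactly one secret and write exactly one log group. Assumed: module.vpc.vpc_id, aws_secretsmanager_secret.db, and port 3000 for the Node.js frontend (8080 and 5432 are from the text).

```hcl
# Added example, not the project's code. Assumed: module.vpc.vpc_id,
# aws_secretsmanager_secret.db, and port 3000 for the Node.js frontend.

locals {
  tiers = toset(["public_alb", "frontend", "internal_alb", "backend", "db"])
  # One permitted hop per link in the chain: traffic enters `to` only from `from`.
  hops = {
    public_alb_to_frontend   = { from = "public_alb",   to = "frontend",     port = 3000 }
    frontend_to_internal_alb = { from = "frontend",     to = "internal_alb", port = 8080 }
    internal_alb_to_backend  = { from = "internal_alb", to = "backend",      port = 8080 }
    backend_to_db            = { from = "backend",      to = "db",           port = 5432 }
  }
}

# No inline rules: Terraform removes AWS's default allow-all egress, so every
# permitted flow is one of the explicit rules below.
resource "aws_security_group" "tier" {
  for_each = local.tiers
  name     = "${each.key}-sg"
  vpc_id   = module.vpc.vpc_id
}

resource "aws_security_group_rule" "hop_in" {
  for_each                 = local.hops
  type                     = "ingress"
  security_group_id        = aws_security_group.tier[each.value.to].id
  source_security_group_id = aws_security_group.tier[each.value.from].id
  from_port                = each.value.port
  to_port                  = each.value.port
  protocol                 = "tcp"
}

resource "aws_security_group_rule" "hop_out" {
  for_each                 = local.hops
  type                     = "egress"
  security_group_id        = aws_security_group.tier[each.value.from].id
  source_security_group_id = aws_security_group.tier[each.value.to].id   # the destination, for egress
  from_port                = each.value.port
  to_port                  = each.value.port
  protocol                 = "tcp"
}

# The only CIDR-based ingress in the design: the internet reaches the public ALB.
resource "aws_security_group_rule" "public_https_in" {
  type              = "ingress"
  security_group_id = aws_security_group.tier["public_alb"].id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# Least-privilege instance role: read one secret, write one log group, publish agent metrics.
data "aws_iam_policy_document" "backend_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "backend" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.db.arn]   # this secret only, never "*"
  }
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"]
    resources = ["arn:aws:logs:*:*:log-group:/app/backend:*"]   # assumed log group name
  }
  statement {
    actions   = ["cloudwatch:PutMetricData"]
    resources = ["*"]   # no resource-level support; restrict by namespace instead
    condition {
      test     = "StringEquals"
      variable = "cloudwatch:namespace"
      values   = ["CWAgent"]
    }
  }
}

resource "aws_iam_role" "backend" {
  name               = "backend-instance-role"
  assume_role_policy = data.aws_iam_policy_document.backend_assume.json
}

resource "aws_iam_role_policy" "backend" {
  role   = aws_iam_role.backend.id
  policy = data.aws_iam_policy_document.backend.json
}

resource "aws_iam_instance_profile" "backend" {
  name = "backend-instance-profile"
  role = aws_iam_role.backend.name
}
```

Two things the chain alone does not cover: the frontend and backend security groups also need an HTTPS egress rule to 0.0.0.0/0 (it leaves through the NAT gateway) for the Docker Hub pull and the Secrets Manager and CloudWatch API calls, and the bastion needs its own SSH ingress rule into the frontend and backend groups, ideally restricted to the bastion's security group rather than its subnet CIDR. A quick audit of the result is `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<id>`; in a correct deployment the only rule whose source is a CIDR rather than a group is the public ALB's 443.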


Post Work Output

Application is healthy and running:

Checking the RDS database:

Load balancer:

Auto scaling groups:

Connecting to Bastion host:

From the Bastion host, log in to the frontend EC2 server over SSH using the instance's private IP (the instance runs in a private subnet and has no public address).

The entire setup procedure is described in the setup.md file in the repository directory.


Video reference:


Arigato!