ICT 2606 AWS Lab

The document outlines the process of setting up an EC2 instance and an RDS instance on AWS to host a web server and manage a MySQL database. It details the steps taken to configure network security, create a VPC, and establish connections between the web server and database. The exercise concludes with the successful integration of the web server and database, allowing data to be stored and served effectively.

Uploaded by

spiessrobbin

Assessment 2: Cloud architecture and security

Overview

The objective of this exercise is to launch an EC2 instance and provision the right AWS
resources to enable it to host a web server. In addition, a separate RDS instance is set up and connected
to this EC2 instance for convenient management. These work together to enable a web server to
be hosted on the Amazon cloud. In the course of achieving this task, the following concepts and
principles are demonstrated:

i. Network security: VPC and EC2 security groups, password and key management, and
access control lists.
ii. Networking & service integration: remote access with clients like PuTTY and accessing the
database instance through the EC2 server.
iii. AWS-specific concepts like regions, availability zones and machine images.

Task 1: Setup

This task is mostly about setting up the VPC, security group, and key pairs. This begins from the
learning portal where I launch the lab.
The AWS button then redirects to the AWS web console from where I will access the various
network, compute and storage resources, and where I will piece together the solution.

To comply with a later requirement, I switch to the region of Asia Pacific West 2 (Sydney). This
region defines some AWS resources like virtual machines and security keys.

What follows then is creating the VPC, which houses all of the resources that will be assembled
in the coming steps.
The VPC is created, indicating the VPC ID, the IPv4 subnet and pool and other options like
DNS, which for now is not needed.

Next, I edit security groups for the VPC. The most important rules are inbound rules, which
define the traffic coming into the VPC and thus which services are allowed from where.

Inbound rules
The a2VPC security group is then updated.

The SSH key pair is created in Task 2, along with the virtual server.

Task 2: Setup

I choose to go with the Amazon Linux 2023 virtual machine, which is available from QuickStart.
The VM is Linux based and has a familiar filesystem like Gentoo.
As part of the creation process, I define a new key pair, which will be stored in the same region
as the EC2 instance. And because I will be accessing it with a Windows machine via PuTTY, I
choose the .ppk format.

I then choose the existing security group that allows HTTP and SSH, as defined in Task 1.
The instance is successfully launched. By default, it comes with a public IP address, but this
address changes every time the instance is rebooted.
To give my instance a permanent IP address, I create one via Elastic IP, which picks an address
from the AWS pool.

After creation, the Elastic IP has to be associated with the instance.

IP address successfully allocated


While creating the server is complete, it will boot into the default blank screen. But because this
is a web server and needs to serve a web page on boot, I use a CloudFormation template to pre-
define the landing page.

This is made possible by writing some code into the default HTML page of the Apache web
server.

This is the template, supplied with the machine AMI ID and location of the homepage.
The stack runs the update on the instance soon after booting, such that by the time we access the
public IP, the web page is already available.

And using just the static (Elastic) IP, the web page opens with the required text.
That done, if we need to access the instance from the default IP, I simply disassociate the Elastic IP
from the instance.

Accessing the instance using the default public IP address


Still, the same web page is displayed regardless of the way we accessed it.

Accessing the webpage with PuTTY

From my Windows machine, I specify the server IP and SSH port number in PuTTY.
Besides the two, I also specify the SSH key pair that was generated during instance creation.
And because the EC2 instance is being accessed by my PC for the first time, it validates the
integrity of the host. From here, I can cache the key so that my PC connects automatically on
subsequent requests.

Then, the login is successful.


It displays the same text in its location. The “landing page” was simple text in the
/var/www/html directory.

Task 3: Working with Data

Created a MySQL database. Due to its simplicity, I chose to go with MySQL. The latest version
(8) is installed.

I set up the database as test, which simplifies the features I need to configure on it.
I use a standalone DB instance, with an auto-generated password.

The DB is also a single instance, because I only need to access it from one availability region. If
this were a production database server, I would have enabled multi-instance for high availability.

The DB is then connected to the EC2 instance created earlier. The default VPC is also chosen.
The DB also belongs to the default security group, and will not be assigned a public IP address.
This means that on its own, the database can be accessed independently. If this option is not
enabled, the database can only be accessed internally through an internal resource like an EC2
instance.
The VPC and security group chosen are those hosting the web server above.

Credentials managed individually.

I intentionally turned off AWS Secrets Manager because it would interfere with creating read
replicas.
The DB is created. On its homepage are details like the version and class of the virtual image.
For this case, it is an M6GD Large.

As stated earlier, the DB will be accessed by the web server. This explains the need to connect
the EC2 instance.
The connection is set up successfully and now data can be read from the web server into the
database by specifying the DB endpoint and security credentials.

For high availability, I create a read replica


The region is still Sydney

The read replica has a very similar profile, except for unique elements like the ID.
Successfully created the read replica.

Added a rule to the security group to allow accessing RDS from EC2.
Installed MySQL dependencies in the EC2 instance. This is the client that communicates with the
MySQL server in the RDS DB.
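
As an added example (not part of the original report), a short Python check over security-group data in the shape returned by `aws ec2 describe-security-groups`, covering the inbound rules from Task 1 and the RDS rule above. The group IDs and source ranges are constructed placeholders, since the report does not list the actual rule sources.

```python
# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# Group IDs and CIDRs are placeholders, not values from the lab.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web-EXAMPLE", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db-EXAMPLE", "IpPermissions": [
        # MySQL reachable only from members of the web server's group.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web-EXAMPLE"}]},
    ]},
]

SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL"}  # admin and database access
ANYWHERE = {"0.0.0.0/0", "::/0"}

def covers(rule, port):
    """True if an inbound rule admits TCP traffic to the given port."""
    if rule.get("IpProtocol") == "-1":  # "all traffic" rules carry no ports
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def audit(groups):
    """Return (group_id, port, message) for risky inbound rules."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if c in ANYWHERE]
            for port, name in SENSITIVE_PORTS.items():
                if not covers(rule, port):
                    continue
                if world:
                    findings.append((group["GroupId"], port,
                                     f"{name} open to {world[0]}"))
                elif port == 3306 and cidrs:
                    findings.append((group["GroupId"], port,
                                     "MySQL allowed by CIDR; reference the "
                                     "web server's security group instead"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print(finding)
```

To run it against a real account, load the `SecurityGroups` list from the CLI's JSON output and pass it to `audit`.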

Installed MySQL.
Successfully logged into the primary database.

Deleting the primary DB so that I can access the read replica


The database is backed up using the read replica

Logged into the read replica


Take note of the different endpoint of the replica

Conclusion

The exercise demonstrates that I have set up a web server and a database in AWS. I have
connected the two so that web users have their data stored and served from the MySQL database
in RDS.
