
Scenario 1. Run a website live on your own domain over HTTPS.

For this scenario you need to own a domain name. You can either buy one through the AWS Route53 service or get a
cheap domain for 25 Rs/- from https://client.googiehost.com/index.php?rp=/store/free-hosting/free-hosting .
Create an account on that site and register a domain. Remember that premium top-level domains such as .com, .gov and .in
are neither free nor cheap. The rest of this document assumes you registered the domain "awspractice.xyz" and refers
to it by that name.

AWS services used in this practice:

VPC, NAT Gateway, Internet Gateway, Route Tables, Public & Private Subnets, IAM, CloudWatch Alarms, SNS, ALB with
HTTP and HTTPS listeners, Target Group, Route53, EC2, Auto Scaling, Security Groups, AMI, EFS, ACM, S3

RDS is not used in this practical because the site is a static website. If you run a WordPress site instead, add RDS
(MySQL) in the private subnets with the database-SG security group attached.

Scheduled scaling actions are also not used, because this practical uses a different kind of auto scaling, a target
tracking policy. Scheduled actions let you increase or decrease the number of servers for a fixed time window, e.g.
9 AM to 8 PM, Monday to Friday.

VPC, Subnets, IGW, NAT-GW, RouteTables Section.

1. Create a VPC in the ap-south-1 region with the name prod-vpc. The VPC CIDR must be 10.0.0.0/16.
2. Create 2 subnets in the ap-south-1a AZ with the names prod-public-1a and prod-private-1a, and 2 subnets in
ap-south-1b with the names prod-public-1b and prod-private-1b.
a. Subnet CIDR blocks, in that order: [10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24]. Every subnet must be
carved out of the VPC's 10.0.0.0/16; a block such as 10.1.0.0/24 lies outside it and the console rejects it.
3. Create an Internet Gateway with the name prod-IGW and attach it to the VPC.
4. Create a NAT Gateway with the name prod-NATGW. Place it in one of the public subnets (prod-public-1a) and allocate
a new Elastic IP for it. A NAT gateway placed in a private subnet has no route to the internet itself, so the private
instances behind it would be unable to reach yum or the template download.
5. Create two route tables with the names prod-public-RT and prod-private-RT.
6. Add a route in the public route table sending all destinations (0.0.0.0/0) through prod-IGW.
7. Add a route in the private route table sending all destinations (0.0.0.0/0) through prod-NATGW.
8. Associate the public route table with the public subnets and the private route table with the private subnets
created in step 2. Until you do this, all four subnets use the VPC's main route table and have no internet path.
9. Enable DNS resolution and DNS hostnames in the VPC settings (the EFS DNS name used later depends on this).
10. Enable auto-assign public IP in the public subnets only. Instances in the private subnets must reach the internet
through the NAT gateway, not with public addresses of their own.
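The address plan above is easy to get wrong by one digit, and the console reports only one problem at a time. The following script is an added example for this lab (not part of the original text and not an AWS tool): it encodes the prod-vpc layout with the lab's subnet names and AZs and checks that every subnet lies inside the VPC block, that no two subnets overlap, and that each AZ has one public and one private subnet. The blocks in OUTSIDE_VPC are the mistyped variant (each is a different /16) and are shown failing the check.

```python
"""Check the prod-vpc address plan before creating it in the console (added example)."""
import ipaddress
from typing import Dict, List, Tuple

# name -> (availability zone, CIDR, tier)
Plan = Dict[str, Tuple[str, str, str]]

PROD_VPC = "10.0.0.0/16"
PROD_SUBNETS: Plan = {
    "prod-public-1a":  ("ap-south-1a", "10.0.1.0/24", "public"),
    "prod-private-1a": ("ap-south-1a", "10.0.2.0/24", "private"),
    "prod-public-1b":  ("ap-south-1b", "10.0.3.0/24", "public"),
    "prod-private-1b": ("ap-south-1b", "10.0.4.0/24", "private"),
}

# The same four blocks as they are easy to mistype: each one is a different /16.
OUTSIDE_VPC = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24", "10.4.0.0/24"]


def with_cidrs(subnets: Plan, cidrs: List[str]) -> Plan:
    """Return a copy of the plan with the CIDRs replaced, in dictionary order."""
    return {name: (az, cidr, tier)
            for (name, (az, _old, tier)), cidr in zip(subnets.items(), cidrs)}


def usable_hosts(cidr: str) -> int:
    """AWS reserves the first four and the last address of every subnet."""
    return ipaddress.ip_network(cidr).num_addresses - 5


def validate_plan(vpc_cidr: str, subnets: Plan) -> List[str]:
    """Return the list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets: Dict[str, ipaddress.IPv4Network] = {}
    for name, (az, cidr, tier) in subnets.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict by default: rejects 10.0.1.5/24
        except ValueError as exc:
            problems.append(f"{name}: invalid CIDR {cidr} ({exc})")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is not inside the VPC block {vpc_cidr}")
        nets[name] = net
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap")
    tiers_per_az: Dict[str, set] = {}
    for name, (az, cidr, tier) in subnets.items():
        tiers_per_az.setdefault(az, set()).add(tier)
    for az, tiers in sorted(tiers_per_az.items()):
        for tier in ("public", "private"):
            if tier not in tiers:
                problems.append(f"{az}: no {tier} subnet (needed for the ALB/NAT or the web tier)")
    return problems


if __name__ == "__main__":
    for label, plan in (("corrected", PROD_SUBNETS),
                        ("mistyped", with_cidrs(PROD_SUBNETS, OUTSIDE_VPC))):
        print(label, validate_plan(PROD_VPC, plan) or "OK")
    print("usable hosts per /24:", usable_hosts("10.0.1.0/24"))
```

Run it before clicking through the console; a /24 gives 251 usable addresses once AWS's five reserved addresses are taken out, which is plenty for an auto scaling group capped at four servers.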

Security Groups

1. Create 5 security groups with the names webapp-SG, alb-SG, database-SG, bastion-SG and efs-SG.
2. In efs-SG, allow port 2049 (NFS) from the webapp-SG security group.
3. In bastion-SG, allow port 22 (SSH) from your own public IP only (a /32), never from 0.0.0.0/0.
4. In webapp-SG, allow port 22 (SSH) from bastion-SG.
5. In webapp-SG, allow port 80 (HTTP) from alb-SG.
6. In alb-SG, allow HTTPS (443) and HTTP (80) from everyone (0.0.0.0/0). This is the only group that should be open
to the internet.
7. In database-SG, allow port 3306 (MySQL) from webapp-SG. This group is only needed if you add RDS later.

Wherever a rule's source is another tier, reference that tier's security group ID rather than a CIDR: the web servers
get whatever private addresses the auto scaling group hands out and the ALB's addresses change over time, so
CIDR-based rules either break or end up far broader than intended.
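The rule table above is small enough to review by eye, but it is also the part people loosen first when something does not connect. The script below is an added example for this lab (not AWS tooling, not part of the original text): it holds the five groups and their rules as data, audits them for the invariants a reviewer would check (only alb-SG faces the internet and only on 80/443, SSH reaches the web tier only via bastion-SG, NFS and MySQL accept only webapp-SG, the bastion accepts one /32), and renders the same table as `aws ec2 authorize-security-group-ingress` calls. ADMIN_IP is a documentation address standing in for your own public IP, and the sg- ids used when the script is run are placeholders.

```python
"""Model the lab's security groups as data, audit them, and emit CLI calls (added example)."""
from dataclasses import dataclass
from typing import Dict, List

ADMIN_IP = "203.0.113.10/32"   # assumption: replace with your own address as a /32
INTERNET = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    port: int          # TCP port opened on the group
    source: str        # another group's name, or a CIDR


RULES: Dict[str, List[Rule]] = {
    "alb-SG":      [Rule(80, INTERNET), Rule(443, INTERNET)],
    "bastion-SG":  [Rule(22, ADMIN_IP)],
    "webapp-SG":   [Rule(22, "bastion-SG"), Rule(80, "alb-SG")],
    "efs-SG":      [Rule(2049, "webapp-SG")],
    "database-SG": [Rule(3306, "webapp-SG")],
}


def is_cidr(source: str) -> bool:
    return "/" in source


def audit(rules: Dict[str, List[Rule]]) -> List[str]:
    """Return findings; an empty list means every invariant holds."""
    findings: List[str] = []
    for group, group_rules in rules.items():
        for r in group_rules:
            # Only the load balancer faces the internet, and only on 80/443.
            if r.source == INTERNET and not (group == "alb-SG" and r.port in (80, 443)):
                findings.append(f"{group}: port {r.port} is open to the internet")
            # SSH to anything but the bastion must come through the bastion.
            if r.port == 22 and group != "bastion-SG" and r.source != "bastion-SG":
                findings.append(f"{group}: SSH reachable from {r.source}, not via bastion-SG")
            # The bastion itself accepts SSH from one address only.
            if group == "bastion-SG" and not r.source.endswith("/32"):
                findings.append(f"bastion-SG: port {r.port} source {r.source} is not a single /32")
            # Storage ports are reachable from the web tier only.
            if r.port in (2049, 3306) and r.source != "webapp-SG":
                findings.append(f"{group}: port {r.port} should accept only webapp-SG")
            # A rule naming a group that does not exist cannot be created.
            if not is_cidr(r.source) and r.source not in rules:
                findings.append(f"{group}: references unknown group {r.source}")
    return findings


def cli_commands(rules: Dict[str, List[Rule]], ids: Dict[str, str]) -> List[str]:
    """Render each rule as an authorize-security-group-ingress call using group ids."""
    cmds = []
    for group, group_rules in rules.items():
        for r in group_rules:
            if is_cidr(r.source):
                perm = f"IpProtocol=tcp,FromPort={r.port},ToPort={r.port},IpRanges=[{{CidrIp={r.source}}}]"
            else:
                perm = (f"IpProtocol=tcp,FromPort={r.port},ToPort={r.port},"
                        f"UserIdGroupPairs=[{{GroupId={ids[r.source]}}}]")
            cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {ids[group]} "
                        f"--ip-permissions '{perm}'")
    return cmds


if __name__ == "__main__":
    print("findings:", audit(RULES) or "none")
    placeholder_ids = {name: f"sg-{name.lower()}" for name in RULES}   # placeholders, not real ids
    print("\n".join(cli_commands(RULES, placeholder_ids)))
```

If you later "fix" a connectivity problem by opening port 22 on webapp-SG to 0.0.0.0/0, audit() reports it twice (world-open port and SSH bypassing the bastion), which is the kind of drift this table is meant to catch.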

Key Pair

Create two key pairs with the names webapp-key and bastion-key. Download each private key once, keep the .pem file
with mode 0600 on your workstation, and never copy it onto the bastion or into the AMI; use SSH agent forwarding
(ssh -A) from the bastion to reach the web servers instead.

EFS
Create an Elastic File System. Remember to select both private subnets you created above (one mount target per AZ)
while creating the EFS, and select the efs-SG security group for the mount targets.

This EFS holds the website code and is shared by every instance that serves the site. For example, if the auto
scaling group runs 4 servers, all 4 mount the same EFS and see the same website code. The next section puts the
website code onto the EFS.

App Server AMI

This section creates the golden AMI (also called the app AMI or base AMI) that every auto-scaled web server boots from.

Deploy a temporary EC2 server running Amazon Linux 2 in one of the public subnets. Attach both webapp-SG (so that the
efs-SG rule allowing 2049 from webapp-SG matches, otherwise the mount below hangs) and bastion-SG (so that you can SSH
in from your own IP with bastion-key). Log in and run the commands below as root:

-------------------
#!/bin/bash
yum update -y
yum install -y httpd nfs-utils unzip   # Apache, the NFS client needed to mount EFS, and unzip for the template

## Replace DNS-NAME-OF-EFS with the EFS DNS name shown in the EFS console ##
## (it has the form <file-system-id>.efs.ap-south-1.amazonaws.com)        ##
mkdir -p /temp-dir
mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport DNS-NAME-OF-EFS:/ /temp-dir

# Download the sample site straight into the EFS root so every server sees it
cd /temp-dir
wget https://www.free-css.com/assets/files/free-css-templates/download/page288/global.zip
unzip global.zip
mv global-master/* ./          # move the template files to the EFS root
rm -rf global-master global.zip

systemctl start httpd
systemctl enable httpd         # the AMI must start Apache on every boot

cd /
umount /temp-dir               # do not bake an active NFS mount into the image
-------------------

After Apache is installed and the website code is stored on the EFS, create an AMI of this temporary server with the
name WordPress-GoldenAMI (the lab's name; the site itself is the static template, not WordPress). Delete the
temporary server once the golden AMI shows as available.

S3 Bucket
Create an S3 bucket with any name; let us say you created it with the name my-live-site. We will use it to back up the
site into S3 every day. Leave "Block all public access" enabled on the bucket: the backups are copies of your site
content and the instances write to them through the IAM role below, so nothing needs public access.

IAM Role

Create an IAM role for EC2 with the name prod-EC2S3Access. This lab attaches the AWS managed policy AmazonS3FullAccess
to it. Be aware that this grants s3:* on every bucket in the account; for anything beyond a practice account, replace
it with an inline policy that allows ListBucket on my-live-site and Get/PutObject on my-live-site/* only, so that a
compromised web server can at most write to its own backups.
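To make the scoping concrete, here is an added example for this lab (not an AWS artefact and not part of the original text). backup_policy() builds a policy document for prod-EC2S3Access limited to the single bucket the backups go to (my-live-site is the lab's example name), and deliberately omits s3:DeleteObject so a compromised server cannot wipe old backups. broad_statements() is the check to run on any policy before attaching it, shown flagging the managed policy the lab uses. daily_sync_command() is an assumption about how the daily backup is implemented (the lab only says the bucket is used for it).

```python
"""Least-privilege replacement for AmazonS3FullAccess on the backup role (added example)."""
import json
from typing import Dict, List

# Statement of the AWS managed policy AmazonS3FullAccess as published at the
# time of writing; used only for comparison.
AMAZON_S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:*", "s3-object-lambda:*"],
                   "Resource": "*"}],
}


def backup_policy(bucket: str) -> Dict:
    """Allow listing one bucket and reading/writing its objects; no delete, no other buckets."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListBackupBucket",
                "Effect": "Allow",
                # bucket-level actions: the ARN has no trailing /*
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": bucket_arn,
            },
            {
                "Sid": "ReadWriteBackupObjects",
                "Effect": "Allow",
                # object-level actions; DeleteObject intentionally left out
                "Action": ["s3:PutObject", "s3:GetObject"],
                "Resource": f"{bucket_arn}/*",
            },
        ],
    }


def broad_statements(policy: Dict) -> List[str]:
    """Return the Sids (or index) of Allow statements with a wildcard action or resource."""
    flagged = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            flagged.append(st.get("Sid", f"statement[{i}]"))
    return flagged


def daily_sync_command(bucket: str, site_root: str = "/var/www/html") -> str:
    """/etc/cron.d line for a nightly copy of the site to S3 (assumption: aws s3 sync)."""
    # % is special in crontab and must be escaped; the CLI is preinstalled on Amazon Linux 2
    return (f"0 2 * * * root aws s3 sync {site_root} "
            f"s3://{bucket}/backup/$(date +\\%F)/ --region ap-south-1")


if __name__ == "__main__":
    scoped = backup_policy("my-live-site")
    print(json.dumps(scoped, indent=2))
    print("broad statements in AmazonS3FullAccess:", broad_statements(AMAZON_S3_FULL_ACCESS))
    print("broad statements in scoped policy:", broad_statements(scoped))
    print(daily_sync_command("my-live-site"))
```

Paste the printed JSON as an inline policy on prod-EC2S3Access in place of AmazonS3FullAccess; the cron line goes on the web servers (it belongs in the golden AMI, so every server carries it, but only one server needs to run it, which is the usual argument for doing backups from a single scheduled job rather than from the fleet).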


ALB

The ALB needs one more component, a Target Group, so create that first.

TargetGroup

Create a target group with the name prod-TG. Select target type Instances, port 80 (the port the web servers listen
on), protocol HTTP and prod-vpc as the VPC.

Health check settings of the target group:

    protocol = HTTP
    path = /
    interval = 6
    timeout = 5
    matcher = 200
    healthy_threshold = 2
    unhealthy_threshold = 3

The interval must be longer than the timeout. With these values a server that stops answering is marked unhealthy
after about 18 seconds (3 failed checks 6 seconds apart) and, because the auto scaling group below uses ELB health
checks, it is then terminated and replaced.

Create an Application Load Balancer with the name prod-ALB and the following settings:

Type: internet facing
security_groups = alb-SG
subnets = select both public subnets you created above. If you select private subnets for the ALB, it will not be
reachable from the public internet.
deletion_protection = false or true, as you wish.
ALB Listener settings: to begin with, forward all incoming connections to the target group.
Port = 80, protocol HTTP, default action: Forward -> prod-TG. (This HTTP listener is changed to a redirect once the
HTTPS listener exists; see the ALB HTTP and HTTPS section below.)

SNS - To receive notifications about events in the infrastructure (scaling activity and alarms).

Create an SNS topic with the name prod-sns. Create a subscription of type EMAIL with your email address. You will
receive a confirmation email; nothing is delivered until you click the confirmation link in it, and the subscription
shows "Pending confirmation" in the console until then.
AutoScaling Group

LaunchTemplate

Create a Launch Template with the following values:

name = prod-LT

description = "Launch Template for the prod app servers"

image_id = the golden AMI id created in the App Server AMI section above.

instance_type = t2.micro

security_group = webapp-SG, created in the security group section above.

key_pair = webapp-key, created above.

iam_instance_profile = prod-EC2S3Access, the role from the IAM section (the servers need it for the daily S3 backup).

NOTE: The user data below runs on every server at boot. Replace DNS-NAME-OF-EFS with the EFS DNS name copied from the
EFS console. The website code is already on the EFS (it was placed there in the golden AMI step), so the user data only
has to mount the EFS over Apache's document root; it downloads nothing. The servers sit in private subnets and reach
the EFS through its mount targets, so this works even without the NAT gateway.

------------------
#!/bin/bash
# Mount the shared EFS over Apache's document root; the site code already lives on it
mkdir -p /var/www/html
mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport DNS-NAME-OF-EFS:/ /var/www/html
# Restart Apache (enabled in the AMI) so it serves from the mounted directory
systemctl restart httpd
------------------

AutoScaling Group

name = prod-ASG

desired_capacity = 0

max_size = 4

min_size = 0

vpc = prod-vpc, subnets = both private subnets (prod-private-1a and prod-private-1b)

target_group = prod-TG, created in the ALB section

health_check_type = ELB
health_check_grace_period = 60 (raise it if new servers are terminated while still mounting the EFS)

Launch Template = select the launch template created above and set the version to "Latest"

With desired_capacity = 0 no server runs and the ALB answers every request with 503. Before testing the site or the
scaling policy, set min_size and desired_capacity to 1: target tracking cannot scale out from zero servers because
there is no CPUUtilization data for its alarm to act on.

AutoScaling Policies

To test auto scaling and learn about scaling policies, we create a policy on CPUUtilization and then put a high CPU
load on a server with a Linux command. The load trips the alarm and the group scales out; once the load stops, the
low alarm scales it back in.

Option 1. Target tracking policy: you specify only the target for average CPU, say 75% or 80%, and the auto scaling
group creates and manages two CloudWatch alarms itself (AlarmHigh and AlarmLow). It scales out when the high alarm
fires and in when the low alarm fires, adjusting capacity roughly in proportion to how far the metric is from the
target. Select the prod-sns topic under the group's Notifications so you get an email on every launch and termination.

Option 2. Simple scaling policy: this type needs two policies and two alarms that you create yourself, one for high
CPU (add servers) and one for low CPU (remove servers).

NOTE: The practical uses the target tracking policy.

DNS management (Route53)

For this you must own a domain name, as mentioned at the start of this document. Let us say you registered
awspractice.xyz. Once you have the domain from the googiehost site you need to delegate it to AWS Route53.

Go to Route53 and create a public hosted zone for the same domain name, awspractice.xyz. After creation it contains an
NS record listing four Route53 nameservers (plus an SOA record). Log in to the googiehost account, go to DNS management
and select "Use Custom Nameservers" or "Add Nameservers". In the window that opens, enter the four nameservers from the
Route53 NS record exactly as shown, one per field. This tells the registrar to publish a delegation for
awspractice.xyz pointing at Route53, so resolvers ask Route53 for your records. Delegation changes take time to
propagate (up to the TTL of the old records, often hours), so `dig NS awspractice.xyz` may show the old nameservers for
a while.

After updating the nameservers at googiehost, return to Route53 and add a new "A" record. Leave the record name empty
(the zone apex, awspractice.xyz), select Alias -> Yes, choose "Alias to Application and Classic Load Balancer", pick the
ap-south-1 region and select the prod-ALB you created above. Save the record. An alias record is required here: a load
balancer has no fixed IP address, and a CNAME is not allowed at the zone apex.

Your domain now maps to the ALB. The request flow from a user to the ALB is:

User types awspractice.xyz -> the resolver asks the .xyz TLD servers, which return the Route53 nameservers your
registrar published -> the resolver asks Route53, which answers the alias record with the ALB's current IP addresses ->
the browser connects to the ALB, which forwards the request to the target group.

ACM (AWS Certificate Manager)

Follow this 4-minute tutorial to request a free TLS certificate from Amazon:
https://www.youtube.com/watch?v=Ge-dkZgqLKg&ab_channel=Serverless

Two things to keep in mind: request the certificate in ap-south-1, the same region as the ALB (an ALB can only use
certificates from its own region), and choose DNS validation. ACM then offers to write the validation CNAME into your
Route53 hosted zone for you, which only works once the delegation from the previous section is live. Request it for
awspractice.xyz and, if you also want the www name, add www.awspractice.xyz as an additional name.
ALB HTTP and HTTPS (TLS setup)

HTTPS listener

Click on the ALB and add a new listener on port 443 (HTTPS). Set the default action to Forward to the target group and
select prod-TG. Leave the security policy at its default and select the ACM certificate you requested above from the
drop-down list. TLS is terminated on the ALB; traffic from the ALB to the web servers continues over plain HTTP on
port 80 inside the VPC, which is why webapp-SG opens port 80 to alb-SG only.

HTTP listener

Click on the ALB again and edit the existing HTTP listener on port 80 (the one created with a forward action). Change
its default action to Redirect: protocol HTTPS, port 443, keep the original host, path and query, status code 301
(permanent). No host-based rule is needed for this.

NOTE: With this pair of listeners every plain-HTTP request is answered with a 301 to the https:// URL and only the
HTTPS listener forwards to the servers, so the site is never served over HTTP. This is the recommended layout.

Once both listeners are configured, open https://awspractice.xyz and check that http://awspractice.xyz redirects to
it. You now have your website running on HTTPS.
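The following is an added example for this lab (not AWS tooling and not part of the original text) that checks the finished listener pair the way a practitioner would after saving it. evaluate_redirect() judges one HTTP response (status plus headers) and is pure, so the constructed sample responses in the block exercise it offline; check_site() performs the two real requests with the standard library, verifying the ACM certificate chain and hostname on the HTTPS leg, and is what you run from the bastion or your workstation. awspractice.xyz is the lab's example domain.

```python
"""Verify that http:// answers 301 to https:// and that https:// serves the site (added example)."""
import http.client
import ssl
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

Headers = Iterable[Tuple[str, str]]


def evaluate_redirect(status: int, headers: Headers, host: str, path: str = "/") -> List[str]:
    """Return problems with an HTTP->HTTPS redirect response; empty means it is correct."""
    problems: List[str] = []
    if status not in (301, 308):
        problems.append(f"expected a permanent redirect (301/308), got {status}")
    location = next((v for k, v in headers if k.lower() == "location"), None)
    if location is None:
        problems.append("no Location header")
        return problems
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"redirect target is not https: {location}")
    # An ALB redirect may render #{host}:443, so compare the hostname, not the netloc.
    if target.hostname != host:
        problems.append(f"redirect changes the host: {target.hostname!r} != {host!r}")
    if target.path != path:
        problems.append(f"redirect does not keep the path: {target.path!r} != {path!r}")
    return problems


def check_site(host: str, path: str = "/", timeout: float = 10.0) -> Tuple[List[str], int]:
    """Return (redirect problems, HTTPS status); raises ssl.SSLError if the certificate is bad."""
    plain = http.client.HTTPConnection(host, 80, timeout=timeout)
    plain.request("GET", path, headers={"Host": host})
    resp = plain.getresponse()
    problems = evaluate_redirect(resp.status, resp.getheaders(), host, path)
    plain.close()
    # create_default_context() verifies the chain and the hostname, which is the point:
    # the ACM certificate must match awspractice.xyz, not the ALB's own DNS name.
    secure = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                         context=ssl.create_default_context())
    secure.request("GET", path, headers={"Host": host})
    https_status = secure.getresponse().status
    secure.close()
    return problems, https_status


# Constructed sample responses: what an ALB redirect listener returns, and a server still on HTTP.
GOOD_ALB_RESPONSE = (301, [("Server", "awselb/2.0"), ("Location", "https://awspractice.xyz:443/")])
STILL_HTTP_RESPONSE = (200, [("Server", "Apache/2.4"), ("Content-Type", "text/html")])

if __name__ == "__main__":
    import sys
    site = sys.argv[1] if len(sys.argv) > 1 else "awspractice.xyz"
    redirect_problems, status = check_site(site)
    print("redirect:", redirect_problems or "OK")
    print("https status:", status)
```

A 200 on the plain-HTTP leg (the STILL_HTTP_RESPONSE case) means the port 80 listener is still forwarding to the target group rather than redirecting; a certificate error on the HTTPS leg usually means the ACM certificate was issued for a different name or is still pending validation.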

AutoScaling testing

Log in to the bastion server and from there into one of the web servers. Run this command on that web server:

timeout 900 cat /dev/zero > /dev/null

It pins one vCPU at 100%, which is enough on a t2.micro (one vCPU); on a bigger instance start one copy per vCPU. The
timeout makes the load stop by itself after 15 minutes so it cannot be left running by mistake. Open another terminal,
log in to the same web server and run top to watch the CPU. After a few minutes above the target the AlarmHigh alarm
fires and the group launches another server (you receive an SNS email); once the load stops and CPU stays below the
low threshold for the alarm's evaluation period, the group scales in again. To stop the load early, kill the process
with kill pid_of_cpu_load_process (-9 is not needed). A t2.micro is a burstable instance and exhausts its CPU credits
if the load runs for long, so keep the test short.

EC2 (bastion)

This individual EC2 instance is the bastion server, the host through which you take SSH access to the web servers in
the private subnets. Bastion is just a role, not a special kind of server; it is a standard EC2 instance.

Launch it in one of the public subnets you created in the VPC section, attach the bastion-key key pair and the
bastion-SG security group. To reach a web server from your workstation, use agent forwarding so that webapp-key never
has to be copied onto the bastion: ssh -A -i bastion-key.pem ec2-user@<bastion public IP>, then from the bastion
ssh ec2-user@<web server private IP>.
