In cloud infrastructure, Virtual Private Clouds (VPCs) are used to create isolated network environments. A 3-tier architecture is a popular way to organize applications by splitting them into three layers:
Presentation tier: It usually includes web servers or front-end apps such us, NAT gateways, Application Load balancers and Bastion Host (Jump servers)
Application logic: The middle tier processes application logic, handles business rules and communicates with the presentation and data tiers. This tier often includes application servers (EC2 Instances).
Data Tier: This tier stores and manages data used by the application. It commonly involves databases or storage services.
Building a custom 3-tier VPC gives you more control over your network, security, and scalability.
This guide will show you how to create a 3-tier VPC on AWS through the management console.
To create this VPC, log into the management console https://aws.amazon.com/console/
Select the region in which you want to create your VPC. According to our reference architecture, this VPC should be in the US East (N. Virginia) region. (us-east-1)
To change your region, select the dropdown button in the top right navigation pane in the management console, then make sure you choose, Us-east (Northern Virginia).
After setting your region, type VPC in the search box, then select VPC under services.
In the VPC dashboard, select VPC’s Then click Create VPC.
Under VPC settings, select VPC only then give your VPC a name, and call it prod-VPC.
Leave it on the IPv4 CIDIR block.
Under IPv4 CIDIR, enter Your CIDIR block. According to our reference architecture, it is 10.0.0.0/16. leave it at no IPv6 CIDIR block, tenancy leave the default, tags optional. Then click Create VPC.
We have successfully created our VPC.
NOTE: You can see all the VPCs in your account by selecting the filter by the VPC search box, as shown below. Once you filter by a particular VPC, you will only see the information on that VPC.
Next, is to enable the DNS hostname, for the VPC we have just created.
NB: DNS options.
If you need public IPv4 DNS hostnames for the EC2 instances launched into your subnets, you must enable both of the DNS options.
To enable the DNS hostname in your VPC, make sure you’ve selected the VPC you’ve just created then select the actions drop-down button, then select edit VPC settings.
On the edit DNS hostnames dashboard, check the box on enable DNS hostname then click save changes.
Next is to create an internet gateway to allow resources in the VPC to communicate with the public. On the left side of the VPC dashboard, select Internet Gateway, then click Create Internet Gateway.
In the Create Internet gateway dashboard, under name, give your Internet gateway a name.
Leave tags as optional then click Create Internet Gateway.
You have successfully created an internet gateway.
Next, we will attach the Internet Gateway to the VPC we just created. To attach an internet gateway to a VPC, click the attach to a VPC.
Under available VPC’s, click in the search box and select your prod-VPC. Remember only the VPC that does not have an Internet Gateway attached to it in your account will show up.
You can only attach one internet gateway, to a VPC. We just created this prod VPC and we haven’t attached any internet gateway to it, that’s why it’s the only VPC that is showing there. Select it, then click Attach Internet gateway.
We have successfully attached an internet gateway to our prod VPC.
If you look at the Internet gateway, the state is attached, and the VPC it is attached to is the prod VPC.
Next, is to create our public subnets in the first and the second availability zones, as shown according to our reference architecture. On the VPC dashboard on the left side of the VPC UI, select subnets.
Am still filtering my VPC, by the prod VPC, that’s why we are not seeing subnets because we have not created any subnet in that VPC. We will create our first and second public subnets in this VPC. Click Create Subnet.
In the Create subnet dashboard, Select the drop-down button and select prod-VPC. Scroll down.
In the subnet settings sections, enter the details of your subnets, under name, call it public subnet az1, under Availability zone select the drop-down button and select us-east-1a, for IPv4 subnet CIDR block, enter 10.0.0.0/24. Then scroll down and click Create Subnet.
Again let’s create the second public subnet, click Create Subnet.
Select the VPC to create the subnet, and select the prod VPC.
Fill in the subnet name, public subnet az2, under Availability zone, we will create this subnet in us-east-1a, for the IPv4 CIDR block, type in 10.0.1.0/24, these are the only settings we need to scroll down and click create subnet.
Success, we have created our two public subnets.
Next is to enable auto-assign IP settings, this is to make sure that any Instance launched in our public subnet is automatically assigned a public subnet. Select the first subnet then select the actions drop-down button. Click edit subnet settings.
In the edit subnet settings dashboard under the auto-assign IP settings section, check the box next to enable auto-assign public IPv4 address then click save.
We have successfully changed the subnet settings.
Again for the second public subnet in the second availability zone, select it then Click the action drop-down button then select Edit subnet settings.
In the edit subnet settings dashboard, under the auto-assign public IP settings section, check the box next to enable auto-assign IPv4 address then click save.
You have successfully changed subnet settings.
Following our reference architecture, we will now create a route table. On the left side of the navigation pane on the VPC dashboard, select the route table.
Click Create Route Table.
Inthe Create Route Table dashboard, under name call your Route Table public Route Table. Under VPC, select the drop-down button and select your prod-VPC then click Create Route Table.
Route table successfully created.
If you go to the routes tab, it is showing local, which means it is only routing traffic locally within the VPC. This is because we have not associated this route table with any route. Let’s add a public route to this route table. To add a route to the route table, make sure you are in the routes tab, then click edit routes then click add route.
To add a route that routes traffic to the internet to this route table, under destination, click in the search box and type 0.0.0.0/0 then select it, under target click in the search box a gain then select your internet gateway.
Once you’ve selected the internet gateway, the internet gateway you have in your VPC will show up, Select it then click save changes.
The public route has been updated successfully.
Next, is to associate our two public subnets with the public route table. Make sure you are still in the public route table, then move to the subnet associations tab. Once in the subnet association tab, click edit subnet associations.
You will be brought to the subnet association dashboard, here select the two subnets, public subnets az1 and az2 then click save associations.
Finish creating your VPC. Proceed to create the four remaining private subnets. To create the private subnets, on the left side of the VPC dashboard, select subnets.
It is still filtering by my vpc, and currently, I have two subnets. We will strictly follow our reference architecture. Click Create Subnet.
In the create subnet dashboard, under VPC, select the drop-down button and select your prod-VPC. Scroll down.
Under the subnet name, enter private app subnet az1, under the availability zone, select the drop-down button and select us-east-1a, under IPv4 subnet CIDR block enter 10.0.2.0/24. Then scroll down at the bottom and click Add New Subnet.
This will be our second private subnet, call it private app subnet az2, and select us-east-1b under availability zone, for subnet CIDR, enter 10.0.3.0/24,
Again click add new subnet.
Under name call it private data subnet az1, for availability zone, select us-east-1a. Subnet CIDR, enter 10.0.4.0/24 and again click add new subnet.
Enter private data subnet az2, select us-east-1a, and subnet CIDR, enter 10.0.5.0/24, scroll down, and click create a subnet.
We have successfully created the four private subnets.
Remember the first two subnets we created were associated with the public route table.
The four private subnets have not been explicitly associated with any route table and hence will be associated with the main route table.
When you create a VPC, a route table is created for you by default, and it is called the main route table.
Click the route table then select the main route table.
Navigate to the subnet association tab, for explicit subnet association we can see there are no subnets, then reading the sentence for subnets without explicit association, we can see our four private subnets.
This brings us to the end of this lab.
Conclusion
In conclusion, creating a custom 3-tier VPC on AWS allows for better control over your network, by separating the application into presentation, application logic, and data tiers, you ensure a more organized and efficient cloud environment.
By following the steps provided, you will be able to create a scalable VPC architecture that organizes your application into separate tiers, ensuring improved control, security, and flexibility on AWS.
Make sure to clean up.
Thanks for reading and stay tuned for more.
If you have any questions concerning this article, please don’t hesitate to reach out to us at whizlabs.com
Thank you!
A skilled Cloud DevOps Engineer and Solutions Architect specializing in infrastructure provisioning and automation, with a focus on building scalable, fault-tolerant, and secure cloud environments.