Deploying a secure and scalable web application on AWS may seem challenging, but with proper guidance, it’s achievable. This article follows a structured approach to set up a fully functional web server using AWS services like Amazon VPC, IAM, EC2, and Systems Manager.
Step 1: Design Your Architecture
Before jumping into implementation, take a moment to review the architecture diagram for your web application. It will guide you as we configure each AWS service.
Key points:
- Create a VPC and Subnets
An Amazon VPC is a logically isolated virtual network you define, allowing you to launch AWS resources in a secure, isolated environment. We'll use the VPC wizard to quickly set up the entire virtual network for our web server, including subnets, routing, and other resources.
- Set Up Security Groups
Security groups control inbound and outbound traffic for associated resources, like servers. Your VPC comes with a default security group, but you can create additional groups with custom inbound and outbound rules.
We'll create two security groups to secure our website. One will protect the resources in the public subnets, allowing only the necessary traffic. The other will specifically secure the web server instance.
- Configure IAM Roles
AWS Identity and Access Management (IAM) is a service for securely controlling access to AWS services. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users and applications can access.
We'll configure IAM to tightly control which AWS resources our web server can access, granting only the necessary permissions.
- Launch an EC2 Instance
Amazon Elastic Compute Cloud (Amazon EC2) provides on-demand, scalable computing capacity in the Amazon Web Services (AWS) Cloud. Using Amazon EC2 reduces hardware costs so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage.
In the following section, we'll deploy our web server using Amazon EC2.
- Manage Instance with AWS Systems Manager
Session Manager is a fully managed AWS Systems Manager capability. With Session Manager, you can manage your Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, on-premises servers, and virtual machines (VMs).
We'll use Session Manager to securely access the web server for administrative purposes.
- Create an Application Load Balancer
AWS offers several types of load balancers to distribute traffic across your infrastructure.
In this section, we'll be setting up an Application Load Balancer (ALB). With the ALB, we'll be able to route incoming web traffic to our single EC2 web server instance. The load balancer will handle the network configuration and security policies to enable secure communication between clients and the web server.
- Create an S3 Bucket and Upload Files to It
Amazon Simple Storage Service (Amazon S3) is an object storage service offering industry-leading scalability, data availability, security, and performance. Millions of customers of all sizes and industries store, manage, analyze, and protect any amount of data for virtually any use case, such as data lakes, cloud-native applications, and mobile apps.
We'll store files in an Amazon S3 bucket, allowing users to access them directly from the website.
- Test Your Setup
Browse to the website!
Let’s dive in!
Instructions
Navigate to the AWS Management Console and locate the VPC service.
Click Create VPC, then select VPC and more. This will start the VPC wizard.
**Great job!** You've successfully set up the network infrastructure for our new web server.
Now browse to the Security Groups section of the Amazon EC2 service.
Now create two Security Groups with the following settings.
The first one has the Security group name Load Balancer Security Group.
After defining all the rules, click Create.
Next, repeat the process to create a Security Group with the following settings.
Make sure to add this rule to the second group, WebserverSecurityGroup.
After that, confirm that both security groups have been created.
Great, we've created two new Security Groups to limit traffic to specific ports. We'll be using these later on in the setup.
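As an added example that is not part of the original article, the following Python models the two security groups described above and audits them for rules that would undermine the design: the web server's group should accept HTTP only from the load balancer's group, and no group needs port 22 because Session Manager replaces SSH. The security-group id and the exact rule contents are assumptions, since the article's rule screenshots are not reproduced here.

```python
"""Model the two security groups from this walkthrough and audit them for
over-broad rules. Constructed example; rule contents are assumptions."""
from dataclasses import dataclass, field

ANYWHERE = {"0.0.0.0/0", "::/0"}

@dataclass
class Rule:
    port: int
    source: str  # a CIDR block or a security-group id such as "sg-0123..."
    protocol: str = "tcp"

@dataclass
class SecurityGroup:
    name: str
    internet_facing: bool  # True only for the load balancer's group
    inbound: list = field(default_factory=list)

# Only the load balancer should be reachable from the Internet, and only on HTTP.
load_balancer_sg = SecurityGroup(
    "Load Balancer Security Group", internet_facing=True,
    inbound=[Rule(80, "0.0.0.0/0")])

# The web server accepts HTTP solely from the load balancer's group, referenced by
# group id (assumed placeholder) rather than by address, so it still holds if the
# ALB's IP addresses change. No SSH rule: Session Manager replaces it.
webserver_sg = SecurityGroup(
    "WebserverSecurityGroup", internet_facing=False,
    inbound=[Rule(80, "sg-loadbalancer-placeholder")])

def audit(groups):
    """Return a list of findings; an empty list means the design holds."""
    findings = []
    for g in groups:
        for r in g.inbound:
            if r.port == 22:
                findings.append(f"{g.name}: port 22 open to {r.source}; "
                                "Session Manager makes SSH unnecessary")
            elif r.source in ANYWHERE and not g.internet_facing:
                findings.append(f"{g.name}: port {r.port} open to {r.source}; "
                                "allow only the load balancer's security group")
            elif r.source in ANYWHERE and r.port not in (80, 443):
                findings.append(f"{g.name}: port {r.port} exposed to the Internet")
    return findings

if __name__ == "__main__":
    print("\n".join(audit([load_balancer_sg, webserver_sg]) or ["no findings"]))
```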
Now we'll configure IAM to tightly control which AWS resources our web server can access, granting only the necessary permissions.
Create a new IAM role and associate it with the EC2 instance profile for the web server.
Select Roles, then click Create role.
Select EC2 Role for AWS Systems Manager and click Next.
AWS Systems Manager is a service that allows you to securely administer and manage your EC2 instances, without needing to access them over the public Internet. This role will grant the necessary permissions for Systems Manager to connect to and manage our web server instance.
Confirm that the AmazonSSMManagedInstanceCore policy has been added to the role and click Next.
Congratulations! You've created an IAM role which will be associated with the EC2 instance profile for our web server. This role provides the necessary permissions for the instance to access other AWS resources, as well as allowing secure administration through AWS Systems Manager, without needing to expose the instance directly to the public Internet.
Now we'll deploy our web server using Amazon EC2.
Browse to the EC2 service.
Some points to remember while configuring EC2:
Customers have the flexibility to launch Amazon EC2 instances with a wide selection of operating systems and pre-configured images.
For our simple web server, we'll select the Amazon Linux 2023 AMI (Amazon Machine Image) in the 64-bit (x86) architecture.
Normally, you'd create a key pair to enable secure SSH access to the EC2 instance. But in this case, we'll skip the key pair since we'll be using AWS Systems Manager to connect, rather than direct SSH.
Select Proceed without a key pair (Not recommended)
In Network settings, click the Edit button to configure the EC2 instance's networking. Associate the new instance with the Amazon VPC and private subnet we set up earlier.
Expand Advanced details. Under **IAM instance profile**, choose **WebServerInstanceProfile**. This is the instance profile we created earlier, which will allow us to privately connect to the server.
We want the server to run a script on boot that installs the necessary PHP web server components. We can accomplish this by specifying user data.
Enter the code below into the user data field.
```bash
#!/bin/bash
yum update -y
# Install Session Manager agent
yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
systemctl enable amazon-ssm-agent
# Install and start the PHP web server (unzip is needed to unpack the SDK below);
# systemctl enable makes httpd start on every boot
dnf install -y httpd wget php-json php unzip
systemctl start httpd
systemctl enable httpd
# Install AWS SDK for PHP
wget https://docs.aws.amazon.com/aws-sdk-php/v3/download/aws.zip
unzip aws.zip -d /var/www/html/sdk
rm aws.zip
# Install the web pages for our lab; remove any existing index.html so index.php is served
if [ -f /var/www/html/index.html ]; then
    rm /var/www/html/index.html
fi
cd /var/www/html
wget https://ws-assets-prod-iad-r-iad-ed304a55c2ca1aee.s3.us-east-1.amazonaws.com/2aa53d6e-6814-4705-ba90-04dfa93fc4a3/index.php
# Update existing packages
dnf update -y
```
After that, click Launch instance to complete the configuration and launch the new web server.
Once the instance is launched, you'll see a success message. Click on the underlined Amazon EC2 instance ID to navigate back to the EC2 dashboard.
Excellent work! You've successfully created the web server, leveraging all the foundational components we set up previously.
Now we'll use Session Manager to securely access the web server for administrative purposes.
Session Manager is a fully managed AWS Systems Manager capability. With Session Manager, you can manage your Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, on-premises servers, and virtual machines (VMs).
In the Amazon EC2 dashboard, select the web server instance. You'll notice it only has a private IP address, not a public one.
Now select your EC2 instance and click Connect.
Take a moment to marvel at the web server shell, then proceed to run the following commands:
```bash
# Private address of the primary interface (does not depend on the interface name)
echo -n 'Private IPv4 Address: ' && hostname -I | awk '{print $1}'
# Address the instance appears from on the Internet; the instance has no public IP
# of its own, so outbound traffic leaves the VPC through NAT
echo -n 'Public IPv4 Address: ' && curl -s checkip.amazonaws.com
```
Now, from the navigation menu, click on the Load Balancers link, then click Create load balancer.
The Application Load Balancer (ALB) operates at the application layer, providing advanced traffic routing capabilities, in contrast to other load balancer options like the Network Load Balancer which functions at the network layer.
Click Create under Application Load Balancer.
Configure the Application load balancer with the following basic and network settings:
A target group defines the targets (e.g. EC2 instances) that the load balancer will route traffic to. Configure the new target group with the following settings:
Select mywebserver and click include as pending below. This will configure the load balancer to route web traffic from the Internet to the EC2 web server instance.
Click Create target group to finalize the setup, then close the browser tab to return to the load balancer configuration.
In the Listeners and routing section, click the refresh button and select the WebServerTargetGroup we just created.
Leave the remaining settings as default and click Create load balancer.
Awesome! You have created an Application Load Balancer. For this workshop, it is configured to route incoming HTTP (port 80) web traffic from the Internet to your EC2 web server instance. In a production environment, you would want to configure the load balancer to use HTTPS for secure communication.
Navigate to the Listeners and Rules tab and click on the WebServerTargetGroup link. Verify that there is one healthy target listed.
Initially, the target may not yet be listed as healthy.
Tip
If the load balancer is not fully provisioned or the target group doesn't show a healthy instance, give it a few minutes to sort itself out - it usually takes 3-5 minutes.
Finally, there is one healthy target listed.
Now let's locate the public URL for the load balancer. You can find this under the DNS name on the Load Balancer page.
Copy the DNS name from the Load Balancer page and paste it into a new browser tab.
The following screen will appear. **We have a functioning website!** You can browse to the load balancer's public DNS address from any device. When you do, you'll see the website with options to perform various actions. The first option is related to Amazon S3 storage, so let's continue by provisioning the necessary storage.
Now browse to the Amazon S3 service.
Give your bucket a unique name; in this case I have used awslearningclubmust.
Leave the other settings as the defaults, then click Create bucket.
Next, let's upload some files to the bucket. Download the required files from here:
https://ws-assets-prod-iad-r-iad-ed304a55c2ca1aee.s3.us-east-1.amazonaws.com/2aa53d6e-6814-4705-ba90-04dfa93fc4a3/UnzipAndUpload.zip
Unarchive them locally, then upload the extracted files to the bucket. Alternatively, you can upload your own files.
After uploading the objects to your bucket, go back to the website you opened earlier via the load balancer's DNS name, open the EC2 Connection tester, and enter your bucket name (in this case awslearningclubmust) and your region (us-east-1).
Click Browse. Interesting, it looks like an error occurred. Can you investigate and figure out what might be causing that?
As expected, you get an access error on this page.
But don't worry, here is the last twist.
Browse to the IAM service and open the role you created earlier for the web server.
Under Permission policies, click Add permissions and select Attach policies.
Search for s3, select the AmazonS3ReadOnlyAccess AWS managed policy, and click Add permissions.
Switch back to the website and try using the Amazon S3 bucket object browser again.
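The managed AmazonS3ReadOnlyAccess policy attached above grants read and list access to every bucket in the account, which is broader than this one web server needs. As an added example that is not part of the original article, the Python below builds a read-only policy scoped to the article's bucket and includes a simplified evaluator so you can confirm what the policy permits before attaching it (the evaluator ignores Condition blocks).

```python
"""Bucket-scoped read-only policy for the web server's role, plus a small
evaluator that shows what it does and does not permit. Constructed example,
not the article's own code; BUCKET is the bucket name used in the article."""
import fnmatch
import json

BUCKET = "awslearningclubmust"

def read_only_policy(bucket: str) -> dict:
    """Least-privilege alternative to the AmazonS3ReadOnlyAccess managed policy:
    list this one bucket and read its objects, and nothing in any other bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }

def _matches(pattern: str, value: str) -> bool:
    # IAM action and resource patterns use * and ? wildcards; actions are case-insensitive.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny always wins, otherwise any
    matching Allow permits the call, otherwise the request is implicitly denied.
    Condition blocks are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if (any(_matches(a, action) for a in _as_list(stmt["Action"]))
                and any(_matches(r, resource) for r in _as_list(stmt["Resource"]))):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    # Attach this document as an inline policy on the role instead of AmazonS3ReadOnlyAccess.
    print(json.dumps(read_only_policy(BUCKET), indent=2))
```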
Fantastic work! You've completed the full implementation of the web server and S3 integration, showcasing your ability to deploy an AWS-powered web application. This hands-on experience has equipped you with valuable skills in areas like networking, security, compute, and storage.
Test your Knowledge
- What is an Availability Zone and why use more than one?
An Availability Zone is a group of one or more data centers within an AWS Region. Using multiple Availability Zones provides redundancy and high availability for your resources, protecting against failures in a single location.
- What's the maximum number of subnets in an Amazon VPC?
The VPC wizard has some limitations, but you can create up to 200 subnets per VPC if needed.
- What's the difference between an IAM role and an IAM permission?
An IAM role is a container that holds IAM permissions, which define the specific allowed actions and resources, to be assumed by trusted entities.
- What are the key benefits of using AWS Systems Manager to manage the web server instance?
The key benefit of using AWS Systems Manager is the ability to securely manage and maintain the web server instance without exposing management ports to the public Internet, along with a range of other administrative capabilities.
- What security principle does the IAM setup we just completed aim to follow?
The security principle that IAM and the process we followed adhere to is the principle of least privilege: only granting the minimum permissions necessary for the EC2 instance to perform its required functions.
- Approximately how many different Amazon EC2 instance types are available?
There are over 800 Amazon EC2 instance types to choose from, allowing you to select the right compute, memory, storage, and networking capabilities to match the requirements of your specific workloads.
- What are the default inbound and outbound rules when creating a new Security Group?
By default, a newly created Security Group denies all inbound traffic and allows all outbound traffic.