
I was hoping someone may be able to explain how I would set up a multi-tiered web application. There is a database tier, app tier, web server tier and then the client tier. I'm not exactly sure how to separate the app tier and web server tier since the app tier will be in a private subnet. I would have the client send the request directly to the app server, but the private net is a requirement. And having the app server separated from the web server is a requirement as well.

The only idea I have had was to serve the content on the web server and then have the client send all requests to the same web server on another port, like port 3000. If a request is captured on that port, a Node app using Express will forward the request to the app tier, since the web server can speak to the app server.

I did set up a small proof of concept doing this. The web server serves the content, then I have another Express app set up to listen on port 3000; the client sends the request on port 3000 and it just sends the exact same thing on to the app server.

This is my current setup, with the web servers hosting two servers: one to serve the frontend on port 80 and one to receive requests on port 3000. The server listening on port 3000 forwards all requests to the app server ALB (it's basically a copy of all the same routes on the app server, but it just forwards the requests instead of performing an action). But is there a way to not have this extra hop in the middle? Can I get rid of the additional server that is listening on 3000 without exposing the internal ALB?

[diagram of the current setup; image not reproduced]

user2835532
  • I think your question is specifically about the separation of a web serving tier in public subnets vs. an app tier in private subnets. Wonder if it would be acceptable to deploy ALB/ELB into public subnets and their target groups are EC2 instance app servers in private subnets. – jarmod Mar 11 '21 at 03:36
  • That's correct. I have a web app that is served using Node and uses Express. But I'm not sure how to take the frontend serving and remove it from this Node app. The only solution I have found is to copy the Express routes onto the web server and make each Express route go to the same route on the app server. – user2835532 Mar 11 '21 at 13:43
  • Right, but I'm saying that you might consider placing ALB/ELB in front of the private app tier, rather than simply reverse proxying everything with nginx/haproxy/etc. in the public subnet. Would that give you the separation you need? – jarmod Mar 11 '21 at 14:32

1 Answer


To separate your web servers and application servers, you can use a VPC with public and private subnets. In fact, this is such a common scenario that Amazon has already provided us with documentation.

As for a "better way to do this," I assume you mean security. Here are some options:

  1. You can (and should) run host-based firewalls such as iptables on your hosts.
  2. AWS also provides a variety of options.
    1. You can use Security Groups, which are stateful firewalls for your hosts.
    2. You can also use Network Access Control Lists (ACLs), which are stateless firewalls used to control traffic in and out of subnets.

AWS would also argue that many shops can improve their security posture by using managed services, so that all of the patching and maintenance is handled by AWS. For example, static content could be hosted on Amazon S3, with dynamic content provided by microservices leveraging API Gateway. Finally, from a security perspective AWS provides services like Trusted Advisor, which can help you find and fix common security misconfigurations.

Zerodf
  • I actually have this kind of setup already. I have a public subnet and two private nets. One ALB for the web server public net, one for the app server private net. Each with their own SGs and NACLs. But I don't understand how I can contact the app net after the web app has been served to the client. The only thing that I have done is to set up a forwarder on the web server to send the request to the app server. I'll update my question with a diagram to help out. – user2835532 Mar 11 '21 at 13:50
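
The answer's distinction between stateful Security Groups and stateless Network ACLs has one practical consequence that bites exactly this web-tier-to-app-tier setup, so here is an added example (not the answer's code and not an AWS API) that models the two evaluation rules as documented: a Security Group holds allow rules only, any match allows, and connection tracking lets the reply to an allowed request back out with no egress rule; a Network ACL is a numbered list evaluated in ascending order where the first match wins, with an implicit deny at the end and no tracking, so the app subnet's reply to the web tier needs its own outbound rule for the client's ephemeral port range. The addresses, security group IDs, rule numbers and ports below are constructed for the scenario.

```javascript
// Added example, not AWS code: a model of Security Group (stateful, allow-only) and
// Network ACL (stateless, ordered, first match wins) evaluation, used to show why a
// reply from the private app subnet needs an outbound NACL rule for ephemeral ports
// but no egress Security Group rule. All addresses, IDs and numbers are constructed.
"use strict";

// A flow is one direction of a TCP exchange as the app instance/subnet sees it:
// { dir: "in"|"out", peer, peerSg, peerPort, localPort }.

function cidrContains(cidr, ip) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const toInt = (a) => a.split(".").reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((toInt(base) & mask) >>> 0) === ((toInt(ip) & mask) >>> 0);
}

// rule: { fromPort, toPort, source: "10.0.1.0/24" | { sg: "sg-web" } }
function sgRuleMatches(rule, ip, sgId, port) {
  if (port < rule.fromPort || port > rule.toPort) return false;
  if (typeof rule.source === "string") return cidrContains(rule.source, ip);
  return rule.source.sg === sgId; // reference another group instead of a CIDR
}

// Stateful: an allowed flow is tracked, and its reply passes without any rule.
class SecurityGroup {
  constructor(id, ingress, egress) {
    this.id = id; this.ingress = ingress; this.egress = egress; this.tracked = new Set();
  }
  evaluate(flow) {
    const key = `${flow.peer}:${flow.peerPort}<->${flow.localPort}`;
    if (this.tracked.has(key)) return "allow (tracked reply)";
    const rules = flow.dir === "in" ? this.ingress : this.egress;
    const port = flow.dir === "in" ? flow.localPort : flow.peerPort;
    const ok = rules.some((r) => sgRuleMatches(r, flow.peer, flow.peerSg, port));
    if (ok) this.tracked.add(key);
    return ok ? "allow" : "deny";
  }
}

// Stateless: rules sorted by number, first match decides, otherwise the "*" deny.
// rule: { number, action: "allow"|"deny", cidr, fromPort, toPort }
class NetworkAcl {
  constructor(inbound, outbound) { this.inbound = inbound; this.outbound = outbound; }
  evaluate(flow) {
    const rules = [...(flow.dir === "in" ? this.inbound : this.outbound)]
      .sort((a, b) => a.number - b.number);
    const port = flow.dir === "in" ? flow.localPort : flow.peerPort;
    for (const r of rules) {
      if (cidrContains(r.cidr, flow.peer) && port >= r.fromPort && port <= r.toPort) return r.action;
    }
    return "deny"; // implicit "*" rule
  }
}

// Constructed scenario: the web tier (10.0.1.0/24, group sg-web) calls the app tier
// on 8080 from ephemeral port 51234, and the app tier replies to 10.0.1.5:51234.
function scenario() {
  const appSg = new SecurityGroup("sg-app",
    [{ fromPort: 8080, toPort: 8080, source: { sg: "sg-web" } }], // only the web tier's group
    []);                                                          // no egress rule at all
  const webOn8080 = { number: 100, action: "allow", cidr: "10.0.1.0/24", fromPort: 8080, toPort: 8080 };
  const aclMissingEphemeral = new NetworkAcl([webOn8080], [webOn8080]);
  const aclFixed = new NetworkAcl([webOn8080],
    [{ number: 100, action: "allow", cidr: "10.0.1.0/24", fromPort: 1024, toPort: 65535 }]);
  const aclBlockedHost = new NetworkAcl(
    [{ number: 50, action: "deny", cidr: "10.0.1.5/32", fromPort: 8080, toPort: 8080 }, webOn8080],
    [webOn8080]);

  const request = { dir: "in", peer: "10.0.1.5", peerSg: "sg-web", peerPort: 51234, localPort: 8080 };
  const reply = { dir: "out", peer: "10.0.1.5", peerSg: "sg-web", peerPort: 51234, localPort: 8080 };
  const stranger = { dir: "in", peer: "10.0.2.7", peerSg: "sg-db", peerPort: 40000, localPort: 8080 };
  return {
    sgRequest: appSg.evaluate(request),                  // allow
    sgReply: appSg.evaluate(reply),                      // allowed by tracking, no egress rule
    sgStranger: appSg.evaluate(stranger),                // deny: same VPC, wrong group
    naclRequest: aclMissingEphemeral.evaluate(request),  // allow
    naclReplyBroken: aclMissingEphemeral.evaluate(reply),// deny: reply goes to port 51234
    naclReplyFixed: aclFixed.evaluate(reply),            // allow: ephemeral range covered
    naclBlockedHost: aclBlockedHost.evaluate(request),   // deny: rule 50 is hit before 100
  };
}

module.exports = { cidrContains, SecurityGroup, NetworkAcl, scenario };
```

The two takeaways for the setup in the question: give the app tier's security group a single ingress rule that references the web tier's (or the ALB's) security group rather than a subnet CIDR, and if you add NACLs to the private subnet remember the outbound rule for 1024-65535 back to the web subnet, or the replies to the forwarded requests never leave.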