Deploying a Secure 3-Tier VPC for a Scalable AWS Infrastructure

Deployed SecureVPCStack, a secure, scalable 3-Tier VPC for FinTechSecure Corp using Terraform, featuring a bastion host, private EC2 instances with Apache, and automated provisioning, achieving secure access, modularity, and operational efficiency for their financial platform.

July 3, 2025

Project Details

Industry
Cloud Infrastructure

Technologies Used

AWS VPC, AWS EC2, AWS Security Groups, AWS Elastic IP, Terraform, Amazon Linux 2

Secure 3-Tier VPC for a Scalable AWS Infrastructure

The AMJ Cloud Technologies DevOps team designed and deployed SecureVPCStack, a Terraform-based project to deliver a secure, scalable, and modular 3-Tier AWS VPC infrastructure for FinTechSecure Corp. This solution provisions public, private, and database subnets, a bastion host, private EC2 instances running Apache, and automated provisioning with Terraform provisioners, ensuring secure access and operational efficiency for their financial platform.

Situation

FinTechSecure Corp, a financial technology company, required a secure and scalable AWS infrastructure to support their financial services platform, which demanded strict compliance and data isolation. Manual VPC setups were error-prone, inconsistent, and risked security misconfigurations. I was tasked with creating SecureVPCStack, an automated, repeatable 3-Tier VPC (Web, App, Database) to provide secure access, modularity, and scalability with minimal manual intervention.

Task

My objective was to create a Terraform-based infrastructure in AWS us-east-1 with:

  • A 3-Tier VPC with public, private, and database subnets, including a NAT Gateway.
  • A bastion host in a public subnet for secure SSH access and private EC2 instances running Apache web servers.
  • An Elastic IP for the bastion host for consistent access.
  • Security groups for SSH (bastion) and SSH/HTTP (private instances).
  • Terraform provisioners for automation (key management, Apache installation, logging).
  • Modular files, explicit dependencies, and consistent tagging (Owner=FinTechSecure, Environment=prod, Project=SecureVPCStack) for maintainability.
  • Completion within three months.
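The two security groups from the requirement list above, as an added example (not the project's own files): SSH to the bastion is limited to operator ranges, and the private tier accepts SSH only from the bastion's security group rather than from any CIDR. The resource names `bastion_sg` and `private_sg`, the variable `admin_cidr_blocks` and its constructed default are assumptions; `module.vpc` is the VPC module shown later on this page.

```hcl
variable "admin_cidr_blocks" {
  description = "Operator source ranges allowed to reach the bastion over SSH"
  type        = list(string)
  default     = ["203.0.113.0/24"] # constructed placeholder (TEST-NET-3); use real VPN/office ranges
}
# Bastion: SSH only from the operator ranges, never from 0.0.0.0/0
resource "aws_security_group" "bastion_sg" {
  name        = "secure-bastion-sg"
  description = "SSH to bastion from operator networks"
  vpc_id      = module.vpc.vpc_id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.admin_cidr_blocks
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = { Owner = "FinTechSecure", Environment = "prod", Project = "SecureVPCStack" }
}
# Private tier: SSH only via the bastion SG (no CIDR rule), HTTP only from inside the VPC;
# outbound stays open so yum can reach the NAT Gateway during user-data provisioning
resource "aws_security_group" "private_sg" {
  name        = "secure-private-sg"
  description = "SSH from bastion SG, HTTP from VPC"
  vpc_id      = module.vpc.vpc_id
  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion_sg.id]
  }
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [module.vpc.vpc_cidr_block]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = { Owner = "FinTechSecure", Environment = "prod", Project = "SecureVPCStack" }
}
```

Referencing the bastion security group instead of its IP means the rule keeps working if the bastion is replaced, and a private instance never exposes port 22 to the internet even if someone later gives it a public address.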

Action

The team implemented the following using Terraform; I personally coded and tested the configurations to ensure a secure and reliable solution:

Define VPC Variables

  • Example from c4-01-vpc-variables.tf:
    variable "vpc_cidr_block" {
      description = "CIDR block for the VPC"
      type        = string
      default     = "10.0.0.0/16"
    }
    variable "public_subnet_cidr_blocks" {
      description = "CIDR blocks for public subnets"
      type        = list(string)
      default     = ["10.0.101.0/24", "10.0.102.0/24"]
    }
    variable "private_subnet_cidr_blocks" {
      description = "CIDR blocks for private subnets"
      type        = list(string)
      default     = ["10.0.1.0/24", "10.0.2.0/24"]
    }
    variable "database_subnet_cidr_blocks" {
      description = "CIDR blocks for database subnets"
      type        = list(string)
      default     = ["10.0.151.0/24", "10.0.152.0/24"]
    }
    

Configure 3-Tier VPC

  • Example from c4-02-vpc-module.tf:
    module "vpc" {
      source  = "terraform-aws-modules/vpc/aws"
      version = "6.0.1"
      name = "secure-vpc"
      cidr = var.vpc_cidr_block
      azs  = ["us-east-1a", "us-east-1b"]
      public_subnets   = var.public_subnet_cidr_blocks
      private_subnets  = var.private_subnet_cidr_blocks
      database_subnets = var.database_subnet_cidr_blocks
      enable_nat_gateway = true
      single_nat_gateway = true
      tags = {
        Owner       = "FinTechSecure"
        Environment = "prod"
        Project     = "SecureVPCStack"
      }
    }
    

Deploy Private EC2 Instances

  • Example from c7-04-ec2instance-private.tf:

    module "ec2_private" {
      source  = "terraform-aws-modules/ec2-instance/aws"
      version = "6.0.2"
      # instance_count is not an input of the v6 module; count on the module block creates two instances
      count = 2
      name                   = "secure-private-${count.index}"
      ami                    = data.aws_ami.amazon_linux.id
      instance_type          = var.instance_type
      # one instance per private subnet, so the pair spans both availability zones
      subnet_id              = element(module.vpc.private_subnets, count.index)
      vpc_security_group_ids = [aws_security_group.private_sg.id]
      user_data              = file("${path.module}/app-install.sh")
      tags = {
        Owner       = "FinTechSecure"
        Environment = "prod"
        Project     = "SecureVPCStack"
      }
    }
    
  • Example from app-install.sh:

    #!/bin/bash
    # Runs once at first boot via EC2 user data (Amazon Linux 2); yum reaches the internet through the NAT Gateway
    yum update -y
    yum install -y httpd
    systemctl start httpd
    systemctl enable httpd
    # Minimal landing page that identifies which private instance answered
    echo "<h1>Hello from $(hostname -f)</h1>" > /var/www/html/index.html
    
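The bastion host and its Elastic IP, plus the AMI lookup that the `ec2_private` module above references, as an added example rather than the project's own files. It assumes `aws_security_group.bastion_sg`, `var.instance_type` and `var.key_name` are defined elsewhere in the stack; the IMDSv2 and root-volume encryption settings are additions a security reviewer would expect on an internet-facing host.

```hcl
# Assumed definition of the data source the page's ec2_private module refers to
data "aws_ami" "amazon_linux" {
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
  }
}

resource "aws_instance" "bastion" {
  ami                    = data.aws_ami.amazon_linux.id
  instance_type          = var.instance_type
  subnet_id              = module.vpc.public_subnets[0]
  vpc_security_group_ids = [aws_security_group.bastion_sg.id] # assumed to exist
  key_name               = var.key_name                       # assumed variable
  # Require IMDSv2 so instance-role credentials cannot be fetched with a plain GET
  metadata_options {
    http_tokens = "required"
  }
  root_block_device {
    encrypted = true
  }
  tags = { Name = "secure-bastion", Owner = "FinTechSecure", Environment = "prod", Project = "SecureVPCStack" }
}

# A stable address for operators; survives instance replacement because the
# association, not the instance, owns the EIP
resource "aws_eip" "bastion" {
  domain = "vpc"
  tags   = { Name = "secure-bastion-eip", Owner = "FinTechSecure", Environment = "prod", Project = "SecureVPCStack" }
}

resource "aws_eip_association" "bastion" {
  instance_id   = aws_instance.bastion.id
  allocation_id = aws_eip.bastion.id
}

output "bastion_public_ip" {
  description = "Address operators SSH to before hopping to the private tier"
  value       = aws_eip.bastion.public_ip
}
```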

Result

As part of AMJ Cloud Technologies’ DevOps team, we successfully delivered the SecureVPCStack infrastructure for FinTechSecure Corp:

  • Deployment Automation: I automated provisioning using Terraform, reducing setup time from days to hours.
  • Security Improvement: I configured secure access via a bastion host with an Elastic IP and restricted security groups, ensuring compliance for financial workloads.
  • Scalability: I designed a modular 3-Tier architecture, enabling future additions like RDS or load balancers.
  • Operational Efficiency: I implemented provisioners for automated key management and logging, minimizing manual tasks.

Key Takeaways

The SecureVPCStack project highlights my expertise as a DevOps engineer at AMJ Cloud Technologies in designing and implementing a secure, scalable AWS infrastructure using Terraform. By coding modular configurations, configuring secure access, and automating provisioning, I delivered a reliable foundation for FinTechSecure Corp’s financial platform.

Architectural Diagram

The diagram illustrates the 3-Tier VPC with public, private, and database subnets, bastion host, private EC2 instances, NAT Gateway, Elastic IP, and security group connections.
