π₯ LAB GOAL (PRODUCTION STYLE)
You will build:
Internet
β
Load Balancer (DMZ / Public)
β
Web Server (Private)
β
Database (Private)
With:
- Public subnets (DMZ)
- Private subnets (App + DB)
- NAT Gateway
- Security Groups (firewall)
- Route tables (routing)
π STEP 0 β WHAT YOU MUST HAVE
Already created:
β VPC
β 2 Public subnets
β 2 Private subnets
β Internet Gateway
β NAT Gateway
π STEP 1 β FIX ROUTING (VERY IMPORTANT)
Public Route Table
Go to VPC β Route Tables β Public RT
Make sure:
0.0.0.0/0 β Internet Gateway
Associate:
- Public Subnet 1
- Public Subnet 2
Private Route Table
Make sure:
0.0.0.0/0 β NAT Gateway
Associate:
- Private Subnet 1
- Private Subnet 2
β Result:
- Public = internet access
- Private = outbound only
π STEP 2 β CREATE SECURITY GROUPS (FIREWALL DESIGN)
1. Load Balancer SG (alb-sg)
Allow:
HTTP 80 β 0.0.0.0/0
2. Web Server SG (web-sg)
Allow:
HTTP 80 β alb-sg
SSH 22 β your IP
3. Database SG (db-sg)
Allow:
MySQL 3306 β web-sg
β Result:
- Internet β only ALB
- ALB β Web
- Web β DB
- Users CANNOT access DB
π This is real firewall architecture
π STEP 3 β CREATE LOAD BALANCER (DMZ)
Use:
Application Load Balancer
Where:
EC2 β Load Balancers β Create
Config:
Type: Application LB
Scheme: Internet-facing
-
Subnets:
- Public Subnet 1
- Public Subnet 2
-
Security Group:
alb-sg
β Result:
π Entry point for users
π STEP 4 β CREATE WEB SERVERS (PRIVATE)
Launch 2 EC2:
-
Subnet:
- private-subnet-1
- private-subnet-2
-
Security Group:
web-sg
NO public IP
Install nginx:
sudo apt update
sudo apt install nginx -y
Customize page:
echo "Hello from Web Server 1" | sudo tee /var/www/html/index.html
β Result:
π Private app servers running
π STEP 5 β CONNECT ALB β WEB
Create Target Group:
- Type: Instance
- Port: 80
Add both EC2 instances
Attach to Load Balancer
β Result:
π ALB sends traffic to web servers
π STEP 6 β TEST
Open:
http://<ALB-DNS>
β Result:
π You see your web page
Refresh:
π It switches between servers
π STEP 7 β CREATE DATABASE (SIMULATION)
You can use EC2 or:
Amazon RDS
For simple lab (EC2 DB):
Launch EC2:
- Subnet: private-subnet-1
- SG:
db-sg
β Result:
π Private DB server
π STEP 8 β TEST NETWORK SECURITY
Try:
From your laptop:
- Access DB β β FAIL
From web EC2:
- Connect DB β β WORK
π This proves firewall working
π STEP 9 β TEST NAT (VERY IMPORTANT)
SSH into web EC2:
ping google.com
β Result:
π Works β NAT is correct
π STEP 10 β BREAK & DEBUG (SRE LEVEL)
Now simulate failures:
Scenario 1 β Remove NAT route
π Private EC2 cannot reach internet
Fix:
π Add NAT route back
Scenario 2 β Remove SG rule (web β db)
π App cannot reach DB
Fix:
π Add rule back
Scenario 3 β Stop one EC2
π App still works via ALB
π This is real SRE behavior
π₯ WHAT YOU JUST LEARNED
You implemented:
β VPC design
β Subnet segmentation (DMZ / Private)
β Routing (IGW + NAT)
β Firewall (SG)
β Load balancing
β Secure DB access
β Failure testing
π¬ INTERVIEW ANSWER
I built a multi-tier architecture in AWS with public and private subnets, configured routing using Internet Gateway and NAT Gateway, secured communication using security groups, deployed web servers behind an Application Load Balancer, and validated failover and connectivity through testing scenarios.
Top comments (0)