Design a Multi-Tier Solution
Domain One of the AWS Solutions Architect Associate exam guide (SAA-C02) requires us to be able to design a multi-tier architecture solution, so that is our topic for this course.
The objective of this course is to prepare you for answering questions related to this domain. We’ll cover the need-to-know aspects of how to design multi-tier solutions using AWS services.
By the end of this course, you will be well prepared for answering questions related to Domain One in the Solutions Architect Associate exam.
You need to be familiar with a number of technology stacks that are common to multi-tier solution design for the Associate certification: LAMP, MEAN, Serverless and Microservices are relevant patterns to know for the exam.
What is Multi-Tier Architecture?
A business application generally needs three things. It needs something to interact with users, often called the presentation layer; it needs something to process those interactions, often called the logic or application layer; and it generally needs somewhere to store the data from that logic and those interactions, commonly called the data tier.
When Should You Consider a Multi-Tier Design?
The key thing to remember is that the benefit of multi-tier architecture is that the tiers are decoupled, which enables each tier to be scaled up or down on its own to meet demand. Absorbing this burst activity is a major benefit of building applications in the cloud.
When Should We Consider Single-Tier Design?
Single-tier generally implies that all your application services are running on one machine or instance. A single-tier deployment is generally cost-effective and easy to manage, but speed and cost are about the only benefits. Single-tier suits development or test environments where small teams need to work and test quickly.
Design a Multi-Tier Solution
First we review the design of a multi-tier architecture pattern using instances and elastic load balancers. Then we’ll review how we could create a similar solution using serverless services or a full microservices design.
AWS Services we use
The Virtual Private Cloud
Subnets and Availability Zones
Elastic Load Balancers
Security groups and NACLs
AWS WAF and AWS Shield
Amazon API Gateway
AWS Secrets Manager
We review sample exam questions to apply and solidify our knowledge.
Review of the content covered to help you prepare for the exam.
- [Man] So how do instances in our VPC access the internet?
Well, the first way is that we can assign a public IP address to that machine. So first we assign a public IP address or an Elastic IP address or EIP to the instances that we want to have internet access.
That gives those instances the ability to send and receive traffic from the internet, i.e. for a web service, we want to have that ability. So how do instances without public IP addresses access the internet? Instances without a public IP address can route their traffic through what we call a NAT Gateway or a NAT Instance. Now, NAT stands for Network Address Translation. And essentially, NAT instances or services traverse IP ranges, internet protocol number ranges, and so allow instances in private or public subnets to access the internet via Network Address Translation. So if a machine is in a subnet and it doesn't have an EIP address, then it's not going to be visible through the internet gateway. But if we use a NAT gateway, we can have that machine hop outbound to the internet via this Network Address Translation. So the NAT Gateway or NAT Instance allows outbound communication, but it doesn't allow machines on the internet outside of the VPC to initiate a connection to that privately addressed instance.

Okay, so let's look at another concept of connectivity, which is highly available NAT Gateways instead of NAT Instances. Remember, NAT stands for Network Address Translation, and NAT Gateways offer major advantages in terms of deployment, availability and maintenance.
So rather than running a NAT Instance, which is basically a machine that we have provisioned and managed, and for which we set up that routing rule, which allows machines in a public or private subnet, who do not have an Elastic IP address, who do not have an internet address, to connect outbound through the NAT instance, through the internet gateway, outbound to the internet. So they are basically a hopping host to get out through the internet. So remember that in terms of high availability, NAT Gateways are way more available because they're a managed service. So they scale very well and are designed to deal with burst activity, et cetera.

Now, another form of connectivity we can have to our VPC is using a VPN. So if you have a hardware VPN connection or direct connection, instances can route their internet traffic down the virtual private gateway to your own internet connection. Now, note the difference there. There's the internet gateway and there's the virtual private gateway. So a VPN connection uses a virtual private gateway. Your internet inbound and outbound traffic uses the Internet Gateway. You can also have services within your VPC access the internet via your existing egress points using a VPN connection.

Now, a couple of things to remember with VPC design: always make sure you leave spare capacity for additional subnets. So always make sure that your IP addressing contains additional capacity so that you can scale it.
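The connectivity rules the lecture walks through (public or Elastic IP plus an internet gateway route for two-way access, a NAT Gateway route for outbound-only access, a virtual private gateway route for VPN egress, and spare address space for future subnets) can be checked offline before anything is deployed. The script below is an added example written for this page, not course material or AWS code; all CIDRs, subnet names, instance names and route targets in it are constructed, and the `"igw"`, `"nat:<subnet>"` and `"vgw"` route-target labels are a notation chosen for the model rather than anything AWS uses.

```python
"""Offline model of the VPC internet-connectivity rules described in the lecture.

Added example, not part of the course material. It encodes:
  * IGW route + public/Elastic IP  -> outbound and inbound from the internet;
  * IGW route without a public IP  -> not visible through the IGW at all;
  * NAT route                      -> outbound only, and only if the NAT gateway's
                                      own subnet routes to the IGW;
  * VGW route                      -> traffic leaves via the VPN egress point;
  * VPC CIDR                       -> count the room left for additional subnets.
All CIDRs, names and route targets below are constructed for this example.
"""
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Optional


@dataclass
class Subnet:
    name: str
    cidr: str
    # Target of the route table's 0.0.0.0/0 route (model notation, not AWS API):
    # "igw", "nat:<subnet holding the NAT gateway>", "vgw", or None (no default route).
    default_route: Optional[str]


@dataclass
class Instance:
    name: str
    subnet: str
    public_ip: bool  # has a public IPv4 or Elastic IP attached


@dataclass
class Vpc:
    cidr: str
    subnets: Dict[str, Subnet]
    instances: Dict[str, Instance]


@dataclass(frozen=True)
class Reachability:
    outbound_path: Optional[str]  # "igw", "nat", "vpn" or None
    inbound_from_internet: bool   # can a host on the internet initiate a connection?


def internet_reachability(vpc: Vpc, instance_name: str) -> Reachability:
    """Apply the lecture's rules to a single instance."""
    inst = vpc.instances[instance_name]
    route = vpc.subnets[inst.subnet].default_route
    if route is None:
        return Reachability(None, False)
    if route == "igw":
        # The IGW only carries traffic for addresses with a public/EIP mapping.
        return Reachability("igw" if inst.public_ip else None, inst.public_ip)
    if route.startswith("nat:"):
        nat_subnet = vpc.subnets[route.split(":", 1)[1]]
        # The NAT gateway needs its own path to the IGW; inbound is never initiated.
        works = nat_subnet.default_route == "igw"
        return Reachability("nat" if works else None, False)
    if route == "vgw":
        # Traffic goes down the VPN to your existing on-premises egress point.
        return Reachability("vpn", False)
    raise ValueError(f"unknown default route target {route!r}")


def validate_subnets(vpc: Vpc) -> List[str]:
    """Report subnets outside the VPC CIDR or overlapping one another."""
    problems: List[str] = []
    vpc_net = ipaddress.ip_network(vpc.cidr)
    nets = [(name, ipaddress.ip_network(s.cidr)) for name, s in vpc.subnets.items()]
    for name, net in nets:
        if not net.subnet_of(vpc_net):
            problems.append(f"{name} ({net}) is not inside VPC {vpc_net}")
    for i, (a_name, a_net) in enumerate(nets):
        for b_name, b_net in nets[i + 1:]:
            if a_net.overlaps(b_net):
                problems.append(f"{a_name} ({a_net}) overlaps {b_name} ({b_net})")
    return problems


def spare_subnets(vpc: Vpc, new_prefix: int = 24) -> int:
    """How many more /new_prefix subnets fit in the VPC without overlapping existing ones."""
    vpc_net = ipaddress.ip_network(vpc.cidr)
    used = [ipaddress.ip_network(s.cidr) for s in vpc.subnets.values()]
    return sum(1 for cand in vpc_net.subnets(new_prefix=new_prefix)
               if not any(cand.overlaps(u) for u in used))


# Constructed sample: a three-tier layout plus one subnet that routes to a VGW.
EXAMPLE_VPC = Vpc(
    cidr="10.0.0.0/16",
    subnets={
        "public-a": Subnet("public-a", "10.0.0.0/24", "igw"),
        "app-a": Subnet("app-a", "10.0.1.0/24", "nat:public-a"),
        "data-a": Subnet("data-a", "10.0.2.0/24", None),
        "vpn-a": Subnet("vpn-a", "10.0.3.0/24", "vgw"),
    },
    instances={
        "web": Instance("web", "public-a", public_ip=True),
        "web-no-eip": Instance("web-no-eip", "public-a", public_ip=False),
        "app": Instance("app", "app-a", public_ip=False),
        "db": Instance("db", "data-a", public_ip=False),
        "batch": Instance("batch", "vpn-a", public_ip=False),
    },
)

if __name__ == "__main__":
    for name in EXAMPLE_VPC.instances:
        print(f"{name:12s} {internet_reachability(EXAMPLE_VPC, name)}")
    print("subnet problems:", validate_subnets(EXAMPLE_VPC) or "none")
    print("spare /24 subnets:", spare_subnets(EXAMPLE_VPC))
```

Running it shows the web instance with two-way access, the instance in the same public subnet but without an EIP with no internet path at all, the app tier with outbound-only access through the NAT gateway, the data tier isolated, and the VGW-routed subnet egressing over the VPN; the capacity check reports 252 spare /24 subnets in the /16. Swapping the NAT gateway's subnet for one without an IGW route makes the app tier lose its outbound path, which is the misconfiguration the lecture's "NAT gateway must reach the internet gateway" point guards against.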
About the Author
Head of Content
Andrew is an AWS certified professional who is passionate about helping others learn how to use and gain benefit from AWS technologies. Andrew has worked for AWS and for AWS technology partners Ooyala and Adobe. His favorite Amazon leadership principle is "Customer Obsession" as everything AWS starts with the customer. Passions around work are cycling and surfing, and having a laugh about the lessons learnt trying to launch two daughters and a few start ups.