Deploying a Classic 3-tiers Application using aws-cdk
Background
I have been looking for ways to adapt infrastructure-as-code with my team. But the initial complexity is a big deterant. Remember we not only have to output the initial configuration, but to maintain it as well.
aws-cdk
is released on 2019-07-11.
It is simpler than writing a CloudFromation template from scratch.
Perhaps it is a good entry point for teams that want to adapt infrastructure-as-code.
A Classic 3-Tiers Application
With load-balancer tier, stateless application logic tier, and database tier.
Tier | Componenet | AWS Service | Subnet |
---|---|---|---|
1 | Load-balancer | AWS ELB | Public |
2 | Application Logic | AWS ECS Fargate | Private |
3 | Database | AWS RDS Aurora | Isolated |
Following the security practice of separating subnets for different tiers, the application will be deployed into:
- a public subnet(with two-way Internet access),
- a private subnet(with out-going Internet access only), and
- a isolated subnet(no Internet access either way).
We are also using environment variable to pass database credentials as it is easier to reuse existing docker image.
Here is the aws-cdk
stack that I managed to get working:
Deploy
If you want to deploy it and poke around, you can checkout the GitHub repository here. The deployment instruction is written in README.md
.
Note that we should install the same version of aws-cdk
and other @aws-cdk/*
dependencies. It seems even minor version difference may be incompatible. I used v1.38.0
.
Some Rooms for Improvements
- Use separate route tables for each subnet.
- Database security group should allow traffic from the private subnet only.
- Calling AWS Secret Manager API from application code for database credential is probably more secure, but it will require some custom code. If you expect to reuse the same Docker image in, say, Kubernetes, it may cause problems.
- I couldn’t quite get the
DatabaseCluster
construct to work. So I used the CloudFormation verionsCfnDBCluster
. If you managed to useDatabaseCluster
, please feel free to leave a comment.