The CARMA Capstone - Deploying a Resilient Application End-to-End

Objective: To apply the cloud-agnostic principles learned throughout this course to a real-world scenario. You will take a pre-packaged application, deploy it onto a cloud provider of your choice, and configure it to be secure, scalable, and highly available. This project will test your ability to integrate skills across networking, security, data management, and infrastructure automation, demonstrating the end-to-end expertise valued by modern technology teams.

Scenario: You have just joined a promising new startup as their first Cloud Engineer. The development team has handed you their flagship application as a .zip file. The application is stateful and requires a database to store user data. The file contains the application's source code, a Dockerfile to containerize it, and a basic Infrastructure as Code (IaaC) configuration file. Your mission is to get this application running in the cloud and ready to serve customers globally.

Step 1: Foundational Setup & Security Baseline

First, you must build the secure "digital land" where your application will live. This involves creating a private, isolated network and defining the specific permissions your cloud resources will need to operate, adhering to the Principle of Least Privilege.

• Tasks:
  1. Create a new Virtual Private Cloud (VPC) to isolate your application's network from the public internet
  2. Within the VPC, configure at least one public subnet (for components that need to face the internet, like a load balancer) and one private subnet (for secure back-end resources like the database)
  3. Using Identity and Access Management (IAM), create specific roles for your application's components. For example, create a role that grants the application's compute service the permission to read/write from the database, but nothing more
• Connection to Previous Labs: This step is a direct, practical application of the concepts mastered in Lab F: Configure VPC and IAM Polices. You are moving from learning about these components individually to architecting them as the secure foundation for a complete application.

Step 2: Provisioning the Persistent Data Store

Because the application is stateful, it needs a database that "remembers" information between user sessions. You will provision a managed database and place it within the secure private subnet you created in the previous step.

• Tasks:
  1. Choose and deploy a managed relational database service (e.g., Cloud SQL, Azure Database for MySQL, AWS RDS)
  2. Configure the database to reside exclusively in the private subnet of your VPC, ensuring it is not directly accessible from the public internet
  3. Set up firewall rules (Security Groups) to only allow connections from within your VPC, specifically from the resources that will host your application
• Connection to Previous Labs: This step builds directly on Lab D: Create a Relational Database in the Cloud. While in that lab you focused on creating and connecting to the database, you are now integrating it into a secure network architecture learned from Lab F

Step 3: Building and Storing the Application Container

Next, you will containerize the application to ensure it runs consistently across any environment. This package, called a container image, will then be stored in a private repository in the cloud, ready for deployment.

• Tasks:
  1. On your local machine or in the Cloud Shell, use the provided Dockerfile to build the application into a Docker container image.
  2. Authenticate to your cloud provider's container registry service.
  3. "Push" your container image to the private registry, making it available for your cloud infrastructure to pull from.
• Connection to Previous Labs: This is an advanced application of the skills introduced in Lab G: Use a Serverless Backend, which covers containers. It also leverages your comfort with the command line from Lab B: Create and Edit a File in Cloud Storage, as building and pushing container images is primarily a CLI-driven process.

Step 4: Deploying the Application with Infrastructure as Code (IaaC)

With your network and database ready and your application image stored, it's time to deploy. You will use the provided IaaC file to declaratively define and launch the compute service that will run your container.

• Tasks:
  1. Modify the IaaC file (e.g., Terraform) to define a managed container service (e.g., Cloud Run, Azure Container Apps, AWS Fargate).
  2. Configure the service to use the container image you pushed in Step 3.
  3. Assign the specific IAM role you created in Step 1 to the service, granting it the necessary permissions.
  4. Securely pass the database connection details (endpoint, username, password) to the application using a secret management service.
  5. Run the IaaC script to deploy your application.
• Connection to Previous Labs: This step synthesizes several concepts. The core deployment of a containerized application comes from Lab G. The use of IaaC is a key concept from Chapter 7. The security aspect of assigning the correct IAM role and managing secrets ties back to Lab F.