Objective

In this lab, you’ll learn how to create a secure network using a Virtual Private Cloud (VPC) and demonstrate a real-world use case by running a web server on a public server that connects to a database service on a private server. You’ll build on Lab D, where you opened a firewall port to connect to a database directly - a complete cybersecurity no-no in the cloud. Here, you’ll create a more secure setup by isolating resources in a VPC with public and private subnets.

An optional add-on lab is provided to explore Identity and Access Management (IAM) policies for controlling access to resources.

Start Where You Are

In Lab D, you allowed your computer’s IP address to access a database through a firewall rule. This worked for a quick test, but it’s not ideal for real-world scenarios because:

  1. It’s Fragile: If you move to a new location (like a coffee shop), your IP address changes, and you’d need to update the firewall rule.
  2. It’s Not Specific Enough: Anyone using your IP address could try to access the database—it doesn’t check who you are.

Introduction to the Three-Tier Architecture

The three-tier architecture is a common design pattern for building secure and scalable cloud applications. It organizes an application into three logical layers:

  1. Presentation Tier: The user interface, typically a web server (e.g., Nginx or Apache) that users interact with through a browser or app. It handles requests and displays data.
  2. Application Tier: The business logic layer, often hosting APIs or services that process requests, perform calculations, or manage workflows. This tier communicates between the presentation and data tiers.
  3. Data Tier: The storage layer, where data is stored and managed, typically in a database (e.g., SQLite, MySQL, PostgreSQL or any of the NoSQL databases from the last lab for that matter). This tier is kept secure and isolated from direct external access.

This architecture separates concerns, improves scalability (each tier can scale independently), and enhances security by isolating sensitive components like the database. In real-world applications, each tier is often deployed in separate subnets or servers, with strict network controls to limit access.
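To make the isolation concrete, here is a small rule-evaluation model (added for this lab write-up, not part of the original lab materials or any cloud provider's API) that contrasts the Lab D "allow my laptop's IP" rule with subnet-scoped VPC rules. The subnets, addresses, ports and rule names are constructed for illustration.

```python
# Added example: models default-deny firewall rules to show why whitelisting a
# laptop IP (Lab D) is fragile and how VPC subnet-scoped rules keep the data
# tier reachable only from the public subnet. All values are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed VPC layout: web server in the public subnet, database in the private one.
PUBLIC_SUBNET = ip_network("10.0.1.0/24")
PRIVATE_SUBNET = ip_network("10.0.2.0/24")
WEB_SERVER = "10.0.1.10"
DB_SERVER = "10.0.2.20"
HTTP_PORT, DB_PORT = 80, 5432

@dataclass(frozen=True)
class Rule:
    name: str
    source: IPv4Network   # the source address must fall inside this range
    dest: IPv4Network     # the destination address must fall inside this range
    port: int             # the destination port the rule permits

def allowed(rules, src, dst, port):
    """Default-deny: a connection succeeds only if some rule matches src, dst and port."""
    src, dst = ip_address(str(src)), ip_address(str(dst))
    return any(src in r.source and dst in r.dest and port == r.port for r in rules)

# Lab D style: the database port is exposed and a single laptop IP is whitelisted.
LAB_D_RULES = [
    Rule("allow-my-laptop", ip_network("203.0.113.7/32"), ip_network(f"{DB_SERVER}/32"), DB_PORT),
]

# VPC style: anyone may reach the web tier on 80; only the public subnet may reach the DB port.
VPC_RULES = [
    Rule("allow-http-to-web", ip_network("0.0.0.0/0"), PUBLIC_SUBNET, HTTP_PORT),
    Rule("allow-web-to-db", PUBLIC_SUBNET, PRIVATE_SUBNET, DB_PORT),
]

def lab_d_from_home():      # whitelisted IP: works
    return allowed(LAB_D_RULES, "203.0.113.7", DB_SERVER, DB_PORT)
def lab_d_from_cafe():      # new location, new IP: the rule silently stops working
    return allowed(LAB_D_RULES, "198.51.100.9", DB_SERVER, DB_PORT)
def vpc_internet_to_db():   # no rule exposes the private subnet: denied
    return allowed(VPC_RULES, "198.51.100.9", DB_SERVER, DB_PORT)
def vpc_internet_to_web():  # the presentation tier is the only public entry point
    return allowed(VPC_RULES, "198.51.100.9", WEB_SERVER, HTTP_PORT)
def vpc_web_to_db():        # the web server reaches the database over the private network
    return allowed(VPC_RULES, WEB_SERVER, DB_SERVER, DB_PORT)

if __name__ == "__main__":
    for check in (lab_d_from_home, lab_d_from_cafe, vpc_internet_to_db, vpc_internet_to_web, vpc_web_to_db):
        print(f"{check.__name__:22s} allowed={check()}")
```

Note that the VPC rules never mention the laptop at all: the database is reachable only from the web tier, and the user's own IP address has become irrelevant.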


Connection to This Lab

In this lab, you’ll implement a simplified version of the three-tier architecture: