Hello.
The architecture diagram is probably simplified and it appears to only use a single subnet, but if you want to ensure availability, you should configure the subnets in a multi-AZ configuration.
To connect to the EC2 instance listed as a jumpbox, you can use Systems Manager Session Manager to place the EC2 instance in a private subnet.
By managing EC2 with Systems Manager, you can automate tasks such as patch application.
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html
As described in the following document, Amplify allows you to configure AWS WAF, so please consider configuring it as a security measure for your web application.
https://docs.aws.amazon.com/amplify/latest/userguide/WAF-integration.html
Have you considered backing up your RDS?
If you haven't done so yet, we recommend using something like AWS Backup.
https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html
Although the application is hosted in a private subnet, please note that you will not be able to access AWS services such as Amazon SES, ECR, Secrets Manager or S3 unless a NAT Gateway or VPC endpoint is configured.
https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html
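The last point above is easy to get wrong in a no-NAT private subnet, so here is an added check (example code, not part of the answer or of any AWS tooling) that compares the endpoints a VPC actually has against the ones Session Manager, SES SMTP, ECR, Secrets Manager and S3 need. The endpoint inventory is a constructed sample shaped like the `VpcEndpoints` list from the EC2 `DescribeVpcEndpoints` API; the VPC id and region are placeholders.

```python
"""Report VPC endpoints missing for a private subnet with no NAT Gateway."""

# Endpoints each capability needs: (PrivateLink service suffix, endpoint type).
# ECR serves image layers from S3, so image pulls also need the S3 gateway.
REQUIRED = {
    "session-manager": [("ssm", "Interface"), ("ssmmessages", "Interface"),
                        ("ec2messages", "Interface")],
    "ses-smtp": [("email-smtp", "Interface")],
    "ecr": [("ecr.api", "Interface"), ("ecr.dkr", "Interface"), ("s3", "Gateway")],
    "secrets-manager": [("secretsmanager", "Interface")],
    "s3": [("s3", "Gateway")],
}


def service_name(region, suffix):
    """Build the PrivateLink service name, e.g. com.amazonaws.eu-west-1.ssm."""
    return f"com.amazonaws.{region}.{suffix}"


def missing_endpoints(region, vpc_id, vpc_endpoints):
    """Return {capability: [missing service names]} for one VPC.

    Only endpoints attached to vpc_id and in state 'available' count; an
    endpoint that is still pending provides no connectivity yet.
    """
    present = {
        (ep["ServiceName"], ep["VpcEndpointType"])
        for ep in vpc_endpoints
        if ep["VpcId"] == vpc_id and ep["State"] == "available"
    }
    report = {}
    for capability, needs in REQUIRED.items():
        missing = [service_name(region, suffix)
                   for suffix, ep_type in needs
                   if (service_name(region, suffix), ep_type) not in present]
        if missing:
            report[capability] = missing
    return report


# Constructed sample (placeholder VPC id): S3 gateway, ssm and ecr.api exist,
# ecr.dkr is still pending, everything else is absent.
SAMPLE_ENDPOINTS = [
    {"VpcId": "vpc-0example", "ServiceName": "com.amazonaws.eu-west-1.s3", "VpcEndpointType": "Gateway", "State": "available"},
    {"VpcId": "vpc-0example", "ServiceName": "com.amazonaws.eu-west-1.ssm", "VpcEndpointType": "Interface", "State": "available"},
    {"VpcId": "vpc-0example", "ServiceName": "com.amazonaws.eu-west-1.ecr.api", "VpcEndpointType": "Interface", "State": "available"},
    {"VpcId": "vpc-0example", "ServiceName": "com.amazonaws.eu-west-1.ecr.dkr", "VpcEndpointType": "Interface", "State": "pendingAcceptance"},
]

if __name__ == "__main__":
    for capability, missing in missing_endpoints("eu-west-1", "vpc-0example", SAMPLE_ENDPOINTS).items():
        print(f"{capability}: missing {', '.join(missing)}")
```

In a real account, replace `SAMPLE_ENDPOINTS` with the `VpcEndpoints` field of the `describe-vpc-endpoints` response; add `kms` and `logs` to the Session Manager entry if you encrypt or log sessions.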
I'd be happy to review your architecture diagram for AWS. Based on what I can see, you've designed a three-tier architecture with web, application, and database layers. Here are some observations and recommendations:
Strengths of your design:
- You've implemented a multi-AZ deployment which provides good high availability
- The use of load balancers helps distribute traffic and provides failover capability
- You've separated your resources into different tiers which follows best practices
Recommendations for improvement:
- Security considerations:
  - Consider adding AWS WAF to your load balancer for additional protection against web exploits
  - Ensure you have proper IAM roles and policies configured for each service
  - Implement encryption for data at rest (using AWS KMS) and in transit
- Database tier:
  - Consider using Amazon RDS instead of hosting your database on EC2 for easier management, automated patching, and backups
  - If you're using EC2 for specific database requirements, ensure you have a proper backup strategy
- Cost optimization:
  - Implement CloudFront for caching static content, which can reduce load on your origin servers and potentially reduce costs
  - Consider implementing S3 lifecycle policies if you're storing objects in S3 to transition them to lower-cost storage classes
- Monitoring and operations:
  - Add CloudWatch for comprehensive monitoring and alerting
  - Document your architecture decisions and requirements for future reference
- Network design:
  - Ensure your VPC subnets are properly configured with public and private subnets
  - Verify that security groups and NACLs are properly configured to follow least privilege principles
Before proceeding to production, I would recommend running your architecture through the AWS Well-Architected Tool to perform a detailed assessment against all six pillars of the framework (operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability).
This will help identify any potential gaps in your design before deployment.
Sources
- Please help to confirm this architecture diagram is meet the best practice and cost optimization, security wise | AWS re:Post
- AWS application design and migration strategy - AWS Prescriptive Guidance
- Building a Secure and Scalable Three-Tier Architecture on AWS using CloudFormation | AWS re:Post