Architecture requirements #1

Closed
20 tasks done
DigiPie opened this issue Nov 3, 2020 · 0 comments
DigiPie commented Nov 3, 2020

Breakdown of requirements stated in https://gist.github.com/houdinisparks/b8dcd1d2b5b1179b45b0afe68351e027 and the Well Architected Framework.

VPC requirements

  • Entire infrastructure in a private isolated network.
    • Solution: Place web and database tier in the same VPC under public and private subnets respectively.
    • Solution: Add Bastion server in public subnet for accessing database in private subnet.
  • Web application is available over the Internet via HTTP.
    • Solution: App instances only allow ingress/egress from Bastion and Elastic Beanstalk
  • Database tier should have restricted access (not open to HTTP) and allow traffic only through the web tier.
    • Solution: Database instances only allow ingress/egress from Bastion and Elastic Beanstalk
  • Database tier should allow outbound requests via NAT.
    • Solution: Managed NAT gateways

Database requirements

  • Requires a managed SQL database which is highly available.
    • Solution: Amazon RDS (use Aurora in real-world scenario, sadly not in free-tier).
  • Daily generation of numerous reports which incur heavy read operations on the database. Need to mitigate impact on the performance of the web application.
    • Solution: Read replica and Batch job triggered by CloudWatch rule.
  • No requirement at this point to balance the load on the database tier.

Elastic Beanstalk requirements

  • Enable automatic scaling based on traffic for cost-effectiveness.
    • Solution: Elastic Beanstalk > Auto-Scaling Group > Scaling based on instance CPU utilization.
  • L4/L7 load balancer which directs traffic to healthy instances only.
    • Solution: Elastic Beanstalk > Elastic Load Balancer (App or Network)
  • Set up CI/CD workflow
    • Solution: CodePipeline > Elastic Beanstalk

Well-architected framework

Operational Excellence

Ability to run and monitor systems to deliver value and to continually improve supporting processes and procedures.

  • Perform operations as code - Infrastructure as code.
    • Solution: CloudFormation.
  • Monitor operations.
    • Solution: CloudWatch alarms on MasterDB and Elastic Beanstalk environment

Security

Ability to protect information, systems, and assets while delivering value through risk assessments and mitigation strategies.

  • Apply security at all layers
    • Solution: Use Subnet Network ACL, VPC Security Groups, DB Subnet Groups, etc.
    • Solution: SSH Invalid User alarm for Bastion server
  • Data security at rest
    • Solution: RDS encryption at rest (for Production)

Reliability

Ability of a system to recover from disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions.

  • Automatically recover from failure
    • Solution: Elastic Beanstalk > Elastic Load Balancer health checks and auto-recovery
  • Scale horizontally to increase aggregate system availability
  • Use auto-scaling
    • Solution: Elastic Beanstalk > Auto-Scaling Group

Performance efficiency

Ability to use computing resources efficiently to meet requirements, and to maintain that efficiency.

  • Solution: Elastic Beanstalk > Auto-Scaling Group

Cost-optimisation

Ability to run systems to deliver business value at the lowest price point.

  • Adopt a consumption model; only pay for what you need/use
    • Solution: Elastic Beanstalk > Auto-Scaling Group
  • Stop spending money on data centre operations
    • Solution: Use managed services as much as possible, such as Elastic Beanstalk, RDS, managed NAT, etc.
@DigiPie DigiPie self-assigned this Nov 3, 2020
@DigiPie DigiPie pinned this issue Nov 9, 2020
@DigiPie DigiPie closed this as completed Nov 26, 2020
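An added example, not part of the original issue or the project's templates: one way to check the database-tier requirement above (ingress only from the web tier and the Bastion) against the parsed `Resources` section of a CloudFormation template. The logical IDs, CIDRs and port 3306 are assumptions made for the sample; rules added through separate `AWS::EC2::SecurityGroupIngress` resources are included because they are easy to miss when reviewing the group itself.

```python
def rule(port, **source):
    """One TCP ingress rule in CloudFormation property form."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, **source}

def sg(*ingress):
    return {"Type": "AWS::EC2::SecurityGroup",
            "Properties": {"SecurityGroupIngress": list(ingress)}}

# Constructed sample: the parsed "Resources" section of a template.
# All logical IDs, the CIDRs and port 3306 (MySQL) are assumptions.
SAMPLE = {
    "WebSG": sg(rule(80, CidrIp="0.0.0.0/0")),
    "BastionSG": sg(rule(22, CidrIp="203.0.113.10/32")),
    "DbSG": sg(rule(3306, SourceSecurityGroupId={"Ref": "WebSG"}),
               rule(3306, SourceSecurityGroupId={"Ref": "BastionSG"})),
    "DbSGWeak": sg(rule(3306, CidrIp="0.0.0.0/0")),
    # Rule attached from outside the group definition.
    "LateRule": {"Type": "AWS::EC2::SecurityGroupIngress",
                 "Properties": rule(3306, GroupId={"Ref": "DbSGWeak"},
                     SourceSecurityGroupId={"Fn::GetAtt": ["ReportSG", "GroupId"]})},
}

def source_of(r):
    """Classify a rule's source: ('sg', logical_id), ('cidr', block) or ('other', None)."""
    src = r.get("SourceSecurityGroupId")
    if isinstance(src, dict) and "Ref" in src:
        return "sg", src["Ref"]
    if isinstance(src, dict) and "Fn::GetAtt" in src:
        att = src["Fn::GetAtt"]  # list form, or "Logical.Attr" string form
        return "sg", att[0] if isinstance(att, list) else att.split(".")[0]
    cidr = r.get("CidrIp") or r.get("CidrIpv6")
    return ("cidr", cidr) if cidr else ("other", None)

def audit_db_ingress(resources, db_sg, allowed_sgs):
    """Return (group, port, kind, source) for every ingress rule on db_sg
    whose source is not one of the allowed security groups."""
    rules = list(resources[db_sg]["Properties"].get("SecurityGroupIngress", []))
    targets = ({"Ref": db_sg}, {"Fn::GetAtt": [db_sg, "GroupId"]})
    for res in resources.values():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroupIngress" and props.get("GroupId") in targets:
            rules.append(props)
    findings = []
    for r in rules:
        kind, src = source_of(r)
        if kind != "sg" or src not in allowed_sgs:  # anything unrecognised is reported
            findings.append((db_sg, r.get("FromPort"), kind, src))
    return findings
```

Calling `audit_db_ingress(SAMPLE, "DbSGWeak", {"WebSG", "BastionSG"})` reports both the open CIDR rule and the late-attached rule, while `DbSG` returns an empty list.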