Question:
Task 1.
Create an implementation design document. This task can be done individually or in a team of 2. You will present your design to the class. The document should be submitted to Turnitin and contain the following:
1. AWS diagram – showing the VPC, availability zones, subnets, services (ELBs, EC2 instances, scaling groups, etc.) and links between each of the services. Icons for various formats are available at https://aws.amazon.com/architecture/icons/
2. IAM – define the users, groups and roles that you will be creating. List the AWS permissions that will be assigned to each role/group.
3. Password policy – define policy noting any special requirements for particular groups.
4. VPCs – list the VPCs that need to be created including: Name (e.g. Production), Region, AZs to be used, number of subnets required and CIDR range. (Check your selected region supports RDS Multi-AZ.)
5. Subnets – for the Production VPC only, define each of the subnets including the name (the name should indicate what tier the subnet is, e.g. “WebPrivate1”), type (public/private), AZ and subnet CIDR address range.
6. Instance details – describe the type, size and justification for the EC2 instances you will use in each tier.
Task 2 – Implement your design
Overview
Use your solution design to implement a subset of your solution in the Qwiklabs lab environment. This
allows you to practice the configuration and validate your design. It is necessary to configure the entire
environment in the time.
There is no application code available in the lab environment to test your solution.
Trackers
The lab environment includes tracking of specific objectives. Due to the limitations of the tracking
system it helps to complete the objectives in the order specified by the tracker.
Configuration
A subset of your designed solution should be configured in the lab environment.
We recommend you configure the following services:
1. Users and roles – with the correct policies and associations
2. Production VPC
3. Internet Gateway
4. Subnets for all tiers in two availability zones
5. Route tables and routes – with correct subnet associations
6. Security Groups for all servers and load balancers
7. Auditing – of all console and API user actions
8. Load Balancers
9. Launch Configurations
10. Auto Scaling Groups
11. Compute Instances running web services
12. Storage – with a lifecycle policy
Validating Your Solution
The following tasks can be completed to validate your own solution.
Viewing web pages from the web tier instances
• If your web tier instances deploy with user data to configure a web service, then requests to the
Internet facing load balancer should provide a web page in response.
Auto Scaling Groups
• Manually increase the number of desired instances in the application tier group from two to four. The
new instances should be deployed across multiple availability zones automatically.
• Check the application load balancer has been automatically updated with the
two new instances.
Auditing
• Move a user from the Monitor group to one of the administrator groups.
• View the audit logs to verify the change was logged.
COS20009 Cloud Computing Architecture Mid-Curriculum Project p 7 of 8
IAM Roles
• View the configuration of the web tier instances and verify they are running with the appropriate IAM
role that allows them to use the storage service.
Task 3 Documentation of your implementation
Document your implementation solution with screenshots and produce a CloudFormer configuration
export. The document will be submitted to Turnitin by the due date and included in your Portfolio.
Mid-Semester Project Marking Scheme
Design
| Criterion | Requirements | Marks |
| AWS Diagram | VPC(s), Subnets, Components/Services (ELBs, EC2 instances, scaling groups, IGW, NATs, S3, etc.) clearly illustrated; highly available all tiers; minimal attack surface | 3 |
| IAM and Passwords | Groups, roles and policies correctly defined | 2 |
| Security groups | Security groups defined | 2 |
| EC2 instances | EC2 instances correctly specified (with rationale) | |
| Scaling policy | Scaling policy defined | |
Implementation check list
The following will be checked in your implementation. Make sure your portfolio has sufficient evidence
for this to be checked.
1. IAM – Groups, user and roles (3 marks)
1.1. Specified Groups created with appropriate permissions
1.2. Users added to groups
1.3. MFA enabled for SysAdmin user
1.4. Password policy created as specified
1.5. S3 access role for EC2
2. Log API calls with CloudTrail (2 marks)
2.1. Tracker Log all API calls
2.2. Log saved to S3 bucket with appropriate lifecycle
3. VPC (3 marks)
3.1. VPC created
3.2. Public and private subnets in two AZs – appropriate CIDR ranges.
3.3. NAT instance or gateway created
3.4. Make NAT accessible to the internet in the Main Route Table, and associate it with private subnets
3.5. Internet gateway created for VPC
3.6. New (Main = NO) route table created that routes to IGW and is associated with Public subnets
4. Security groups (at least 3) created with appropriate protocols and sources (3 marks)
5. Web Servers (3 marks)
5.1. Web server configuration instance created with appropriate AMI, user data, specified role and
tag Name
5.2. Image created from Web tier configurations instance
5.3. Web tier load balancer (classic) created in VPC with specified name, associate with appropriate
subnets in both AZs, and security groups.
5.4. Launch Configuration created based on your saved AMI and with specified Names. Enable
CloudWatch and add appropriate user data, storage, security group etc.
5.5. Auto Scaling Group created with appropriate policy (desired, min and max sizes)
5.6. ASG configured to receive traffic from Web tier ELB
5.7. Tag created Name = web-tier
6. App Servers (3 marks)
6.1. App tier configuration AMI, ELB, Launch configuration, ASG created (as for Web servers)
7. Create RDS db (3 marks)
7.1. DB subnet groups created
7.2. RDS instance of appropriate type created, SQL Standard ed., db.m4.2xlarge (Lab 5.3)
7.3. Multi-AZ, DB instance id, master username and password set
7.4. Appropriate security group selected, DB not publicly accessible.
Answer:
Create an implementation design document. This task can be done individually or in a team. You will present your design in the class. The document should be submitted to Turnitin and contain the following.
1. AWS Diagram, showing the VPC, availability zones, subnets, services (ELBs, EC2 instances, scaling groups etc.) and links between each of the services.
2. IAM: define the users, groups and roles that you will be creating. List the AWS permissions that will be assigned to each role/group.
| Group/Role | Group/Role Name | Permissions |
| Group | DBAdmin | AmazonRDSFullAccess |
| Group | SysAdmin | EC2Admins |
| Group | MonAdmin | Monitoring Access |
| Group | NetAdmin | LB Access |
| Group | ProgAdmin | EC2Access |
3. Password Policy
• A password with at least 8 characters, 1 uppercase and 1 lowercase letter, 1 number, and 1 special character
• Forced password change every 90 days
• No re-use of the previous three passwords
4. VPCs
| Name | Region | AZs | Number of Subnets | CIDR Range |
| Production | US-East-1 | US-East-1a, US-East-1b | 8 | 10.0.0.0/20 |
5. Subnets
| Name | Type | AZ | CIDR | No Of IPs | Route Table |
| ELBPublic1 | Public | US-East-1a | 10.0.0.0/25 | 128 | 0.0.0.0/0 – Internet Gateway, 10.0.0.0/20 – local |
| ELBPublic2 | Public | US-East-1b | 10.0.0.128/25 | 128 | 0.0.0.0/0 – Internet Gateway, 10.0.0.0/20 – local |
| WebPrivate1 | Private | US-East-1a | 10.0.2.0/23 | 512 | 0.0.0.0/0 – NAT Gateway, 10.0.0.0/20 – local |
| WebPrivate2 | Private | US-East-1b | 10.0.4.0/23 | 512 | 0.0.0.0/0 – NAT Gateway, 10.0.0.0/20 – local |
| AppPrivate1 | Private | US-East-1a | 10.0.6.0/23 | 512 | 10.0.0.0/20 – local |
| AppPrivate2 | Private | US-East-1b | 10.0.8.0/23 | 512 | 10.0.0.0/20 – local |
| DBPrivate1 | Private | US-East-1a | 10.0.10.0/26 | 64 | 0.0.0.0/0 – NAT Gateway, 10.0.0.0/20 – local |
| DBPrivate2 | Private | US-East-1b | 10.0.11.64/26 | 64 | 0.0.0.0/0 – NAT Gateway, 10.0.0.0/20 – local |
6. Instance Details
| Tier | Tag* | OS | Type | Size | Justification | # of instances | User Data? |
| Web | Key = Name, Value = web-tier | Windows Server 2016 | T2.medium | 2 vCPU, 4 GB RAM | | 2 | |
| App | Key = Name, Value = app-tier | Windows Server 2016 | T2.large | 2 vCPU, 8 GB RAM | | 2 | |
| DB | Key = Name, Value = db-tier | Windows Server 2016 | Db.T2.large | 2 vCPU, 8 GB RAM | | 2 | Yes |
7. Load Balancer Details
| Load Balancer | Name | External/Internal | Subnets | SG Name | Rule | Source |
| For Web tier | Web-elb | External | Public Subnets | Web-elbsg | Port 443 | 0.0.0.0/0 |
| For App tier | App-elb | Internal | Private Subnets | App-elbsg | Port 80, 443 | Web-tiersg |
8. Security Groups
| Instance Tier | SG Name | Rule | Source |
| Web Tier | Web-tier-sg | Port 80, 443 | Web-elb |
| App Tier | App-tier-sg | Port 80, 443 | App-elb |
| Database Tier | Db-tier-sg | Port – Database port | App-tier-sg |
9. Auto Scaling Launch Configuration
| Tier | OS | Type | Size | Configuration Name | Role | Security Group |
| Web | Windows Server 2016 | T2.medium | 2 vCPU, 4 GiB RAM | WebTier | | Web-tiersg |
| App | Windows Server 2016 | T2.large | 2 vCPU, 8 GiB RAM | AppTier | | App-tiersg |
10. Auto Scaling Groups
| Tier | Launch Configuration | Group Name | Group Size | VPC | Subnets | ELB | Tags |
| Web | WebTier | WebTier | Desired 2, Minimum 2, Maximum 4 | 10.0.0.0/20 | 10.0.2.0/23, 10.0.4.0/23 | Webelb | Key Name, Value Webtierscalinggroup |
| App | AppTier | AppTier | Desired 2, Minimum 2, Maximum 4 | 10.0.0.0/20 | 10.0.6.0/23, 10.0.8.0/23 | Appelb | Key Name, Value Apptierscalinggroup |
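As an added check (not part of the question or the answer above), the following Python script encodes the subnet plan and security-group sources from the design tables and verifies the two properties the marking scheme asks for: every subnet lies inside the VPC range with no overlaps, and only the internet-facing ELB group accepts traffic from 0.0.0.0/0. The usable-address counts subtract the five addresses AWS reserves in each subnet; the database port is assumed to be 1433 (SQL Server), since the answer only says "Database port".

```python
import ipaddress

# Constructed from the design tables above; names and CIDRs are the answer's.
VPC_CIDR = "10.0.0.0/20"
SUBNETS = {
    "ELBPublic1": "10.0.0.0/25",  "ELBPublic2": "10.0.0.128/25",
    "WebPrivate1": "10.0.2.0/23", "WebPrivate2": "10.0.4.0/23",
    "AppPrivate1": "10.0.6.0/23", "AppPrivate2": "10.0.8.0/23",
    "DBPrivate1": "10.0.10.0/26", "DBPrivate2": "10.0.11.64/26",
}
# (security group, port, source); a source is either a CIDR or another group.
# Port 1433 for the DB tier is an assumption (SQL Server default).
SG_RULES = [
    ("Web-elbsg", 443, "0.0.0.0/0"),
    ("Web-tier-sg", 80, "Web-elb"), ("Web-tier-sg", 443, "Web-elb"),
    ("App-elbsg", 80, "Web-tiersg"), ("App-elbsg", 443, "Web-tiersg"),
    ("App-tier-sg", 80, "App-elb"), ("App-tier-sg", 443, "App-elb"),
    ("Db-tier-sg", 1433, "App-tier-sg"),
]
INTERNET_FACING = {"Web-elbsg"}  # the only group allowed a 0.0.0.0/0 source
AWS_RESERVED = 5                 # network, router, DNS, future use, broadcast

def check_subnets(vpc_cidr, subnets):
    """Return (problems, usable-host counts) for a subnet plan."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside the VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    usable = {n: net.num_addresses - AWS_RESERVED for n, net in nets.items()}
    return problems, usable

def check_sg_sources(rules, internet_facing):
    """Flag rules that open a non-internet-facing group to 0.0.0.0/0."""
    exposed = []
    for sg, port, source in rules:
        try:
            src = ipaddress.ip_network(source)
        except ValueError:
            continue  # source is another security group, not a CIDR
        if src.prefixlen == 0 and sg not in internet_facing:
            exposed.append((sg, port))
    return exposed

if __name__ == "__main__":
    print(check_subnets(VPC_CIDR, SUBNETS))
    print(check_sg_sources(SG_RULES, INTERNET_FACING) or "no unexpected 0.0.0.0/0 sources")
```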