
Mastering Multi-Tier Architectures in AWS

This study guide covers the fundamental principles of designing resilient, scalable, and secure applications using multi-tier architectures on AWS, specifically aligned with the SAA-C03 exam objectives.

Learning Objectives

By the end of this guide, you should be able to:

  • Define multi-tier architecture and its advantages over monolithic designs.
  • Differentiate between public and private subnets and their roles in a secure stack.
  • Select the appropriate Elastic Load Balancer (ELB) type (ALB, NLB, or GLB) based on application requirements.
  • Explain the concept of loose coupling and its implementation via SQS and microservices.
  • Design a high-availability architecture across multiple Availability Zones (AZs).

Key Terms & Glossary

  • Multi-tier Architecture: An architectural pattern where application components are separated into distinct logical layers (tiers), often hosted in separate subnets.
  • Loose Coupling: A design principle where components have little or no knowledge of the internal workings of other components, typically achieved through messaging queues like SQS.
  • Application Load Balancer (ALB): A Layer 7 load balancer that routes traffic based on content such as URL paths or host headers.
  • Network Load Balancer (NLB): A Layer 4 load balancer capable of handling millions of requests per second with ultra-low latency.
  • NAT Gateway: A managed service that allows instances in a private subnet to connect to the internet while preventing the internet from initiating a connection with those instances.
  • Microservices: An architectural style that structures an application as a collection of small, autonomous services modeled around a business domain.

The "Big Idea"

The core philosophy of multi-tier architecture is Defense in Depth and Separation of Concerns. By isolating the database from the web server and placing the application logic in between, you limit the "blast radius" of security breaches and allow each component to scale independently. It transforms a fragile, single-point-of-failure system into a resilient fleet that can survive individual instance or AZ failures.

Formula / Concept Box

Concept                     OSI Layer   Primary Use Case
Application Load Balancer   Layer 7     HTTP/HTTPS traffic, Path-based routing, Microservices
Network Load Balancer       Layer 4     TCP/UDP traffic, Extreme performance, Static IPs
Gateway Load Balancer       Layer 3     Third-party virtual appliances (Firewalls, IDS/IPS)
Public Subnet               N/A         Resources that must be reachable from the internet (e.g., Load Balancers, Bastion Hosts)
Private Subnet              N/A         Resources that should NOT be reachable from the internet (e.g., DBs, App Servers)
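The public/private distinction in the box above is decided by a subnet's route table, not by its name. The following added example (not from the study guide) applies that rule to data in the shape of EC2 DescribeRouteTables and flags subnets whose actual class differs from what the architect intended; all resource IDs are constructed placeholders.

```python
"""Classify subnets as public or private from their route tables.

Added example, not from the study guide. It applies the page's rule: a subnet
is public when its route table sends 0.0.0.0/0 to an internet gateway (igw-*)
and private when that default route goes to a NAT gateway (nat-*) or is absent.
Input mirrors the shape of EC2 DescribeRouteTables; all IDs are placeholders.
"""

# Constructed sample: one public and one private route table.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public-EXAMPLE",
     "Associations": [{"SubnetId": "subnet-web-a"}, {"SubnetId": "subnet-web-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
    {"RouteTableId": "rtb-private-EXAMPLE",
     "Associations": [{"SubnetId": "subnet-app-a"}, {"SubnetId": "subnet-db-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"}]},
]


def default_route_target(route_table):
    """Return the target of the 0.0.0.0/0 route, or None if there is none."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            # Internet gateways appear under GatewayId, NAT gateways under NatGatewayId.
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def classify_subnets(route_tables):
    """Map every explicitly associated subnet to 'public' or 'private'."""
    classes = {}
    for rt in route_tables:
        target = default_route_target(rt)
        kind = "public" if target and target.startswith("igw-") else "private"
        for assoc in rt["Associations"]:
            if "SubnetId" in assoc:  # the VPC's main-table association has no SubnetId
                classes[assoc["SubnetId"]] = kind
    return classes


def misplaced_subnets(route_tables, intent):
    """Subnets whose actual class differs from the architect's intent (or are missing)."""
    actual = classify_subnets(route_tables)
    return sorted(s for s, want in intent.items() if actual.get(s) != want)
```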

Hierarchical Outline

  1. Foundational Networking
    • VPC Segmentation: Using multiple subnets to segment resources for security.
    • IP Planning: Leaving room for growth in subnets for ELB interfaces and EC2 scaling.
  2. The Three-Tier Model
    • Web/Presentation Tier: Public-facing, handles incoming user requests.
    • Application/Logic Tier: Private, processes business logic.
    • Data Tier: Private, stores relational or NoSQL data.
  3. Connectivity & Security
    • External Connectivity: Internet vs. Direct Connect (consistent latency/high speed).
    • Security Controls: WAF at the perimeter, Security Groups at each tier.
  4. Resilience & Scaling
    • High Availability: Deploying across multiple AZs.
    • Decoupling: Using SQS to bridge tiers and handle traffic spikes.

Visual Anchors

Typical 3-Tier Traffic Flow

Network Topology with Subnetting

\begin{tikzpicture}[node distance=2cm]
  \draw[thick] (0,0) rectangle (8,6);
  \node at (4,5.7) {VPC};

  % Public Subnet
  \draw[fill=blue!10] (0.5,3.5) rectangle (7.5,5.2);
  \node at (4,4.9) {Public Subnet};
  \node[draw, fill=white] (ALB) at (4,4.2) {ALB};

  % Private Subnet 1
  \draw[fill=green!10] (0.5,1.8) rectangle (3.5,3.2);
  \node at (2,2.9) {App Private Subnet};
  \node[draw, fill=white] (EC2) at (2,2.4) {EC2 Instances};

  % Private Subnet 2
  \draw[fill=red!10] (4.5,1.8) rectangle (7.5,3.2);
  \node at (6,2.9) {DB Private Subnet};
  \node[draw, fill=white] (RDS) at (6,2.4) {RDS Database};

  % Arrows
  \draw[->, thick] (4,6.5) -- (ALB);
  \draw[->] (ALB) -- (EC2);
  \draw[->] (EC2) -- (RDS);
\end{tikzpicture}

Definition-Example Pairs

  • Path-Based Routing: Routing requests to different backend services based on the URL path.
    • Example: example.com/api routes to an API microservice, while example.com/images routes to a static content server.
  • Loose Coupling via SQS: Separating components so they communicate via a message queue rather than direct API calls.
    • Example: An order processing system where the web server places an order in SQS, and a background worker picks it up. If the worker fails, the order remains safe in the queue.
  • Direct Connect: A dedicated network connection from on-premises to AWS.
    • Example: A financial institution pushing terabytes of data daily that requires a consistent 10 Gbps connection with predictable latency, which the public internet cannot guarantee.

Worked Examples

Scenario: Architecting a Highly Available Web Application

Goal: Build a system that can survive the loss of an entire Availability Zone.

  1. VPC Setup: Create a VPC with two public subnets and four private subnets spread across two AZs (AZ-A and AZ-B).
  2. Load Balancing: Deploy an Application Load Balancer in the public subnets of both AZs.
  3. Compute Tier: Launch EC2 instances in an Auto Scaling Group across the private subnets in both AZs. Configure the ASG to maintain a minimum of 2 instances.
  4. Data Tier: Provision an Amazon RDS instance with Multi-AZ enabled. This creates a primary DB in AZ-A and a synchronous standby in AZ-B.
  5. Security: Apply a Security Group to the ALB allowing port 443 from 0.0.0.0/0. Apply a Security Group to the EC2 instances allowing port 80 only from the ALB's Security Group.
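Step 5 chains security groups by reference rather than by CIDR, and the same pattern extends to the DB tier (app group to DB group). The added example below (not from the study guide) checks that chain over rules in the IpPermissions shape of EC2 DescribeSecurityGroups, and shows how a drifted 0.0.0.0/0 rule on the DB tier is reported; group IDs are placeholders, the DB port 3306 is an assumption, and the ALB group is deliberately outside the chain because it is the public tier.

```python
"""Verify the tier-to-tier security group chain from the worked example.

Added example, not from the study guide. A private-tier group may accept
ingress only from the group one tier above it, and never from a CIDR range.
Rules mirror the IpPermissions shape of EC2 DescribeSecurityGroups; group
IDs are placeholders and the DB port 3306 is an assumption.
"""

SECURITY_GROUPS = {
    "sg-alb": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
    "sg-app": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}],
    "sg-db": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
               "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}],
}

# Intended chain: private-tier group -> the only group allowed to reach it.
TIER_CHAIN = {"sg-app": "sg-alb", "sg-db": "sg-app"}


def rule_label(rule):
    return f"{rule['IpProtocol']}/{rule.get('FromPort')}-{rule.get('ToPort')}"


def check_tier_chain(groups, chain):
    """Return findings as strings; an empty list means the chain is intact."""
    findings = []
    for sg_id, upstream in chain.items():
        for rule in groups.get(sg_id, []):
            for cidr in rule["IpRanges"]:  # private tiers should have no CIDR ingress
                findings.append(f"{sg_id}: CIDR ingress {cidr['CidrIp']} on "
                                f"{rule_label(rule)}; private tiers must not accept CIDRs")
            for pair in rule["UserIdGroupPairs"]:
                if pair["GroupId"] != upstream:
                    findings.append(f"{sg_id}: ingress from {pair['GroupId']} on "
                                    f"{rule_label(rule)}; only {upstream} is allowed")
    return findings


def with_drift(groups):
    """Constructed drift: a 0.0.0.0/0 rule added to the DB tier, as a config-review case."""
    drifted = {k: [dict(r, IpRanges=list(r["IpRanges"])) for r in v] for k, v in groups.items()}
    drifted["sg-db"][0]["IpRanges"].append({"CidrIp": "0.0.0.0/0"})
    return drifted


if __name__ == "__main__":
    for finding in check_tier_chain(with_drift(SECURITY_GROUPS), TIER_CHAIN):
        print("FINDING", finding)
```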

Checkpoint Questions

  1. Which OSI layer does the Application Load Balancer operate on, and what routing feature does this enable?
  2. Why is it recommended to place database instances in a private subnet instead of a public one?
  3. If you require ultra-low latency and static IP addresses for your application, which load balancer should you choose?
  4. What is the primary benefit of using Amazon SQS between your web and application tiers?
  5. How do you ensure that instances in a private subnet can still download security patches from the internet?

Answers

  1. Layer 7 (Application); it enables host-based and path-based routing.
  2. To enhance security by ensuring the database has no direct route from the public internet.
  3. Network Load Balancer (NLB).
  4. Loose coupling; it allows the tiers to scale independently and ensures messages are not lost if the consumer tier is temporarily unavailable.
  5. By using a NAT Gateway located in a public subnet.
