Lab: Re-architecting Legacy Workloads to AWS Managed Services
Determine a new architecture for existing workloads
This lab guides you through the process of modernizing a legacy three-tier application architecture. You will move from a conceptual "on-premises" virtual machine model to a modern, managed AWS architecture using Amazon ECS (Fargate) for compute and Amazon RDS for the database layer.
[!WARNING] Remember to run the teardown commands at the end of this lab to avoid ongoing charges. Estimated costs are minimal if deleted within the hour.
Prerequisites
Before starting this lab, ensure you have:
- An AWS Account with administrative access.
- AWS CLI installed and configured (`aws configure`).
- Basic familiarity with Docker concepts and VPC networking.
- A default VPC in your region (standard for new accounts).
Learning Objectives
By the end of this lab, you will be able to:
- Select and Provision the appropriate managed database platform (Amazon RDS).
- Architect and Deploy a containerized compute workload using AWS Fargate.
- Implement Security Groups to enforce the principle of least privilege between tiers.
- Evaluate Migration Strategies (Replatforming vs. Rearchitecting) based on workload requirements.
Architecture Overview
We are moving from a single-server monolith to the following cloud-native architecture:
Architectural Decision Logic
\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, fill=blue!10, text width=3cm, align=center, minimum height=1cm}]
  \node (start) {Existing Workload};
  \node (eval) [below of=start] {Evaluate Requirements};
  \node (managed) [below left of=eval, xshift=-1cm] {High Ops Overhead? \\ \textbf{RDS / Fargate}};
  \node (custom) [below right of=eval, xshift=1cm] {OS Customization? \\ \textbf{EC2}};
  \draw [->, thick] (start) -- (eval);
  \draw [->, thick] (eval) -| (managed);
  \draw [->, thick] (eval) -| (custom);
\end{tikzpicture}
Step-by-Step Instructions
Step 1: Create Security Groups
We need two security groups: one for the application (Fargate) and one for the database (RDS).
```bash
# Create App Security Group
aws ec2 create-security-group --group-name app-sg --description "Security group for web app" --vpc-id <YOUR_VPC_ID>
# Create DB Security Group
aws ec2 create-security-group --group-name db-sg --description "Security group for database" --vpc-id <YOUR_VPC_ID>
```
Console alternative:
Navigate to
. Name them `app-sg` and `db-sg` respectively.
[!TIP] Always authorize the App SG to talk to the DB SG on the database port (e.g., 3306) rather than using IP ranges.
Step 2: Provision the Managed Database (RDS)
We will use Amazon RDS (MySQL) to replace a self-managed on-premises database.
```bash
# Lab-only credentials: a password passed on the command line is recorded in shell history.
aws rds create-db-instance \
  --db-instance-identifier brainybee-db \
  --db-instance-class db.t3.micro \
  --engine mysql \
  --allocated-storage 20 \
  --master-username admin \
  --master-user-password Password123! \
  --no-publicly-accessible
```
Console alternative:
Navigate to
. Choose
, "Free Tier" template, and ensure "Public Access" is set to
.
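An added check, not part of the original lab: it audits the JSON returned by `aws ec2 describe-security-groups` and `aws rds describe-db-instances` to confirm what the Step 1 tip and the Step 2 "Public Access" setting aim for, namely that the database port is reachable only from the app security group and the instance is not public. The group IDs and sample records are constructed placeholders.

```python
DB_PORT = 3306  # MySQL port named in the lab's tip

def covers_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    if perm["IpProtocol"] == "-1":  # "-1" means all protocols and all ports
        return True
    return (perm["IpProtocol"] == "tcp"
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))

def audit_db_tier(db, groups, app_sg_id, port=DB_PORT):
    """Findings for one DBInstances entry, given SecurityGroups entries."""
    findings = []
    if db.get("PubliclyAccessible"):
        findings.append("instance is publicly accessible")
    by_id = {g["GroupId"]: g for g in groups}
    app_allowed = False
    for ref in db.get("VpcSecurityGroups", []):
        sg = by_id.get(ref["VpcSecurityGroupId"])
        if sg is None:  # attached group whose rules were not fetched
            findings.append(f"{ref['VpcSecurityGroupId']}: rules not supplied")
            continue
        for perm in (p for p in sg.get("IpPermissions", []) if covers_port(p, port)):
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                findings.append(f"{sg['GroupName']}: port {port} open to CIDR {cidr}")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] == app_sg_id:
                    app_allowed = True
                else:
                    findings.append(f"{sg['GroupName']}: port {port} open to group {pair['GroupId']}")
    if not app_allowed:
        findings.append(f"no rule admits {app_sg_id} on port {port}")
    return findings

# Constructed sample data (placeholder IDs), shaped like the CLI's JSON output.
APP_SG = "sg-app-example"
GOOD_SG = {"GroupId": "sg-db-example", "GroupName": "db-sg", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": APP_SG}]}]}
OPEN_SG = {"GroupId": "sg-open-example", "GroupName": "legacy-sg", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
GOOD_DB = {"PubliclyAccessible": False,
           "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db-example"}]}
BAD_DB = {"PubliclyAccessible": True,
          "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open-example"}]}

if __name__ == "__main__":
    print(audit_db_tier(BAD_DB, [GOOD_SG, OPEN_SG], APP_SG))
```

The Step 2 command passes no `--vpc-security-group-ids`, so the instance receives the VPC's default security group rather than `db-sg`; the audit evaluates whichever groups are actually attached.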
Step 3: Create an ECS Cluster and Fargate Service
This replaces the legacy VM-based compute with a managed container platform.
```bash
# Create Cluster
aws ecs create-cluster --cluster-name brainybee-modern-app
# Register Task Definition (Simplified example using nginx)
aws ecs register-task-definition \
  --family web-app \
  --network-mode awsvpc \
  --requires-compatibilities FARGATE \
  --cpu "256" \
  --memory "512" \
  --container-definitions '[{"name":"web","image":"nginx","portMappings":[{"containerPort":80,"hostPort":80}]}]'
```
Checkpoints
- Database Availability: Run the following command. The `DBInstanceStatus` should eventually show `available`.
```bash
aws rds describe-db-instances --db-instance-identifier brainybee-db --query "DBInstances[0].DBInstanceStatus"
```
- Cluster Creation: Verify the cluster exists:
```bash
aws ecs list-clusters | grep brainybee-modern-app
```
Troubleshooting
| Error | Likely Cause | Solution |
|---|---|---|
| `VpcIdNotSpecified` | CLI not picking up default VPC. | Explicitly provide `--vpc-id` in commands. |
| `InvalidParameterValue` | Password too simple for RDS. | Use alphanumeric + special chars (e.g., !). |
| `OperationInProgress` | RDS is still creating. | Wait 5-10 minutes for provisioning. |
Challenge
Task: Update the architecture to use Amazon EFS (Elastic File System) for shared storage between Fargate tasks.
Hint:
- Create an EFS File System.
- Create EFS Mount Targets in your subnets.
- Update the ECS Task Definition to include a "volume" and "mountPoint".
Clean-Up / Teardown
Execute these commands in order to ensure all resources are deleted.
```bash
# 1. Delete RDS Instance (Skip snapshot to save time/cost)
aws rds delete-db-instance --db-instance-identifier brainybee-db --skip-final-snapshot
# 2. Delete ECS Cluster
aws ecs delete-cluster --cluster brainybee-modern-app
# 3. Delete Security Groups (Delete db-sg first, then app-sg)
aws ec2 delete-security-group --group-name db-sg
aws ec2 delete-security-group --group-name app-sg
```
Cost Estimate
| Service | Configuration | Estimated Cost (per hour) |
|---|---|---|
| Amazon RDS | db.t3.micro (MySQL) | ~$0.017 |
| AWS Fargate | 0.25 vCPU / 0.5 GB RAM | ~$0.012 |
| Data Transfer | Within AWS | Free |
| Total | | <$0.03 / hour |
Concept Review
| Component | Legacy (On-Prem) | Modern (AWS Managed) | Why? |
|---|---|---|---|
| Compute | Bare Metal / VMs | ECS Fargate | Eliminates server patching and scaling management. |
| Database | SQL Server / Oracle | Amazon RDS | Automated backups, patching, and high availability (Multi-AZ). |
| Storage | SAN / NAS | Amazon S3 / EFS | Pay-per-use scaling without capacity planning. |