Lab: Re-architecting Legacy Workloads to AWS Managed Services

This lab guides you through the process of modernizing a legacy three-tier application architecture. You will move from a conceptual "on-premises" virtual machine model to a modern, managed AWS architecture using Amazon ECS (Fargate) for compute and Amazon RDS for the database layer.

[!WARNING] Remember to run the teardown commands at the end of this lab to avoid ongoing charges. Estimated costs are minimal if deleted within the hour.

Prerequisites

Before starting this lab, ensure you have:

An AWS Account with administrative access.
AWS CLI installed and configured (aws configure).
Basic familiarity with Docker concepts and VPC networking.
A default VPC in your region (standard for new accounts).

Learning Objectives

By the end of this lab, you will be able to:

Select and Provision the appropriate managed database platform (Amazon RDS).
Architect and Deploy a containerized compute workload using AWS Fargate.
Implement Security Groups to enforce the principle of least privilege between tiers.
Evaluate Migration Strategies (Replatforming vs. Rearchitecting) based on workload requirements.

Architecture Overview

We are moving from a single-server monolith to the following cloud-native architecture:

Loading Diagram...

Architectural Decision Logic

Compiling TikZ diagram…

⏳

Running TeX engine…

This may take a few seconds

Step-by-Step Instructions

Step 1: Create Security Groups

We need two security groups: one for the application (Fargate) and one for the database (RDS).

bash

# Create App Security Group
aws ec2 create-security-group --group-name app-sg --description "Security group for web app" --vpc-id <YOUR_VPC_ID>

# Create DB Security Group
aws ec2 create-security-group --group-name db-sg --description "Security group for database" --vpc-id <YOUR_VPC_ID>

▶Console alternative

Navigate to

VPC > Security Groups > Create Security Group

. Name them

app-sg

and

db-sg

respectively.

[!TIP] Always authorize the App SG to talk to the DB SG on the database port (e.g., 3306) rather than using IP ranges.

Step 2: Provision the Managed Database (RDS)

We will use Amazon RDS (MySQL) to replace a self-managed on-premises database.

bash

aws rds create-db-instance \
    --db-instance-identifier brainybee-db \
    --db-instance-class db.t3.micro \
    --engine mysql \
    --allocated-storage 20 \
    --master-username admin \
    --master-user-password Password123! \
    --no-publicly-accessible

▶Console alternative

Navigate to

RDS > Databases > Create database

. Choose

MySQL

, "Free Tier" template, and ensure "Public Access" is set to

Step 3: Create an ECS Cluster and Fargate Service

This replaces the legacy VM-based compute with a managed container platform.

bash

# Create Cluster
aws ecs create-cluster --cluster-name brainybee-modern-app

# Register Task Definition (Simplified example using nginx)
aws ecs register-task-definition \
    --family web-app \
    --network-mode awsvpc \
    --requires-compatibilities FARGATE \
    --cpu "256" \
    --memory "512" \
    --container-definitions '[{"name":"web","image":"nginx","portMappings":[{"containerPort":80,"hostPort":80}]}]'

Checkpoints

Database Availability: Run the following command. The DBInstanceStatus should eventually show available.
bash
aws rds describe-db-instances --db-instance-identifier brainybee-db --query "DBInstances[0].DBInstanceStatus"
Cluster Creation: Verify the cluster exists:
bash
aws ecs list-clusters | grep brainybee-modern-app

Troubleshooting

Error	Likely Cause	Solution
`VpcIdNotSpecified`	CLI not picking up default VPC.	Explicitly provide `--vpc-id` in commands.
`InvalidParameterValue`	Password too simple for RDS.	Use alphanumeric + special chars (e.g., `!`).
`OperationInProgress`	RDS is still creating.	Wait 5-10 minutes for provisioning.

Challenge

Task: Update the architecture to use Amazon EFS (Elastic File System) for shared storage between Fargate tasks.

▶Show hint

Create an EFS File System.

Create EFS Mount Targets in your subnets.

Update the ECS Task Definition to include a "volume" and "mountPoint".

Clean-Up / Teardown

Execute these commands in order to ensure all resources are deleted.

bash

# 1. Delete RDS Instance (Skip snapshot to save time/cost)
aws rds delete-db-instance --db-instance-identifier brainybee-db --skip-final-snapshot

# 2. Delete ECS Cluster
aws ecs delete-cluster --cluster --cluster brainybee-modern-app

# 3. Delete Security Groups (Delete db-sg first, then app-sg)
aws ec2 delete-security-group --group-name db-sg
aws ec2 delete-security-group --group-name app-sg

Cost Estimate

Service	Configuration	Estimated Cost (per hour)
Amazon RDS	db.t3.micro (MySQL)	~$0.017
AWS Fargate	0.25 vCPU / 0.5 GB RAM	~$0.012
Data Transfer	Within AWS	Free
Total		<$0.03 / hour

Concept Review

Component	Legacy (On-Prem)	Modern (AWS Managed)	Why?
Compute	Bare Metal / VMs	ECS Fargate	Eliminates server patching and scaling management.
Database	SQL Server / Oracle	Amazon RDS	Automated backups, patching, and high availability (Multi-AZ).
Storage	SAN / NAS	Amazon S3 / EFS	Pay-per-use scaling without capacity planning.

Lab: Re-architecting Legacy Workloads to AWS Managed Services

[!WARNING] Remember to run the teardown commands at the end of this lab to avoid ongoing charges. Estimated costs are minimal if deleted within the hour.

Prerequisites

Before starting this lab, ensure you have:

An AWS Account with administrative access.
AWS CLI installed and configured (aws configure).
Basic familiarity with Docker concepts and VPC networking.
A default VPC in your region (standard for new accounts).

Learning Objectives

By the end of this lab, you will be able to:

Select and Provision the appropriate managed database platform (Amazon RDS).
Architect and Deploy a containerized compute workload using AWS Fargate.
Implement Security Groups to enforce the principle of least privilege between tiers.
Evaluate Migration Strategies (Replatforming vs. Rearchitecting) based on workload requirements.

Architecture Overview

We are moving from a single-server monolith to the following cloud-native architecture:

Loading Diagram...

Architectural Decision Logic

Compiling TikZ diagram…

⏳

Running TeX engine…

This may take a few seconds

Step-by-Step Instructions

Step 1: Create Security Groups

We need two security groups: one for the application (Fargate) and one for the database (RDS).

bash

# Create App Security Group
aws ec2 create-security-group --group-name app-sg --description "Security group for web app" --vpc-id <YOUR_VPC_ID>

# Create DB Security Group
aws ec2 create-security-group --group-name db-sg --description "Security group for database" --vpc-id <YOUR_VPC_ID>

▶Console alternative

Navigate to

VPC > Security Groups > Create Security Group

. Name them

app-sg

and

db-sg

respectively.

[!TIP] Always authorize the App SG to talk to the DB SG on the database port (e.g., 3306) rather than using IP ranges.

Step 2: Provision the Managed Database (RDS)

We will use Amazon RDS (MySQL) to replace a self-managed on-premises database.

bash

aws rds create-db-instance \
    --db-instance-identifier brainybee-db \
    --db-instance-class db.t3.micro \
    --engine mysql \
    --allocated-storage 20 \
    --master-username admin \
    --master-user-password Password123! \
    --no-publicly-accessible

▶Console alternative

Navigate to

RDS > Databases > Create database

. Choose

MySQL

, "Free Tier" template, and ensure "Public Access" is set to

Step 3: Create an ECS Cluster and Fargate Service

This replaces the legacy VM-based compute with a managed container platform.

bash

# Create Cluster
aws ecs create-cluster --cluster-name brainybee-modern-app

# Register Task Definition (Simplified example using nginx)
aws ecs register-task-definition \
    --family web-app \
    --network-mode awsvpc \
    --requires-compatibilities FARGATE \
    --cpu "256" \
    --memory "512" \
    --container-definitions '[{"name":"web","image":"nginx","portMappings":[{"containerPort":80,"hostPort":80}]}]'

Checkpoints

Database Availability: Run the following command. The DBInstanceStatus should eventually show available.
bash
aws rds describe-db-instances --db-instance-identifier brainybee-db --query "DBInstances[0].DBInstanceStatus"
Cluster Creation: Verify the cluster exists:
bash
aws ecs list-clusters | grep brainybee-modern-app

Troubleshooting

Error	Likely Cause	Solution
`VpcIdNotSpecified`	CLI not picking up default VPC.	Explicitly provide `--vpc-id` in commands.
`InvalidParameterValue`	Password too simple for RDS.	Use alphanumeric + special chars (e.g., `!`).
`OperationInProgress`	RDS is still creating.	Wait 5-10 minutes for provisioning.

Challenge

Task: Update the architecture to use Amazon EFS (Elastic File System) for shared storage between Fargate tasks.

▶Show hint

Create an EFS File System.

Create EFS Mount Targets in your subnets.

Update the ECS Task Definition to include a "volume" and "mountPoint".

Clean-Up / Teardown

Execute these commands in order to ensure all resources are deleted.

bash

# 1. Delete RDS Instance (Skip snapshot to save time/cost)
aws rds delete-db-instance --db-instance-identifier brainybee-db --skip-final-snapshot

# 2. Delete ECS Cluster
aws ecs delete-cluster --cluster --cluster brainybee-modern-app

# 3. Delete Security Groups (Delete db-sg first, then app-sg)
aws ec2 delete-security-group --group-name db-sg
aws ec2 delete-security-group --group-name app-sg

Cost Estimate

Service	Configuration	Estimated Cost (per hour)
Amazon RDS	db.t3.micro (MySQL)	~$0.017
AWS Fargate	0.25 vCPU / 0.5 GB RAM	~$0.012
Data Transfer	Within AWS	Free
Total		<$0.03 / hour

Concept Review

Component	Legacy (On-Prem)	Modern (AWS Managed)	Why?
Compute	Bare Metal / VMs	ECS Fargate	Eliminates server patching and scaling management.
Database	SQL Server / Oracle	Amazon RDS	Automated backups, patching, and high availability (Multi-AZ).
Storage	SAN / NAS	Amazon S3 / EFS	Pay-per-use scaling without capacity planning.