How to design "AWS VPC" for your application? | AWS VPC FULL GUIDE

2,006 views

I AM DINUTH

A day ago

Comments: 16

@kasunmadusanka7293 (2 years ago)
Thank you very much for the valuable guide.
@ivadollem (2 years ago)
Hi, I AM DINUTH, that was a great class. Thanks.
@IAMDINUTH (2 years ago)
Thank you
@johnh8279 (3 years ago)
Hi Dinuth. Can you please tell me what software you are using to create AWS architecture diagrams? Thank you
@IAMDINUTH (3 years ago)
Hi John, thanks for reaching out. draw.io is the tool used in this video.
@johnh8279 (3 years ago)
Hi Dinuth. I liked your tutorial a lot. I noticed you did not put the ELBs in front of any of the compute, i.e. EC2, DB and bastion server. Was this intentional? By the way, I subscribed too.
@IAMDINUTH (3 years ago)
Hi John, thank you for your feedback and for watching my videos. Instead of using ELBs I used Application Load Balancers (ALBs) in this scenario, assuming that both application tier and web tier components are serving TCP layer 7 traffic only. When you have multiple app and web tier components you don't need to create multiple ALBs, as it supports host and path based routing. If your application is operating in TCP layer 4, you can use ELBs, and if you need UDP as well you have to use NLBs. For the database I didn't use load balancers, assuming that RDS is used for the database. As it is a managed service, even when you have multiple DB replicas you don't need to create your own load balancers on top of that. The RDS service will create and provide you the database cluster URL. If you are deploying your database on top of multiple EC2s, yes, you may need a load balancer for the DB tier as well. In terms of the bastion, I didn't consider any high availability. It was used only to access private components in the application portfolio, so I didn't use a load balancer for the bastion. I hope you are clear now. I wanted to show the end to end decision making process in designing your VPC and all granular configurations. Take that experience to design your application's VPC in the way most suited for it. Cheers!!!
@johnh8279 (3 years ago)
Hi Dinuth. Hope you're well. I'm having an issue with your design. I have an EC2 instance in the web subnet and one in the app subnet behind the internal ALB, like in your design. I have Apache httpd on the web instance and Tomcat on the app instance. When I use the curl command on the web instance pointing to the internal ALB, it works great. I get back the page on Tomcat. When I use the HTML form action in the web instance page pointing to the internal ALB, it fails: "this site can't be reached" ERR_CONNECTION_TIMED_OUT. Why does curl work at the command line but the form action in the web page fails? Please advise. Thank u
@johnh8279 (3 years ago)
Hi Dinuth. I have actually built out your multitier design with ALB and EC2 instances. I have a simple web page in the web tier and can access it from the internet fine. I have Tomcat 9 installed in the app subnet. I'm using iptables to do a port 80 redirect to 8080 on Tomcat because the ALB can only do ports 80 or 443. I have a simple web page there for testing. If I curl the internal ALB from the web SN it works fine. It sends me back the web page contents as it should. My problem is: how do I contact Tomcat using a link or form action from my web page in the web SN? When I try to do this the browser just spins a wheel. Is there something I'm doing wrong? All I'm trying to do is access my Tomcat server from a web page on the web server and show it in my browser. This is for test purposes only. Please advise. Thank u.
@IAMDINUTH (3 years ago)
Hi John, it is good to hear that you tried the multi-tier VPC design. First of all, the ALB can send the traffic to your Tomcat on port 8080. You don't need to change the iptables for this.
- First check whether Tomcat 8080 is up and accessible. You can SSH to a public/bastion EC2 and again SSH to your Tomcat server in the app subnet. Check whether you can curl to Tomcat on 8080.
- The ALB can have the listener on http(80). Make sure your listener is mapped to your Target Group.
- In the Target Group, provide HTTP and 8080 for the protocol and port. Configure health checks to your health endpoint, or you can simply use the root location as well for testing. Make sure your Tomcat servers are mapped to the target group. Check the registered targets' health status. If it is unhealthy, you need to troubleshoot and fix.
- Then from the bastion or web server, try to access {YOUR_ALB_DNS}.
- Double check security groups as well. If the spinning wheel comes, usually it is because of Security Groups.
  * The web server security group should have an egress rule to allow port 80 traffic to the ALB security group.
  * The ALB security group should have an ingress rule to allow port 80 traffic from the web server security group.
  * The ALB security group should have an egress rule to allow port 8080 traffic to the app server security group.
  * The app server security group should have an ingress rule to allow port 8080 traffic from the ALB security group.
Good Luck !!!
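The security-group chain in the reply above, as an added example that is not part of the video or this thread: a small offline checker that reads groups in the shape `aws ec2 describe-security-groups` returns and verifies that each hop (web to ALB on 80, ALB to app on 8080) is allowed by both the source group's egress and the destination group's ingress, which is the pairing a spinning browser wheel usually points to. Group IDs and rules below are constructed sample data, not values from the video; the check also treats the default allow-all egress (`IpProtocol` `-1` with `0.0.0.0/0`) as permitting the hop.

```python
"""Offline checker for the web -> ALB -> app security-group chain.

Added example, not code from the video or the thread. Input is the shape
returned by `aws ec2 describe-security-groups` (the SecurityGroups list);
the groups below are constructed sample data with placeholder IDs.
"""


def _perm_allows(perm, peer_sg, port):
    """True if one IpPermission entry allows TCP `port` to/from `peer_sg`."""
    if perm["IpProtocol"] not in ("tcp", "-1"):
        return False
    if perm["IpProtocol"] == "tcp" and not (perm["FromPort"] <= port <= perm["ToPort"]):
        return False
    pairs = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
    open_cidr = any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", []))
    return peer_sg in pairs or open_cidr


def hop_open(sgs, src, dst, port):
    """A hop needs both halves: src egress to dst AND dst ingress from src."""
    by_id = {g["GroupId"]: g for g in sgs}
    egress_ok = any(_perm_allows(p, dst, port) for p in by_id[src]["IpPermissionsEgress"])
    ingress_ok = any(_perm_allows(p, src, port) for p in by_id[dst]["IpPermissions"])
    return egress_ok and ingress_ok


def check_chain(sgs, chain):
    """chain = [(src_sg, dst_sg, port), ...]; returns the hops that are blocked."""
    return [hop for hop in chain if not hop_open(sgs, *hop)]


def tcp(port, group=None, cidr=None):
    """Build one IpPermission entry (describe-security-groups shape) for a TCP port."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": group}] if group else [],
            "IpRanges": [{"CidrIp": cidr}] if cidr else []}


SAMPLE_SGS = [  # constructed sample; the sg-* IDs are placeholders
    {"GroupId": "sg-web", "IpPermissions": [tcp(443, cidr="0.0.0.0/0")],
     "IpPermissionsEgress": [tcp(80, group="sg-alb")]},
    {"GroupId": "sg-alb", "IpPermissions": [tcp(80, group="sg-web")],
     "IpPermissionsEgress": [tcp(8080, group="sg-app")]},
    {"GroupId": "sg-app", "IpPermissions": [tcp(8080, group="sg-alb")],
     "IpPermissionsEgress": []},
]
CHAIN = [("sg-web", "sg-alb", 80), ("sg-alb", "sg-app", 8080)]

if __name__ == "__main__":
    print("blocked hops:", check_chain(SAMPLE_SGS, CHAIN))  # [] when the chain is complete
```

To run it against a live account, load the JSON from `aws ec2 describe-security-groups` and pass its `SecurityGroups` list with your real group IDs in `CHAIN`.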
@johnh8279 (3 years ago)
Hi again. Thank u. Yes, all works well. I followed your entire design. Yes, I can curl the ALB and it hits Tomcat and returns the contents of the index.html page just fine. The only issue is when I create a simple web page on the web server with a link (a Tomcat link to the ALB, like I did in curl) it does not report anything back. I'm thinking my web page design may be wrong. I think it does not have code to show what's returned. I probably need to create a JSP page on Tomcat and a proper web page with a form action on it. I'm not an HTML guy. I design infrastructure. I guess I'm trying to create an easy way to test all my designs. Your design only allows port 80, 443 (because of the ALB) access to the app-sn and port 22 from the bastion server. I also cannot find a way to connect Eclipse or IntelliJ to the Tomcat servers behind the ALB? Unless I open up more ports or adjust the security group temporarily? Shed some light on how u do it?
@IAMDINUTH (3 years ago)
You can tunnel the app ALB port 80 to some desired port on your laptop (e.g. 8080) through the bastion server using SSH tunnelling. When the tunnel is established, Eclipse can access the Tomcat services through localhost:8080. Read this: www.ssh.com/academy/ssh/tunneling/example
@thenarathnegadamithchandan5226 (3 years ago)
Excellent
@IAMDINUTH (3 years ago)
Thanks Damith 👍🏻