# A 3-tier Architecture In VPC

**Purpose**

* Implement a web server and a MySQL server inside a VPC
  * Create a VPC with 1 public Subnet and 1 private Subnet
  * Create a web server in the public Subnet
  * Create a NAT Gateway/instance so that instances in the private Subnets can reach the Internet for outbound traffic (updates, package installs) without being reachable from it
  * Create a MySQL server in the private Subnet, reachable only from the public Subnet

**Steps**

* Create a VPC
  * Give the VPC a name and an IPv4 CIDR block
  * Once created, AWS also creates a main Route Table, a default Network ACL and a default Security Group for the VPC
* Create 2 Subnets (1 public Subnet and 1 private Subnet)
  * Give each Subnet a name, VPC mapping, AZ mapping and an IPv4 CIDR block inside the VPC's block
  * Select the public Subnet -> Subnet Actions -> Modify auto-assign IP settings -> Enable auto-assign public IPv4 address. Leave this disabled on the private Subnet, so its instances never get a public address.
* Attach an Internet Gateway to the VPC
  * Give the Internet Gateway a name
  * Attach it to the created VPC
* Create a custom Route Table
  * Give the Route Table a name and VPC mapping
  * Create a route out
    * Tab "Routes" -> Edit -> Add another route, Destination: "0.0.0.0/0", Target: ${internet\_gateway\_name} -> Save
  * Set the Subnet association
    * Tab "Subnet Associations" -> Edit -> choose the Subnet that should be public -> Save
  * Do not add the Internet Gateway route to the main Route Table. Every new Subnet is associated with the main Route Table by default, so an Internet Gateway route there would turn every Subnet created later into a public one. Keeping the route in a custom table means a Subnet only becomes public when it is explicitly associated with that table.
* [Create a web server](https://ysfang82.gitbooks.io/development-notes/content/AWSNotesLab/running-ec2.html) in the public Subnet
  * At "Configure Instance Details", choose the custom VPC and the public Subnet
  * Create a Security Group for the web server: allow HTTP/HTTPS from anywhere, and SSH only from your own address range, never from 0.0.0.0/0
* Create a NAT so the private Subnet can reach the Internet for outbound traffic; there are two ways:
  1. Create a NAT Gateway (recommended: managed by AWS, scales automatically, nothing to patch)
     * Create the NAT Gateway in the public Subnet and allocate a new Elastic IP for it (an EIP is a static public IP that stays with the NAT Gateway)
     * Select the main Route Table of the VPC (the one the private Subnet uses) -> tab Routes -> Edit -> add Destination: 0.0.0.0/0, Target: ${nat\_gateway}
  2. Create a NAT instance
     * Create an EC2 instance from a Community AMI filtered with the keyword: nat
     * Put it in the public Subnet of the VPC. Its Security Group should not be chosen freely: allow inbound only from the private Subnet's CIDR on the ports the private instances need (e.g. 80/443 for yum), and SSH only from your own address range.
     * Once the instance is running, Actions -> Networking -> Change Source/Dest. Check -> Disable. EC2 normally drops packets whose source or destination is not the instance itself, which is exactly the traffic a NAT forwards.
     * Select the main Route Table of the VPC -> tab Routes -> Edit -> add Destination: 0.0.0.0/0, Target: ${nat\_instance}
* Create a MySQL server in the private Subnet
  * Create a Security Group
    * Give it a name and VPC mapping
    * Add rules for SSH (22), MySQL/Aurora (3306) and All ICMP (for pinging), Source: ${public\_subnet\_cidr}. Never use 0.0.0.0/0 as the Source here: the point of the private Subnet is that only the web tier can reach the database. Using the web server's Security Group ID as the Source instead of the Subnet CIDR is tighter still, since it follows the web instances rather than every address in the Subnet.
  * Launch the instance in the private Subnet with this Security Group. It has no public IP, so SSH into it from the web server.
  * Install MySQL. The package download only works once the NAT route is in place. `mysql` is the client package; the server package is `mysql-server` (`mariadb-server` on Amazon Linux 2).

      ```
      $ sudo yum install -y mysql mysql-server
      ```
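As an added, offline check of the layout these steps build (this is example code, not part of the original notes): the Python below models the VPC, Subnets, Route Tables and Security Groups as data and flags the mistakes that quietly turn this design into a public database, such as a main Route Table pointing at the Internet Gateway, a NAT placed in the private Subnet, or a 0.0.0.0/0 source on the MySQL Security Group. All CIDRs, resource ids (`igw-0a1b2c3d`, `nat-0f1e2d3c`), the admin range `203.0.113.0/24` and the Security Group names are assumptions made up for illustration.

```python
# Added example, not the notes' own code. All CIDRs, ids (igw-/nat-) and names are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ANY = "0.0.0.0/0"

@dataclass
class Subnet:
    name: str
    cidr: str
    public: bool                 # intended role: public (web tier) or private (db tier)
    auto_assign_public_ip: bool  # "Modify auto-assign IP settings" in the console

@dataclass
class RouteTable:
    name: str
    routes: Dict[str, str]       # destination CIDR -> target ("local", "igw-...", "nat-...")
    subnets: List[str] = field(default_factory=list)  # explicit subnet associations
    main: bool = False           # the main table picks up every subnet with no association

@dataclass
class SecurityGroup:
    name: str
    subnet: str                  # subnet the instances using this SG live in
    ingress: List[Tuple[int, str]]  # (port, source); source is a CIDR or another SG's name

@dataclass
class Vpc:
    cidr: str
    subnets: List[Subnet]
    route_tables: List[RouteTable]
    nat_subnet: str              # where the NAT gateway/instance is placed
    security_groups: List[SecurityGroup]

def effective_route_table(vpc: Vpc, subnet: str) -> Optional[RouteTable]:
    """A subnet uses the table it is explicitly associated with, otherwise the main table."""
    explicit = [rt for rt in vpc.route_tables if subnet in rt.subnets]
    return explicit[0] if explicit else next((rt for rt in vpc.route_tables if rt.main), None)

def check_vpc(vpc: Vpc) -> List[str]:
    """Return findings; an empty list means the layout matches the design intent above."""
    findings: List[str] = []
    vpc_net = ipaddress.ip_network(vpc.cidr)
    by_name = {s.name: s for s in vpc.subnets}
    # 1. Addressing: every subnet inside the VPC block, no two subnets overlapping.
    for i, s in enumerate(vpc.subnets):
        if not ipaddress.ip_network(s.cidr).subnet_of(vpc_net):
            findings.append(f"{s.name}: {s.cidr} lies outside the VPC block {vpc.cidr}")
        for other in vpc.subnets[i + 1:]:
            if ipaddress.ip_network(s.cidr).overlaps(ipaddress.ip_network(other.cidr)):
                findings.append(f"{s.name} and {other.name} overlap")
    # 2. Routing: public subnets default-route to the IGW, private ones only to the NAT.
    for s in vpc.subnets:
        rt = effective_route_table(vpc, s.name)
        target = rt.routes.get(ANY, "") if rt else ""
        if s.public and not target.startswith("igw-"):
            findings.append(f"{s.name}: public subnet has no 0.0.0.0/0 route to an Internet Gateway")
        elif not s.public and target.startswith("igw-"):
            findings.append(f"{s.name}: private subnet routes 0.0.0.0/0 to an Internet Gateway")
        elif not s.public and not target.startswith("nat-"):
            findings.append(f"{s.name}: private subnet has no 0.0.0.0/0 route to a NAT")
        if not s.public and s.auto_assign_public_ip:
            findings.append(f"{s.name}: private subnet auto-assigns public IPv4 addresses")
    # 3. The NAT itself needs a public subnet, or it has no path to the Internet either.
    nat = by_name.get(vpc.nat_subnet)
    if nat is None or not nat.public:
        findings.append(f"NAT placed in {vpc.nat_subnet!r}, which is not a public subnet")
    # 4. Instances in a private subnet accept traffic only from inside the VPC:
    #    a CIDR within the VPC block, or a reference to another security group.
    sg_names = {g.name for g in vpc.security_groups}
    for g in vpc.security_groups:
        sub = by_name.get(g.subnet)
        for port, source in g.ingress:
            if source in sg_names:           # SG-to-SG reference follows the instances: fine
                continue
            if sub and not sub.public and not ipaddress.ip_network(source).subnet_of(vpc_net):
                findings.append(f"{g.name}: port {port} open to {source} on a private-subnet instance")
            if port == 22 and source == ANY:
                findings.append(f"{g.name}: SSH open to the world")
    return findings

def notes_design(db_source: str = "10.0.1.0/24", private_default: str = "nat-0f1e2d3c") -> Vpc:
    """The layout the steps above build; the two parameters let you reproduce common mistakes."""
    public, private = "10.0.1.0/24", "10.0.2.0/24"
    return Vpc(
        cidr="10.0.0.0/16",
        subnets=[Subnet("public-a", public, True, True), Subnet("private-a", private, False, False)],
        route_tables=[  # the custom table is the only one with an IGW route; the main table never is
            RouteTable("public-rt", {"10.0.0.0/16": "local", ANY: "igw-0a1b2c3d"}, ["public-a"]),
            RouteTable("main-rt", {"10.0.0.0/16": "local", ANY: private_default}, main=True),
        ],
        nat_subnet="public-a",
        security_groups=[
            SecurityGroup("web-sg", "public-a", [(80, ANY), (443, ANY), (22, "203.0.113.0/24")]),
            SecurityGroup("nat-sg", "public-a", [(80, private), (443, private)]),
            SecurityGroup("db-sg", "private-a", [(22, db_source), (3306, db_source)]),
        ],
    )
```

`check_vpc(notes_design())` returns no findings for the layout as described. `notes_design(db_source=ANY)` reproduces the classic mistake of putting 0.0.0.0/0 on the database Security Group and yields three findings (22 and 3306 exposed from a private Subnet, plus SSH open to the world), and `notes_design(private_default="igw-0a1b2c3d")` shows what happens when the Internet Gateway route is added to the main Route Table instead of the custom one: the private Subnet is reported as routed straight to the Internet Gateway.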
