Getting Started - High Availability
#Aim of this Article
In the previous article (here) an EC2 Windows virtual machine was created with PowerUser permissions, not Root or Administrator. Reducing the privileges of the management account caused a few issues that required resolving; the benefit is that the day-to-day AWS management account is prevented from accessing other user accounts and account policy.
The first Windows VM instance is destined to be a Web Server. Just for fun, I'm resurrecting my 15+ year old website, which was hosted at home on a Dell Optiplex 733 MHz running openSUSE and Apache.
Back to 2022 and AWS: the website will be hosted on a single Web Server in a single Availability Zone (AZ). To provide resilience in the event of a server or AZ failure, or an uptick in the site's popularity, Auto Scaling Groups will be configured. Load balancing will be deployed to direct traffic to the live instance, or to balance the traffic between multiple live instances. The Load Balancer will also provide a common DNS name to access the site.
A quick recap of the Windows Server setup: the Windows EC2 instance was created from an AWS AMI and RDP was enabled for remote access. The 15+ year old website content was copied over RDP, and IIS was installed and configured to point at Index.htm.
Before starting, a summary of each feature referenced during the setup.
#Amazon Machine Image (AMI)
An AMI is a template used as a baseline to quickly customize and deploy virtual machines. AWS Free Tier provides various flavours of Windows, Linux and Mac. There are commercial offerings from trusted 3rd parties in the AWS Marketplace. Not content with the offerings? Create your own customized image by creating an EC2 instance, installing and configuring applications etc. and converting it back to an AMI. This is particularly useful when there are hundreds of servers to deploy and manage that share the same configuration.
A Launch Template specifies the AMI, key pair and Security Group for the EC2 instances created by the Auto Scaling Group.
Auto Scaling Groups flex the number of EC2 instances based on performance and health requirements, ensuring the desired capacity is maintained. Auto Scaling Groups can span multiple AZs for site tolerance.
Target Groups route requests to registered targets, those being the instances that the Auto Scaling Group creates. Listeners on the Elastic Load Balancer forward traffic to the Target Group.
An Elastic Load Balancer provides Application, Network and Gateway distribution of incoming traffic to single or multiple instances or virtual applications in one or more Availability Zones. When incoming traffic matches the listener rules the traffic is forwarded to the Target Group.
Security Groups are the firewall rules. The Security Group referenced by the Launch Template requires a rule to allow incoming traffic from the Load Balancer; the Load Balancer requires its own SG to allow incoming traffic from the Internet.
Let's get started.....
#Create an AMI Image
Login to AWS Management Console as the PowerUser and go to EC2 Dashboard.
An AMI is required and can be created from the previously configured Windows image listed under instances.
Browse to Instances and select the Windows instance, then 'Actions', 'Image and Templates', 'Create Image'.
Provide a meaningful image name.
Complete the wizard and return to the EC2 Dashboard.
#Create a Load Balancer
Browse to near the bottom of the EC2 Dashboard and select 'Load Balancer' from under the Load Balancing heading.
Click on 'Create Load Balancer'.
Select 'Application Load Balancer' for HTTP.
Provide a meaningful Load Balancer Name.
Select 'Internet-facing' and IPv4.
Note: Prefix names with LB for Load Balancer or ASG for Auto Scaling Group etc. Life is easier with a naming convention especially when referencing and searching for a service or group in amongst hundreds of such services.
There is only one VPC and should be selected by default.
I'm staying with US-East-1A and US-East-1B AZs; select two or more Availability Zones to host the Load Balancer.
Free Tier provides 750 hours and 15 Load Balancer Capacity Units (LCUs), which relate to the number of connections per second and the length of each connection. Ten AZs hosting the Load Balancer provide 75 hours of run time before additional charges apply, whereas two AZs provide 375 hours of run time.
#Load Balancer Security Group
Click on 'Create New Security Group', another browser tab will open.
Remove the default Security Group.
The Security Group, effectively the firewall, must allow inbound HTTP traffic from the Internet to the Load Balancer.
Name the Security Group 'SG-LB-Web-Internet'.
Add a description.
Add an Inbound rule for HTTP and select 'Anywhere-IPv4' as the Source.
At the bottom of the page click 'Create Security Group'.
Return to the Load Balancer configuration tab.
Click on the 'Refresh' button next to Security Groups.
Start typing the name of the new SG; the list of available SGs is filtered as you type. Select the correct SG.
Scroll down to 'Listeners and Routing', select 'Create Target Group'.
Again, another browser tab will open.
Leave the default target type of 'Instances'; the plan is to deploy EC2 Auto Scaling Groups.
Give the Target Group a name of 'TG-LB-Web-Internet' and select HTTP1.
Review the Health Checks by maximizing the 'Advanced Health Check Settings', then click 'Next'.
Don't add any Registered Targets, targets are dynamically added by the Auto Scaling Group when new instances are created.
Review the Summary page and click on 'Create Load Balancer'.
#Create a Launch Template
Browse to Launch Templates in the EC2 Dashboard and select 'Create Launch Template'.
Name the Launch Template something meaningful, maintain the naming standards by typing 'LT' for the first 2 characters.
Add a Template Version Description.
Scroll down to 'Applications and OS Images', selecting 'My AMIs' and the AMI (AMI-Windows-IIS) created earlier.
Select the dropdown on the 'Instance Type'.
Choose the 'Free Tier Eligible' instance type with 1 vCPU and 1 GiB memory.
Select the 'Key Pair (Logon)' created during the 'Getting Started - AWS EC2 Virtual Machine' article.
Don't include any 'Network Settings'; these are provided dynamically and depend on the AZ and Auto Scaling Group deployment.
Select 'Create Security Group'; this allows HTTP traffic between the EC2 instances (Windows IIS Servers) and the Load Balancer.
Add a meaningful name 'SG-LT-Web-Internet'.
Add a Description; it's required.
Select 'HTTP' from 'Type Info'.
Start typing 'SG' in the 'Source Info' box and select 'SG-LB-Web-Internet', so the instances accept HTTP only from the Load Balancer's Security Group rather than directly from the Internet.
Leave the Storage at the default 30 GB.
Review the Launch Template settings, click 'Create Launch Template'.
Excellent, successfully created.
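The two Security Groups above form a chain: the Internet may reach port 80 on 'SG-LB-Web-Internet', and 'SG-LT-Web-Internet' accepts port 80 only from that group, so the IIS servers are never directly exposed. The script below is an added example (not part of the original article or any AWS tooling) that audits that chain. Its input has the shape of the boto3 EC2 `describe_security_groups()` response, but the records are constructed inline so nothing is called in AWS; the group IDs are invented placeholders, and a third, deliberately mis-configured instance group shows what a hurried click on 'Anywhere-IPv4' would look like.

```python
"""Audit the web-tier Security Group chain: Internet -> LB SG:80 -> instance SG:80.

Input records mimic boto3's describe_security_groups()['SecurityGroups'];
the samples below are constructed for this example, not pulled from AWS.
"""

INTERNET_V4 = "0.0.0.0/0"
WEB_PORTS = {80}  # the article's Load Balancer listens on HTTP only

# Constructed sample groups. Group IDs are placeholders, not real AWS IDs.
SAMPLE_GROUPS = [
    {   # as created in the Load Balancer section: HTTP from anywhere
        "GroupId": "sg-lb-placeholder", "GroupName": "SG-LB-Web-Internet",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": INTERNET_V4}], "UserIdGroupPairs": []},
        ],
    },
    {   # as created in the Launch Template section: HTTP from the LB group only
        "GroupId": "sg-lt-placeholder", "GroupName": "SG-LT-Web-Internet",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-lb-placeholder"}]},
        ],
    },
    {   # constructed mistake: instances also reachable from the Internet on 80 and RDP
        "GroupId": "sg-bad-placeholder", "GroupName": "SG-LT-Web-Anywhere",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": INTERNET_V4}],
             "UserIdGroupPairs": [{"GroupId": "sg-lb-placeholder"}]},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": INTERNET_V4}], "UserIdGroupPairs": []},
        ],
    },
]


def rule_sources(perm):
    """All sources of one IpPermissions entry as strings: CIDRs and group IDs."""
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return sources


def port_label(perm):
    """Human-readable protocol/port range for a finding."""
    if perm["IpProtocol"] == "-1":
        return "all traffic"
    return f'{perm["IpProtocol"]}/{perm.get("FromPort")}-{perm.get("ToPort")}'


def audit_lb_group(lb_sg):
    """The Load Balancer group may expose the web port(s) to the Internet and nothing else."""
    findings = []
    for perm in lb_sg["IpPermissions"]:
        web_only = (perm["IpProtocol"] == "tcp"
                    and perm.get("FromPort") == perm.get("ToPort")
                    and perm.get("FromPort") in WEB_PORTS)
        if not web_only:
            findings.append(f'{lb_sg["GroupName"]}: non-web rule {port_label(perm)} '
                            f'from {rule_sources(perm)}')
    return findings


def audit_instance_group(instance_sg, lb_group_id):
    """Instances must accept traffic from the Load Balancer's group and nowhere else."""
    findings = []
    saw_lb_rule = False
    for perm in instance_sg["IpPermissions"]:
        for src in rule_sources(perm):
            if src == lb_group_id:
                saw_lb_rule = True
            else:
                findings.append(f'{instance_sg["GroupName"]}: {port_label(perm)} reachable '
                                f'from {src}, bypassing the Load Balancer')
    if not saw_lb_rule:
        findings.append(f'{instance_sg["GroupName"]}: no rule from {lb_group_id}; '
                        'ELB health checks would fail and targets stay unhealthy')
    return findings


def audit_web_tier(groups, lb_name, instance_name):
    """Audit the named pair and return a list of findings (empty means the chain is intact)."""
    by_name = {g["GroupName"]: g for g in groups}
    lb_sg, inst_sg = by_name[lb_name], by_name[instance_name]
    return audit_lb_group(lb_sg) + audit_instance_group(inst_sg, lb_sg["GroupId"])


if __name__ == "__main__":
    for inst in ("SG-LT-Web-Internet", "SG-LT-Web-Anywhere"):
        findings = audit_web_tier(SAMPLE_GROUPS, "SG-LB-Web-Internet", inst)
        print(inst, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

To run the same check against a real account, replace `SAMPLE_GROUPS` with the `SecurityGroups` list returned by boto3's `describe_security_groups()`; the matching is by the group names used in the article.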
#Auto Scaling Groups
At the very bottom of the EC2 Dashboard, select 'Auto Scaling Groups'.
Select 'Create Auto Scaling Group'.
Following the naming standard, name the Auto Scaling Group 'AS-Web-Internet'.
Select the Launch Template 'LT-Windows-Web-Internet'.
Add 'US-East-1A' and 'US-East-1B' Availability Zones (AZs) from the drop down.
Select 'Attach to an Existing Load Balancer' option.
Select 'Choose from your Load Balancer Target Groups'.
In the 'Existing Load Balancer Target Groups' type the name of the Target Group 'TG-LB-Web-Internet'.
Hit Refresh if the Target Group is not initially listed.
Enable 'ELB' health checks.
Group Size controls the number of EC2 instances that will be maintained (kept alive).
One instance should be kept active at all times, with a maximum of 2.
Note: In production the desired capacity would be 2, minimum capacity would also be 2.
Select 'Target Tracking Scaling Policy', this is optional and can be skipped.
I've set a fairly high CPU of 80%; once breached, an additional EC2 instance is deployed.
Click 'Next' for 'Add Notifications'.
Click 'Next' for 'Add Tags'.
Review all the settings and click on 'Create Auto Scaling Group'.
From the EC2 Dashboard browse to 'Instances'.
A new instance will be created and after a few minutes the 'Instance State' will update to 'Running'.
From the EC2 Dashboard browse to 'Load Balancers'.
Copy the Internet accessible DNS name of the Load Balancer.
Open a new browser tab and paste the DNS Name....
Excellent, my 15+ year old website......
Terminate the instance and a few minutes later a new instance is up and running and service has been restored.
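The replacement seen above is driven by the Target Group health check reviewed under 'Advanced Health Check Settings' and the 'ELB' health check type enabled on the Auto Scaling Group: a target only becomes healthy after a run of consecutive passing probes and is marked unhealthy after a run of consecutive failures, at which point the group terminates and replaces it. The code below is an added example, not part of the article or of AWS, that models that state machine with the console's default values (path '/', status 200, healthy threshold 5, unhealthy threshold 2) and probes a throw-away local HTTP server in place of IIS so it runs offline; the server name, class names and the 'healthy' switch are all constructed for the demo.

```python
"""Model of the ALB target health check the ASG relies on (added example).

Thresholds mirror the console defaults: 5 consecutive passes -> healthy,
2 consecutive failures -> unhealthy. The 30s interval is not simulated;
probes run back-to-back against a local demo server standing in for IIS.
"""
import http.server
import threading
import urllib.error
import urllib.request

HEALTH_PATH = "/"
SUCCESS_CODES = {200}       # the 'Success codes' matcher
HEALTHY_THRESHOLD = 5
UNHEALTHY_THRESHOLD = 2


def probe(url, timeout=5):
    """One health-check request; True when the HTTP status is in the matcher set."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status in SUCCESS_CODES
    except urllib.error.HTTPError as err:      # non-2xx still has a status code
        return err.code in SUCCESS_CODES
    except (urllib.error.URLError, OSError):   # refused, timed out, DNS failure
        return False


class TargetHealth:
    """Tracks one target the way the ALB does: consecutive counts, not averages."""

    def __init__(self):
        self.state = "initial"
        self.successes = 0
        self.failures = 0

    def record(self, passed):
        """Feed one probe result and return the resulting state."""
        if passed:
            self.successes += 1
            self.failures = 0
            if self.state != "healthy" and self.successes >= HEALTHY_THRESHOLD:
                self.state = "healthy"
        else:
            self.failures += 1
            self.successes = 0
            if self.state != "unhealthy" and self.failures >= UNHEALTHY_THRESHOLD:
                self.state = "unhealthy"
        return self.state


class DemoSite(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the IIS server; flip `healthy` to simulate an outage."""
    healthy = True

    def do_GET(self):
        code = 200 if (DemoSite.healthy and self.path == HEALTH_PATH) else 503
        body = b"<html>index.htm</html>" if code == 200 else b"Service Unavailable"
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_demo_site():
    """Serve DemoSite on a random loopback port; returns (server, health-check URL)."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), DemoSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}{HEALTH_PATH}"


def run_checks(url, count, health):
    """Run `count` probes and return the target state after each one."""
    return [health.record(probe(url)) for _ in range(count)]


def demo():
    """Bring a target up, take the site down, restore it; return the three state histories."""
    server, url = start_demo_site()
    try:
        health = TargetHealth()
        up = run_checks(url, HEALTHY_THRESHOLD, health)      # initial -> healthy
        DemoSite.healthy = False
        down = run_checks(url, UNHEALTHY_THRESHOLD, health)  # healthy -> unhealthy
        DemoSite.healthy = True
        back = run_checks(url, HEALTHY_THRESHOLD, health)    # unhealthy -> healthy
        return up, down, back
    finally:
        DemoSite.healthy = True
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for label, history in zip(("up", "down", "back"), demo()):
        print(label, history)
```

The asymmetry matters operationally: with these defaults a fresh instance needs roughly 5 x 30 s of passing probes before the Load Balancer sends it traffic, while a failing instance is pulled after about 60 s, which is why the Auto Scaling Group's grace period must cover Windows boot plus IIS start-up or new instances get replaced before they ever become healthy.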
Setting up a Load Balanced, Auto Scaled Web Server that's resilient to outages demonstrates the ease of AWS and Cloud. The initial cost is nothing; clearly, there's an ongoing cost once the Free Tier expires or certain usage levels are breached.
With the alternative, old school infrastructure, the upfront costs would be considerable and the time to delivery could be months.....
As this is Free Tier, the Load Balancers and Auto Scaling Groups have been torn down and deleted. This is straightforward, although the instances take a while to disappear and the Snapshots in the Elastic Block Store require manual intervention to remove.
Thanks for your time, hope the article proves useful, and any feedback is gratefully received via 'Contact Me' on the home page. It's time for some well-earned rest and frustrations playing Elden Ring......wish me luck