AWS Best Practices: Components of the 3-Tier Architecture
While an infrastructure can, in theory, have any number of tiers, by far the most common pattern is the 3-tier architecture.
This article describes:
- Public and private subnets
- Components in each layer of the 3-tier infrastructure
- Simplified diagrams of a common 3-tier infrastructure
- New AWS features that improve performance and security
Public and Private Layers
The 3-tier design separates an infrastructure into three layers: one public and two private layers.
- Public layer: the presentation tier, where the application's internet-facing endpoint lives and where users are presented with information.
- Private layer: the logic (application) tier, which contains the code that translates user actions into functionality.
- Private layer: the data tier, which hosts the databases.
Resources in the public layer can be reached from the internet; everything in the private layers is reachable only from inside the VPC.
For example, a user’s browser sends a request to the public tier by clicking a link on a webpage, and the request gets forwarded to the other tiers as needed to present the requested webpage or file to the user. In this tiered design, the goal is for the public layer to act as a shield to the private layers.
Another goal of using the 3-tier network architecture is to create high availability, which you can achieve with AWS by distributing your application across multiple Availability Zones. Each Availability Zone is one or more discrete data centers with independent power, cooling and networking inside a single AWS Region; it is Regions, not Availability Zones, that sit in different geographic locations.
3-Tier Network Architecture on AWS
Here we’ll discuss a best practice example of splitting the network across three Availability Zones. Having three zones gives you high availability and redundancy, which ensures your application’s availability should an outage or other unexpected circumstance occur. Your application would not be affected because traffic would flow to the other two Availability Zones.
To split the AWS network architecture into three tiers and across three Availability Zones, you’d have the following 9 subnets:
- Public layer: 3 public subnets, one on each Availability Zone
- Application layer: 3 private subnets, one on each Availability Zone
- Database layer: 3 private subnets, one on each Availability Zone
For our example, we’ve simplified the diagram by showing only two Availability Zones (instead of three).

Image 1: Subnet diagram showing 3 tiers x 2 Availability Zones in the AWS VPC diagram (we intentionally show only 2 zones to simplify the diagram).
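The nine-subnet layout above is mechanical enough to generate rather than draw by hand. The following is an added example (not code from the article or from Stratus10) that carves a hypothetical 10.0.0.0/16 VPC into one /24 per tier per Availability Zone, records which subnets are public, and assigns each private subnet the NAT Gateway of its own zone; the AZ names, CIDR and prefix length are assumptions, and `check_plan` is a hypothetical helper that verifies the plan has no overlapping ranges, no zone missing a tier, and no private subnet pointed at a NAT Gateway in another zone.

```python
import ipaddress
from itertools import combinations

# Constructed inputs for the example (not from the article): a /16 VPC and
# the three Availability Zones the design spans.
VPC_CIDR = "10.0.0.0/16"
AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]
TIERS = ["public", "app", "db"]
PRIVATE_TIERS = {"app", "db"}


def plan_subnets(vpc_cidr=VPC_CIDR, azs=AZS, tiers=TIERS, prefix=24):
    """Carve one subnet per (tier, AZ) out of the VPC CIDR and return the plan.

    Each entry records tier, AZ, CIDR, whether the subnet is public, and the
    target its 0.0.0.0/0 route should use: the VPC's Internet Gateway for
    public subnets, the NAT Gateway in the *same* AZ for private subnets, so
    that losing one zone cannot take down egress for the others.
    """
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix)
    plan = []
    for az in azs:
        for tier in tiers:
            public = tier not in PRIVATE_TIERS
            plan.append({
                "name": f"{tier}-{az}",
                "tier": tier,
                "az": az,
                "cidr": str(next(blocks)),
                "public": public,
                "default_route_target": "igw" if public else f"nat-{az}",
            })
    return plan


def check_plan(plan, tiers=TIERS):
    """Return a list of problems with the plan; an empty list means it is sound."""
    problems = []
    nets = [(s["name"], ipaddress.ip_network(s["cidr"])) for s in plan]
    # 1. No two subnets may overlap (IPAM would catch this across VPCs; here we
    #    catch it inside one).
    for (n1, a), (n2, b) in combinations(nets, 2):
        if a.overlaps(b):
            problems.append(f"{n1} overlaps {n2}")
    # 2. Every AZ must carry every tier, or the tier is not zone-redundant.
    for az in sorted({s["az"] for s in plan}):
        present = sorted(s["tier"] for s in plan if s["az"] == az)
        if present != sorted(tiers):
            problems.append(f"{az} is missing a tier: has {present}")
    # 3. Public subnets route to the IGW; private subnets to their own AZ's NAT.
    for s in plan:
        if s["public"] and s["default_route_target"] != "igw":
            problems.append(f"{s['name']} is public but has no IGW default route")
        if not s["public"] and s["default_route_target"] != f"nat-{s['az']}":
            problems.append(f"{s['name']} must use the NAT Gateway in {s['az']}")
    return problems


if __name__ == "__main__":
    plan = plan_subnets()
    for s in plan:
        kind = "public" if s["public"] else "private"
        print(f"{s['name']:<18} {s['cidr']:<14} {kind:<8} -> {s['default_route_target']}")
    print("problems:", check_plan(plan) or "none")
```

Running the script prints the nine subnets (10.0.0.0/24 through 10.0.8.0/24) and "problems: none"; the /16 leaves plenty of room, which is deliberate, since subnets cannot be resized after creation.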
Detailed Breakdown of Public and Private Subnets
Understanding the roles and configurations of public and private subnets is crucial for effectively implementing the 3-tier network architecture. What makes a subnet "public" or "private" is not a flag on the subnet but its route table: a public subnet has a route to the VPC's Internet Gateway, while a private subnet's default route (if it has one at all) points at a NAT Gateway or an egress-only Internet Gateway, so connections can only be initiated from the inside.
Public Subnets: Gateways to the Internet
Instances and resources in a public subnet can reach the internet and, if they carry a public or Elastic IP address, can be reached from it.
- Internet Gateway (IGW): A public subnet's route table sends 0.0.0.0/0 traffic to the Internet Gateway. This is what lets an internet-facing Application Load Balancer (ALB) accept connections from users.
- NAT Gateway: The public subnet is also where the NAT Gateway lives. It holds an Elastic IP and uses the IGW route so that instances in the private subnets can initiate outbound connections (OS updates, external API calls) without ever being reachable from the internet. Deploy one NAT Gateway per Availability Zone so that a zone outage does not cut off egress for the surviving zones.
Private Subnets: Securing the Core Infrastructure
A private subnet has no route to the Internet Gateway. When its instances need outbound internet access they use Amazon's managed NAT service (NAT Gateway), which AWS operates and scales as needed. Access (when permitted) is one-way: connections originate from inside the subnet, and nothing on the internet can initiate a connection to these instances.
- Managed NAT Service: Instances within private subnets are protected from direct internet exposure. When they need to reach the internet (e.g., to download updates or call external APIs), they do so through a NAT Gateway located in the public subnet of the same Availability Zone. Note that the NAT Gateway hides instances from inbound connections but does not filter what they send out; restrict egress with security group and network ACL outbound rules, or give subnets that never need the internet (such as the database tier) no default route at all.
- Security Groups and Network ACLs: To further enhance security, AWS Security Groups and Network Access Control Lists (ACLs) are used to tightly control inbound and outbound traffic. Security Groups are stateful allow-lists that act as virtual firewalls for your instances, while Network ACLs provide an additional layer of stateless filtering at the subnet level.
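Because "public" and "private" are properties of the route table rather than of the subnet, the quickest audit is to read the route tables back and compare them with the intended design. The following is an added example, not code from the article: it works on constructed route tables in the shape of `aws ec2 describe-route-tables` output (all IDs are invented), classifies each table as public, private or isolated, and reports every subnet whose effective classification contradicts the tier it was meant to be in. The `INTENDED_TIER` map and the planted misconfiguration (a database subnet associated with the public route table) are assumptions for the demonstration.

```python
# Constructed route tables in the shape of `aws ec2 describe-route-tables`
# output, trimmed to the fields that matter. All IDs are invented.
ROUTE_TABLES = [
    {   # Public tier: default route to the Internet Gateway.
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-public-a"}, {"SubnetId": "subnet-public-b"},
                         {"SubnetId": "subnet-db-b"}],   # planted misconfiguration
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d"}],
    },
    {   # Application tier, AZ a: IPv4 egress via the NAT Gateway in the same AZ,
        # IPv6 egress via an egress-only IGW, S3 via a gateway endpoint.
        "RouteTableId": "rtb-app-a",
        "Associations": [{"SubnetId": "subnet-app-a"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c3d"},
                   {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0a1b2c3d"},
                   {"DestinationPrefixListId": "pl-0a1b2c3d", "GatewayId": "vpce-0a1b2c3d"}],
    },
    {   # Database tier, AZ a: no route that leaves the VPC at all.
        "RouteTableId": "rtb-db-a",
        "Associations": [{"SubnetId": "subnet-db-a"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # The VPC's main route table; subnets with no explicit association use it.
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
]

# What each subnet is meant to be according to the 3-tier design (assumed).
INTENDED_TIER = {
    "subnet-public-a": "public", "subnet-public-b": "public",
    "subnet-app-a": "app", "subnet-app-b": "app",
    "subnet-db-a": "db", "subnet-db-b": "db",
}


def classify(route_table):
    """Classify a route table as 'public', 'private' or 'isolated'.

    public   : any route targets an Internet Gateway (igw-*); instances with a
               public IP are reachable from the internet.
    private  : egress goes through a NAT Gateway or an egress-only IGW only,
               so connections can be initiated from inside but not from outside.
    isolated : nothing leaves the VPC (gateway endpoints such as vpce-* for S3
               do not count as internet access).
    """
    kind = "isolated"
    for route in route_table["Routes"]:
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId") or route.get("EgressOnlyInternetGatewayId"):
            kind = "private"
    return kind


def audit(route_tables, intended_tier):
    """Compare each subnet's effective classification with its intended tier.

    Only the public tier may have an IGW route; app and db subnets must be
    private or isolated. Subnets with no explicit association are reported
    too, because they silently fall back to the main route table.
    """
    findings = []
    seen = set()
    for rt in route_tables:
        kind = classify(rt)
        for assoc in rt.get("Associations", []):
            subnet = assoc.get("SubnetId")
            if subnet is None:          # the Main association carries no SubnetId
                continue
            seen.add(subnet)
            tier = intended_tier.get(subnet, "unknown")
            if tier == "public" and kind != "public":
                findings.append(f"{subnet}: public tier but {rt['RouteTableId']} has no IGW route ({kind})")
            elif tier in ("app", "db") and kind == "public":
                findings.append(f"{subnet}: {tier} tier but {rt['RouteTableId']} routes to an Internet Gateway")
    for subnet in sorted(set(intended_tier) - seen):
        findings.append(f"{subnet}: no explicit route table association (uses the main table; verify it)")
    return findings


if __name__ == "__main__":
    for rt in ROUTE_TABLES:
        print(f"{rt['RouteTableId']:<12} {classify(rt)}")
    for finding in audit(ROUTE_TABLES, INTENDED_TIER):
        print("FINDING:", finding)
```

Against the sample data the audit reports two findings: `subnet-db-b` is effectively public because it shares the public route table, and `subnet-app-b` has no explicit association. Against a real account, feed it the `RouteTables` list from the CLI or boto3 and a tier map derived from subnet tags.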
What Goes in Each of the Layers
Public Layer
The public (top) layer hosts an internet-facing Application Load Balancer (ALB), which is the entry point for your application and forwards traffic to your application servers in the private application subnets.
Our diagram shows a single ALB, and that is what you see in the AWS console. Behind the scenes, however, AWS provisions a load balancer node in each Availability Zone (public subnet) you enable for the ALB, and keeps those nodes healthy and scaled for you.
Having the ALB in all zones provides:
- High availability and redundancy in case an entire Availability Zone is unavailable.
- Protection against Distributed Denial of Service (DDoS) attacks. The ALB absorbs an influx of requests by scaling up (it can serve millions of requests per second) and spreading them across many targets and Availability Zones rather than exposing a single host, and AWS Shield Standard is applied to it automatically.
Administrative access to the application servers (or any other servers in the private subnets) goes through AWS Systems Manager Session Manager rather than an internet-facing bastion host. Session Manager is not a server you run in the public layer: the SSM Agent on each instance opens an outbound connection to the Systems Manager service (through the NAT Gateway or a Systems Manager VPC endpoint), and you get an interactive shell or port-forwarding session that IAM controls and that needs no inbound port 22 rule and no SSH keys on the instances.
Application Layer
The second layer is where your application servers live. In this example we've wrapped them in an Auto Scaling group spread across the Availability Zones. The group adds servers when load requires it and replaces servers that fail health checks. If an entire Availability Zone is out of service, the ALB stops sending traffic to the unhealthy targets in that zone, and the Auto Scaling group launches replacement instances in the remaining zones.
Database Layer
The third layer is the database layer, which houses only data resources. These databases should be reachable only from the application layer: their security group admits connections from the application servers' security group and nothing else, and their subnets have no inbound path from the internet.
In our example we use Amazon Relational Database Service (RDS), Amazon's managed database service. Advantages of using RDS here are:
- Multi-AZ deployment: a synchronous standby instance in a separate Availability Zone, with automatic failover if the primary fails.
- Read replicas: one or more read-only instances to take read load off the primary database.

Image 2: The 3-tier network architecture showing Application Load Balancer (ALB), NAT Gateways, Sessions Manager, application servers and databases. Note: we simplified the diagram by displaying only 2 Availability Zones instead of 3.
New AWS Features Available
AWS regularly releases new tools and services that support the 3-tier architecture model. These updates are focused on improving performance, security, scalability, and management, helping businesses address evolving needs and challenges.
Below are key AWS features that enhance a 3-tier network architecture. We've highlighted the main benefit of each tool and provided a sample use case.
CloudShell: A browser-based shell that allows you to run commands for your AWS resources directly from the AWS Console without needing to install additional software or manage credentials on local machines.
- Use Case: Accomplish quick, ad-hoc tasks such as deploying scripts, querying data, and managing resources across different layers of your 3-tier architecture.
- Security: Runs inside your AWS environment using the IAM identity you signed in to the console with, so your existing IAM roles and policies govern what it can do and no long-lived access keys need to live on a laptop.
VPC Endpoints: Enable secure, private connections between your Virtual Private Cloud (VPC) and supported services without requiring an Internet Gateway, NAT device, VPN connection, or AWS Direct Connect. This feature enhances security by keeping traffic within the AWS network, reducing the risk of exposure to the public internet.
- Types of VPC Endpoints:
- Gateway Endpoints: Available for Amazon S3 and DynamoDB only. They add a route for the service's prefix list to the subnet's route table, so that traffic never traverses the Internet Gateway or NAT Gateway, and they carry no charge.
- Interface Endpoints (AWS PrivateLink): Elastic network interfaces (ENIs) with private IP addresses in your subnets that front most other AWS services (Systems Manager, KMS, and S3 as well when you need access over private DNS from on-premises). They are protected by security groups and billed per hour and per GB.
- Use Case: Securely connect your application and data layers with AWS services such as S3 for data storage or DynamoDB for fast, scalable databases, all while keeping traffic inside your private network. Attach an endpoint policy that names the buckets or tables the endpoint may reach, so that a compromised instance cannot use the endpoint as an exfiltration path to a bucket in someone else's account.
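The endpoint policy is the part practitioners most often leave at its default, which is full access to every bucket in every account. The following is an added example, not code from the article or from AWS: a simplified evaluator for gateway endpoint policies (explicit Deny wins, then a matching Allow, otherwise implicit deny; Principal and Condition are ignored) applied to two constructed policies, the default full-access policy and a restricted one scoped to a hypothetical `example-app-data` bucket. Bucket names and the `exfil_check` helper are assumptions for the demonstration.

```python
import fnmatch

# Constructed endpoint policies (not from the article). The first is the
# default full-access policy a new gateway endpoint gets; the second limits
# the endpoint to one application bucket and refuses deletes outright.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}

RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-data",
                      "arn:aws:s3:::example-app-data/*"]},
        {"Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}


def _matches(patterns, value):
    """IAM-style wildcard match: '*' and '?' are the only metacharacters."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def endpoint_allows(policy, action, resource):
    """Decide whether the endpoint policy lets one request through.

    Simplified IAM evaluation: an explicit Deny always wins, otherwise a
    matching Allow permits, otherwise the request is implicitly denied.
    Principal and Condition keys are ignored in this model. The endpoint
    policy is evaluated in addition to the caller's IAM policy and the bucket
    policy, so it can only narrow access, never widen it.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def exfil_check(policy, foreign_bucket="arn:aws:s3:::attacker-controlled-bucket"):
    """True if an instance behind the endpoint could write to a bucket you do not own."""
    return endpoint_allows(policy, "s3:PutObject", foreign_bucket + "/loot.tgz")


if __name__ == "__main__":
    for name, policy in (("default", FULL_ACCESS_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(f"{name:<10} exfiltration via endpoint possible: {exfil_check(policy)}")
```

The default policy answers True to the exfiltration check; the restricted one answers False while still letting the application read, list and write its own bucket. The same evaluator shape applies to interface endpoint policies, which use identical IAM grammar.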
Network Load balancers (NLBs): Automatically distribute your incoming traffic so you can handle millions of requests per second while maintaining ultra-low latencies. NLBs operate at the connection level (Layer 4), routing incoming traffic to targets such as EC2 instances, microservices, and containers within your VPC.
- Use Case: Deploy in the public layer to handle large volumes of incoming traffic, particularly in scenarios requiring high throughput and low latency, such as real-time gaming or financial trading platforms.
- Resilience: Automatically scales to handle fluctuations in traffic, ensuring that your application remains highly available even during traffic spikes.
VPC IP Address Manager (IPAM): Simplifies IP address management within your AWS environment. IPAM helps you plan, track, and monitor IP addresses across multiple VPCs, ensuring that you have a clear view of your IP utilization and can avoid conflicts.
- Use Case: For complex 3-tier architectures spanning multiple VPCs and regions, IPAM ensures efficient use of IP space and helps prevent overlapping IP addresses, which can cause connectivity issues.
- Automation: Integrates with AWS CloudFormation, allowing you to automate IP address allocation during the deployment of new resources, further streamlining network management.
Egress-only Internet Gateway: A horizontally scaled, redundant, and highly available VPC component that allows outbound-only communication over IPv6 from instances in your VPC to the internet. This is particularly useful for environments where you need to prevent inbound connections while still allowing outbound traffic.
- Use Case: Attach it to the VPC and point the ::/0 route of your private subnets' route tables at it, giving IPv6 instances outbound access for software updates or external API calls without any inbound exposure; it is the IPv6 counterpart of the NAT Gateway, which only handles IPv4.
- Compliance: Relevant for industries with strict security and compliance requirements, such as healthcare and finance, where controlling data flow is critical.
VPC Network Reachability Analyzer: A network diagnostics tool that troubleshoots and validates the reachability between two endpoints in a VPC, or within multiple VPCs.
- Use Case: When deploying a 3-tier architecture across multiple AZs or VPCs, run the Reachability Analyzer to confirm that each component can reach the ones it depends on (ALB to application servers, application servers to the database) before you cut traffic over, avoiding downtime caused by a missing route or security group rule.
- Detailed Insights: Provides detailed path analysis, showing how traffic flows through your network and identifying any misconfigurations that might prevent connectivity.
Network Access Analyzer: Identifies unintended network access to your resources. You describe the access you intend as a Network Access Scope (for example, "only the ALB's security group may reach the application servers") and the analyzer finds every network path that violates it, taking security groups, network ACLs, route tables and gateways into account.
- Use Case: Verifies that the boundaries between public and private layers hold, catching accidental exposure of sensitive resources such as databases or application servers.
- Proactive Security: By running analyses regularly (for example after every infrastructure change), you can identify and remediate exposure before an attacker finds it, and keep your infrastructure aligned with security best practices and industry regulations.
AWS Firewall Manager: A security management tool that lets you centrally configure and enforce AWS WAF rules, AWS Shield Advanced protections and security group policies across all the accounts in your AWS Organization. This simplifies the administration of security policies, particularly in large, multi-account environments.
- Use Case: Enforce consistent security policies across all tiers, for example a mandatory WAF web ACL on every internet-facing ALB, ensuring that your network is protected from threats and that compliance requirements are met.
- Scalability: As new accounts and resources appear, Firewall Manager applies the policy to them automatically and flags (or remediates) resources that drift out of compliance, so the security posture holds without manual intervention.
Security Best Practices in the AWS 3-Tier Network Architecture
Security is a foundational principle that guides the design of each layer—presentation, application, and database. The structure itself is intended to compartmentalize and protect each component, ensuring that potential threats are isolated and managed effectively. Here we highlight key security features to implement at each layer to ensure your overall security posture.
Public Layer Security
AWS Shield and WAF: To protect against Distributed Denial of Service (DDoS) attacks, AWS Shield Standard is applied automatically to ALBs and CloudFront distributions and provides always-on detection and mitigation of common network- and transport-layer attacks; Shield Advanced adds application-layer protection and response support. Additionally, attach an AWS WAF web ACL to the ALB (or CloudFront) to filter and block malicious requests, such as SQL injection attempts or bot traffic, before they reach your application.
Application Layer Security
Security Groups: Assign a dedicated security group to your application servers and allow inbound traffic only from the ALB's security group on the application port. The data tier never needs to initiate connections to the application tier, so it gets no inbound rule here; the database security group, in turn, allows inbound only from the application servers' security group on the database port. Referencing security groups rather than CIDR ranges keeps the rules correct as Auto Scaling adds and removes instances.
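The rule set just described, and the "only from the application layer" requirement on the database tier above, can be expressed and checked in a few lines. The following is an added example, not code from the article: it models the three security groups with invented IDs and ports, evaluates whether a given connection attempt is admitted (the same question the Network Access Analyzer answers across a whole VPC), and lints a second, weaker configuration that opens the application tier to the world and lets the ALB talk straight to the database. `TIER_POLICY` and both security group sets are assumptions for the demonstration.

```python
import ipaddress

# Constructed security groups for the three tiers (IDs and ports invented for
# the example). Each ingress rule names a port and a source that is either a
# CIDR block or another security group, as in `aws ec2 describe-security-groups`.
SECURITY_GROUPS = {
    "sg-alb": {"name": "alb", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "sg-app": {"name": "app", "ingress": [{"port": 8080, "sg": "sg-alb"}]},
    "sg-db":  {"name": "db",  "ingress": [{"port": 5432, "sg": "sg-app"}]},
}

# The same layout with two common shortcuts: the app tier opened to the world
# "to make testing easier", and the ALB given direct access to the database.
WEAK_SECURITY_GROUPS = {
    "sg-alb": {"name": "alb", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "sg-app": {"name": "app", "ingress": [{"port": 8080, "cidr": "0.0.0.0/0"}]},
    "sg-db":  {"name": "db",  "ingress": [{"port": 5432, "sg": "sg-app"},
                                          {"port": 5432, "sg": "sg-alb"}]},
}

# Intended trust between tiers: which tiers may open connections to which.
# "internet" stands for any CIDR-based source.
TIER_POLICY = {"alb": {"internet"}, "app": {"alb"}, "db": {"app"}}


def ingress_allowed(groups, dst_sg, port, src_sg=None, src_ip=None):
    """Return True if some ingress rule on dst_sg admits a new connection.

    Security groups are stateful allow-lists: a connection is permitted only
    when a rule matches the destination port and either the source's security
    group or the source IP (inside the rule's CIDR). Return traffic for an
    allowed connection needs no rule of its own.
    """
    for rule in groups[dst_sg]["ingress"]:
        if rule["port"] != port:
            continue
        if "sg" in rule and rule["sg"] == src_sg:
            return True
        if "cidr" in rule and src_ip is not None and \
                ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["cidr"]):
            return True
    return False


def lint(groups, policy=TIER_POLICY):
    """Compare every ingress rule with the tier policy; return the violations."""
    findings = []
    for sg_id, group in groups.items():
        allowed = policy[group["name"]]
        for rule in group["ingress"]:
            if "cidr" in rule and "internet" not in allowed:
                findings.append(f"{sg_id} ({group['name']}): port {rule['port']} open to {rule['cidr']}")
            if "sg" in rule:
                src_tier = groups[rule["sg"]]["name"]
                if src_tier not in allowed:
                    findings.append(f"{sg_id} ({group['name']}): port {rule['port']} trusts {rule['sg']} ({src_tier})")
    return findings


if __name__ == "__main__":
    # A user reaches the ALB, the ALB reaches the app tier, the app tier
    # reaches the database; nothing else gets through.
    print(ingress_allowed(SECURITY_GROUPS, "sg-alb", 443, src_ip="203.0.113.7"))   # True
    print(ingress_allowed(SECURITY_GROUPS, "sg-app", 8080, src_ip="203.0.113.7"))  # False
    print(ingress_allowed(SECURITY_GROUPS, "sg-db", 5432, src_sg="sg-app"))        # True
    print(ingress_allowed(SECURITY_GROUPS, "sg-app", 8080, src_sg="sg-db"))        # False
    print("violations:", lint(SECURITY_GROUPS) or "none")
    print("violations:", lint(WEAK_SECURITY_GROUPS))
```

The lint pass reports nothing for the intended layout and two violations for the weak one. Note that the model deliberately flags any CIDR-based rule on a private tier, even an internal 10.0.0.0/16 range, because a CIDR on the application tier admits every host in that range (including a compromised one in the public subnet) rather than only the ALB.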
Data Layer Security
Encryption: AWS provides multiple encryption options for securing data at rest and in transit. RDS supports encryption at rest with AWS Key Management Service (KMS) keys and can require TLS on client connections. Encryption in transit is often terminated at the edge, at the CDN (CloudFront) or at the load balancer, to take TLS handling off the application servers, but that leaves ALB-to-application and application-to-database traffic in the clear inside the VPC. Where your requirements call for end-to-end encryption, configure the ALB target group to use HTTPS to the application servers and enforce TLS on the database connection; the performance cost is small and the planning is mostly certificate management.
Backup and Recovery: Implement regular backups of your databases using AWS Backup or RDS automated backups. Automated backups and snapshots are stored durably within the Region, independent of any single Availability Zone, and can be copied to another Region, so your data is recoverable even if a disaster takes out a zone.
Conclusion
The AWS 3-tier network architecture is a powerful and flexible solution that can be tailored to meet the specific needs of your company. Whether it’s handling the high traffic, securing transactions, or ensuring availability of data, this architecture offers the scalability, security, and reliability needed to solve real-world challenges. By following AWS networking best practices, you optimize your operations and ultimately provide better services to your customers.
At Stratus10, we take your company’s current environment and applications into account to design an infrastructure that meets your goals now and in the future. We always use AWS best practices when designing an infrastructure, including this 3-tier pattern, because it provides multiple levels of security, scalability, high availability, and redundancy.