AWS Best Practices: Components of the 3-Tier Infrastructure

Tue, 03/15/2022 - 08:47

While an infrastructure can, in theory, have any number of tiers, by far the most common pattern is the 3-tier infrastructure. 

This article describes:

  • Public and private subnets
  • Components in each layer of the 3-tier infrastructure
  • Simplified diagrams of a common 3-tier infrastructure
  • New AWS features that improve performance and security

Public and Private Layers

The 3-tier design separates an infrastructure into 3 layers: one public and two private layers. 

The presentation tier, or public layer, is where the application’s endpoint lives, and where a user is presented with information. The private layer includes the logic tier, which contains code to translate user actions to a functionality, and the data tier, which hosts the databases. Anything in the public layer is publicly accessible, but all other content and code in the private layers is only accessible from inside the network.

For example, a user’s browser sends a request to the Public tier by clicking a link on a webpage, and the request gets forwarded to the other tiers as needed to present the requested webpage or file to the user. In this tiered design, the goal is for the public layer to act as a shield to the private layers. 

Another goal of using the 3-tier architecture is to create high availability, which you can achieve with AWS by distributing your application across multiple Availability Zones. Each Availability Zone is a physical data center in a different geographic location.

 Here we’ll discuss a best practice example of splitting the network across 3 availability zones. Having 3 zones gives you high availability and redundancy, which ensures your application’s availability should an outage or other unexpected circumstance occur. Your application would not be affected because traffic would flow to the other 2 availability zones.

To split a network into 3 tiers and across 3 availability zones, you’d have the following 9 subnets:

  1.  Public Layer: 3 public subnets, one on each Availability Zone
  2.  Application Layer: 3 private subnets, one on each Availability Zone
  3.  Database Layer: 3 private subnets, one on each Availability Zone

For our example, we’ve simplified the diagram by showing only 2 availability zones (instead of 3). 

3-tier infrastructure on AWS


Image 1: Subnet diagram showing 3 tiers x 2 availability zones (we intentionally show only 2 zones to simplify the diagram).

The difference between public and private subnets

The main feature that makes a subnet "public" or "private" is how instances in that subnet access the internet. A public subnet allows its instances to access the internet via an Internet Gateway. A private subnet, on the other hand, allows its instances to access the internet via Amazon's managed NAT service (NAT Gateway), which is managed by AWS and scales out as needed. Additionally, instances/resources in a Public subnet have access to and are accessible from the internet. For the Private subnets, however, access to the internet (when permitted) is only one-way, originating from within the subnet.

What goes in each of the layers

Public Layer

The public (top) layer hosts an internet-facing Application Load Balancer (ALB), which is the entry point for your application, directing traffic to your application servers.

Our diagram only shows one instance of the ALB, and you will only see one in the AWS console. Behind the scenes, however, AWS provisions multiple instances of the ALB based on which availability zones have EC2 instances behind that load balancer. 

Having the ALB in all zones provides:

  • High availability and redundancy in case an entire availability zone is unavailable. 
  • Protection in case of a Distributed Denial of Service (DDoS) attack. The ALB minimizes the impact by scaling up to handle an influx of requests (sometimes millions per second), distributing requests across many instances, and increasing the target footprint.

Also running in the public layer is AWS Sessions Manager, which allows you to connect to your application servers (or any other servers in the private subnets), via SSH.

Application Layer

The second layer is where your application servers live and where all resources/components are hosted. In this example we’ve wrapped our application server with an AutoScale Group. This enables our application to scale up if additional servers are needed or to recover if one availability zone is out of service. If an entire availability zone is out of service, the load balancer recognizes the outage and scales up in a different zone.

Database Layer

The third layer is the database layer, where only data resources are housed. The only way to access these databases is by connecting to them from the application layer.

In our example, we use Amazon's Relational Database Service (RDS) which is a managed database service provided by Amazon. Advantages of using RDS are:

  • A failover database instance in a separate availability zone. 
  • One or more read-only RDS instances to take some of the load off the main database.

3-tier infrastructure on AWS

Image 2: The 3-tier architecture showing Application Load Balancer (ALB), NAT Gateways, Sessions Manager, application servers and databases. Note: we simplified the diagram by displaying only 2 availability zones instead of 3.

New AWS Features Available

Since this structure was first established, AWS has provided numerous new tools and options to make your architecture even more reliable, available, scalable and secure. 

Our example demonstrates the use of NAT Gateways and Sessions Manager. Other newer AWS features include:

  • CloudShell - A browser-based shell that allows you to run commands for your resources.
  • VPC Endpoints - Enables connections between a virtual private cloud (VPC) and supported services, without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
  • Network Load balancers - Automatically distribute your incoming traffic across multiple targets.
  • VPC IP Address Manager - Makes it easier for you to plan, track, and monitor IP addresses for your workloads.
  • Egress-only Internet Gateway - A horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet.
  • VPC Network Reachability Analyzer - A network diagnostics tool that troubleshoots reachability between two endpoints in a VPC, or within multiple VPCs.
  • Network Access Analyzer - Identifies unintended network access to your resources.
  • AWS Firewall Manager - Simplifies your administration and maintenance tasks across multiple accounts and resources for a variety of protections. 

At Stratus10, we take your company’s current environment and applications into account to design an infrastructure that meets your goals now and in the future. We always use AWS best practices when designing an infrastructure, including this 3-tier pattern, because it provides multiple levels of security, scalability, high availability, and redundancy.

For more AWS Best Practices, read about Tagging or see Amazon's white paper on architecture best practices.

About Stratus10 

Stratus10 helps companies migrate their infrastructure and applications to the cloud and implement best practices for continuous innovation. Stratus10 specializes in migration services, DevOps Automation, and Application Modernization to help clients take full advantage of the latest services from AWS. 

Get in touch with a cloud expert today to discuss how Stratus10 can help!
Call us at 619.780.6100
Send us an email at
Send us a message by filling out our Contact Form
Read our Customer Case Studies

Newsletter Sign Up