Friday, 18 May 2018

.Net on Elastic Beanstalk (AWS) with VPC

I have set about considering whether AWS is a decent alternative to Azure for cloud stuff. Azure is obviously more Windows and .net friendly but its virtual networking is pretty poor currently and I know that AWS has fairly decent VPC so I wondered if I could copy the basic infrastructure used on Azure for PixelPin but on AWS!

I started with an article here, although it is for RDS (relational data storage) and I wanted to use DynamoDB NoSQL so I decided to work through it and find out how to make it work.

There are some steps that are assumed before you can follow these instructions so we need to do these first and then mostly follow the linked article (the steps copied below):

First things

1) Allocate yourself an elastic IP address in the VPC panel -> Elastic IPs. It should be of type VPC.
2) Create a key pair for access to the virtual machines under EC2 panel -> Key Pairs saving the pem somewhere safe.
3) In IAM, create a ROLE for ElasticBeanstalk. You can choose the service from the list and accept the two beanstalk Policies. Give it a suitable name.
4) In IAM, create another ROLE for EC2. Select the policy AWSElasticBeanstalkService. Creating the EC2 role automatically creates an instance profile, which you will need later.

Create VPC

3) Go into the VPC panel, click VPC Dashboard on the left and press Start VPC Wizard.
NOTE: The following notes are for a single private subnet but if you want high availability, you should choose 3 subnets, one for each availability zone in a region. This will allow the database nodes to be resilient to a single zone failure. The web servers will all need to be in the same zone as the load balancer however.
4) Select the template VPC with Public and Private Subnets on the left and press Select. This is a good default template that allows public entities like the Load balancer to be accessible from the internet but private servers like web instances to be hidden.
5) In the next page, give your VPC a useful name, the default IP allocations should be fine but ensure that the availability zone for the public and private subnet is the same by selecting one entry from the list.
6) In the Elastic IP Allocation ID field, select the elastic IP address you created earlier. If you forgot, open another browser tab and create the address in either EC2 or VPC panels then come back to this tab and click into the box again to refresh the list. If you can't see the elastic IP, then you created it to be classic instead of VPC, deallocate and allocate another one.
7) Leave the rest of the defaults and click Create VPC. Creation will take a few minutes.

Security Groups

8) Create a new security group in the EC2 panel -> Security groups (you can reuse an existing one, but having one per system gives you more flexibility). Open port 80 from all IP addresses and select the previously created VPC for this new group. Create a second group for the database (DAX) cluster with two rules permitting access from the CIDR and to port 8111.

DynamoDB Cluster

9) Create a new DynamoDB cluster (a DAX cluster) by going into the DynamoDB panel and selecting Clusters (for an existing table) from the left-hand side. If you haven't created your table yet, you will need to create it. We don't have space to discuss the details of NoSQL partitioning but if you are just testing for now, create a table called users and set the partition key to be email of type string, leave the rest of the defaults and press Create. Next click Clusters on the left-hand side.
10) Press Create Cluster and give it a name. Choose a node type, which can be changed later. If testing, there is a small node size.
11) For the IAM role, you either need to select one you have already created, or you can create one here with the relevant permissions. Since my test is for read/write, I have chosen this, but you might be clustering a table that is only for reading.
12) Under SubnetGroup, choose Create new, give it a name and description (you could call it TestGroup or something like that), select the VPC you created earlier in the list and select both subnets to cluster against. This will allow both of these subnets to access the database cluster, but you could restrict this if you need to. What this actually does is allow DynamoDB to allocate routable IP addresses to the cluster and nodes in the correct CIDR for your VPC subnets.
13) Select the DAX security group you created earlier in the list and click Launch Cluster. This will also take a few minutes to complete.
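As an added example (not code from the original post), here are the two security groups from steps 8 and 13 in the IpPermissions shape the EC2 API uses, a tighter DAX rule that allows port 8111 only from members of the web server group instead of a whole CIDR, and a small audit that flags a DAX group reachable from outside the VPC. The group ID and the 10.0.0.0/16 VPC range are assumed placeholders.

```python
import ipaddress

# Added example, not from the original post. Group IDs and the VPC range are
# constructed placeholders; 10.0.0.0/16 is assumed to be the wizard's default.
DAX_PORT = 8111            # DAX listener port from step 8
VPC_CIDR = "10.0.0.0/16"   # assumed VPC range (step 5 keeps the defaults)
WEB_SG_ID = "sg-0000web0placeholder"

def web_ingress():
    """Web server group (step 8): HTTP from anywhere, as the load balancer needs."""
    return [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]

def dax_ingress_by_cidr(cidr):
    """The post's DAX rule: port 8111 from a CIDR, e.g. the private subnet."""
    return [{"IpProtocol": "tcp", "FromPort": DAX_PORT, "ToPort": DAX_PORT,
             "IpRanges": [{"CidrIp": cidr}]}]

def dax_ingress_from_web_sg(web_sg_id=WEB_SG_ID):
    """Tighter form: port 8111 only from members of the web server group."""
    return [{"IpProtocol": "tcp", "FromPort": DAX_PORT, "ToPort": DAX_PORT,
             "UserIdGroupPairs": [{"GroupId": web_sg_id}]}]

def _covers_port(perm, port):
    """True if an IpPermissions entry reaches the given TCP port ('-1' = all)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))

def audit_dax_group(permissions, vpc_cidr=VPC_CIDR):
    """Flag IPv4 rules that expose DAX beyond the VPC. `permissions` has the
    shape of the IpPermissions list returned by describe_security_groups."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for perm in permissions:
        if not _covers_port(perm, DAX_PORT):
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if not net.subnet_of(vpc):
                findings.append(f"port {DAX_PORT} open to {rng['CidrIp']} "
                                f"(outside {vpc_cidr})")
    return findings
```

Source-group rules carry no IpRanges, so the audit only flags CIDR rules; a group that is wide open on all protocols is flagged as well.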

Elastic Beanstalk

This is like Azure App Services and provides a more containerised (and hopefully faster to scale) service for scalable web applications.
14) Open the Elastic Beanstalk Panel and click Get Started
15) Choose a name and a platform; I am using .Net (Windows/IIS) and a Sample Application. Press Configure More Options.
16) Change the Configuration Preset if needed.
17) Press Modify under Capacity and switch it from single instance to Load Balanced. Choose your min and max instances values (use min of 2 to understand load balancing). You can leave the scaling metric for now and press Save.
18) Press Modify under the Network box and choose your VPC name. Select the box next to the public subnet for the Load Balancer and the boxes next to the private subnet(s) for the instances. Press Save.
19) Press Modify under Instances and choose what you need. I am choosing t2.medium with 30GB disk for the Windows machines. Also, choose the security group you created earlier for the web servers. This will not show until you have selected the correct VPC under the network configuration.
20) Select Modify under Security, choose the Elastic beanstalk role you created earlier, the key pair you created earlier, and the EC2 role you created earlier in the IAM Instance Profile box.
21) Set an email under notifications.
22) Press Create App and wait for the system to be configured.
23) Test the newly created endpoint, shown after the system starts up to ensure it routes correctly and you get the sample app.

Now all that's left is to upload a test app to ensure my instances can see the DynamoDB databases, and perhaps also add a Redis cache to the private subnet.
