Building a Secure & Scalable Web Application on AWS 🚀
Securing WebApp in AWS


In my recent project, I worked on deploying a secure and scalable web application on AWS using EC2, Nginx, Node.js, ALB, CloudFront, and a Bastion Host. This setup ensures both performance and security while following best cloud architecture practices. Here’s a breakdown of my approach:


🚀 1. Setting Up EC2 in a Private Subnet

One of the first steps was to deploy an EC2 instance in a private subnet for security reasons.

  • Nginx was running on port 80 (Frontend).
  • Node.js application was running on port 5000 (Backend).
  • A NAT Gateway was added to allow outbound internet access for package installations and updates.


[Image] NAT Gateway for public VM access

🔐 2. Secure Access with a Bastion Host

Since the EC2 instance was in a private subnet, I couldn’t connect directly via SSH.

  • Created a Bastion Host in a public subnet to securely connect to the EC2 instance.
  • Restricted SSH access to only allow connections from the Bastion Host.
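The "SSH only from the Bastion Host" rule is easy to state and easy to break later when someone adds a convenience rule. The following is an added example (not the article's code) of an audit that walks security-group ingress rules in the shape returned by `aws ec2 describe-security-groups` and reports any SSH rule that does not fit the bastion pattern. The group IDs and CIDRs are constructed placeholders, not real resources.

```python
"""Audit security-group ingress rules so SSH on the private instance is reachable
only from the bastion's security group.

Added example for this article, not the author's code. The input mimics the
shape of `aws ec2 describe-security-groups` output; the groups, IDs and CIDRs
below are constructed for the example (placeholders, not real resources).
"""
from typing import Dict, List, Tuple

SSH_PORT = 22
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample: a bastion group, the private app group, and a legacy
# group that still has SSH open to the world.
BASTION_SG_ID = "sg-0bastion0placeholder"
SAMPLE_GROUPS: List[Dict] = [
    {
        "GroupId": BASTION_SG_ID,
        "GroupName": "bastion-sg",
        "IpPermissions": [
            # SSH to the bastion only from one admin address (TEST-NET-3 range)
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0app0placeholder",
        "GroupName": "app-sg",
        "IpPermissions": [
            # SSH to the private instance only from the bastion's group
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": BASTION_SG_ID}]},
            # Web traffic on 80 from inside the VPC (constructed CIDR)
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0legacy0placeholder",
        "GroupName": "legacy-open-ssh",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        ],
    },
]


def rule_covers_port(perm: Dict, port: int) -> bool:
    """True if an IpPermissions entry allows TCP traffic to `port`.
    Protocol "-1" means all traffic, which also covers SSH."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def ssh_findings(groups: List[Dict], bastion_sg_id: str) -> List[Tuple[str, str, str]]:
    """Return (group id, finding, source) for every SSH rule that breaks the
    bastion pattern: world-open rules on any group, and on non-bastion groups
    any source that is not the bastion security group itself."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        for perm in group.get("IpPermissions", []):
            if not rule_covers_port(perm, SSH_PORT):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in WORLD_CIDRS:
                    findings.append((gid, "ssh-open-to-world", cidr))
                elif gid != bastion_sg_id:
                    findings.append((gid, "ssh-bypasses-bastion", cidr))
            if gid == bastion_sg_id:
                continue  # the bastion is expected to accept SSH from admin CIDRs
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") != bastion_sg_id:
                    findings.append((gid, "ssh-bypasses-bastion", pair.get("GroupId", "?")))
    return findings


if __name__ == "__main__":
    for gid, finding, source in ssh_findings(SAMPLE_GROUPS, BASTION_SG_ID):
        print(f"{gid}: {finding} from {source}")
```

Run against real output (`aws ec2 describe-security-groups --output json`, then load the `SecurityGroups` list) the same function flags any group where SSH has drifted away from the bastion-only design; the private app group in the sample produces no findings, the legacy group produces two.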


[Image] Bastion Host and main server (Bastion has a public IP)

⚖️ 3. Configuring an Application Load Balancer (ALB)

To efficiently distribute traffic and handle both Frontend & Backend, I deployed an Application Load Balancer (ALB) in a public subnet.

  • Created two target groups for different ports:
      ✅ Port 80 → Nginx (Frontend)
      ✅ Port 5000 → Node.js (Backend)
  • Registered the EC2 instance to these target groups.


[Image] Target group for port 5000

🌍 4. Adding CloudFront for Custom Domains & Security

To improve performance and security, I used CloudFront in front of the ALB.

  • Configured CNAME records in Cloudflare to route custom domains through CloudFront.


[Image] Custom domain and ACM configuration in CloudFront

  • Initially tested ALB with public access and then restricted it only to CloudFront’s IP ranges.


[Image] Error when adding ports 80 and 5000 in the same SG for CloudFront prefixes

  • Faced an issue: "The maximum number of rules per security group has been reached." Solution: created separate security groups for port 80 and port 5000 so that the CloudFront IP prefixes fit within each group's rule quota.
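Why two rules were enough to hit the limit is worth seeing in numbers. The following is an added example (not the article's or AWS's code) that models the quota accounting and packs the ALB's ingress rules into as many security groups as needed. It assumes the default quota of 60 inbound rules per security group and that a rule referencing the CloudFront origin-facing managed prefix list counts as 55 rules (the list's weight); both values are assumptions to confirm in your own account, since quotas can be raised and the weight is set by AWS. The prefix-list ID is a placeholder.

```python
"""Pack ALB ingress rules into security groups without exceeding the per-group
rule quota, which is the limit the article ran into.

Added example, not the article's or AWS's code. Assumptions, labelled here and
in comments: the default quota is 60 inbound rules per security group, and a
rule that references the CloudFront origin-facing managed prefix list counts
as 55 rules (the list's weight). Both can differ in your account, so read them
from Service Quotas and `aws ec2 describe-managed-prefix-lists` before relying
on them.
"""
from dataclasses import dataclass
from typing import Dict, List

DEFAULT_RULES_PER_SG = 60          # assumed default quota (rules per security group)
PREFIX_LIST_WEIGHTS: Dict[str, int] = {
    # placeholder id standing in for com.amazonaws.global.cloudfront.origin-facing
    "pl-cloudfront-placeholder": 55,  # assumed weight of the managed list
}


@dataclass(frozen=True)
class Rule:
    port: int
    source: str     # CIDR block or managed prefix-list id


def rule_weight(rule: Rule) -> int:
    """A CIDR rule counts as 1; a prefix-list rule counts as the list's weight."""
    return PREFIX_LIST_WEIGHTS.get(rule.source, 1)


def plan_security_groups(rules: List[Rule],
                         quota: int = DEFAULT_RULES_PER_SG) -> List[List[Rule]]:
    """First-fit-decreasing packing: heaviest rules first, each placed in the
    first group with room, a new group otherwise. Returns the groups as lists."""
    groups: List[List[Rule]] = []
    loads: List[int] = []
    for rule in sorted(rules, key=rule_weight, reverse=True):
        weight = rule_weight(rule)
        if weight > quota:
            raise ValueError(f"{rule} alone exceeds the quota of {quota}")
        for i, load in enumerate(loads):
            if load + weight <= quota:
                groups[i].append(rule)
                loads[i] += weight
                break
        else:
            groups.append([rule])
            loads.append(weight)
    return groups


def group_load(group: List[Rule]) -> int:
    """Total quota consumed by one security group's rules."""
    return sum(rule_weight(r) for r in group)


# Constructed input matching the article: both listener ports restricted to
# CloudFront, plus one ordinary CIDR rule from inside the VPC (constructed) to
# show that light rules still fit beside a prefix-list rule.
ARTICLE_RULES = [
    Rule(80, "pl-cloudfront-placeholder"),
    Rule(5000, "pl-cloudfront-placeholder"),
    Rule(80, "10.0.0.0/16"),
]

if __name__ == "__main__":
    for n, group in enumerate(plan_security_groups(ARTICLE_RULES), start=1):
        print(f"security group {n}: load {group_load(group)}/{DEFAULT_RULES_PER_SG}")
        for rule in group:
            print(f"  allow tcp/{rule.port} from {rule.source}")
```

With the assumed values the planner produces two groups (55 + 55 > 60), which is exactly the split the article ended up with; attach every resulting group to the ALB, which accepts more than one security group. Raising the per-group quota through Service Quotas is the alternative, and the same planner shows when one group becomes sufficient.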



🛠️ 5. Database Setup & Future Enhancements

Initially, I used Azure MSSQL, but I realized it wasn’t securely connected.

  • For the next phase, I plan to migrate to AWS RDS (MSSQL) for better integration & security.
  • Credentials will be stored securely in AWS Secrets Manager instead of hardcoding them.


🛡️ 6. Final Security Enhancements

🔹 Restricted ALB access to only CloudFront to avoid direct access.
🔹 Ensured least privilege access for EC2 & RDS.
🔹 Verified that CloudFront caching & security policies were properly configured.


[Image] This website is working from port 5000



🎯 Key Takeaways from This Project

✅ How to deploy a highly available & secure application using AWS best practices.

✅ Optimizing CloudFront + ALB for better security & performance.

✅ Handling security group limitations when working with CloudFront IP prefixes.

✅ Future improvement: Securely migrating to AWS RDS & using Secrets Manager.

This project was a great learning experience in AWS networking, security, and scalable architectures! 🚀

💡 Have you worked on a similar setup? What challenges did you face? Let’s discuss in the comments! 👇
