Introduction #
In today’s cloud-first era, migrating on-premise or legacy applications to the cloud is no longer optional; it is essential for scalability, security, and business continuity.
Our team recently completed a full-stack cloud migration project for an e-commerce web application by designing and deploying a secure, resilient, and cost-optimized architecture on AWS.
This post details the AWS architecture, services, and security best practices used in the migration.
Project Objectives #
The primary goals of this e-commerce migration were:
- Strengthen security for network, application, and data layers.
- Enable scalability to handle seasonal and traffic spikes.
- Ensure high availability with Multi-AZ and monitoring.
- Optimize costs without compromising performance.
AWS Cloud Architecture Overview #
We implemented a multi-tier architecture within a custom VPC, segregated into public, private, and database subnets across two availability zones:
- VPC & Subnets
- CIDR Block: 10.0.0.0/16
- Public Subnets (ALB): 10.0.1.0/24, 10.0.6.0/24
- Private Subnets (EC2): 10.0.60.0/24, 10.0.120.0/24
- Database Subnets (RDS): 10.0.180.0/24, 10.0.240.0/24
- NAT Gateway configured for private subnet instances to access the internet securely.
Security Implementation #
Security was embedded at every layer of the architecture.
Security Groups #
- Load Balancer (sg_loadbalancer): Allow HTTP/HTTPS ingress and egress from the internet.
- Web Servers (sg_private): Allow only internal HTTP/HTTPS (80/443) and DB connections. Outbound traffic leaves via the NAT Gateway.
- Database (sg_rds): Allow MySQL (3306) traffic only from EC2 instances in the private subnets.
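The three groups above form a chain (internet → ALB → EC2 → RDS), and the most common way that chain breaks is a later rule that opens a port directly to the internet. The following is an added audit check, not part of the project's own code; the group definitions are a constructed sample in a reduced form of `aws ec2 describe-security-groups` output, and the policy table encodes the rules listed above.

```python
import copy
# Constructed sample in the shape of `aws ec2 describe-security-groups` output,
# reduced to the fields this check needs; group names match the post.
GROUPS = {
    "sg_loadbalancer": [
        {"proto": "tcp", "from": 80, "to": 80, "cidrs": ["0.0.0.0/0"], "groups": []},
        {"proto": "tcp", "from": 443, "to": 443, "cidrs": ["0.0.0.0/0"], "groups": []},
    ],
    "sg_private": [
        {"proto": "tcp", "from": 80, "to": 80, "cidrs": [], "groups": ["sg_loadbalancer"]},
        {"proto": "tcp", "from": 443, "to": 443, "cidrs": [], "groups": ["sg_loadbalancer"]},
    ],
    "sg_rds": [{"proto": "tcp", "from": 3306, "to": 3306, "cidrs": [], "groups": ["sg_private"]}],
}

# Intended ingress policy per tier: allowed ports, whether the internet may be a
# source, and which upstream group may be a source (the ALB -> EC2 -> RDS chain).
POLICY = {
    "sg_loadbalancer": {"ports": {80, 443}, "internet": True, "from_groups": set()},
    "sg_private": {"ports": {80, 443}, "internet": False, "from_groups": {"sg_loadbalancer"}},
    "sg_rds": {"ports": {3306}, "internet": False, "from_groups": {"sg_private"}},
}
ANY = {"0.0.0.0/0", "::/0"}

def audit(groups, policy):
    """Return human-readable findings; an empty list means the layout matches policy."""
    findings = []
    for name, spec in policy.items():
        for rule in groups.get(name, []):
            if rule["proto"] == "-1":  # all-protocol rule is too broad for any tier
                findings.append(f"{name}: all-protocol ingress rule")
                continue
            ports = set(range(rule["from"], rule["to"] + 1))
            if not ports <= spec["ports"]:
                findings.append(f"{name}: ports {sorted(ports - spec['ports'])} not in policy")
            for cidr in rule["cidrs"]:  # non-edge tiers should only trust the upstream group
                if not spec["internet"]:
                    how = "internet-exposed" if cidr in ANY else f"CIDR source {cidr}"
                    findings.append(f"{name}: {how} on ports {sorted(ports)}")
            for src in rule["groups"]:
                if src not in spec["from_groups"]:
                    findings.append(f"{name}: unexpected source group {src}")
    return findings

def drifted_findings():
    """Simulate drift: MySQL on sg_rds opened to the whole internet."""
    drifted = copy.deepcopy(GROUPS)
    drifted["sg_rds"].append({"proto": "tcp", "from": 3306, "to": 3306, "cidrs": ["0.0.0.0/0"], "groups": []})
    return audit(drifted, POLICY)
```

Wired to a scheduled job that reads the live groups, a non-empty result from `audit` is a cheap drift alarm for the network layer.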
Web Application Firewall (WAF) #
- Attached to ALB with:
- AWS Managed Rule Sets (Linux, PHP, SQL injection protection).
- Custom Rules (e.g., BlockBadBots).
IAM & KMS #
- Fine-grained IAM roles/policies for EC2, ALB, CloudFront, WAF, CloudWatch.
- AWS KMS Encryption applied to:
- RDS storage
- EC2 volumes
- S3 buckets & CloudWatch logs
- Secrets Manager securely stored database credentials & sensitive app secrets.
Content Delivery & DNS #
- CloudFront CDN for caching and serving static assets (CSS, JS, images).
- Route 53 for DNS with health checks & latency-based routing.
- ACM Certificates on ALB for HTTPS with auto-renewal.
Application & Database Setup #
EC2 Web Tier #
- Instance Type: t4g.small (ARM-based, cost-efficient).
- OS: Ubuntu 24.02 LTS with SSM Agent for automation.
- Integrated with CloudWatch Agent for metrics/logs.
RDS Database Tier #
- Engine: MySQL
- Instance Type: db.t4g.medium (optimized for I/O).
- Multi-AZ deployment for resilience.
- Secured via private subnets & RDS security groups.
Monitoring & Cost Control #
- CloudWatch Dashboards & Alarms for EC2, RDS, ALB, and CloudFront.
- CloudTrail for auditing and detecting security anomalies.
- SSM Agent for EC2 logs and patch management.
- AWS Budgets & Cost Explorer for proactive cost tracking.
Auto Scaling & Resilience #
- Configured Launch Template with baked-in user data for quick provisioning.
- Auto Scaling Group scales on a CPU utilization > 60% threshold.
- Achieved elastic scalability while ensuring uptime during traffic spikes.
Key Takeaways #
This project provided hands-on expertise in:
- Designing secure, scalable AWS architectures.
- Enforcing network isolation & encryption.
- Leveraging IAM, WAF, and KMS for compliance-grade security.
- Implementing full-stack monitoring with CloudWatch & CloudTrail.
- Deploying auto scaling strategies to balance performance and cost.
The result was a successful migration from a static, monolithic setup to a cloud-native, highly available infrastructure.
What’s Next? #
Future enhancements will focus on:
- Building CI/CD pipelines for automated deployments.
- Containerization with ECS or EKS.
- Enabling IAM authentication for RDS connections.
- Enhancing CloudFront caching for dynamic content.
Interested in Cloud, DevOps, or Security Engineering? #
Feel free to connect or drop me a message!