COS20019 - Cloud Computing Architecture
Assignment 1 - Part B
Creating and deploying Photo Album website onto a simple AWS infrastructure
Due date: 9:00 AM (AEST) Monday, start of Week 7
Prerequisite requirements:
• Pass mark in Assignment 1A. Please note that Assignment 1B submissions will not be marked if the student has not Passed Assignment 1A. Contact your instructor immediately if this requirement is not met in your grades.
Preparation:
- ACF Labs 2, 3, and 4.
- Know how to set up and manage a MySQL database on Cloud.
- General understanding of PHP programming language.
- Know how to set up and manage a Web accessible S3 bucket.
All supporting materials mentioned in this document can be found in the corresponding assignment page on Canvas.
The PHP source code has been provided for this assignment. However, you will need to understand how this code works to be able to modify the missing parts. Each student is supposed to add their own specific information in this code; hence, you must not copy someone else’s code.
Objectives
This assignment has the following objectives:
- Create a secure Virtual Private Cloud (VPC) with subnets, routing tables and security groups.
- Control access to and from your VPC via an Internet Gateway.
- Modify the provided PHP code to create a website that stores meta-data information about photos uploaded to S3 in a MySQL database managed by Amazon RDS. The website should enable the user to search for and display photos using meta-data.
- Deploy and test your PHP web site on an Apache web server running on an EC2 virtual machine instance.
- Add an additional layer of security by applying a Network ACL to the public subnet that hosts your web server.
1. Infrastructure deployment
You will set up a VPC with the structure and services as illustrated in the diagram below.
NOTE: Do not use the default VPC. All services should be in your custom VPC. Below are the detailed requirements for each service.
1.1 - VPC:
- Name: [FirstNameInitial][LastName]VPC. For example, if your name is Bill Gates, your VPC would be named “BGatesVPC”.
- Region: us-east-1
- Two availability zones each with a private and public subnet with suitable CIDR as specified in the diagram above.
- Associate public subnets with a public route table that routes to the Internet Gateway.
NOTE: due to some incompatibility issues, it is recommended to create your VPC manually (use the “Create VPC” button in VPC tab and select “VPC Only”). Please do NOT use the “Start VPC Wizard” button in AWS dashboard.
1.2 - Security groups
Create the following security groups, each associated with the tier shown in the architecture diagram (inbound rules):
Security group name   Protocols              Source
TestInstanceSG        All traffic            Anywhere
WebServerSG           HTTP (80), SSH (22)    Anywhere
WebServerSG           ICMP                   TestInstanceSG
DBServerSG            MySQL (3306)           WebServerSG
1.3 – EC2 virtual machine
You will create two EC2 instances, a test instance and a bastion/web server instance.
1.3.1 – Bastion/Web server instance
Your web server must be deployed on an EC2 instance in Public Subnet 2. This EC2 instance should be configured similar to the EC2 created in Assignment 1A:
- Amazon Machine Image: Amazon Linux 2 AMI (HVM), SSD Volume Type
- Instance type: t2.micro
- Has Apache web server and other PHP packages installed (you can use the same bash script provided in Assignment 1A to bootstrap your EC2).
This instance will host the “Photo Album” web application, which was created in Assignment 1A – more details are in Section 2 of this specification document. This instance will also act as a bastion host for you to SSH into the Test instance, which resides in a private subnet.
NOTE: [your.public.dns] will change every time the webserver instance restarts. To avoid this behaviour and to ensure your Webserver URL remains persistent, add an Elastic IP Address to this instance by allocating an Elastic IP address in the same region under the Network and Security section in the left menu of the EC2 service page, then associate this new EIP to your Bastion/Web server instance. The public IP address of your instance should now automatically match this Elastic IP address.
1.3.2 – Test instance
This instance will be used for demonstration purposes only. It does not contribute to the functionality of Photo Album website. You will SSH into this instance and ping the web server (using “ping” command in Linux). Please take a screenshot(s) of the Linux terminal to demonstrate that:
- You are able to SSH into an instance in a private subnet (which is this Test instance). For instructions on how to connect to a private EC2 instance through a bastion host, you can refer to https://aws.amazon.com/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/
- You are able to establish a connection (ICMP ping) between this instance and the Bastion/Web server instance.
The configuration of this instance is entirely your choice. This instance does not host the web application.
1.4 – RDS database instance
Your RDS instance must have the following configs:
- DB engine version: MySQL 8.0.34
- Template: Free tier
- Public access: No
- Resides in private subnets.
NOTE: Your RDS instance needs to be in a private subnet. Only WebServerSG security group can access it. However, you need to be able to access your database over the internet so that you can set it up and maintain it. There are several ways to do this. The easiest way is to install phpMyAdmin (a web-based MySQL administration tool) on your web server EC2 instance and manage your database through phpMyAdmin’s UI. Instructions on how to do this are in Install phpMyAdmin on EC2.pdf file.
Using phpMyAdmin tool, create a database in your RDS instance with a table called photos that stores meta-data about the photos stored in the S3 bucket. This table should have the following columns:
- Photo title (varchar(255) type)
- Description (varchar(255) type)
- Creation date (date type)
- Keywords (varchar(255) type)
- Reference to the photo object in S3 (varchar(255) type)
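The table above and the keyword search the website must perform (Objectives, Section 2.3), as an added example that is not part of the hand-out or of photoalbum_v3.0.zip. sqlite3 stands in for the MySQL RDS instance so the script runs offline; the column names (title, description, creationdate, keywords, s3_url), the bucket name and the sample records are assumptions constructed for the example. The search binds the user's keyword as a query parameter rather than splicing it into the SQL text, which is the behaviour a reviewer should expect from album.php as well.

```python
# Added example: the Section 1.4 "photos" table plus a parameterised keyword
# search. sqlite3 replaces MySQL here so the script runs offline; the DDL is
# also valid MySQL 8.0 apart from the id column (see the comment on it).
import sqlite3

# Column names are assumptions chosen for this example; constants.php must use
# whatever names you actually create (no spaces, underscores are fine).
CREATE_PHOTOS = """
CREATE TABLE photos (
    id           INTEGER PRIMARY KEY,   -- MySQL: INT AUTO_INCREMENT PRIMARY KEY
    title        VARCHAR(255) NOT NULL,
    description  VARCHAR(255),
    creationdate DATE,
    keywords     VARCHAR(255),
    s3_url       VARCHAR(255) NOT NULL  -- object URL in the public S3 bucket
)
"""

# Constructed sample records; bucket name and object keys are placeholders.
SAMPLE_PHOTOS = [
    ("Harbour at dawn", "Early morning shot", "2024-03-02", "harbour,sunrise,water",
     "https://example-photo-bucket.s3.amazonaws.com/harbour.jpg"),
    ("City skyline", "Night skyline", "2024-03-05", "city,night,skyline",
     "https://example-photo-bucket.s3.amazonaws.com/skyline.jpg"),
    ("Beach", "Summer beach", "2024-01-20", "beach,water,summer",
     "https://example-photo-bucket.s3.amazonaws.com/beach.jpg"),
]


def build_album_db():
    """Create an in-memory album database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_PHOTOS)
    conn.executemany(
        "INSERT INTO photos (title, description, creationdate, keywords, s3_url) "
        "VALUES (?, ?, ?, ?, ?)",
        SAMPLE_PHOTOS,
    )
    conn.commit()
    return conn


def search_photos(conn, keyword):
    """Return (title, s3_url) rows whose keywords contain `keyword`, newest first.

    The keyword is bound as a parameter, never concatenated into the SQL, so
    input such as "' OR 1=1 --" is compared as a literal string. LIKE wildcards
    typed by the user are escaped so they cannot widen the match either.
    """
    pattern = "%" + keyword.replace("%", r"\%").replace("_", r"\_") + "%"
    return conn.execute(
        "SELECT title, s3_url FROM photos WHERE keywords LIKE ? ESCAPE '\\' "
        "ORDER BY creationdate DESC",
        (pattern,),
    ).fetchall()


def list_photos(conn):
    """Every photo with its meta-data, the listing album.php renders."""
    return conn.execute(
        "SELECT title, description, creationdate, keywords, s3_url FROM photos"
    ).fetchall()


if __name__ == "__main__":
    db = build_album_db()
    for title, url in search_photos(db, "water"):
        print(title, url)
```

Running the script lists the two constructed photos tagged "water"; a keyword such as "' OR 1=1 --" returns nothing because it never reaches the database as SQL.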
1.5 – Network ACL
To add an additional layer of security to your web server, you have been asked to design and deploy a Network ACL (named “PublicSubnet2NACL”) that limits ICMP and other necessary traffic to the corresponding subnet (Public Subnet 2). This NACL must follow the least-privilege principle. In other words, irrelevant traffic from irrelevant sources must not be allowed. To be specific, the NACL:
- must ALLOW SSH(22) traffic [1] from anywhere so that you can access the WebServer instance.
- must ALLOW ICMP traffic only from the subnet that contains the Test instance.
- must ALLOW other necessary traffic so that the Photo Album website is fully functional for users from anywhere.
[1] Ideally, SSH(22) traffic should only be allowed from your home network's public IPv4 address range since common users do not need to access the web server. But for simplicity, you can allow SSH from anywhere in this assignment.
2. Functional requirements of Photo Album website
Your Photo Album website must have the following functional requirements.
2.1 – Photo storage
Create an S3 bucket to store your photos. Manually upload some photos onto the S3 bucket that you just created and ensure they have been successfully uploaded.
All objects (photos) in this S3 bucket must become publicly available. To accomplish this task, you MUST use an appropriate access policy to enable public access to all available objects in this S3 bucket.
NOTE: marks will be deducted if S3 bucket objects have been individually configured to be publicly available. This needs to be done by making objects available at the bucket level.
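A bucket-level policy that does exactly what the note asks, as an added example that is not part of the hand-out: it grants anonymous s3:GetObject on the objects (the bucket ARN followed by /*) and nothing on the bucket itself, so no per-object setting is needed. The bucket name is an assumed placeholder. The audit function is a reviewer's check, also added here, that flags any anonymous statement granting more than read access to objects.

```python
# Added example: build the public-read bucket policy for the photo bucket and
# audit a policy so that nothing broader than anonymous object reads slips in.
import json

BUCKET = "example-photo-bucket"   # assumption: replace with your own bucket name


def public_read_policy(bucket):
    """Bucket policy granting anonymous s3:GetObject on objects only, never on the bucket ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",   # objects, not the bucket itself
        }],
    }


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_public_policy(policy, bucket):
    """Return findings for Allow statements that give an anonymous principal anything
    other than s3:GetObject on this bucket's objects."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") != "Allow" or not anonymous:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "s3:getobject":
                findings.append(f"{sid}: anonymous principal granted {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != f"arn:aws:s3:::{bucket}/*":
                findings.append(f"{sid}: resource {resource} is not the object path of {bucket}")
    return findings


if __name__ == "__main__":
    policy = public_read_policy(BUCKET)
    print(json.dumps(policy, indent=2))   # paste into Permissions > Bucket policy
    print("findings:", audit_public_policy(policy, BUCKET))
```

The policy only takes effect once the bucket's S3 Block Public Access settings that block public bucket policies are switched off; with those still on, the console rejects the policy and the objects stay private.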
2.2 – Photo meta-data in RDS Database
The meta-data of the photos stored in the S3 bucket is stored in a database table, which has been created in Section 1.4. You need to populate the table with a few records. Below is an example of a record:
- Photo title:
- Description:
- Creation date:
- Keywords:
- Object URL in S3:
2.3 – Photo Album website functionality
The website must be able to list all the photos (stored in the S3 bucket) along with their meta-data (stored in the database). The full source code has been provided to you (photoalbum_v3.0.zip). Modify the constants.php file in the provided code (carefully read the comments in the file) using available information from the S3 bucket and RDS database that you created in the previous steps.
NOTE: in constants.php file, variables/names that you add must not include space. You may use underscore “_” instead of space.
Examples:
define('DB_PHOTO_CREATIONDATE_COL_NAME', 'creationdate');
define('DB_PHOTO_KEYWORDS_COL_NAME', 'keywords_column');
The website should be accessible through http://[your.public.dns].amazonaws.com/cos20019/photoalbum/album.php if the directory structure in your web server is correctly created.
Testing
Manually upload several photos to the S3 bucket and insert their meta-data into the database. Thoroughly test to make sure the photos and their meta-data are correctly displayed.
Ensure the Network ACL satisfies the additional security requirement by logging into the Test instance (e.g. via SSH) and running a ping to the web server’s IP address.
Submission
Make sure your website is functional before the due date - check you can start the web server EC2
instance and stop it. (No need to start the Test instance).
Submission is a single PDF document to Canvas. No demonstration is required. The document must
contain the following:
1. A single PDF document, maximum 15 pages, in IEEE Conference Style in either one or two column mode submitted to Canvas by the due date.
2. Title page with your name, student ID, and tutorial class.
3. URL of the album.php pages on your EC2 so your tutor can view your website from their browser using the URL that you have provided (Elastic IP address to be used).
4. If your assignment is done in your personal AWS account instead of Vocareum (aka Learner Lab), you will need to create an IAM user with proper permissions and provide us with the credentials so that your tutor can access your AWS management console.
5. Well formatted screenshot(s) of the data records in your database.
6. Well formatted screenshot(s) of Linux terminal showing you have been able to ping the Web server instance from your Test instance.
7. Well formatted screenshot(s) and a brief explanation for each step that you have taken to deploy different resources (e.g. VPC, Route Tables, Security Groups, Static IP, Subnets...), problems that you faced and achievements during your deployment for this assignment.
8. Each screenshot must include your AWS Management Console username/student ID visible.
NOTE:
This assignment is to be completed in a managed AWS Lab environment (e.g. AWS Learner Lab), which is accessible through your AWS Canvas page. For further information of how to access this environment please refer to your Swinburne Canvas Page “Accessing AWS Resources”.
This environment is time-limited until the end of semester and comes with $US100 credit. It is your
responsibility to use and manage this credit correctly to ensure there will be enough remaining
credits for all assignments.