A Guide to Setting Up a Secure Two-Tier Application with OpenVPN in AWS

Overview

Ensuring your applications are secure in the rapidly changing world of cloud computing is crucial. This blog will lead you through building up a powerful and secure two-tier application on Amazon Web Services (AWS) with the added layer of protection offered by an OpenVPN server. A front-end web server and a back-end database server comprise the two-tier architecture, promoting better scalability and concern separation. By incorporating OpenVPN into this configuration, we improve security by establishing a private, encrypted communication channel between the servers. This comprehensive guide will walk you through the step-by-step process, from provisioning the necessary AWS resources to configuring the OpenVPN server, providing you with the tools and knowledge to establish a secure foundation for your applications on the AWS cloud.

Introduction to Two-Tier Architecture

This separation streamlines development, improves scalability, and enhances performance. In this blog, we’ll guide you through setting up a secure two-tier application on Amazon Web Services (AWS), augmented with the added security layer of an OpenVPN server. Join us as we explore the benefits of this architecture and walk through the steps to create a robust, scalable, and secure application in the AWS cloud.

Prerequisites

• Prior basic knowledge of AWS cloud (Amazon RDS, Amazon EC2).
• Amazon EC2 instance will be public and serve as our front-end application for users to interact.
• The Amazon RDS instance for the backend will store our application’s database. Amazon RDS will be in the private subnet.

Steps to Setup OpenVPN EC2 server

­Step 1: Go to the Amazon EC2 console in your Amazon account and click on launch instance.

Step 2: Give a name to your instance, then click on Browse more AMIs to choose the AMI of the OpenVPN server.

Step 3: Click on AWS Marketplace AMIs, then search OpenVpn in the AMI search bar and select OpenVPN Access server image.

Step 4: Select Amazon VPC and subnet, then launch the instance.

Step 5: SSH into your OpenVPN server. You will be asked some configuration questions.

• First, you will be asked to accept the OpenVPN agreement. You need to give it a
• Then, it will ask if this server is your primary node or standby node.
• By default, it will be set as the primary node.
• If you want to change you need to give You can keep configurations as default. It will ask for the ports, and you can keep them default.
• It will ask, “Should client traffic be routed by default through the VPN?”, “Should client DNS traffic be routed by default through the VPN?”. Give both as

Step 6: You’ll be provided one Admin UI URL and one Client UI URL. Copy the admin URL and open it in the browser.

Login with the admin credentials that you have set.

Step 7: You will be taken to the admin page to manage your OpenVPN server, such as creating users and assigning permissions and server configuration. Click on User Management, then user permissions.

Here, you can create users who can access and log into your OpenVPN access server, and you can also assign admin access to those users. There is already one admin user created, which you have created earlier.

Here, you have configured your VPN server. Now, it is time to configure your Amazon EC2 and Amazon RDS to allow access through VPN only.

Steps to Configure Amazon RDS and Amazon EC2 security groups to allow access through VPN only

Step 1: Open your web server Amazon EC2 security group and edit inbound rules.

Open the SSH port, and in the source, add the public IP of your OpenVPN EC2 server. Similarly, allow HTTP and HTTPS ports from the VPN server’s public IP.

Step 2: Open the security group of the Amazon RDS instance and allow MySQL port 3306 from the security group of your frontend Amazon EC2 instance.

Now, we can access our application only when connected to a VPN. The next section will see how to connect to OpenVPN and set up profiles.

Steps to Setup a VPN profile to connect to the VPN

Step 1: Open the public IP of your OpenVPN server in the browser. You will be taken to the client UI of the OpenVPN server. Log in with the username and password of the user you created on the admin page.

Step 2: After logging in, you will see a page where you can choose your operating system. It will download the OpenVPN connect application in your system, which you can use to connect to the VPN.

Step 3. Open the application that has been downloaded. And paste the IP of the OpenVPN server in the field and click on next.

Step 4: Now, create a profile in the app. For that, give the username and password of the user you already created in the admin UI and click on import.

Now, you will be connected to the VPN. You can confirm that by seeing the spikes in the image below. Which means you are connected to the internet through VPN. You can also check that by searching “what is my ip” on Google. You will see your IP is the same as the public IP of the OpenVPN server.

Conclusion

By constructing a safe two-tier architecture on AWS and adding an OpenVPN server as a firewall, we have strengthened our applications’ defenses against potential attacks. We improve scalability and simplify development by deliberately dividing front-end and back-end components. An additional layer of security is added by integrating OpenVPN, which guarantees private and encrypted server communication. This guide covers AWS setup, server configurations, and security measures, offering a roadmap for building resilient applications. Remember, security is an ongoing process, and AWS provides the flexibility to scale with evolving needs. By implementing these strategies, you’re securing your applications and contributing to a dynamic and adaptive cloud environment.

Drop a query if you have any questions regarding Two-tier architecture and we will get back to you quickly.

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, and many more.

To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.