
DMI Internship

Full-Stack 3-Tier AWS Deployment

February 2026
Tags: AWS, EC2, RDS, ALB, VPC, DevOps, Cloud

Deployed a production-grade Book Review application on AWS in a secure 3-tier architecture — Next.js on EC2 behind a public ALB, Node.js API on private EC2 behind an internal ALB, and Amazon RDS MySQL in a private subnet with no direct internet exposure.

Overview

This capstone project for The CloudAdvisory Oy DevOps Micro-Internship involved designing and deploying a full-stack Book Review application in a production-style 3-tier AWS architecture. Every design decision was made as it would be in a real production environment — no shortcuts, no single points of failure.

Problem

The challenge was to take a full-stack application (Next.js frontend, Node.js/Express API, MySQL database) and deploy it in a way that mirrors production best practice: strict tier isolation, no direct internet access to the database layer, and resilience through proper health checks and service persistence.

Architecture

The deployment follows a strict 3-tier model:

  • Tier 1 — Presentation: Next.js frontend on EC2, behind a public-facing Application Load Balancer (ALB)
  • Tier 2 — Application: Node.js/Express API on a private EC2 instance, behind an internal ALB — unreachable directly from the internet
  • Tier 3 — Data: Amazon RDS MySQL in a private subnet with no internet gateway route — accessible only from the application tier via Security Group rules

Traffic flow: Browser → Public ALB → Web EC2 → Internal ALB → App EC2 → RDS

Technologies Used

  • AWS EC2 — web and application tier compute
  • Amazon RDS MySQL — managed relational database in private subnet
  • Application Load Balancer (ALB) — public (web tier) and internal (app tier)
  • VPC, Subnets, Security Groups — network isolation and access control
  • IAM — least-privilege access policies
  • systemd — service persistence and automatic restart on EC2

Key Engineering Decisions

  • Security Groups configured to allow only the minimum required traffic between tiers
  • Internal ALB for the application tier prevents any direct internet routing to the API
  • RDS placed in a private subnet with no internet gateway association — database is never reachable from outside the VPC
  • Health checks configured on both ALBs to detect and route around unhealthy instances
  • systemd used on both EC2 instances to ensure the Next.js and Node.js services restart automatically on reboot
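One way to verify the first three decisions above after deployment, as an added example that is not the project's own code: an audit over `aws ec2 describe-security-groups` output that confirms each tier's Security Group carries only the single expected SG-referenced ingress edge and flags anything else (a stray CIDR rule, an unexpected source group). The SG ids and ports are assumptions; the page does not name them.

```python
"""Audit Security Group ingress for the 3-tier chain described above.
Input has the shape of `aws ec2 describe-security-groups` output
(SecurityGroups list). SG ids and ports are assumptions for this example."""

# The only inbound (source, port) edges each tier SG may carry.
EXPECTED_INGRESS = {
    "sg-web": {("sg-public-alb", 3000)},    # Next.js, from the public ALB only
    "sg-app": {("sg-internal-alb", 8080)},  # Express API, from the internal ALB only
    "sg-rds": {("sg-app", 3306)},           # MySQL, from the app tier only
}

def sg_rule(port, source_sgs=(), cidrs=()):
    """Build one IpPermissions entry in the AWS API shape (sample-data helper)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": s} for s in source_sgs],
            "IpRanges": [{"CidrIp": c} for c in cidrs]}

# Constructed sample: sg-rds carries a stray world-open rule a review must catch.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [sg_rule(3000, ["sg-public-alb"])]},
    {"GroupId": "sg-app", "IpPermissions": [sg_rule(8080, ["sg-internal-alb"])]},
    {"GroupId": "sg-rds", "IpPermissions": [sg_rule(3306, ["sg-app"]),
                                            sg_rule(3306, cidrs=["0.0.0.0/0"])]},
]

def inbound_edges(group):
    """Flatten a group's IpPermissions into (source, port) pairs; the source
    is an SG id for SG-referenced rules and a CIDR string otherwise."""
    edges = set()
    for perm in group.get("IpPermissions", []):
        port = perm.get("FromPort")  # absent when IpProtocol is "-1" (all traffic)
        for pair in perm.get("UserIdGroupPairs", []):
            edges.add((pair["GroupId"], port))
        for rng in perm.get("IpRanges", []):
            edges.add((rng["CidrIp"], port))
    return edges

def audit(groups, expected=EXPECTED_INGRESS):
    """Return findings as strings; an empty list means the chain holds."""
    findings, by_id = [], {g["GroupId"]: g for g in groups}
    for sg_id, allowed in expected.items():
        if sg_id not in by_id:
            findings.append(f"{sg_id}: security group not found")
            continue
        for src, port in sorted(inbound_edges(by_id[sg_id]) - allowed, key=str):
            kind = "CIDR" if "/" in src else "source SG"
            findings.append(f"{sg_id}: unexpected {kind} {src} on port {port}")
    return findings
```

Running `audit(SAMPLE_GROUPS)` reports the world-open MySQL rule and nothing else; against live data, feed it the `SecurityGroups` array from the CLI and treat any non-empty result as a drift from the intended tier chain.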

Results

End-to-end traffic flow validated from browser through all three tiers. Zero direct internet exposure to the application or database tier. Service persistence confirmed across instance restarts.

Key Learnings

Tier isolation is architectural discipline, not just a security checkbox. The internal ALB pattern for the application tier is a clean way to enforce that no external traffic can reach the API layer — even if a Security Group misconfiguration occurred, the routing simply would not exist. This project reinforced that security in cloud architecture comes from layered controls, not a single policy.