Introduction to Hybrid Architecture
Hybrid Architecture in AWS
In this section we will learn how to design a hybrid architecture using AWS-provided technologies and services for different use cases and requirements.
Connectivity Options:
In any hybrid deployment, on-premises servers and clients need to connect to AWS for application access, EC2 instance access and database access. Below are some of the options available for connectivity from on-premises to the cloud.
Accessing AWS resources over the Internet using AWS public IPs:
Some AWS resources can be reached over the Internet: an EC2 instance can be assigned a public or Elastic IP, and services such as S3 expose public endpoints, so on-premises applications can reach them over the Internet. This method is usually not preferred from a security and network-performance point of view: traffic traverses the public Internet, and every exposed endpoint is reachable by anyone who can route to it.
If it is used anyway, narrow the exposure: use security groups to protect the EC2 instance and NACLs to restrict traffic to the on-premises source IPs only, allow the instance's Elastic IP on the on-premises firewall, and encrypt in transit with TLS at the transport layer or with encryption at the application layer. Source-IP filtering only limits who can reach the listener; it authenticates nothing, so the application must still authenticate its callers.
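The following is an added illustration (not code from the original page) of the "restrict to on-premises source IPs, TLS only" rule above: a weak security group open to the world beside its hardened form, and an audit function a practitioner can run over `describe-security-groups` output. The security-group documents are constructed in that API's shape; the CIDRs 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges standing in for the on-premises NAT addresses, and the group IDs are placeholders.

```python
"""Audit security-group ingress for a hybrid deployment that exposes an EC2
instance on a public IP: only the on-premises egress CIDRs may reach it, and
only on the TLS port.

Added illustration, not code from the page. The security-group documents are
constructed in the shape returned by `aws ec2 describe-security-groups` (and
boto3); 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges
standing in for the on-premises NAT addresses.
"""
import ipaddress

ONPREM_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]  # assumed on-prem egress ranges
ALLOWED_PORTS = {443}  # TLS only; SSH/RDP should come over the VPN or Direct Connect


def onprem_ingress(cidrs=ONPREM_CIDRS, port=443):
    """IpPermissions for authorize-security-group-ingress: one TCP rule, on-prem sources only."""
    return [{
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": c, "Description": "on-prem NAT egress"} for c in cidrs],
    }]


# Weak: the usual "open to the world" rules, including SSH.
WEAK_SG = {
    "GroupId": "sg-0weak",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
# Hardened: the same instance, reachable on 443 from the on-prem ranges only.
HARDENED_SG = {"GroupId": "sg-0hardened", "IpPermissions": onprem_ingress()}


def _covered(cidr, allowed):
    """True if `cidr` lies entirely inside one of the allowed on-prem ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a)
               for a in map(ipaddress.ip_network, allowed))


def audit_ingress(sg, allowed_cidrs=ONPREM_CIDRS, allowed_ports=ALLOWED_PORTS):
    """Return one finding string per violation; an empty list means compliant.
    Only CIDR sources are examined; security-group and prefix-list sources are
    out of scope for this check."""
    findings = []
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        ports = "all" if proto == "-1" else f"{lo}-{hi}"
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for src in sources:
            if not _covered(src, allowed_cidrs):
                findings.append(f"{sg['GroupId']}: {proto} {ports} open to {src}, not an on-prem range")
        # Protocol -1 (all) has no ports; anything else must stay within the allowed set.
        if proto == "-1" or lo is None or any(p not in allowed_ports for p in range(lo, hi + 1)):
            findings.append(f"{sg['GroupId']}: {proto} {ports} outside allowed ports {sorted(allowed_ports)}")
    return findings


if __name__ == "__main__":
    for sg in (WEAK_SG, HARDENED_SG):
        print(sg["GroupId"], audit_ingress(sg) or "compliant")
```

The weak group produces three findings (port 22 open to the world, port 22 outside the allowed set, port 443 open to the world); the hardened group produces none. The same `onprem_ingress()` structure can be passed as `--ip-permissions` to `aws ec2 authorize-security-group-ingress`.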
Accessing AWS resources via an IPsec VPN:
In this type of connectivity, an IPsec VPN tunnel is formed between the on-premises network and the VPC, terminating either on a virtual private gateway (VGW) or on an EC2 instance. When IPsec terminates on the VGW (AWS Site-to-Site VPN), AWS takes care of the IPsec and BGP configuration on the AWS side, and the customer configures IPsec and BGP on the customer gateway router; a Site-to-Site VPN connection provides two tunnels to separate AWS endpoints, and both should be configured for redundancy. When the customer chooses to terminate the VPN on an EC2 instance in the VPC, the customer is responsible for the IPsec tunnel configuration and BGP on both sides, as well as for patching, monitoring and high availability of that instance.
Accessing AWS resources via a private circuit using AWS Direct Connect
Using AWS Direct Connect, you can establish a dedicated network connection between your network and an AWS Direct Connect location. Traffic does not traverse the public Internet, which gives more predictable latency and bandwidth. Note that a Direct Connect circuit is not encrypted by itself, so run IPsec over it or encrypt at the application layer if the data requires it.
Applications are commonly divided into tiers. Let's discuss how these tiers can be split between on-premises and AWS.
Three-Tier Web Application
It is also referred to as a web application stack and consists of a web layer, which accepts all incoming end-user requests; an application layer, which implements the business logic of the application; and a database layer for application data storage.
In most designs all three tiers are deployed at one location, either on-premises or on AWS, for minimal latency between the layers. But there are scenarios where a customer wants a hybrid split across these layers.
Two common reasons are a phased migration of an application to AWS and distributing traffic across both the AWS VPC and on-premises resources. In a phased migration, you typically start by deploying the web layer in AWS while the application and database layers remain on-premises.
Initially you can have web servers both in AWS and on-premises and distribute traffic across both stacks with an ALB or NLB. Using IP-type targets, an ALB or NLB can send traffic directly to on-premises IP addresses at the other end of the VPN or AWS Direct Connect connection. Make sure the load balancer is in subnets that have a route back to the on-premises network, and that the on-premises firewall permits the load balancer's health checks and traffic from the load balancer's subnets.
The figure below demonstrates a hybrid web application using AWS load balancing.
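As an added example (not code from the original page), the checks a practitioner would run before trusting the layout above: that each `ip`-type target is an address the load balancer will accept (inside the VPC CIDR or one of the private ranges AWS permits for targets outside the VPC), and that the route table of the load balancer's subnets has a route back to the on-premises CIDR via the VGW or a transit gateway rather than only a default route to an Internet gateway. The target-health and route-table documents are constructed in the shape of `describe-target-health` and `describe-route-tables` output; the VPC CIDR 10.20.0.0/16, the on-premises CIDR 10.200.0.0/16 and the gateway IDs are placeholders.

```python
"""Validate a hybrid load-balancer layout: an ALB/NLB target group of type `ip`
whose targets are on-premises web servers, plus the route table of the load
balancer's subnets, which must route back to the on-premises CIDR through the
VGW (VPN or Direct Connect) or a transit gateway.

Added illustration, not from the page. Inputs are constructed in the shape of
`describe-target-health` / `describe-route-tables` output; the VPC and on-prem
CIDRs and the vgw-/igw- identifiers are placeholders.
"""
import ipaddress

# Ranges AWS accepts for `ip`-type targets that lie outside the VPC CIDR.
PRIVATE_TARGET_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12", "192.168.0.0/16")]

VPC_CIDR = ipaddress.ip_network("10.20.0.0/16")      # assumed VPC
ONPREM_CIDR = ipaddress.ip_network("10.200.0.0/16")  # assumed on-prem network

# Constructed target health: one in-VPC web server, one on-prem web server,
# and one on-prem server listed by its public address (not allowed as a target).
SAMPLE_TARGETS = [
    {"Target": {"Id": "10.20.1.10", "Port": 443}, "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "10.200.5.20", "Port": 443}, "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "203.0.113.7", "Port": 443}, "TargetHealth": {"State": "unhealthy"}},
]

# Route table of the LB subnets, with and without the route back to on-prem.
GOOD_ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "10.200.0.0/16", "GatewayId": "vgw-0123456789abcdef0"},
]}
BAD_ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"},
]}


def target_ok(ip, vpc_cidr=VPC_CIDR):
    """An `ip` target must be in the VPC CIDR or one of the accepted private ranges."""
    addr = ipaddress.ip_address(ip)
    return addr in vpc_cidr or any(addr in r for r in PRIVATE_TARGET_RANGES)


def has_return_route(route_table, dest):
    """True if a route covers `dest` and points at a VGW or transit gateway.
    A default route to an Internet gateway does not count: replies to on-prem
    private addresses sent that way never reach the on-premises network."""
    for r in route_table["Routes"]:
        if "DestinationCidrBlock" not in r:
            continue  # IPv6 or prefix-list routes are out of scope here
        if not dest.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"])):
            continue
        if r.get("GatewayId", "").startswith("vgw-") or "TransitGatewayId" in r:
            return True
    return False


def validate_hybrid_tg(target_health, route_table, onprem=ONPREM_CIDR):
    """Return findings for a target group fronting on-prem servers over VPN/DX."""
    findings = []
    for th in target_health:
        ip = th["Target"]["Id"]
        if not target_ok(ip):
            findings.append(f"target {ip} is not in the VPC or an allowed private range")
    if not has_return_route(route_table, onprem):
        findings.append(f"LB subnets have no route to {onprem} via a VGW or transit gateway")
    return findings


if __name__ == "__main__":
    print(validate_hybrid_tg(SAMPLE_TARGETS, GOOD_ROUTE_TABLE))
    print(validate_hybrid_tg(SAMPLE_TARGETS, BAD_ROUTE_TABLE))
```

With the good route table the only finding is the public-address target; with the bad one a second finding reports the missing return route. Routes propagated from the VGW appear in `describe-route-tables` with a `vgw-` gateway ID just like static ones, so the check covers both.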
Another way to load balance between AWS and on-premises is DNS-based load balancing. Here too you use an ALB or NLB in AWS to load balance traffic to the web servers on the AWS side. You then create DNS records for your domain name that point to both the NLB and the on-premises load balancer. With Route 53 you can choose one of the DNS routing policies to distribute traffic across the two load balancers (on AWS and on-premises).
As an example, use the weighted routing policy: create two records, one for the on-premises load balancer and another for the Network Load Balancer on AWS, and assign each record a relative weight that determines how much traffic you want to send to each resource. Because Route 53 cannot observe the on-premises endpoint on its own, associate a health check with that record so it is taken out of rotation when the site is down.
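The following is an added example (not code from the original page) of the weighted-record setup just described: it builds the `ChangeBatch` that `aws route53 change-resource-record-sets` consumes, with an A record for the on-premises load balancer carrying a health check and an alias record for the NLB with `EvaluateTargetHealth`, and computes the share of answers each record receives (weight divided by the sum of weights). The hosted zone ID, NLB DNS name, on-premises address 203.0.113.10 and health-check ID are placeholders.

```python
"""Build the Route 53 change batch for DNS-based hybrid load balancing: two
weighted A records for the same name, one for the on-premises load balancer
and one aliasing the NLB in AWS.

Added illustration, not code from the page. The hosted zone IDs, the NLB DNS
name, the on-prem address 203.0.113.10 and the health-check ID are placeholders.
"""
import json

ON_PREM_LB_IP = "203.0.113.10"                                    # assumed on-prem LB address
NLB_DNS = "web-nlb-0123456789abcdef.elb.eu-west-1.amazonaws.com"  # assumed NLB DNS name
NLB_ZONE_ID = "Z00000000000000000000"                             # assumed ELB hosted zone ID for the region
ONPREM_HEALTH_CHECK = "11111111-2222-3333-4444-555555555555"      # assumed Route 53 health check ID


def weighted_record(name, set_id, weight, *, ip=None, alias=None, health_check_id=None):
    """One weighted ResourceRecordSet; Route 53 limits weights to 0..255."""
    if not 0 <= weight <= 255:
        raise ValueError("Route 53 weights must be between 0 and 255")
    rrset = {"Name": name, "Type": "A", "SetIdentifier": set_id, "Weight": weight}
    if alias is not None:
        # Alias to the NLB: no TTL or ResourceRecords. EvaluateTargetHealth makes
        # Route 53 withhold this record when the NLB has no healthy targets.
        rrset["AliasTarget"] = {"HostedZoneId": alias["HostedZoneId"],
                                "DNSName": alias["DNSName"],
                                "EvaluateTargetHealth": True}
    else:
        rrset["TTL"] = 60  # short TTL so weight changes and failover propagate quickly
        rrset["ResourceRecords"] = [{"Value": ip}]
    if health_check_id:
        # Route 53 cannot see an on-prem endpoint by itself; an explicit health
        # check lets it stop answering with this record when the site is down.
        rrset["HealthCheckId"] = health_check_id
    return rrset


def change_batch(records, comment="hybrid web tier"):
    """Wrap the record sets in a ChangeBatch, checking the weighted-set invariants."""
    ids = [r["SetIdentifier"] for r in records]
    if len(set(ids)) != len(ids):
        raise ValueError("SetIdentifier must be unique within a weighted set")
    if len({(r["Name"], r["Type"]) for r in records}) != 1:
        raise ValueError("all records in a weighted set share one Name and Type")
    return {"Comment": comment,
            "Changes": [{"Action": "UPSERT", "ResourceRecordSet": r} for r in records]}


def traffic_share(records):
    """Expected fraction of answers per record: weight / sum of weights.
    If every weight is 0, Route 53 answers with each record equally."""
    total = sum(r["Weight"] for r in records)
    if total == 0:
        return {r["SetIdentifier"]: 1 / len(records) for r in records}
    return {r["SetIdentifier"]: r["Weight"] / total for r in records}


# 30 % of answers to the on-prem stack, 70 % to AWS, as in a late migration phase.
RECORDS = [
    weighted_record("www.example.com.", "onprem", 30, ip=ON_PREM_LB_IP,
                    health_check_id=ONPREM_HEALTH_CHECK),
    weighted_record("www.example.com.", "aws-nlb", 70,
                    alias={"HostedZoneId": NLB_ZONE_ID, "DNSName": NLB_DNS}),
]

if __name__ == "__main__":
    print(json.dumps(change_batch(RECORDS), indent=2))
    print(traffic_share(RECORDS))
```

Write the JSON to a file and apply it with `aws route53 change-resource-record-sets --hosted-zone-id <your zone ID> --change-batch file://batch.json`. To finish a cutover, set the on-premises record's weight to 0 rather than deleting it, so it can be restored quickly if the AWS stack misbehaves.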
The figure below describes a hybrid web application using DNS and AWS load balancing.
Active Directory is widely used for Windows and Linux EC2 instances in the cloud. When deploying an application server on AWS, we have the option to keep using the on-premises AD and connect it to our VPC environment over the VPN or Direct Connect link. We can also run directory services in the VPC: either self-managed domain controllers on EC2 that replicate the on-premises domain and act as a local copy of it, or AWS Directory Service (AWS Managed Microsoft AD, Enterprise Edition) with a trust relationship to the on-premises AD. Note that a trust does not copy the on-premises directory; it lets the AWS-side directory authenticate and authorize on-premises principals, and it requires the AD ports to be open between the two sides over the private link.