cms.teleglobals.com

Secure 3-Tier Web Application on AWS for an Order Management Platform

At a Glance 

EC2 INSTANCES 4 total: Frontend (C6a), Backend (C6a), API (C6a), Bastion (T3a) ARCHITECTURE 3-tier: Frontend, Backend with MySQL, API REGION Asia Pacific (Mumbai), ap-south-1 
DATABASE MySQL on Backend EC2, restricted to app-tier only DNS + SECURITY Route 53 + AWS WAF + ALB MONITORING CloudWatch with proactive alerting 

Executive Summary 

The client operates an order management platform that processes transactions across multiple sales channels. The application runs as a 3-tier stack: frontend, backend with MySQL, and an API layer for external integrations. 

Teleglobal provisioned the full AWS environment in the Asia Pacific (Mumbai) region. The deployment covers 4 EC2 instances across public and private subnets, Route 53 with ALB and WAF for traffic routing and protection, self-managed MySQL with network-level access restrictions, and a security layer spanning IAM, KMS, Secrets Manager, and CloudWatch.  

The Problem 

Production application without production infrastructure 

The platform was ready for production but had no secure hosting environment. The three application tiers each have different network access requirements. The frontend needs internet traffic, while the backend and API layers should never be directly reachable from outside. 

Database access that needed strict boundaries 

MySQL runs directly on the backend EC2 instance, not as a managed service. Only the application-tier instances should connect to it. A misconfigured security group would expose the database to the entire VPC or the internet. Access rules had to be locked down before the first connection. 

No secure path to reach private servers 

With all application servers in private subnets, administrators had no way to SSH in for maintenance. The environment needed a Bastion server as the single controlled entry point, locked down to specific source IPs. 

What We Built 

Network foundation 

A VPC in ap-south-1 with two subnet tiers. The public subnet contains the Bastion server (T3a) and NAT Gateway. The private subnet holds all three application servers (C6a). Route tables direct outbound traffic through the NAT Gateway, while the Bastion provides the only inbound administrative path. 

Traffic routing and DNS 

Route 53 points the client’s domain to the ALB. The ALB distributes requests across Frontend, Backend, and API instances. AWS WAF filters malicious traffic before it reaches any server. The traffic flow is: User > Route 53 > WAF > ALB > EC2 in the private subnet. 

Compute and database 

Three C6a instances handle frontend, backend, and API workloads in the private subnet. MySQL is deployed on the Backend instance with security group rules restricting access to application-tier instances only. This is enforced at the network level, not just application-level authentication. 

Storage 

An Amazon S3 bucket handles application data, backups, static website hosting, datasets, and infrastructure state files with lifecycle policies and access controls. 

Security and access control 

IAM follows least-privilege principles. KMS manages encryption keys. Secrets Manager stores credentials. Security Groups define exact rules for every instance: Bastion accepts SSH only from approved IPs, application servers accept traffic only from the ALB and Bastion, MySQL accepts connections only from the app-tier security group. Learn more about our cybersecurity services

Monitoring 

CloudWatch monitors EC2 instances, VPC flow logs, and S3 access patterns. Proactive alarms cover CPU, memory, disk, and network anomalies. 

AWS Services Deployed 

AWS Service Role in This Deployment 
Amazon VPC + NAT Gateway Public and private subnets with route tables and Security Groups in ap-south-1 
Amazon EC2 (3x C6a + 1x T3a) 3 application servers in private subnet, 1 Bastion in public subnet 
Application Load Balancer + WAF Traffic distribution with routing rules and web application firewall 
Amazon Route 53 DNS resolution pointing the client’s domain to the ALB 
Amazon S3 Application data, backups, static hosting, datasets, and state files 
IAM + KMS + Secrets Manager Access control, encryption, and credential storage 
Security Groups Instance-level firewall rules restricting traffic by source, port, and protocol 
Amazon CloudWatch Monitoring, log collection, metrics, and proactive alerting 

Results 

Area Before After 
Compute No production infrastructure 4 EC2 instances (3x C6a + 1x T3a) across public and private subnets 
Network No subnet isolation 2-tier VPC with private subnet for app servers, public subnet for Bastion only 
Database MySQL with no network-level access control MySQL on Backend EC2, Security Groups restrict access to app-tier only 
DNS + Routing No managed DNS or load balancing Route 53 > WAF > ALB traffic path with domain-level routing 
Security No centralised access control or encryption IAM least-privilege, KMS, Secrets Manager, Security Groups on every instance 
Admin Access No controlled path to reach production servers Bastion server (T3a) as single entry point, SSH restricted to approved IPs 
Monitoring No visibility into instance health CloudWatch with proactive alarms across EC2, VPC, and S3 

Roles and Responsibilities 

Activity Responsibility 
Infrastructure setup (VPC, EC2, IAM, S3, security) Teleglobal 
Testing and validation Teleglobal and Client jointly 
Documentation and handover Teleglobal 
Application integration Client 

What Comes Next 

Additional EC2 instances can be added behind the ALB as traffic increases. If the client outgrows self-managed MySQL, the same VPC and Security Group structure supports a migration to Amazon RDS with minimal changes. S3 is already configured for static hosting, giving the option to offload assets to S3 and CloudFront at scale. 

Teleglobal International is an AWS Partner delivering cloud infrastructure deployments across the Asia Pacific region from its delivery centre in Pune, India. Get in touch.