School of Science, Computing and Engineering Technologies Swinburne University of Technology
COS80001 – Cloud Computing Architecture Assignment 2
Developing a highly available Photo Album website
Due date: 9 AM, Monday of Week 11
Weighting: 15%. The assignment needs to be completed to attain a Credit grade or above in this unit. Late submission penalty: 10% of total available marks per day.
Prerequisite requirements:
• Successfully completed Assignments 1A and 1B.
• Completed all ACF labs (1-6).
• Know how to use AWS PHP SDK and AWS Network ACLs.
All supporting materials mentioned in this document can be found in the corresponding assignment page on Canvas.
PHP source code has been provided for this assignment. However, you will need to understand how this code works and complete the missing parts. Each student is supposed to add their own specific information to this code; hence, you cannot copy someone else’s code.
Objectives
This assignment will extend/modify the infrastructure and program you developed in Assignment 1b. It has the following additional objectives:
1. Create IAM roles to enable EC2, Lambda, and S3 to interact with each other.
2. Restrict access to S3 using S3 bucket policy.
3. Create a Lambda function.
4. Create a custom AMI.
5. Create a launch configuration based on your custom AMI.
6. Create an auto scaling group across multiple Availability Zones with policies for scaling up and down.
7. Create an elastic load balancer to distribute service requests.
8. Implement access control and traffic limitations by using AWS NACLs.
1. Functional requirements of Photo Album website
The PhotoAlbum website is to be hosted on your EC2 web servers. The full source code has been provided to you (photoalbum.zip). Modify the constants.php file in the provided code (carefully read the comments in the file) using available information from your S3 bucket, RDS database, and Lambda function. The website should be accessible through http://[your.elb.dns]/photoalbum/album.php if the directory structure in your web server is as specified in the constants.php file.
2.1 – Photo album (album.php)
This page lists all the photos whose meta-data are stored in the database. Programmatically, this page performs the following actions:
• Establish a connection to the RDS instance.
• Request to retrieve all the records in the database table in the RDS instance.
• The RDS instance will then send back all the records to the EC2 server hosting this web page.
2.2 – Photo uploading (photouploader.php)
This page allows you to upload a photo to an S3 bucket and insert its meta-data into the RDS database. In the meantime, a Lambda function called CreateThumbnail will create a resized version of the photo that was just uploaded to S3. Programmatically, this page performs the following actions:
• When you click the “Upload” button on the page, the photo will be uploaded from your local computer to an EC2 web server.
• The photo is then uploaded from the EC2 web server to the S3 bucket.
• The EC2 web server inserts the photo’s meta-data (title, description, creation date, and keywords) into the database in the RDS instance.
• The EC2 web server invokes the CreateThumbnail Lambda function with the bucket name and the photo name in the payload.
• The Lambda function downloads the photo in the bucket specified in the payload sent above, resizes it, and uploads the resized image to the same S3 bucket. The resized image is named “resized-
2. Infrastructure deployment
You will set up a VPC with the structure and services as illustrated in Fig. 1. You can set it up on top of the infrastructure developed from Assignment 1b.
The VPC is as per Assignment 1b. The following points should be noted:
• Name: [FirstNameInitial][LastName]VPC. For example, if your name is Bill Gates, your VPC would be named “BGatesVPC”.
• Region: us-east-1
• Two availability zones, each with a private and public subnet with suitable CIDR ranges.
• Associate public subnets with a route table that routes to an Internet Gateway
• Associate private subnets with a private route table that routes to the NAT instance. A NAT instance is now required because EC2 instances need to upload photos to the S3 bucket, which is outside the VPC. The NAT instance is an EC2 instance that is configured as follows:
o AMI: amzn-ami-vpc-nat-2018.03.0.20210721.0-x86_64-ebs (ami-00a36856283d67c39)
o Source/destination check disabled.
Figure 1 – Architecture diagram
2.2 – S3 photo storage
Photos are to be stored in an S3 bucket, which has been created from Assignment 1. However, in this assignment, the bucket must be private so that the photos are not publicly accessible. The photos should be accessible through your website only.
HINT: You can set up an S3 bucket policy that restricts access to a specific HTTP referrer (https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-4).
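The bucket policy this hint points to, written out as an added example (not the assignment's own material or the provided code), together with a small simulation of how S3 evaluates the aws:Referer StringLike condition; the bucket name and ELB DNS name are constructed placeholders.

```python
"""Added example (not part of the assignment or the provided photoalbum code).

Builds the Referer-restricted bucket policy hinted at in Section 2.2 and simulates
how S3 evaluates its StringLike condition for a matching, a foreign, or a missing
Referer header. Bucket and ELB names are constructed placeholders.
"""
import re

BUCKET = "bgates-photo-bucket"                              # constructed placeholder
ELB_DNS = "bgates-elb-123456.us-east-1.elb.amazonaws.com"   # constructed placeholder


def referer_bucket_policy(bucket, elb_dns):
    """Allow anonymous s3:GetObject on the bucket's objects only when the
    request's Referer header points at the Photo Album pages served via the ELB.
    The browser supplies that header, so this stops direct links and hot-linking
    rather than acting as authentication; keep the bucket itself private."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowGetFromPhotoAlbumPages",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "StringLike": {"aws:Referer": [f"http://{elb_dns}/photoalbum/*"]}
            },
        }],
    }


def string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' matches any run of characters and
    '?' matches exactly one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def anonymous_get_allowed(policy, referer):
    """Decide an anonymous GetObject under the policy. Access is denied by default;
    an Allow applies only if its condition matches, and a request without a
    Referer header can never match a StringLike condition on aws:Referer."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "s3:GetObject" not in stmt["Action"]:
            continue
        patterns = stmt["Condition"]["StringLike"]["aws:Referer"]
        if referer is not None and any(string_like(p, referer) for p in patterns):
            return True
    return False
```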
2.3 – Load balancing
Web request load needs to be distributed across the web servers in the auto-scaling group using an Application load balancer. Ensure that your ELB is running health checks on all instances.
NOTE: The health check path must be correctly configured (e.g., “/photoalbum/album.php”). Otherwise, the health checks would fail.
2.4 – Auto scaling
You need to define a scaling policy for your auto-scaling group with at least the following rules:
• The minimum number of servers is 2. The maximum number of servers is 3.
• Configure a target tracking scaling policy to keep the request count per target of your ELB target group at 30 for your Auto Scaling group. The ASG should launch instances into the private subnets.
2.5 – EC2 instances
Your EC2 web server instances should be based on Amazon Linux 2 AMI (HVM), SSD Volume Type (similar to the previous assignments). They need to be given proper permissions through an IAM role to be able to put objects into the S3 bucket and invoke the CreateThumbnail Lambda function. The role must follow the least-privilege principle.
These instances should be automatically launched by the auto scaling group, and only accept incoming traffic from the load balancer. Once launched, they should be ready to serve Photo Album users without any further human intervention. In other words, you should not have to do any configs once the instances have been launched.
HINT: An ASG can launch instances based on an AMI that has been customized by you.
The Dev server does not receive traffic from the ELB. The Dev server can be used to develop the custom AMI, which would contain everything needed to run the PhotoAlbum website (AWS PHP SDK, Apache web server, source code of the website, etc.). It can also be used to manage your database (through phpMyAdmin – similar to Assignment 1b).
2.6 – CreateThumbnail Lambda function
Create a Lambda function with the following configs:
• Name: CreateThumbnail
• Runtime: Python 3.7
• Execution role: An IAM role with policies that allow this Lambda function to get objects from and put objects into the S3 bucket. The role must follow the least-privilege principle.
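Least-privilege identity policies for the web-server role (Section 2.5) and this execution role, plus a check for the wide-open grants that the TIP in Section 2.8 tolerates only temporarily, as an added example that is not part of the assignment or its provided code; the account id, region and bucket name are constructed placeholders.

```python
"""Added example, not part of the assignment or its provided code: least-privilege
policies for the web-server role (Section 2.5) and the CreateThumbnail execution
role (Section 2.6), plus a check for the wide-open "*" grants that the TIP in
Section 2.8 says must be tightened. Account id, region and bucket are placeholders."""
ACCOUNT_ID = "123456789012"          # constructed placeholder
REGION = "us-east-1"
BUCKET = "bgates-photo-bucket"       # constructed placeholder


def web_server_role_policy(bucket, account_id, region):
    """Web servers only need to put photos into the bucket and invoke
    CreateThumbnail: no ListBucket, no GetObject, no other functions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "PutPhotos", "Effect": "Allow",
             "Action": ["s3:PutObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
            {"Sid": "InvokeThumbnail", "Effect": "Allow",
             "Action": ["lambda:InvokeFunction"],
             "Resource": [f"arn:aws:lambda:{region}:{account_id}:function:CreateThumbnail"]},
        ],
    }


def thumbnail_lambda_role_policy(bucket):
    """CreateThumbnail reads the original and writes the resized copy into the
    same bucket. (CloudWatch Logs permissions, if wanted, are attached separately.)"""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadOriginalWriteResized", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


def overly_permissive(policy):
    """Return the Sids of Allow statements granting every action of a service
    ("s3:*" or "*") or applying to every resource ("*")."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged
```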
Once the Lambda function has been created, you can upload a deployment package to add functionality to this function. The deployment package has been provided to you (lambda-deployment-package.zip). This package contains the library and full source code to resize images and download/upload images to S3 (for best result, please use PNG images). The package is ready to work without any modification.
TIP: In order to test this function, you can create a test event with the following input: {"bucketName": "your-photo-bucket", "fileName": "your-image.png"}
You are encouraged to inspect the source code and understand the logic of this Lambda function.
2.7 – Database with RDS
Same RDS database created in Assignment 1b.
Since the web servers are now in private subnets, access to phpMyAdmin from those servers would require some further configs. This is NOT required. It is acceptable to manage your DB through the Dev server, which is in a public subnet.
2.8 – Security groups
Create five security groups, each associated with a tier shown in the architecture diagram:
• ELBSG: for the ELB created above.
• WebServerSG: for all the web servers in private subnets.
• DBServerSG: for the RDS instance.
• NATServerSG: for the NAT server.
• DevServerSG: for the Dev server.
ELBSG, WebServerSG, DBServerSG, and NATServerSG must follow the least-privilege principle, i.e., allowing all traffic from anywhere is NOT acceptable. DevServerSG does not have to follow the least-privilege principle.
NOTE: Security groups are stateful (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html).
TIP: If unsure how to set up security groups, NACLs, and IAM roles, or unsure if your security groups and IAM roles are causing problems, you can make them wide open (allowing all traffic from anywhere, full permissions) then tighten them later once your web app is fully functional [1].
2.9 – Network ACL
To add an additional layer of security to your web servers, you have been asked to design and deploy a Network ACL that limits ICMP traffic to the corresponding subnets.
– Create a network ACL (named “PrivateSubnetsNACL”) to block bidirectional ICMP traffic to/from Dev server.
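As an added example (not part of the assignment), a small model of NACL evaluation that shows why the ICMP deny rules need a lower rule number than the allow-all rule and why both an inbound and an outbound rule are required; the Dev server address is a constructed placeholder and port ranges are left out.

```python
"""Added example, not part of the assignment: a model of how a VPC network ACL
evaluates a packet, used to check PrivateSubnetsNACL (Section 2.9) before it is
deployed. Rules are tried in ascending rule-number order, the first match decides,
the implicit final rule denies, and because NACLs are stateless (unlike the
security groups of Section 2.8) inbound and outbound are judged independently.
Port ranges are omitted; the Dev server address is a constructed placeholder."""
import ipaddress

ICMP, TCP, ALL_PROTOCOLS = "1", "6", "-1"   # protocol numbers as used in NACL rules
DEV_SERVER = "10.0.1.25/32"                 # constructed placeholder (public subnet)

# Each rule: (rule number, protocol, CIDR of the remote end, action).
# Inbound rules match the packet's source; outbound rules match its destination.
INBOUND = [
    (100, ICMP, DEV_SERVER, "deny"),              # no pings from the Dev server
    (200, ALL_PROTOCOLS, "0.0.0.0/0", "allow"),   # web, DB, S3/Lambda calls via NAT
]
OUTBOUND = [
    (100, ICMP, DEV_SERVER, "deny"),              # no pings or echo replies to it
    (200, ALL_PROTOCOLS, "0.0.0.0/0", "allow"),
]


def evaluate(rules, protocol, remote_ip):
    """Return 'allow' or 'deny' for one packet in one direction. A lower-numbered
    allow-all rule would shadow the deny, so the deny must carry the lower number."""
    addr = ipaddress.ip_address(remote_ip)
    for _number, proto, cidr, action in sorted(rules):
        if proto in (ALL_PROTOCOLS, protocol) and addr in ipaddress.ip_network(cidr):
            return action                  # first matching rule wins
    return "deny"                          # the implicit '*' rule at the end


def icmp_blocked_both_ways(remote_ip):
    """True when ICMP from and to remote_ip is denied by the respective rule set;
    both are needed because a stateless NACL does not track replies."""
    return (evaluate(INBOUND, ICMP, remote_ip) == "deny"
            and evaluate(OUTBOUND, ICMP, remote_ip) == "deny")
```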
[1] This is not a good practice. However, you can do this for now – for learning purposes.
The PhotoAlbum website should be accessible through http://[your.elb.dns]/photoalbum/album.php. Using your PhotoAlbum web app (http://[your.elb.dns]/photoalbum/photouploader.php), upload a few photos along with their metadata, then verify the following:
• Check the S3 bucket to see if photos are actually uploaded and if their resized versions are created.
• Check the database to see if their meta-data is recorded.
• The PhotoAlbum website is accessible through the load balancer only.
• Terminate servers then check to see if replacement EC2 instances are automatically deployed by the ASG. Thoroughly test the functionality of the website again once new instances have been launched.
• All EC2 targets are healthy.
• Test direct access to your S3 photos, which should not be publicly accessible.
• Test the Network ACL bidirectional functionality by sending ICMP traffic between the web servers and Dev server.
• Double check all security groups and IAM roles, make sure they follow the least-privilege principle.
Submission
No demonstration is required. Make sure your website is running from the due date – check you have started the web server EC2 instance if you have stopped it.
Submission is a single PDF document to Canvas. The document must contain the following:
1. Title page with your name, student ID, and tutorial class.
2. URL of your website (through ELB) so the marker can view your website from their browser.
3. If your assignment is done in your personal AWS account instead of Vocareum, you need to create an IAM user with proper permissions and provide us with the credentials so that the marker can access your AWS management console.
4. Screenshot of the data records in your database.
COS80001 CCA: Assignment 2 Checklist
Make sure all the following are completed.
Submission Checklist
Student Name: ………………………………………………
Student Id: ………………………………………………
Tutorial time: ………………………………………………
Date of submission: ………………………………………………
Submit to Canvas:
o A PDF document file as specified in the Submission section of the assignment specification.
Marking Scheme
Infrastructure Requirements (20 marks)
VPC configured with 2AZs both with public and private subnets. Public and private route tables route to IGW and NAT, respectively.
Security groups created and properly configured.
NACL correctly configured.
IAM roles properly configured.
ASG configured and working correctly.
ELB configured and working correctly.
Photos stored in S3 have restricted access. S3 bucket policy correct.
Lambda configured and working correctly.
RDS configured and working correctly.
Functional Requirements (10 marks)
Website accessible via ELB.
Photos and their meta-data displayed on album.php page.
Photos and their meta-data can be uploaded to the S3 bucket and RDS database, respectively.
Photos are resized by the Lambda function.
Deductions
Documentation not as specified or poorly presented (up to minus 30)
Serious misconfigurations of AWS services being used (up to minus 30)