SAA-Lab1 — Scaling on AWS (baseline): ALB + Auto Scaling + CloudFront
Region: us-east-1 | Estimated Duration: 35–55 minutes | Cost-risk: Medium | Certification: AWS Certified Solutions Architect - Associate (SAA-C03) | Domain: Design Secure Architectures | Task 1.2: Design secure workloads and applications
Case Study
The Digital Café Luna platform was quite stable… until they decided to host a special weekend event. Traffic spiked, the application started to feel sluggish, and Camilo realized that a single instance was no longer enough. Mrs. Blanca doesn’t understand vertical or horizontal scaling; she only wants one thing: “Make sure the system doesn’t crash right when we are selling the most.”
This lab is the leap from a single server to a more realistic baseline: Application Load Balancer, Auto Scaling Group, and CloudFront working together to absorb traffic variations. We are not going to build a perfect architecture, much less one ready for production.
What are we going to build?
In this lab, you will create:
- An Application Load Balancer as an entry point.
- A Target Group to route traffic to EC2 instances.
- A Launch Template with a basic NGINX app.
- An Auto Scaling Group with minimum capacity distributed across two subnets.
- A CloudFront distribution pointing to the ALB.
- Validation of the flow: User → CloudFront → ALB → EC2.
- Full cleanup.
Figure 1 — CloudFront receives the request, sends it to the ALB, and the ALB distributes traffic to EC2 instances managed by Auto Scaling.
Scope Note
We will use the default VPC to keep things simple and focus on the main objective. In later labs, we can mature this with SSM Session Manager, HTTPS end-to-end, WAF, and finer controls. For now, we want to understand the base flow and see it working. Note: In this baseline, the ALB will remain public. CloudFront will be in front, but we will not yet restrict the ALB to accept traffic only from CloudFront, so anyone who learns the ALB's DNS name can still reach the application directly, bypassing CloudFront (and anything we later put there, such as WAF) until that restriction is added.
Naming Convention
- Resource: ALB | Name: saa-lab1-alb
- Resource: Target Group | Name: saa-lab1-tg
- Resource: Launch Template | Name: saa-lab1-lt
- Resource: Auto Scaling Group | Name: saa-lab1-asg
- Resource: Security Group ALB | Name: saa-lab1-alb-sg
- Resource: Security Group App/EC2 | Name: saa-lab1-app-sg
- Resource: CloudFront Distribution | Name: saa-lab1-cf
- Standard Tag: Name=<resource-name> and Lab=saa-lab1
Prerequisites
- Region: us-east-1.
- Permissions for EC2, Load Balancing, Auto Scaling, and CloudFront.
- Default VPC available.
- Access to AWS Console and CloudShell or local AWS CLI.
Step 1 — Identify VPC and subnets
We need a VPC and at least two subnets in different Availability Zones, so that the ALB and the Auto Scaling Group keep serving traffic if one AZ has problems. In the AWS Console:
- Go to VPC → Your VPCs and verify the region selector shows us-east-1.
- Use the Default VPC.
- Go to VPC → Subnets and identify two subnets in different AZs, for example us-east-1a and us-east-1b. Note their subnet IDs; you will need them for the ALB and the Auto Scaling Group.
Default-VPC subnets are public (their route table sends 0.0.0.0/0 to the Internet Gateway) and auto-assign public IPv4 addresses to instances. That is what an internet-facing ALB needs, but it also means the instances themselves are reachable from the Internet unless the Security Groups in Step 2 prevent it.
Checkpoint: Validate that you have a VPC in us-east-1 and identified two subnets in different AZs.
Step 2 — Create Security Groups
We will create two Security Groups: one for the ALB and one for the application instances.
ALB Security Group:
- Name: saa-lab1-alb-sg
- Inbound: HTTP 80 from 0.0.0.0/0
- Outbound: default
- Tags: Name=saa-lab1-alb-sg, Lab=saa-lab1
App/EC2 Security Group:
- Name: saa-lab1-app-sg
- Inbound: HTTP 80 from the ALB Security Group
- Outbound: default
- Tags: Name=saa-lab1-app-sg, Lab=saa-lab1
Note: Instances must not receive HTTP directly from the Internet; traffic must enter through the ALB. Even though instances launched into the default VPC get public IPv4 addresses, sourcing the App SG rule from saa-lab1-alb-sg (a security group reference, not a CIDR) means port 80 only accepts connections originating from the ALB's network interfaces; a request sent straight to an instance's public IP should time out. Do not add an "HTTP from Anywhere" rule to the App SG "to make testing easier", since that silently defeats the whole point of the ALB layer.
Checkpoint: Validate that the ALB SG allows HTTP from the Internet and the App SG allows HTTP only from the ALB SG.
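The two checkpoints so far (Step 1: two subnets in distinct AZs; Step 2: App SG accepting HTTP only from the ALB SG) can be verified from CLI output instead of by eye in the console. The following Python is an added example, not part of the original lab. It works over constructed payloads whose field names match the real JSON returned by `aws ec2 describe-subnets` and `aws ec2 describe-security-groups`; the subnet IDs, VPC ID and security group IDs (sg-0alb, sg-0app) are placeholders, and `load_live()` is the helper you would call in CloudShell to fetch the real data instead of the samples.

```python
"""Checkpoint validation for Step 1 and Step 2 of SAA-Lab1 (added example).

Field names (Subnets[].AvailabilityZone, SecurityGroups[].IpPermissions[]...)
match the JSON that `aws ec2 describe-subnets` and
`aws ec2 describe-security-groups` return. The payloads below are constructed
samples so the checks run offline; see load_live() for the real call.
"""
import copy
import json
import subprocess

ALB_SG_NAME = "saa-lab1-alb-sg"
APP_SG_NAME = "saa-lab1-app-sg"

# Constructed sample: three subnets, two of them in the same AZ, to show that
# "two subnets" is not enough; they must sit in two different AZs.
SAMPLE_SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-0aaa", "AvailabilityZone": "us-east-1a", "VpcId": "vpc-0123"},
    {"SubnetId": "subnet-0bbb", "AvailabilityZone": "us-east-1a", "VpcId": "vpc-0123"},
    {"SubnetId": "subnet-0ccc", "AvailabilityZone": "us-east-1b", "VpcId": "vpc-0123"},
]}

# Constructed sample of the two lab security groups exactly as Step 2 specifies.
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0alb", "GroupName": ALB_SG_NAME, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0app", "GroupName": APP_SG_NAME, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0alb"}]}]},
]}

# Common mistake: the app SG also gets "HTTP from Anywhere", which lets clients
# bypass the ALB and hit the instances' public IPs directly.
SAMPLE_SGS_OPEN_APP = copy.deepcopy(SAMPLE_SGS)
SAMPLE_SGS_OPEN_APP["SecurityGroups"][1]["IpPermissions"][0]["IpRanges"].append(
    {"CidrIp": "0.0.0.0/0"})


def load_live(*args):
    """Run the real CLI, e.g. load_live("describe-security-groups"). Not used offline."""
    out = subprocess.check_output(["aws", "ec2", *args, "--region", "us-east-1",
                                   "--output", "json"])
    return json.loads(out)


def pick_subnets_in_distinct_azs(describe_subnets, count=2):
    """Step 1 checkpoint: return `count` subnet IDs, each in a different AZ."""
    first_per_az = {}
    for subnet in describe_subnets["Subnets"]:
        first_per_az.setdefault(subnet["AvailabilityZone"], subnet["SubnetId"])
    if len(first_per_az) < count:
        raise ValueError(f"need {count} AZs, only found {sorted(first_per_az)}")
    return [first_per_az[az] for az in sorted(first_per_az)][:count]


def _is_tcp_80(perm):
    # IpProtocol "-1" (all traffic) carries no FromPort/ToPort, so .get() keeps this safe.
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == 80 and perm.get("ToPort") == 80)


def check_lab_security_groups(describe_sgs):
    """Step 2 checkpoint: return a list of findings (empty list means PASS).

    ALB SG: only tcp/80, sourced from 0.0.0.0/0 (it is the public entry point).
    App SG: only tcp/80, no CIDR sources at all, every source is the ALB SG.
    """
    by_name = {g["GroupName"]: g for g in describe_sgs["SecurityGroups"]}
    findings = []
    alb, app = by_name.get(ALB_SG_NAME), by_name.get(APP_SG_NAME)
    if alb is None or app is None:
        return [f"missing security group(s): need {ALB_SG_NAME} and {APP_SG_NAME}"]

    for perm in alb["IpPermissions"]:
        if not _is_tcp_80(perm):
            findings.append(f"{ALB_SG_NAME}: unexpected ingress "
                            f"{perm.get('IpProtocol')}/{perm.get('FromPort')}")
    if not any(r.get("CidrIp") == "0.0.0.0/0"
               for perm in alb["IpPermissions"] for r in perm.get("IpRanges", [])):
        findings.append(f"{ALB_SG_NAME}: no rule from 0.0.0.0/0, the ALB is unreachable")

    references_alb = False
    for perm in app["IpPermissions"]:
        if not _is_tcp_80(perm):
            findings.append(f"{APP_SG_NAME}: unexpected ingress "
                            f"{perm.get('IpProtocol')}/{perm.get('FromPort')}")
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            findings.append(f"{APP_SG_NAME}: CIDR source {cidr} bypasses the ALB")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == alb["GroupId"]:
                references_alb = True
            else:
                findings.append(f"{APP_SG_NAME}: source {pair.get('GroupId')} is not the ALB SG")
    if not references_alb:
        findings.append(f"{APP_SG_NAME}: no rule sourced from {alb['GroupId']}, "
                        "ALB health checks will fail")
    return findings


if __name__ == "__main__":
    print("subnets:", pick_subnets_in_distinct_azs(SAMPLE_SUBNETS))
    for label, sgs in (("as specified", SAMPLE_SGS), ("app SG open", SAMPLE_SGS_OPEN_APP)):
        print(label, "->", check_lab_security_groups(sgs) or "PASS")
```

Run against the samples, the compliant pair passes and the "HTTP from Anywhere" variant is flagged as a CIDR source that bypasses the ALB. In CloudShell, replace the samples with `load_live("describe-subnets")` and `load_live("describe-security-groups", "--filters", "Name=tag:Lab,Values=saa-lab1")` to check what you actually created; the two findings about a missing ALB reference and a CIDR source are the ones worth re-running after any later change to the App SG.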