Project Concept ‐ Network - Campus-Castolo/m300 GitHub Wiki
🌐 Network Topology – AWS Cloud Infrastructure
This document describes the logical network topology of the Terraform-provisioned AWS environment (a Fargate/RDS deployment has no customer-managed physical layer), including subnet segmentation, security controls, inter-service communication and test validation. It covers the D1 competency "Netzwerkverbindungen konfigurieren und testen" (configure and test network connections) at the advanced level.
1. Network Structure Overview
🧱 VPC Architecture
| Component | CIDR Block | Notes |
|---|---|---|
| VPC | 10.0.0.0/16 | Root network for all services |
| Public Subnet(s) | 10.0.1.0/24 | Hosts the ALB and the ECS Fargate tasks; the tasks need a public IP assigned to pull images and reach CloudWatch without a NAT |
| Private Subnet(s) | 10.0.2.0/24 | Hosts RDS instances only; no route to the Internet Gateway |
| Internet Gateway | Attached | Default route of the public subnets (ALB and ECS) |
| NAT Gateway | Not required | ECS is publicly routable; RDS initiates no outbound traffic |

Note that AWS requires subnets in at least two Availability Zones for both an ALB and an RDS DB subnet group, so the CIDRs listed above cannot be the only subnets; the complete list is in the Terraform subnet resources.
2. Service Connectivity Map
```mermaid
flowchart TD
    IGW[Internet Gateway] --> ALB[Application Load Balancer]
    ALB --> ECS[ECS Fargate - Public Subnets]
    ECS --> RDS[(RDS MySQL - Private Subnets)]
    ECS --> CW[CloudWatch]
    CW --> Alarms[CloudWatch Alarms]
    Lambda[Lambda Snapshot Automation] -- RDS API --> RDS
```

The Lambda edge is control-plane traffic (snapshot creation through the RDS API over HTTPS), not a MySQL connection; the only MySQL client is ECS.
3. Security Groups & Traffic Rules
| SG Name | Direction | From / To | Ports | Purpose |
|---|---|---|---|---|
| SG-ALB | Ingress | 0.0.0.0/0 | 80, 443 | Public-facing load balancer (HTTP/HTTPS) |
| SG-ECS | Ingress | SG-ALB (security-group reference) | 80, 443 | Container access from the ALB only |
| SG-RDS | Ingress | SG-ECS (security-group reference) | 3306 | MySQL access from ECS tasks only |
| SG-Lambda | Egress | AWS service endpoints | 443 | HTTPS to the RDS API for snapshot creation |

SG-ECS and SG-RDS reference the upstream security group instead of a CIDR, so the rule follows the tasks whatever address a replacement Fargate task receives, and a host in the public subnet that is not a member of SG-ECS cannot open port 3306 even though it shares the subnet. Security groups are stateful: replies to an allowed flow need no separate rule, and the SG-Lambda entry is an egress rule, not an ingress rule as the original table suggested. SG-Lambda only takes effect if the function is attached to the VPC; a VPC-attached function in the private subnet has no NAT route and would need an interface VPC endpoint to reach the RDS API, whereas a function that is not attached to the VPC reaches the API directly and the group is never evaluated.
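The table above is a policy; the check a practitioner wants is one that can be run against the rules as they actually exist to catch drift (a "temporary" 0.0.0.0/0 on 3306, an SSH port opened to the world). The following is an added example, not code from the project: it models the three ingress groups from the table as constructed data (the SG-Lambda row is an egress rule and is not modelled), audits them against the two invariants the design relies on, and derives who can reach the database port. The `Rule` shape is an assumption that mirrors the fields of an AWS security-group rule, not the project's Terraform.

```python
"""Audit security-group ingress rules against the segmentation in the table above.

Added example, not part of the project's Terraform. RULES is a constructed
model of the table; the Rule fields mirror an AWS security-group rule
(from/to port, CIDR source or referenced security group).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Rule:
    """One ingress rule. Exactly one of cidr / source_group is set."""
    group: str                          # security group the rule belongs to
    from_port: int
    to_port: int
    cidr: Optional[str] = None          # CIDR source, e.g. "0.0.0.0/0"
    source_group: Optional[str] = None  # referenced security group


# Constructed from the table above (names assumed, not exported from AWS).
RULES = [
    Rule("SG-ALB", 80, 80, cidr="0.0.0.0/0"),
    Rule("SG-ALB", 443, 443, cidr="0.0.0.0/0"),
    Rule("SG-ECS", 80, 80, source_group="SG-ALB"),
    Rule("SG-ECS", 443, 443, source_group="SG-ALB"),
    Rule("SG-RDS", 3306, 3306, source_group="SG-ECS"),
]

WEB_PORTS = {80, 443}   # the only ports that may be open to the internet
DB_PORTS = {3306}       # must only ever be opened to a security-group reference


def is_any(cidr: Optional[str]) -> bool:
    """True for the catch-all prefixes 0.0.0.0/0 and ::/0."""
    return cidr is not None and ipaddress.ip_network(cidr).prefixlen == 0


def ports(rule: Rule) -> range:
    """Inclusive port range covered by a rule."""
    return range(rule.from_port, rule.to_port + 1)


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per rule that breaks the segmentation policy."""
    findings = []
    for r in rules:
        if is_any(r.cidr) and any(p not in WEB_PORTS for p in ports(r)):
            findings.append(f"{r.group}: ports {r.from_port}-{r.to_port} open to {r.cidr}")
        if r.cidr is not None and any(p in DB_PORTS for p in ports(r)):
            findings.append(f"{r.group}: database port open to CIDR {r.cidr}; "
                            "reference a security group instead")
    return findings


def sources_for(rules: List[Rule], group: str, port: int) -> Set[str]:
    """Every source (CIDR or security group) that may reach `group` on `port`."""
    return {r.cidr or r.source_group for r in rules
            if r.group == group and port in ports(r)}


# Drift scenario: MySQL "temporarily" opened to the internet on SG-RDS.
DRIFTED = RULES + [Rule("SG-RDS", 3306, 3306, cidr="0.0.0.0/0")]

if __name__ == "__main__":
    print("baseline findings:", audit(RULES))
    print("drifted findings:", audit(DRIFTED))
    print("who reaches RDS:3306 after drift:", sources_for(DRIFTED, "SG-RDS", 3306))
```

The `sources_for` result is the property to assert in a pipeline: for SG-RDS on 3306 it must be exactly `{"SG-ECS"}`. Feeding the same model from `aws ec2 describe-security-group-rules` output turns this into a post-apply check.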
4. VPC Flow Logging
To track network traffic across the entire VPC, flow logging is enabled with the following configuration. `traffic_type = "ALL"` records both accepted and rejected flows, so a blocked probe against the private subnet shows up as a REJECT record rather than disappearing. The log group retains 14 days, which is enough for connectivity debugging but short for incident reconstruction; raise it or add an S3 destination if the logs are needed as evidence.

```hcl
resource "aws_cloudwatch_log_group" "vpc_flow_logs" {
  name              = "/aws/vpc/flow-logs"
  retention_in_days = 14
}

resource "aws_flow_log" "vpc_logs" {
  vpc_id               = aws_vpc.main.id
  traffic_type         = "ALL" # ACCEPT and REJECT, so blocked probes are recorded too
  log_destination      = aws_cloudwatch_log_group.vpc_flow_logs.arn
  log_destination_type = "cloud-watch-logs"
  # Required by AWS for the cloud-watch-logs destination (apply fails without it):
  # a role assumable by vpc-flow-logs.amazonaws.com with logs:CreateLogStream and
  # logs:PutLogEvents on the group above. Role name assumed; defined elsewhere.
  iam_role_arn         = aws_iam_role.vpc_flow_logs.arn
}
```
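Enabling the logs is only half the control; the other half is a query that turns them into a segmentation check. Flow log records carry addresses and ports but no security-group IDs, so the ECS subnet is used as a proxy for "legitimate MySQL client". The following is an added example, not part of the project: the records are constructed in the default flow-log format (version 2) with dummy account and ENI IDs, and the CIDRs are the ones from the VPC table. It flags any ACCEPTed flow to 3306 from outside the ECS subnet (which can only happen if SG-RDS has drifted) and lists REJECTed attempts as evidence that the group is enforcing.

```python
"""Check VPC Flow Log records for traffic that violates the segmentation above.

Added example, not part of the project. SAMPLE is constructed in the default
flow-log format (version 2); account and ENI IDs are dummies. The subnet
CIDRs are those of the VPC table.
"""
import ipaddress
from typing import Dict, Iterator, List, Optional

ECS_SUBNET = ipaddress.ip_network("10.0.1.0/24")  # the only legitimate MySQL clients
DB_SUBNET = ipaddress.ip_network("10.0.2.0/24")   # where the RDS ENIs live
DB_PORT = 3306

# Default record format (version 2, 14 space-separated fields).
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample records (not real log data).
SAMPLE = """\
2 123456789012 eni-0db1 10.0.1.15 10.0.2.20 49712 3306 6 12 2100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0db1 10.0.2.20 10.0.1.15 3306 49712 6 11 5000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0alb 203.0.113.7 10.0.1.40 51003 443 6 9 1400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0db1 10.0.1.99 10.0.2.20 40404 3306 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0db1 10.0.2.50 10.0.2.20 55555 3306 6 4 320 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0db1 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse(line: str) -> Optional[Dict[str, str]]:
    """Parse one default-format record; returns None for malformed or NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log-status"] != "OK":
        return None
    return rec


def db_flows(text: str, action: str) -> Iterator[Dict[str, str]]:
    """Yield client-to-MySQL records with the given action (ACCEPT/REJECT)."""
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or rec["action"] != action:
            continue
        # Flow logs are per direction: filtering on dstport keeps the
        # client->server half; the reply is a separate record with srcport 3306.
        if rec["dstport"] == str(DB_PORT) and ipaddress.ip_address(rec["dstaddr"]) in DB_SUBNET:
            yield rec


def db_port_violations(text: str) -> List[str]:
    """ACCEPTed flows to MySQL from anywhere but the ECS subnet: SG-RDS has drifted."""
    return [f"{r['srcaddr']} -> {r['dstaddr']}:{DB_PORT} ACCEPTED on {r['interface-id']}"
            for r in db_flows(text, "ACCEPT")
            if ipaddress.ip_address(r["srcaddr"]) not in ECS_SUBNET]


def rejected_db_probes(text: str) -> List[str]:
    """REJECTed attempts at MySQL: evidence that SG-RDS is doing its job."""
    return [f"{r['srcaddr']} -> {r['dstaddr']}:{DB_PORT} REJECTED on {r['interface-id']}"
            for r in db_flows(text, "REJECT")]


if __name__ == "__main__":
    for v in db_port_violations(SAMPLE):
        print("VIOLATION:", v)
    for p in rejected_db_probes(SAMPLE):
        print("blocked:", p)
```

On the sample, the flow from 10.0.2.50 is the one that should never appear: an ACCEPT means the security group let it through, and nothing but RDS is supposed to live in 10.0.2.0/24. The rejected attempt from 10.0.1.99 shows why the SG reference matters more than the subnet: a host in the public subnet that is not a member of SG-ECS is still refused.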
5. Connectivity Testing
✅ Application Load Balancer (ALB)

From any host on the internet; a status line from the ALB confirms the IGW → ALB path and the SG-ALB rule for port 80 (repeat with `https://` for port 443):

```bash
curl -I http://ecs-alb-729435232.eu-central-1.elb.amazonaws.com/
```

🧪 ECS ↔ RDS Private Connectivity Test

```bash
# From within an ECS container shell (via ECS Exec or an SSH-enabled task):
nc -vz wordpress-db-subnet02-eu-central-1.cd8a4eacyjel.eu-central-1.rds.amazonaws.com 3306
```

The endpoint must resolve to an address in 10.0.2.0/24 and the TCP connection must succeed. Run the same command from a host outside the VPC as the negative check: it must fail, because the private subnet has no Internet Gateway route and SG-RDS admits only SG-ECS.

📡 Lambda ↔ RDS Snapshot Verification

- Review the CloudWatch logs under `/aws/lambda/rds-backup`.
- Confirm the snapshot-creation message and its timestamp, and cross-check that a snapshot with that timestamp is listed in the RDS console (or by `aws rds describe-db-snapshots`).
✅ Summary
| Layer | Validation Method | Status (Manual/Test/Planned) |
|---|---|---|
| ALB Public Access | Browser / curl | ✅ Manual |
| ECS ↔ RDS | Shell test (netcat) from an ECS task | ✅ Manual |
| Lambda ↔ RDS | CloudWatch log verification | ✅ Manual |
| Flow Logs | CloudWatch Logs | ✅ Manual |