VPC, Security Group, and ALB

Overview

This section presents the configuration steps for VPC, Target Group, ALB, and Security Group in the network layer.

Implementation steps

1. Open the VPC console, choose Create VPC, and use the VPC and more template so AWS generates the base networking components.

2. Name the VPC lunchsync-vpc, use CIDR 10.0.0.0/16, and create 2 AZs, 2 public subnets, and 2 private subnets.

3. Set NAT gateways to None, enable the S3 Gateway Endpoint, and keep Enable DNS hostnames / DNS resolution turned on so private subnets can still reach S3.

4. Create the VPC and verify that AWS provisioned the public/private subnets, route tables, internet gateway, and S3 endpoint.

5. Move to EC2 > Target Groups and begin creating the backend target group.

6. Select Target type = IP addresses, name it lunchsync-tg-backend, and use protocol HTTP on port 8080.

7. Attach the target group to lunchsync-vpc, keep Protocol version = HTTP1, and set the health check path to /health.

8. In Register targets, note that ECS will register task IPs later, so you can continue without adding manual IPs now.

9. Review the final target group settings: protocol HTTP:8080, health check on traffic-port, path /health, and success code 200.

10. After creation, confirm that lunchsync-tg-backend exists and currently has no registered targets.

11. Open EC2 > Load Balancers and start creating a new load balancer.

12. Choose Application Load Balancer.

13. Name it lunchsyn-alb, choose Internet-facing, and keep IPv4.

14. Select lunchsync-vpc and attach the ALB to the two public subnets lunchsync-subnet-public1 and lunchsync-subnet-public2.

15. Create listener HTTP:80 with the action Redirect to HTTPS and status code 301.

16. Create listener HTTPS:443 and forward its default action to lunchsync-tg-backend.

17. In Secure listener settings, select the ACM certificate for lunchsync.space and keep the recommended security policy.

18. Review the integration section as well, especially if you plan to limit ALB access so traffic only comes through CloudFront later.

19. Review the summary page: 2 public subnets, 80 -> 443, and 443 -> lunchsync-tg-backend, then create the load balancer.

20. After the ALB is created, inspect Listeners and rules to confirm that HTTP:80 redirects and HTTPS:443 forwards correctly.

21. Open the Security tab, verify the attached security group, and keep the ALB DNS name for the CloudFront section.

22. Confirm that the ALB security group is now scoped to CloudFront or the relevant prefix list rather than being broadly open to the internet.

23. Open Security Groups to review the groups in the VPC and prepare the backend group.

24. Create backend-sg in lunchsync-vpc, allow inbound Custom TCP 8080 from the ALB/CloudFront security group, and keep outbound All traffic.

25. Review redis-sg and make sure it only allows TCP 6379 from backend-sg.

26. Review rds-sg and make sure it only allows PostgreSQL 5432 from backend-sg.

27. The final overview screenshot is used to quickly verify the workshop security groups as a whole: the ALB/CloudFront group, backend-sg, redis-sg, rds-sg, and the default groups inside the VPC.