The latest articles on Forem by Shreyas Yadav (@shreyas_yadav_e6fbf9ad3f6). https://forem.com/shreyas_yadav_e6fbf9ad3f6 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2755410%2F436c6739-5a53-4526-a270-b8006824466e.jpg https://forem.com/shreyas_yadav_e6fbf9ad3f6 en Shreyas Yadav Mon, 09 Mar 2026 04:07:07 +0000 https://forem.com/shreyas_yadav_e6fbf9ad3f6/i-built-a-nightly-pipeline-that-deploys-my-app-while-i-sleep-3lh4 https://forem.com/shreyas_yadav_e6fbf9ad3f6/i-built-a-nightly-pipeline-that-deploys-my-app-while-i-sleep-3lh4 <blockquote> <p><strong>Stack:</strong> Next.js 14 · Express.js · MySQL 8 · Docker · GitHub Actions · AWS EC2 · AWS ECR · AWS RDS · Route 53 · Nginx · Let's Encrypt</p> </blockquote> <p>I built a <strong>Job Application Tracker</strong>, a full-stack SPA with GitHub OAuth login, and set up an automated nightly pipeline that builds Docker images, runs smoke tests on a temporary EC2, pushes verified images to ECR, and deploys to a persistent QA server, all without manual intervention. Here's exactly how I did it.</p> <h2> Table of Contents </h2> <ol> <li>Architecture Overview</li> <li>The Application: Job Application Tracker</li> <li>Dockerizing the App</li> <li>Local Development with Docker Compose</li> <li>AWS Infrastructure Setup</li> <li>GitHub Actions CI/CD Pipeline</li> <li>Domain Name with Route 53 and SSL with Let's Encrypt</li> <li>Nginx as a Reverse Proxy</li> <li>Security Best Practices</li> <li>Lessons Learned</li> </ol> <h2> 1. Architecture Overview </h2> <p>The project is split into two repositories, a separation of concerns that keeps application code and infrastructure code independent:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Repo</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>job-application-tracker</code></td> <td>Application source code (frontend, backend, Dockerfiles, local docker-compose)</td> </tr> <tr> <td><code>job-application-tracker-infra</code></td> <td>Infrastructure: GitHub Actions workflows, Nginx config, smoke tests, prod docker-compose</td> </tr> </tbody> </table></div> <h3> High-Level Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer pushes to source repo │ ▼ GitHub Actions (infra repo) Nightly at 2 AM UTC │ ┌──────▼──────┐ │ 1. BUILD │ Build Docker images with timestamp tag │ │ Push to AWS ECR └──────┬──────┘ │ ┌──────▼──────┐ │ 2. SMOKE │ Launch temporary EC2 (t3.micro) │ TEST │ Run containers, execute curl tests │ │ Terminate EC2 (pass or fail) └──────┬──────┘ │ (only if tests pass) ┌──────▼──────┐ │ 3. PROMOTE │ Retag timestamp → :latest in ECR └──────┬──────┘ │ ┌──────▼──────┐ │ 4. DEPLOY │ SSH-less deploy via AWS SSM │ TO QA │ Pull :latest from ECR │ │ docker compose up on persistent EC2 └─────────────┘ │ ┌──────▼──────┐ │ QA EC2 │ Nginx (SSL/HTTPS) │ shri. │ Frontend :3000 → / │ software │ Backend :5000 → /api/ └──────┬──────┘ │ ┌──────▼──────┐ │ AWS RDS │ MySQL 8 (persistent, managed) └─────────────┘ </code></pre> </div> <h2> 2. The Application: Job Application Tracker </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fal5g8xak6wldwlk76085.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fal5g8xak6wldwlk76085.png" alt="Job Application Tracker, live at shri.software" width="800" height="492"></a><br> <em>The finished app running at <a href="https://shri.software" rel="noopener noreferrer">shri.software</a> with HTTPS enforced</em></p> <p>The app lets users track their job applications (Applied → Interview → Offer / Rejected). Authentication is handled via <strong>GitHub OAuth</strong> using NextAuth.js, no username/password to manage.</p> <h3> Tech Stack </h3> <ul> <li> <strong>Frontend:</strong> Next.js 14.2 with React 18, Tailwind CSS, NextAuth.js</li> <li> <strong>Backend:</strong> Express.js 4.18, JWT middleware</li> <li> <strong>Database:</strong> MySQL 8 (local via Docker, production via AWS RDS)</li> </ul> <h3> Database Schema </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Users created on first GitHub login</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">users</span> <span class="p">(</span> <span class="n">id</span> <span class="nb">INT</span> <span class="n">AUTO_INCREMENT</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">email</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">255</span><span class="p">)</span> <span class="k">UNIQUE</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">name</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">255</span><span class="p">),</span> <span class="n">avatar_url</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">provider</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">50</span><span class="p">),</span> <span class="n">provider_account_id</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">255</span><span class="p">),</span> <span class="k">UNIQUE</span> <span class="k">KEY</span> <span class="p">(</span><span class="n">provider</span><span class="p">,</span> <span class="n">provider_account_id</span><span class="p">),</span> <span class="n">created_at</span> <span class="nb">TIMESTAMP</span> <span class="k">DEFAULT</span> <span class="k">CURRENT_TIMESTAMP</span><span class="p">,</span> <span class="n">updated_at</span> <span class="nb">TIMESTAMP</span> <span class="k">DEFAULT</span> <span class="k">CURRENT_TIMESTAMP</span> <span class="k">ON</span> <span class="k">UPDATE</span> <span class="k">CURRENT_TIMESTAMP</span> <span class="p">);</span> <span class="c1">-- Each row belongs to one user (CASCADE delete keeps DB clean)</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">job_applications</span> <span class="p">(</span> <span class="n">id</span> <span class="nb">INT</span> <span class="n">AUTO_INCREMENT</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">company</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">255</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="k">role</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">255</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">status</span> <span class="nb">ENUM</span><span class="p">(</span><span class="s1">'applied'</span><span class="p">,</span><span class="s1">'interview'</span><span class="p">,</span><span class="s1">'offer'</span><span class="p">,</span><span class="s1">'rejected'</span><span class="p">)</span> <span class="k">DEFAULT</span> <span class="s1">'applied'</span><span class="p">,</span> <span class="n">date_applied</span> <span class="nb">DATE</span><span class="p">,</span> <span class="n">user_id</span> <span class="nb">INT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="k">FOREIGN</span> <span class="k">KEY</span> <span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="k">REFERENCES</span> <span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">ON</span> <span class="k">DELETE</span> <span class="k">CASCADE</span><span class="p">,</span> <span class="n">created_at</span> <span class="nb">TIMESTAMP</span> <span class="k">DEFAULT</span> <span class="k">CURRENT_TIMESTAMP</span><span class="p">,</span> <span class="n">updated_at</span> <span class="nb">TIMESTAMP</span> <span class="k">DEFAULT</span> <span class="k">CURRENT_TIMESTAMP</span> <span class="k">ON</span> <span class="k">UPDATE</span> <span class="k">CURRENT_TIMESTAMP</span> <span class="p">);</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flemw1j5j9jtwyqrdbp97.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flemw1j5j9jtwyqrdbp97.png" alt="App dashboard showing an application entry" width="800" height="492"></a><br> <em>Dashboard view, filter by status, edit or delete entries inline</em></p> <h3> Backend API </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Method</th> <th>Route</th> <th>Auth</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>GET</td> <td><code>/health</code></td> <td>None</td> <td>Health check for monitoring</td> </tr> <tr> <td>POST</td> <td><code>/api/users/upsert</code></td> <td>None</td> <td>Called by NextAuth on login</td> </tr> <tr> <td>GET</td> <td><code>/api/applications</code></td> <td>JWT</td> <td>List user's applications</td> </tr> <tr> <td>POST</td> <td><code>/api/applications</code></td> <td>JWT</td> <td>Create application</td> </tr> <tr> <td>PUT</td> <td><code>/api/applications/:id</code></td> <td>JWT</td> <td>Update application</td> </tr> <tr> <td>DELETE</td> <td><code>/api/applications/:id</code></td> <td>JWT</td> <td>Delete application</td> </tr> </tbody> </table></div> <h3> Authentication Flow </h3> <p>NextAuth.js handles the GitHub OAuth dance. The key insight: after OAuth completes, we generate a JWT signed with <code>NEXTAUTH_SECRET</code> that the frontend sends to the backend on every API call.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// frontend/src/app/api/auth/[...nextauth]/route.js (simplified)</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">authOptions</span> <span class="o">=</span> <span class="p">{</span> <span class="na">providers</span><span class="p">:</span> <span class="p">[</span><span class="nc">GitHubProvider</span><span class="p">({</span> <span class="nx">clientId</span><span class="p">,</span> <span class="nx">clientSecret</span> <span class="p">})],</span> <span class="na">callbacks</span><span class="p">:</span> <span class="p">{</span> <span class="k">async</span> <span class="nf">signIn</span><span class="p">({</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">account</span> <span class="p">})</span> <span class="p">{</span> <span class="c1">// Store GitHub identity in our DB on first login</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_API_URL</span><span class="p">}</span><span class="s2">/api/users/upsert`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">provider</span><span class="p">:</span> <span class="nx">account</span><span class="p">.</span><span class="nx">provider</span><span class="p">,</span> <span class="na">provider_account_id</span><span class="p">:</span> <span class="nx">account</span><span class="p">.</span><span class="nx">providerAccountId</span><span class="p">,</span> <span class="p">}),</span> <span class="p">});</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">},</span> <span class="k">async</span> <span class="nf">session</span><span class="p">({</span> <span class="nx">session</span><span class="p">,</span> <span class="nx">token</span> <span class="p">})</span> <span class="p">{</span> <span class="c1">// Mint a JWT for API calls; embed it in the session</span> <span class="nx">session</span><span class="p">.</span><span class="nx">backendToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">token</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">token</span><span class="p">.</span><span class="nx">email</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXTAUTH_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1h</span><span class="dl">'</span> <span class="p">}</span> <span class="p">);</span> <span class="k">return</span> <span class="nx">session</span><span class="p">;</span> <span class="p">},</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <p>The backend verifies this token on every protected route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// backend/src/middleware/auth.js</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span><span class="p">?.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">No token</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXTAUTH_SECRET</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">;</span> <span class="c1">// { userId, email }</span> <span class="nf">next</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <h2> 3. Dockerizing the App </h2> <h3> Backend Dockerfile </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> node:20-alpine</span> <span class="c"># Non-root user for security</span> <span class="k">RUN </span>addgroup <span class="nt">-S</span> shri <span class="o">&amp;&amp;</span> adduser <span class="nt">-S</span> shri <span class="nt">-G</span> shri <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package.json .</span> <span class="k">RUN </span>npm <span class="nb">install</span> <span class="nt">--production</span> <span class="k">COPY</span><span class="s"> src/ ./src/</span> <span class="k">RUN </span><span class="nb">chown</span> <span class="nt">-R</span> shri:shri /app <span class="k">USER</span><span class="s"> shri</span> <span class="k">EXPOSE</span><span class="s"> 5000</span> <span class="k">CMD</span><span class="s"> ["node", "src/index.js"]</span> </code></pre> </div> <p>Key decisions:</p> <ul> <li> <strong>Alpine base</strong>, minimal attack surface, smaller image (~50 MB vs ~900 MB for <code>node:20</code>)</li> <li> <strong>Non-root user</strong>, if the container is compromised, the attacker can't escalate to root on the host</li> <li> <strong><code>--production</code> install</strong>, excludes dev dependencies from the final image</li> </ul> <h3> Frontend Dockerfile (Multi-Stage Build) </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># --- Stage 1: Build ---</span> <span class="k">FROM</span><span class="w"> </span><span class="s">node:20-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package.json package-lock.json ./</span> <span class="k">RUN </span>npm ci <span class="k">COPY</span><span class="s"> . .</span> <span class="k">RUN </span>npm run build <span class="c"># --- Stage 2: Runtime ---</span> <span class="k">FROM</span><span class="s"> node:20-alpine</span> <span class="k">RUN </span>addgroup <span class="nt">-S</span> shri <span class="o">&amp;&amp;</span> adduser <span class="nt">-S</span> shri <span class="nt">-G</span> shri <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy only the artifacts needed to run</span> <span class="k">COPY</span><span class="s"> --from=builder /app/.next ./.next</span> <span class="k">COPY</span><span class="s"> --from=builder /app/node_modules ./node_modules</span> <span class="k">COPY</span><span class="s"> --from=builder /app/package.json ./</span> <span class="k">RUN </span><span class="nb">chown</span> <span class="nt">-R</span> shri:shri /app <span class="k">USER</span><span class="s"> shri</span> <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="k">CMD</span><span class="s"> ["node_modules/.bin/next", "start"]</span> </code></pre> </div> <p>Multi-stage builds are critical for Next.js, the build stage pulls in all dev dependencies and compiles TypeScript/JSX. The final stage only contains the compiled output, shrinking the image dramatically.</p> <h2> 4. Local Development with Docker Compose </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdbenkoep5uq2jumpwn5l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdbenkoep5uq2jumpwn5l.png" alt="App running locally at localhost:9000" width="800" height="492"></a><br> <em>The app running locally via Docker Compose at localhost:9000</em></p> <p>The source repo's <code>docker-compose.yml</code> wires everything together for local development with a single command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># docker-compose.yml</span> <span class="na">services</span><span class="pi">:</span> <span class="na">db</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">mysql:8</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">MYSQL_ROOT_PASSWORD</span><span class="pi">:</span> <span class="s">${MYSQL_ROOT_PASSWORD}</span> <span class="na">MYSQL_DATABASE</span><span class="pi">:</span> <span class="s">${MYSQL_DATABASE}</span> <span class="na">MYSQL_USER</span><span class="pi">:</span> <span class="s">${MYSQL_USER}</span> <span class="na">MYSQL_PASSWORD</span><span class="pi">:</span> <span class="s">${MYSQL_PASSWORD}</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">db_data:/var/lib/mysql</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">mysqladmin"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">ping"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-h"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">localhost"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">./backend</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">10000:5000"</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">DB_HOST</span><span class="pi">:</span> <span class="s">db</span> <span class="na">DB_NAME</span><span class="pi">:</span> <span class="s">${MYSQL_DATABASE}</span> <span class="na">DB_USER</span><span class="pi">:</span> <span class="s">${MYSQL_USER}</span> <span class="na">DB_PASSWORD</span><span class="pi">:</span> <span class="s">${MYSQL_PASSWORD}</span> <span class="na">NEXTAUTH_SECRET</span><span class="pi">:</span> <span class="s">${NEXTAUTH_SECRET}</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">db</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="c1"># Wait for MySQL, not just the container</span> <span class="na">frontend</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">./frontend</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9000:3000"</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">NEXTAUTH_SECRET</span><span class="pi">:</span> <span class="s">${NEXTAUTH_SECRET}</span> <span class="na">NEXTAUTH_URL</span><span class="pi">:</span> <span class="s">http://localhost:9000</span> <span class="na">GITHUB_CLIENT_ID</span><span class="pi">:</span> <span class="s">${GITHUB_CLIENT_ID}</span> <span class="na">GITHUB_CLIENT_SECRET</span><span class="pi">:</span> <span class="s">${GITHUB_CLIENT_SECRET}</span> <span class="na">NEXT_PUBLIC_API_URL</span><span class="pi">:</span> <span class="s">http://localhost:10000</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">backend</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">db_data</span><span class="pi">:</span> </code></pre> </div> <p>To get started locally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Clone the source repo</span> git clone https://github.com/Shreyas-Yadav/job-application-tracker <span class="nb">cd </span>job-application-tracker <span class="c"># 2. Copy and fill in the env file</span> <span class="nb">cp</span> .env.example .env <span class="c"># Edit .env with your GitHub OAuth credentials and secrets</span> <span class="c"># 3. Launch everything</span> docker compose up <span class="c"># App available at:</span> <span class="c"># Frontend: http://localhost:9000</span> <span class="c"># Backend: http://localhost:10000</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F66g8ukuhpdr2n13wq028.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F66g8ukuhpdr2n13wq028.png" alt="docker compose up --build output in terminal" width="800" height="411"></a><br> <em>All three containers (db, backend, frontend) starting up successfully</em></p> <p>The <code>depends_on</code> with <code>condition: service_healthy</code> is important, the backend waits for MySQL to be truly ready (not just the container running) before starting.</p> <h2> 5. AWS Infrastructure Setup </h2> <h3> 5.1 GitHub OAuth App </h3> <p>Go to GitHub → Settings → Developer Settings → OAuth Apps → New OAuth App:</p> <ul> <li> <strong>Homepage URL:</strong> <code>https://shri.software</code> </li> <li> <strong>Authorization callback URL:</strong> <code>https://shri.software/api/auth/callback/github</code> </li> </ul> <p>Save the <code>Client ID</code> and <code>Client Secret</code>, these go into GitHub Actions secrets.</p> <h3> 5.2 AWS ECR (Elastic Container Registry) </h3> <p>Create two private repositories to store Docker images:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F28990urbh32rkkkae6nm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F28990urbh32rkkkae6nm.png" alt="AWS ECR, both repositories" width="800" height="492"></a><br> <em>Both ECR repositories created and ready to receive images from the CI pipeline</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ecr create-repository <span class="nt">--repository-name</span> job-tracker-backend <span class="nt">--region</span> us-east-1 aws ecr create-repository <span class="nt">--repository-name</span> job-tracker-frontend <span class="nt">--region</span> us-east-1 </code></pre> </div> <h3> 5.3 AWS RDS (MySQL 8) </h3> <p>Create a MySQL 8 RDS instance in the AWS Console:</p> <ol> <li>Engine: MySQL 8.0</li> <li>Instance class: <code>db.t3.micro</code> (Free Tier eligible)</li> <li>Storage: 20 GB gp2</li> <li> <strong>Important:</strong> Place in the same VPC as your EC2 instances</li> <li>Set a master username and password</li> <li>Create a database: <code>jobtracker</code> </li> <li>Note the endpoint, it looks like <code>job-tracker-db.xxx.us-east-1.rds.amazonaws.com</code> </li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F84vz82fy48tik7xtv3ob.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F84vz82fy48tik7xtv3ob.png" alt="AWS RDS, job-tracker-db instance" width="800" height="485"></a><br> <em>RDS MySQL 8 instance showing "Available" status with the endpoint used by the backend</em></p> <p>Why RDS instead of a containerized DB? Managed backups, automated patching, and persistence across EC2 restarts without dealing with EBS volumes.</p> <h3> 5.4 QA EC2 Instance </h3> <p>Launch a persistent EC2 instance (Ubuntu 22.04, <code>t3.micro</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># After SSH-ing in, install Docker and the SSM agent</span> <span class="nb">sudo </span>apt-get update <span class="nb">sudo </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> docker.io docker-compose-plugin <span class="c"># Enable SSM agent (usually pre-installed on Ubuntu 22.04 AMIs)</span> <span class="nb">sudo </span>systemctl <span class="nb">enable </span>amazon-ssm-agent <span class="nb">sudo </span>systemctl start amazon-ssm-agent <span class="c"># Allow ubuntu user to run docker without sudo</span> <span class="nb">sudo </span>usermod <span class="nt">-aG</span> docker ubuntu </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ej7bvqjekbiv12qqsrv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ej7bvqjekbiv12qqsrv.png" alt="AWS EC2, QA instance details" width="800" height="492"></a><br> <em>The persistent QA EC2 instance with LabRole attached, running Docker and Nginx</em></p> <p>Attach the <strong>LabRole</strong> to this EC2 instance. In AWS Academy, <code>LabRole</code> is a pre-provisioned IAM role that already has the permissions needed for SSM, ECR, and EC2 operations, you don't create it yourself, it's provided by the lab environment.</p> <h3> 5.5 IAM Credentials for GitHub Actions (AWS Academy) </h3> <p>AWS Academy accounts don't support OIDC federation or long-lived IAM users. Instead, you get temporary session credentials from the <strong>AWS Details</strong> panel in the Vocareum lab console. These rotate every session.</p> <p>Store them as GitHub Secrets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWS_ACCESS_KEY_ID → from AWS Details panel AWS_SECRET_ACCESS_KEY → from AWS Details panel AWS_SESSION_TOKEN → from AWS Details panel (required for temporary credentials) </code></pre> </div> <p>Then configure credentials in your workflow using the static credential method:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-session-token</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SESSION_TOKEN }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">us-east-1</span> </code></pre> </div> <blockquote> <p><strong>Note:</strong> AWS Academy session credentials expire when the lab session ends (~4 hours). You'll need to update these three secrets each time you start a new lab session. This is a limitation of the Academy environment, in a real AWS account you would use OIDC to avoid static credentials entirely.</p> </blockquote> <h2> 6. GitHub Actions CI/CD Pipeline </h2> <p>The infra repo contains five workflow files that chain together via <code>workflow_call</code>. Each does one thing well.</p> <h3> 6.1 Nightly Orchestrator (<code>nightly.yml</code>) </h3> <p>This is the entry point, triggered on a schedule or manually:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/nightly.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Nightly Build and Deploy</span> <span class="na">on</span><span class="pi">:</span> <span class="na">schedule</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">cron</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0</span><span class="nv"> </span><span class="s">2</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*'</span> <span class="c1"># 2 AM UTC every day</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="c1"># Allow manual triggers</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">setup</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">outputs</span><span class="pi">:</span> <span class="na">image_tag</span><span class="pi">:</span> <span class="s">${{ steps.tag.outputs.image_tag }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">tag</span> <span class="na">run</span><span class="pi">:</span> <span class="s">echo "image_tag=$(date +%Y%m%d%H%M%S)" &gt;&gt; $GITHUB_OUTPUT</span> <span class="na">build</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">setup</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">./.github/workflows/build.yml</span> <span class="na">with</span><span class="pi">:</span> <span class="na">image_tag</span><span class="pi">:</span> <span class="s">${{ needs.setup.outputs.image_tag }}</span> <span class="na">secrets</span><span class="pi">:</span> <span class="s">inherit</span> <span class="na">smoke-test</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">setup</span><span class="pi">,</span> <span class="nv">build</span><span class="pi">]</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">./.github/workflows/smoke-test.yml</span> <span class="na">with</span><span class="pi">:</span> <span class="na">image_tag</span><span class="pi">:</span> <span class="s">${{ needs.setup.outputs.image_tag }}</span> <span class="na">secrets</span><span class="pi">:</span> <span class="s">inherit</span> <span class="na">promote</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">setup</span><span class="pi">,</span> <span class="nv">smoke-test</span><span class="pi">]</span> <span class="c1"># Only runs if smoke test passes</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">./.github/workflows/promote.yml</span> <span class="na">with</span><span class="pi">:</span> <span class="na">image_tag</span><span class="pi">:</span> <span class="s">${{ needs.setup.outputs.image_tag }}</span> <span class="na">secrets</span><span class="pi">:</span> <span class="s">inherit</span> <span class="na">deploy-qa</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">promote</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">./.github/workflows/deploy-qa.yml</span> <span class="na">secrets</span><span class="pi">:</span> <span class="s">inherit</span> </code></pre> </div> <p>The timestamp tag (e.g., <code>20250307021530</code>) makes every build uniquely identifiable. If a smoke test fails, the image stays tagged only with the timestamp, it's never promoted to <code>:latest</code> and never deployed.</p> <h3> 6.2 Build and Push to ECR (<code>build.yml</code>) </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/build.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and Push to ECR</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_call</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">image_tag</span><span class="pi">:</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout source code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">repository</span><span class="pi">:</span> <span class="s">Shreyas-Yadav/job-application-tracker</span> <span class="na">token</span><span class="pi">:</span> <span class="s">${{ secrets.SOURCE_REPO_TOKEN }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-session-token</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SESSION_TOKEN }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to ECR</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecr-login@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push backend</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker build -t ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com/job-tracker-backend:${{ inputs.image_tag }} ./backend</span> <span class="s">docker push ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com/job-tracker-backend:${{ inputs.image_tag }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push frontend</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker build -t ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com/job-tracker-frontend:${{ inputs.image_tag }} ./frontend</span> <span class="s">docker push ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com/job-tracker-frontend:${{ inputs.image_tag }}</span> </code></pre> </div> <h3> 6.3 Smoke Test on Temporary EC2 (<code>smoke-test.yml</code>) </h3> <p>This is the most interesting part. Instead of testing on the QA instance (risking breaking it), we launch a fresh, temporary EC2 for every test run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/smoke-test.yml</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">smoke-test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Launch temporary EC2</span> <span class="na">id</span><span class="pi">:</span> <span class="s">launch</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">INSTANCE_ID=$(aws ec2 run-instances \</span> <span class="s">--image-id ${{ secrets.TEMP_EC2_AMI }} \</span> <span class="s">--instance-type t3.micro \</span> <span class="s">--subnet-id ${{ secrets.TEMP_EC2_SUBNET_ID }} \</span> <span class="s">--security-group-ids ${{ secrets.TEMP_EC2_SG_ID }} \</span> <span class="s">--iam-instance-profile Name=LabInstanceProfile \</span> <span class="s">--query 'Instances[0].InstanceId' \</span> <span class="s">--output text)</span> <span class="s">echo "instance_id=$INSTANCE_ID" &gt;&gt; $GITHUB_OUTPUT</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Wait for SSM agent</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s"># Wait up to 4 minutes for the instance to boot and SSM to connect</span> <span class="s">for i in {1..24}; do</span> <span class="s">STATUS=$(aws ssm describe-instance-information \</span> <span class="s">--filters "Key=InstanceIds,Values=${{ steps.launch.outputs.instance_id }}" \</span> <span class="s">--query 'InstanceInformationList[0].PingStatus' \</span> <span class="s">--output text 2&gt;/dev/null || echo "None")</span> <span class="s">[ "$STATUS" = "Online" ] &amp;&amp; break</span> <span class="s">sleep 10</span> <span class="s">done</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run smoke tests via SSM</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">COMMAND_ID=$(aws ssm send-command \</span> <span class="s">--instance-ids ${{ steps.launch.outputs.instance_id }} \</span> <span class="s">--document-name "AWS-RunShellScript" \</span> <span class="s">--parameters commands='[</span> <span class="s">"aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com",</span> <span class="s">"IMAGE_TAG=${{ inputs.image_tag }} docker compose -f /tmp/docker-compose.smoke.yml up -d",</span> <span class="s">"bash /tmp/smoke-test.sh"</span> <span class="s">]' \</span> <span class="s">--query 'Command.CommandId' --output text)</span> <span class="s"># Poll until complete</span> <span class="s">aws ssm wait command-executed \</span> <span class="s">--command-id $COMMAND_ID \</span> <span class="s">--instance-id ${{ steps.launch.outputs.instance_id }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terminate temporary EC2</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always()</span> <span class="c1"># Clean up even if tests fail</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws ec2 terminate-instances \</span> <span class="s">--instance-ids ${{ steps.launch.outputs.instance_id }}</span> </code></pre> </div> <p>The <code>smoke-test.sh</code> script runs three checks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nv">BACKEND</span><span class="o">=</span><span class="k">${</span><span class="nv">1</span><span class="k">:-</span><span class="s2">"http://localhost:5000"</span><span class="k">}</span> <span class="nv">FRONTEND</span><span class="o">=</span><span class="k">${</span><span class="nv">2</span><span class="k">:-</span><span class="s2">"http://localhost:3000"</span><span class="k">}</span> <span class="c"># Wait up to 2 minutes for backend to be ready</span> <span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..12<span class="o">}</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-sf</span> <span class="s2">"</span><span class="nv">$BACKEND</span><span class="s2">/health"</span> <span class="o">&gt;</span> /dev/null <span class="o">&amp;&amp;</span> <span class="nb">break echo</span> <span class="s2">"Waiting for backend... (</span><span class="nv">$i</span><span class="s2">/12)"</span> <span class="nb">sleep </span>10 <span class="k">done</span> <span class="c"># Test 1: Backend health check</span> curl <span class="nt">-sf</span> <span class="s2">"</span><span class="nv">$BACKEND</span><span class="s2">/health"</span> | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s1">'"status":"ok"'</span> <span class="o">||</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"FAIL: /health"</span><span class="p">;</span> <span class="nb">exit </span>1<span class="p">;</span> <span class="o">}</span> <span class="nb">echo</span> <span class="s2">"PASS: Backend /health returns ok"</span> <span class="c"># Test 2: Auth middleware is working (unauthenticated request → 401)</span> <span class="nv">STATUS</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}"</span> <span class="s2">"</span><span class="nv">$BACKEND</span><span class="s2">/api/applications"</span><span class="si">)</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$STATUS</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"401"</span> <span class="o">]</span> <span class="o">||</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"FAIL: /api/applications should return 401, got </span><span class="nv">$STATUS</span><span class="s2">"</span><span class="p">;</span> <span class="nb">exit </span>1<span class="p">;</span> <span class="o">}</span> <span class="nb">echo</span> <span class="s2">"PASS: /api/applications correctly requires authentication"</span> <span class="c"># Test 3: Frontend is serving pages</span> <span class="nv">STATUS</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}"</span> <span class="s2">"</span><span class="nv">$FRONTEND</span><span class="s2">"</span><span class="si">)</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$STATUS</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"200"</span> <span class="o">]</span> <span class="o">||</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"FAIL: Frontend returned </span><span class="nv">$STATUS</span><span class="s2">"</span><span class="p">;</span> <span class="nb">exit </span>1<span class="p">;</span> <span class="o">}</span> <span class="nb">echo</span> <span class="s2">"PASS: Frontend is serving pages"</span> <span class="nb">echo</span> <span class="s2">"All smoke tests passed!"</span> </code></pre> </div> <h3> 6.4 Promote Image (<code>promote.yml</code>) </h3> <p>Once smoke tests pass, we retag the timestamp image as <code>:latest</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/promote.yml</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">promote</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">repo</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">job-tracker-backend</span><span class="pi">,</span> <span class="nv">job-tracker-frontend</span><span class="pi">]</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Retag image as latest</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">REGISTRY="${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com"</span> <span class="s"># Fetch the manifest of the tested image</span> <span class="s">MANIFEST=$(aws ecr batch-get-image \</span> <span class="s">--repository-name ${{ matrix.repo }} \</span> <span class="s">--image-ids imageTag=${{ inputs.image_tag }} \</span> <span class="s">--query 'images[0].imageManifest' --output text)</span> <span class="s"># Push the same manifest with the :latest tag</span> <span class="s">aws ecr put-image \</span> <span class="s">--repository-name ${{ matrix.repo }} \</span> <span class="s">--image-tag latest \</span> <span class="s">--image-manifest "$MANIFEST"</span> </code></pre> </div> <p>This approach (retagging the manifest) is instant, no re-pulling or re-pushing layers. The <code>:latest</code> image is byte-for-byte identical to the tested timestamp image.</p> <h3> 6.5 Deploy to QA EC2 (<code>deploy-qa.yml</code>) </h3> <p>The final step deploys to the persistent QA server using AWS SSM, no SSH keys needed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/deploy-qa.yml</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check QA EC2 is running</span> <span class="na">id</span><span class="pi">:</span> <span class="s">check</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">STATE=$(aws ec2 describe-instances \</span> <span class="s">--instance-ids ${{ secrets.QA_EC2_INSTANCE_ID }} \</span> <span class="s">--query 'Reservations[0].Instances[0].State.Name' \</span> <span class="s">--output text)</span> <span class="s">echo "state=$STATE" &gt;&gt; $GITHUB_OUTPUT</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Sync config files</span> <span class="na">if</span><span class="pi">:</span> <span class="s">steps.check.outputs.state == 'running'</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s"># Base64-encode configs and decode them on the EC2 to avoid quoting issues</span> <span class="s">COMPOSE_B64=$(base64 -w0 docker-compose.prod.yml)</span> <span class="s">NGINX_B64=$(base64 -w0 nginx/nginx.conf)</span> <span class="s">aws ssm send-command \</span> <span class="s">--instance-ids ${{ secrets.QA_EC2_INSTANCE_ID }} \</span> <span class="s">--document-name "AWS-RunShellScript" \</span> <span class="s">--parameters commands="[</span> <span class="s">\"echo $COMPOSE_B64 | base64 -d &gt; /home/ubuntu/app/docker-compose.prod.yml\",</span> <span class="s">\"echo $NGINX_B64 | base64 -d &gt; /etc/nginx/sites-enabled/default\",</span> <span class="s">\"nginx -t &amp;&amp; systemctl reload nginx\"</span> <span class="s">]"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy containers</span> <span class="na">if</span><span class="pi">:</span> <span class="s">steps.check.outputs.state == 'running'</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws ssm send-command \</span> <span class="s">--instance-ids ${{ secrets.QA_EC2_INSTANCE_ID }} \</span> <span class="s">--document-name "AWS-RunShellScript" \</span> <span class="s">--parameters commands="[</span> <span class="s">\"aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com\",</span> <span class="s">\"cd /home/ubuntu/app &amp;&amp; docker compose -f docker-compose.prod.yml pull\",</span> <span class="s">\"DB_HOST=${{ secrets.DB_HOST }} DB_NAME=${{ secrets.DB_NAME }} DB_USER=${{ secrets.DB_USER }} DB_PASSWORD=${{ secrets.DB_PASSWORD }} NEXTAUTH_SECRET=${{ secrets.NEXTAUTH_SECRET }} docker compose -f docker-compose.prod.yml up -d\",</span> <span class="s">\"sleep 10 &amp;&amp; curl -sf http://localhost:5000/health\"</span> <span class="s">]"</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn1b2dve7g5zqtn2j5yah.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn1b2dve7g5zqtn2j5yah.png" alt="GitHub Actions, Nightly Build pipeline all green" width="800" height="492"></a><br> <em>All 5 jobs in the nightly pipeline completing successfully in 5m 26s</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6kt0c0otongxxwxpnufv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6kt0c0otongxxwxpnufv.png" alt="GitHub Actions, deploy-qa job steps" width="800" height="492"></a><br> <em>The deploy-qa job expanded showing each SSM step: sync config files, deploy via docker compose, health check</em></p> <h2> 7. Domain Name with Route 53 and SSL with Let's Encrypt </h2> <h3> 7.1 Get a Domain and Migrate to Route 53 </h3> <ol> <li>Purchase a domain on <a href="https://www.name.com" rel="noopener noreferrer">Name.com</a> (or any registrar)</li> <li>Create a <strong>Hosted Zone</strong> in AWS Route 53 for your domain</li> <li>Note the 4 NS (nameserver) records Route 53 provides</li> <li>In Name.com's DNS settings, replace the default nameservers with Route 53's NS records</li> <li>Wait 24-48 hours for propagation</li> </ol> <h3> 7.2 Create DNS Records </h3> <p>In Route 53, create an <strong>A record</strong> pointing to your QA EC2's public IP:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa126gjqoetu10iknoqnp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa126gjqoetu10iknoqnp.png" alt="Route 53, shri.software hosted zone" width="800" height="492"></a><br> <em>Route 53 hosted zone for shri.software showing the A record, NS, and SOA records</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Type: A Name: shri.software Value: &lt;EC2 Public IP&gt; TTL: 300 </code></pre> </div> <blockquote> <p><strong>Note:</strong> If you stop/start EC2 instances, the public IP changes. Consider using an Elastic IP for the QA instance to keep the IP stable.</p> </blockquote> <h3> 7.3 Install Certbot and Get an SSL Certificate </h3> <p>SSH into your QA EC2 and run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install Certbot with the Nginx plugin</span> <span class="nb">sudo </span>apt-get update <span class="nb">sudo </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> certbot python3-certbot-nginx <span class="c"># Obtain a certificate (Certbot automatically configures Nginx)</span> <span class="nb">sudo </span>certbot <span class="nt">--nginx</span> <span class="nt">-d</span> shri.software <span class="c"># Verify auto-renewal is configured</span> <span class="nb">sudo </span>systemctl status certbot.timer <span class="nb">sudo </span>certbot renew <span class="nt">--dry-run</span> </code></pre> </div> <p>Certbot will:</p> <ol> <li>Verify domain ownership by placing a file at <code>/.well-known/acme-challenge/</code> </li> <li>Download the certificate to <code>/etc/letsencrypt/live/shri.software/</code> </li> <li>Modify your Nginx config to use the certificate</li> </ol> <h2> 8. Nginx as a Reverse Proxy </h2> <p>Nginx sits in front of both services, routing traffic and terminating SSL:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="c1"># /etc/nginx/sites-enabled/default</span> <span class="c1"># Redirect HTTP to HTTPS</span> <span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span> <span class="kn">server_name</span> <span class="s">shri.software</span><span class="p">;</span> <span class="kn">return</span> <span class="mi">301</span> <span class="s">https://</span><span class="nv">$host$request_uri</span><span class="p">;</span> <span class="p">}</span> <span class="c1"># HTTPS server</span> <span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">443</span> <span class="s">ssl</span><span class="p">;</span> <span class="kn">server_name</span> <span class="s">shri.software</span><span class="p">;</span> <span class="kn">ssl_certificate</span> <span class="n">/etc/letsencrypt/live/shri.software/fullchain.pem</span><span class="p">;</span> <span class="kn">ssl_certificate_key</span> <span class="n">/etc/letsencrypt/live/shri.software/privkey.pem</span><span class="p">;</span> <span class="c1"># NextAuth routes must go to the frontend (Next.js handles them)</span> <span class="kn">location</span> <span class="n">/api/auth/</span> <span class="p">{</span> <span class="kn">proxy_pass</span> <span class="s">http://localhost:3000</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-Proto</span> <span class="s">https</span><span class="p">;</span> <span class="p">}</span> <span class="c1"># All other /api/ routes go to Express backend</span> <span class="kn">location</span> <span class="n">/api/</span> <span class="p">{</span> <span class="kn">proxy_pass</span> <span class="s">http://localhost:5000</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> <span class="p">}</span> <span class="c1"># Everything else goes to Next.js frontend</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">proxy_pass</span> <span class="s">http://localhost:3000</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-Proto</span> <span class="s">https</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The order of <code>location</code> blocks matters: <code>/api/auth/</code> must be listed before <code>/api/</code> because Nginx uses longest prefix matching.</p> <h2> 9. Security Best Practices </h2> <p>Here's what I did deliberately for security:</p> <h3> Containers </h3> <ul> <li> <strong>Non-root users</strong> in every container (<code>adduser -S shri</code>)</li> <li> <strong>Alpine base images</strong>, smaller surface area, fewer CVEs</li> <li> <strong><code>--production</code> npm install</strong>, dev tools never ship to production</li> <li> <strong>Multi-stage builds</strong>, build tools (compilers, test runners) never end up in production images</li> </ul> <h3> Authentication </h3> <ul> <li> <strong>GitHub OAuth</strong>, no password storage, no credential database to protect</li> <li> <strong>Short-lived JWTs</strong> (1 hour expiry) between frontend and backend</li> <li> <strong>User-scoped queries</strong>, every DB query filters by <code>user_id</code> from the verified JWT; users cannot access each other's data</li> </ul> <h3> Infrastructure </h3> <ul> <li> <strong>No SSH keys</strong>, AWS SSM for all remote execution; port 22 is closed</li> <li> <strong>LabRole on EC2</strong>, AWS Academy's pre-provisioned role grants SSM and ECR access without custom policy authoring</li> <li> <strong>RDS in private subnet</strong>, database is not publicly accessible</li> <li> <strong>Secrets in GitHub Secrets</strong>, never hardcoded in workflow files or checked into git</li> <li> <strong>HTTPS only</strong>, Nginx enforces HTTP → HTTPS redirect at the server level</li> </ul> <h3> Secrets Management </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5agkpsh2eohc4ybuqrwz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5agkpsh2eohc4ybuqrwz.png" alt="GitHub Secrets, all 16 secrets configured" width="800" height="492"></a><br> <em>All secrets stored in GitHub, values are never visible after being saved</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># GitHub Secrets used in this project:</span> AWS_ACCOUNT_ID <span class="c"># AWS account number</span> AWS_ACCESS_KEY_ID <span class="c"># From AWS Academy lab details panel</span> AWS_SECRET_ACCESS_KEY <span class="c"># From AWS Academy lab details panel</span> AWS_SESSION_TOKEN <span class="c"># From AWS Academy lab details panel (rotates each session)</span> TEMP_EC2_AMI <span class="c"># AMI ID for smoke test instances</span> TEMP_EC2_SUBNET_ID <span class="c"># VPC subnet for temporary instances</span> TEMP_EC2_SG_ID <span class="c"># Security group ID</span> QA_EC2_INSTANCE_ID <span class="c"># Persistent QA EC2 instance ID</span> DB_HOST <span class="c"># RDS endpoint</span> DB_NAME / DB_USER / DB_PASSWORD NEXTAUTH_SECRET <span class="c"># Shared secret for JWT signing</span> GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET <span class="c"># OAuth app credentials</span> SOURCE_REPO_TOKEN <span class="c"># PAT to check out source repo from infra repo</span> </code></pre> </div> <h2> Conclusion </h2> <p>The full pipeline, from a git push to a verified deployment on HTTPS, runs without any manual steps. The key architectural wins:</p> <ul> <li> <strong>Two repos</strong> for clean separation of application vs. infrastructure concerns</li> <li> <strong>Timestamp-tagged images</strong> with promotion to <code>:latest</code> only after passing tests</li> <li> <strong>Ephemeral test infrastructure</strong> that is created and destroyed per pipeline run</li> <li> <strong>SSM-based deployment</strong> with no SSH keys to manage</li> <li> <strong>Route 53 + Let's Encrypt</strong> for production-grade DNS and SSL at zero cost</li> </ul> <p>The live app is running at <code>https://shri.software</code>. The source code is split across:</p> <ul> <li>Source repo: <code>github.com/Shreyas-Yadav/job-application-tracker</code> </li> <li>Infra repo: <code>github.com/Shreyas-Yadav/job-application-tracker-infra</code> </li> </ul> devops docker aws cicd Shreyas Yadav Tue, 14 Oct 2025 22:26:38 +0000 https://forem.com/shreyas_yadav_e6fbf9ad3f6/building-high-availability-web-apps-on-aws-auto-scaling-alb-and-private-subnets-48a9 https://forem.com/shreyas_yadav_e6fbf9ad3f6/building-high-availability-web-apps-on-aws-auto-scaling-alb-and-private-subnets-48a9 <p>This guide, we’ll see how to deploy a production ready weather application on AWS with enterprise grade architecture. We’l' use <strong>Auto Scaling Groups</strong> and <strong>Application Load Balancers</strong> for high availability, <strong>public-private subnets</strong> for security isolation, and <strong>Amazon ECR</strong> for containerized deployments. To make it production complete, we'll configure a custom domain with <strong>Route 53</strong> and enable HTTPS using <strong>AWS Certificate Manager</strong>. The result? A fully scalable, secure web application accessible via your own domain with SSL encryption exactly how professional applications should be deployed.</p> <p><strong>GitHub Repository:</strong> <a href="https://github.com/Shreyas-Yadav/weather-aws" rel="noopener noreferrer">https://github.com/Shreyas-Yadav/weather-aws</a></p> <p>Clone the above repo and continue. </p> <p>Our weather application uses a multi-tier architecture on AWS that separates the frontend and backend for better security and scalability. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu19yqto7lwty49fhm96w.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu19yqto7lwty49fhm96w.png" alt=" " width="800" height="446"></a></p> <h2> Step 1: Creating the VPC </h2> <h3> What is a VPC? </h3> <p>A VPC (Virtual Private Cloud) is your isolated network in AWS. Think of it as your own private data center in the cloud where all your servers and resources will live securely.</p> <h3> Setting Up the VPC </h3> <p><strong>Navigate to VPC Creation</strong></p> <p>Go to AWS Console → Search "VPC" → Click "Your VPCs" → Click <strong>"Create VPC"</strong></p> <p><strong>Choose "VPC and more"</strong></p> <p>You'll see two options:</p> <ul> <li> <strong>VPC only</strong> - Manual setup (tedious)</li> <li> <strong>VPC and more</strong> - Automatic setup(recommended)</li> </ul> <p>Select <strong>"VPC and more"</strong> - AWS will automatically create all networking components for you.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6qflqvjwu1rk8x3crzsb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6qflqvjwu1rk8x3crzsb.png" alt=" " width="800" height="815"></a></p> <p><strong>Basic Configuration</strong></p> <p><strong>Name tag auto-generation:</strong> <code>weather-app</code><br> This prefix will be added to all resources, making them easy to identify.</p> <p><strong>IPv4 CIDR block:</strong> <code>10.0.0.0/16</code><br> This is your VPC's IP address range (65,536 available IPs).</p> <p><strong>IPv6:</strong> Select "No IPv6 CIDR block"<br> <strong>Tenancy:</strong> Keep as "Default"</p> <p><strong>Availability Zones and Subnets</strong></p> <p><strong>Number of Availability Zones:</strong> Select <strong>2</strong><br> This is crucial for high availability - if one data center fails, your app continues running in the other.</p> <p><strong>Number of public subnets:</strong> <strong>2</strong><br> These will host your frontend servers (internet-accessible)</p> <p><strong>Number of private subnets:</strong> <strong>2</strong><br> These will host your backend servers (hidden from internet)</p> <p><strong>Subnet CIDR blocks:</strong> Keep the defaults:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Public subnet 1a: 10.0.0.0/20 Public subnet 1b: 10.0.16.0/20 Private subnet 1a: 10.0.128.0/20 Private subnet 1b: 10.0.144.0/20 </code></pre> </div> <p><strong>NAT Gateways</strong></p> <p>Select <strong>"1 per AZ"</strong> (creates 2 total)</p> <p><strong>What's a NAT Gateway?</strong><br> It allows your private backend servers to access the internet (for API calls, updates) while staying hidden from incoming internet traffic.</p> <p><strong>Why 2 NAT Gateways?</strong><br> High availability each private subnet gets its own NAT Gateway for redundancy.</p> <p><strong>Additional Settings</strong></p> <p><strong>VPC endpoints:</strong> None<br> <strong>DNS options:</strong> Enable both</p> <ul> <li>Enable DNS hostnames</li> <li>Enable DNS resolution</li> </ul> <p><strong>Create VPC</strong></p> <p>Click <strong>"Create VPC"</strong> and wait 2-3 minutes.</p> <p>AWS will create:</p> <ul> <li>1 VPC</li> <li>4 Subnets (2 public, 2 private) </li> <li>1 Internet Gateway</li> <li>2 NAT Gateways</li> <li>Route tables</li> </ul> <h2> Step 2: Creating Security Groups </h2> <h3> What are Security Groups? </h3> <p>Security Groups are virtual firewalls that control inbound and outbound traffic to your AWS resources.</p> <p>We'll create 4 security groups to control traffic between components.</p> <h3> Security Group 1: Frontend ALB Security Group </h3> <p><strong>Navigate:</strong> EC2 → Security Groups → Create security group</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl6m8einthgud0t5ayoon.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl6m8einthgud0t5ayoon.png" alt=" " width="800" height="437"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name: weather-frontend-alb-sg Description: Security group for Frontend Application Load Balancer VPC: weather-app-vpc </code></pre> </div> <p><strong>Inbound Rules:</strong></p> <ul> <li>HTTP (80) from 0.0.0.0/0</li> <li>HTTPS (443) from 0.0.0.0/0</li> </ul> <p><strong>Outbound Rules:</strong> All traffic (default)</p> <h3> Security Group 2: Frontend EC2 Security Group </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name: weather-frontend-sg Description: Security group for Frontend EC2 instances VPC: weather-app-vpc </code></pre> </div> <p><strong>Inbound Rules:</strong></p> <ul> <li>HTTP (80) from Custom → <code>weather-frontend-alb-sg</code> </li> <li>SSH (22) from My IP (optional for debugging)</li> </ul> <p><strong>Outbound Rules:</strong> All traffic (default)</p> <h3> Security Group 3: Backend ALB Security Group </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name: weather-backend-alb-sg Description: Security group for Backend Application Load Balancer VPC: weather-app-vpc </code></pre> </div> <p><strong>Inbound Rules:</strong></p> <ul> <li>HTTP (80) from Custom → <code>weather-frontend-sg</code> </li> </ul> <p><strong>Outbound Rules:</strong> All traffic (default)</p> <h3> Security Group 4: Backend EC2 Security Group </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name: weather-backend-sg Description: Security group for Backend EC2 instances VPC: weather-app-vpc </code></pre> </div> <p><strong>Inbound Rules:</strong></p> <ul> <li>Custom TCP (3000) from Custom → <code>weather-backend-alb-sg</code> </li> <li>SSH (22) from My IP (optional for debugging)</li> </ul> <p><strong>Outbound Rules:</strong> All traffic (default)</p> <h3> Traffic Flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Internet → Frontend ALB (80,443) → Frontend EC2 (80) → Backend ALB (80) → Backend EC2 (3000) </code></pre> </div> <p><br> .</p> <h2> Step 3: IAM Role for EC2 Instances. </h2> <h3> Note for AWS Academy/Lab Users </h3> <p>If you're using <strong>AWS Academy Labs</strong> or <strong>AWS Learner Lab</strong>, you cannot create custom IAM roles. Instead, use the pre-configured role provided:</p> <p><strong>Role name:</strong> <code>LabRole</code></p> <p>This role already has the necessary permissions for ECR, Parameter Store, and other AWS services.</p> <p>When creating EC2 instances or Launch Templates, select <strong>LabRole</strong> as the IAM instance profile.</p> <h3> For Regular AWS Accounts </h3> <p>If you're using a personal/company AWS account (not AWS Labs), follow these steps to create a custom IAM role:</p> <p><strong>Navigate:</strong> IAM → Roles → Create role</p> <p><strong>Step 1: Select Trusted Entity</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Trusted entity type: AWS service Use case: EC2 </code></pre> </div> <p>Click <strong>Next</strong></p> <p><strong>Add Permissions</strong></p> <p>Search and select these 2 managed policies:</p> <ol> <li><strong>AmazonEC2ContainerRegistryReadOnly</strong></li> <li><strong>AmazonSSMManagedInstanceCore</strong></li> </ol> <p>Click <strong>Next</strong></p> <p><strong>Name and Create</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Role name: weather-ec2-role Description: IAM role for Weather App EC2 instances </code></pre> </div> <p>Click <strong>Create role</strong></p> <p><strong>Add Parameter Store Policy</strong></p> <ol> <li>Click on <strong>weather-ec2-role</strong> → <strong>Permissions</strong> tab</li> <li>Click <strong>Add permissions</strong> → <strong>Create inline policy</strong> → <strong>JSON</strong> tab </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"ssm:GetParameter"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ssm:GetParameters"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:ssm:*:*:parameter/weather-app/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li>Policy name: <code>ParameterStoreReadPolicy</code> </li> <li>Click **Create </li> </ol> <h2> Step 4: Creating ECR Repositories </h2> <h3> What is Amazon ECR? </h3> <p>Amazon Elastic Container Registry (ECR) is a Docker container registry where we'll store our frontend and backend Docker images. EC2 instances will pull images from here during deployment.</p> <h3> Create ECR Repositories </h3> <p><strong>Navigate:</strong> Amazon ECR → Repositories → Create repository</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fby9e5dymlkrz11uqxudn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fby9e5dymlkrz11uqxudn.png" alt=" " width="800" height="437"></a></p> <h3> Repository 1: Frontend </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Repository name: weather-frontend Image tag mutability: Mutable Encryption: AES-256 (default) Scan on push: Enable (optional) </code></pre> </div> <p>Click <strong>Create repository</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0cxu70pwk84ernnvkyff.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0cxu70pwk84ernnvkyff.png" alt=" " width="800" height="437"></a></p> <h3> Repository 2: Backend </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Repository name: weather-backend Image tag mutability: Mutable Encryption: AES-256 (default) Scan on push: Enable (optional) </code></pre> </div> <p>Click <strong>Create repository</strong></p> <h3> Note Your Repository URIs </h3> <p>After creation, note down both repository URIs (format: <code>account-id.dkr.ecr.region.amazonaws.com/repository-name</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Frontend URI: 339712997278.dkr.ecr.us-east-1.amazonaws.com/weather-frontend Backend URI: 339712997278.dkr.ecr.us-east-1.amazonaws.com/weather-backend </code></pre> </div> <p>You'll need these URIs to push Docker images and configure EC2 instances.</p> <h2> Step 5: Build and Push Docker Images to ECR </h2> <h3> Prerequisites </h3> <p>Ensure you have installed:</p> <ul> <li>AWS CLI (latest version)</li> <li>Docker</li> </ul> <h3> Build Docker Images </h3> <p><strong>Important:</strong> Build images compatible with EC2 architecture (Linux AMD64/ARM64).</p> <p>Navigate to your project directory and build both images:</p> <p><strong>Build Backend:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker buildx build <span class="nt">--platform</span> linux/amd64,linux/arm64 <span class="nt">-t</span> weather-backend <span class="nt">--load</span> ./backend </code></pre> </div> <p><strong>Build Frontend:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker buildx build <span class="nt">--platform</span> linux/amd64,linux/arm64 <span class="nt">-t</span> weather-frontend <span class="nt">--load</span> ./frontend </code></pre> </div> <p><strong>Why <code>--platform</code> flag?</strong><br><br> EC2 instances run Linux. This ensures your Docker images are compatible with EC2's operating system and CPU architecture.</p> <h3> Push Images to ECR </h3> <p>AWS provides ready-to-use push commands for each repository.</p> <p><strong>To view push commands:</strong> ECR → Repositories → Select repository → Click <strong>"View push commands"</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbyxaiu3w23s8t7ydvtl3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbyxaiu3w23s8t7ydvtl3.png" alt=" " width="800" height="642"></a></p> <p><strong>Authenticate Docker to ECR</strong></p> <p>Replace <code>us-east-1</code> with your region and <code>339712997278</code> with your AWS account ID:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ecr get-login-password <span class="nt">--region</span> us-east-1 | docker login <span class="nt">--username</span> AWS <span class="nt">--password-stdin</span> 339712997278.dkr.ecr.us-east-1.amazonaws.com </code></pre> </div> <p><strong>Tag Frontend Image</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker tag weather-frontend:latest 339712997278.dkr.ecr.us-east-1.amazonaws.com/weather-frontend:latest </code></pre> </div> <p><strong>Push Frontend Image</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker push 339712997278.dkr.ecr.us-east-1.amazonaws.com/weather-frontend:latest </code></pre> </div> <p><strong>Tag Backend Image</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker tag weather-backend:latest 339712997278.dkr.ecr.us-east-1.amazonaws.com/weather-backend:latest </code></pre> </div> <p><strong>Push Backend Image</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker push 339712997278.dkr.ecr.us-east-1.amazonaws.com/weather-backend:latest </code></pre> </div> <h3> Verify Images in ECR </h3> <p>Go to <strong>Amazon ECR → Repositories</strong></p> <p>Check both repositories:</p> <ul> <li> <code>weather-frontend</code> - Should show <code>latest</code> tag</li> <li> <code>weather-backend</code> - Should show <code>latest</code> tag</li> </ul> <p>—</p> <h2> Step 6: Creating Target Groups </h2> <h3> What are Target Groups? </h3> <p>Target Groups are used by Application Load Balancers to route traffic to registered EC2 instances. They also perform health checks to ensure traffic only goes to healthy instances.</p> <p>We'll create 2 target groups - one for frontend and one for backend.</p> <h3> Target Group 1: Backend Target Group </h3> <p><strong>Navigate:</strong> EC2 → Target Groups → Create target group</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2uq5pjco3m347mpg5iup.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2uq5pjco3m347mpg5iup.png" alt=" " width="800" height="437"></a></p> <p><strong>Step 1: Basic Configuration</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Target type: Instances Target group name: weather-backend-tg Protocol: HTTP Port: 3000 VPC: weather-app-vpc Protocol version: HTTP1 </code></pre> </div> <p><strong>Step 2: Health Checks</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Health check protocol: HTTP Health check path: /health </code></pre> </div> <p><strong>Advanced health check settings:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Healthy threshold: 2 Unhealthy threshold: 3 Timeout: 5 seconds Interval: 30 seconds Success codes: 200 </code></pre> </div> <p><strong>Step 3: Register Targets</strong></p> <p>Skip this step - instances will be added automatically by Auto Scaling Group.</p> <p>Click <strong>Create target group</strong></p> <h3> Target Group 2: Frontend Target Group </h3> <p><strong>Step 1: Basic Configuration</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Target type: Instances Target group name: weather-frontend-tg Protocol: HTTP Port: 80 VPC: weather-app-vpc Protocol version: HTTP1 </code></pre> </div> <p><strong>Step 2: Health Checks</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Health check protocol: HTTP Health check path: /health </code></pre> </div> <p><strong>Advanced health check settings:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Healthy threshold: 2 Unhealthy threshold: 3 Timeout: 5 seconds Interval: 30 seconds Success codes: 200 </code></pre> </div> <p><strong>Step 3: Register Targets</strong></p> <p>Skip this step - instances will be added automatically by Auto Scaling Group.</p> <p>Click <strong>Create target group</strong></p> <h2> Step 7: Creating Application Load Balancers </h2> <h3> What is an Application Load Balancer? </h3> <p>An Application Load Balancer (ALB) distributes incoming traffic across multiple EC2 instances. We'll create two ALBs:</p> <ul> <li> <strong>Frontend ALB</strong> (Internet-facing) - Receives traffic from users</li> <li> <strong>Backend ALB</strong> (Internal) - Receives traffic from frontend instances</li> </ul> <h3> ALB 1: Backend Application Load Balancer </h3> <p><strong>Navigate:</strong> EC2 → Load Balancers → Create load balancer → Application Load Balancer</p> <p><strong>Basic Configuration</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Load balancer name: weather-backend-alb Scheme: Internal IP address type: IPv4 </code></pre> </div> <p><strong>Network Mapping</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VPC: weather-app-vpc Availability Zones: Select both ☑ us-east-1a → Select private subnet ☑ us-east-1b → Select private subnet </code></pre> </div> <p><strong>Security Groups</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Remove: default Add: weather-backend-alb-sg </code></pre> </div> <p><strong>Listeners and Routing</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Protocol: HTTP Port: 80 Default action: Forward to weather-backend-tg </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftpeqxgb0ttw2p32748xj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftpeqxgb0ttw2p32748xj.png" alt=" " width="800" height="252"></a></p> <p>Click <strong>Create load balancer</strong></p> <p>Wait 2-3 minutes for the ALB to become active.</p> <p><strong>Important:</strong> Copy the Backend ALB DNS name - you'll need it later!</p> <h3> ALB 2: Frontend Application Load Balancer </h3> <p><strong>Basic Configuration</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Load balancer name: weather-frontend-alb Scheme: Internet-facing IP address type: IPv4 </code></pre> </div> <p><strong>Network Mapping</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VPC: weather-app-vpc Availability Zones: Select both ☑ us-east-1a → Select public subnet ☑ us-east-1b → Select public subnet </code></pre> </div> <p><strong>Security Groups</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Remove: default Add: weather-frontend-alb-sg </code></pre> </div> <p><strong>Listeners and Routing</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Protocol: HTTP Port: 80 Default action: Forward to weather-frontend-tg </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9fegqng71s8lwf2qzoqd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9fegqng71s8lwf2qzoqd.png" alt=" " width="800" height="314"></a></p> <p>Click <strong>Create load balancer</strong></p> <p>Wait 2-3 minutes for the ALB to become active.</p> <h3> Verify Load Balancers </h3> <p>Go to <strong>EC2 → Load Balancers</strong></p> <p>Check both ALBs show <strong>State: Active</strong></p> <p><strong>Note down both DNS names:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Frontend ALB DNS: weather-frontend-alb-xxxxx.us-east-1.elb.amazonaws.com Backend ALB DNS: weather-backend-alb-xxxxx.us-east-1.elb.amazonaws.com </code></pre> </div> <h2> Step 8: Configure AWS Systems Manager Parameter Store </h2> <h3> What is Parameter Store? </h3> <p>Parameter Store allows you to store configuration data and secrets centrally. EC2 instances will fetch these values at runtime, eliminating hardcoded configuration.</p> <h3> Create Parameters </h3> <p><strong>Navigate:</strong> AWS Systems Manager → Parameter Store → Create parameter. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq1dhqvcn467g712hkzfj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq1dhqvcn467g712hkzfj.png" alt=" " width="800" height="400"></a></p> <p>Create the following parameters:</p> <p><strong>Parameter 1: AWS Region</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name: /weather-app/aws-region Type: String Value: us-east-1 (or your region) </code></pre> </div> <p><strong>Parameter 2: Backend ALB Host (used by frontend to call an api)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name: /weather-app/backend-host Type: String Value: &lt;Your Backend ALB DNS without http://&gt; Example: internal-weather-backend-alb-xxxxx.us-east-1.elb.amazonaws.com </code></pre> </div> <p><strong>Parameter 3: Backend ALB Port (used by frontend to call an api)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name: /weather-app/backend-port Type: String Value: 80 </code></pre> </div> <p><strong>Parameter 4: Frontend ECR Registry</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name: /weather-app/ecr-registry-frontend Type: String Value: &lt;Your account ID&gt;.dkr.ecr.us-east-1.amazonaws.com/weather-frontend Example: 339712997278.dkr.ecr.us-east-1.amazonaws.com/weather-frontend </code></pre> </div> <p><strong>Parameter 5: Backend ECR Registry</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name: /weather-app/ecr-registry-backend Type: String Value: &lt;Your account ID&gt;.dkr.ecr.us-east-1.amazonaws.com/weather-backend Example: 339712997278.dkr.ecr.us-east-1.amazonaws.com/weather-backend </code></pre> </div> <p><strong>Parameter 6: OpenWeather API Key</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name: /weather-app/openweather-api-key Type: String (or SecureString for encryption) Value: &lt;Your OpenWeatherMap API key&gt; </code></pre> </div> <p>Get your free API key from: <a href="https://openweathermap.org/api" rel="noopener noreferrer">https://openweathermap.org/api</a></p> <h3> Verify Parameters </h3> <p>All 6 parameters should now be visible in Parameter Store with the prefix <code>/weather-app/</code></p> <p>—</p> <h2> Step 9: Create Launch Templates </h2> <h3> What is a Launch Template? </h3> <p>A Launch Template defines the configuration for EC2 instances that will be launched by Auto Scaling Groups. We'll create two templates - one for backend and one for frontend.</p> <h3> Launch Template 1: Backend Launch Template </h3> <p><strong>Navigate:</strong> EC2 → Launch Templates → Create launch template</p> <p><strong>Launch Template Name and Description</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Launch template name: weather-backend-lt Template version description: Backend instances for weather app </code></pre> </div> <p><strong>Application and OS Images (AMI)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Quick Start: Ubuntu Ubuntu Server 24.04 LTS (HVM), SSD Volume Type Architecture: 64-bit (x86) </code></pre> </div> <p><strong>Instance Type</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Instance type: t3.micro (or t2.micro for free tier) </code></pre> </div> <p><strong>Key Pair</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Key pair name: Select your existing key pair </code></pre> </div> <p><strong>Network Settings</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Subnet: Don't include in launch template Firewall (security groups): weather-backend-sg </code></pre> </div> <p><strong>Storage</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Keep default: 8 GiB, gp3 </code></pre> </div> <p><strong>Advanced Details</strong></p> <p><strong>IAM instance profile:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>LabRole (for AWS Academy users) OR weather-ec2-role (for regular AWS accounts) </code></pre> </div> <p><strong>Metadata accessible:</strong> Enabled</p> <p><strong>User data:</strong></p> <p>Copy the backend user data script from the repository:</p> <p><strong><a href="https://github.com/Shreyas-Yadav/weather-aws/blob/main/backend-deployment.sh" rel="noopener noreferrer">Backend User Data Script →</a></strong></p> <p>This script:</p> <ul> <li>Installs Docker and AWS CLI</li> <li>Fetches configuration from Parameter Store</li> <li>Pulls Docker image from ECR</li> <li>Starts the backend container</li> </ul> <p>Click <strong>Create launch template</strong></p> <h3> Launch Template 2: Frontend Launch Template </h3> <p>Follow the same steps with these differences:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Launch template name: weather-frontend-lt Template version description: Frontend instances for weather app Security group: weather-frontend-sg </code></pre> </div> <p><strong>User data:</strong></p> <p>Copy the frontend user data script from the repository:</p> <p><strong><a href="https://github.com/Shreyas-Yadav/weather-aws/blob/main/frontend-deployment.sh" rel="noopener noreferrer">Frontend User Data Script →</a></strong></p> <p>This script:</p> <ul> <li>Installs Docker and AWS CLI</li> <li>Fetches backend ALB DNS from Parameter Store</li> <li>Pulls Docker image from ECR</li> <li>Starts the frontend container with backend configuration</li> </ul> <p>Click <strong>Create launch template</strong></p> <h2> Step 10: Create Auto Scaling Groups </h2> <h3> What is an Auto Scaling Group? </h3> <p>An Auto Scaling Group (ASG) automatically manages EC2 instances - launching new instances when traffic increases and terminating them when traffic decreases. We'll create two ASGs - one for backend and one for frontend. </p> <p><strong>Note</strong> Create ASG first for backend and then create for frontend.</p> <h3> Auto Scaling Group 1: Backend ASG </h3> <p><strong>Navigate:</strong> EC2 → Auto Scaling Groups → Create Auto Scaling group</p> <p><strong>Step 1: Choose Launch Template</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Auto Scaling group name: weather-backend-asg Launch template: weather-backend-lt Version: Default (1) </code></pre> </div> <p>Click <strong>Next</strong></p> <p><strong>Step 2: Choose Instance Launch Options</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VPC: weather-app-vpc Availability Zones and subnets: ☑ weather-app-subnet-private1-us-east-1a ☑ weather-app-subnet-private2-us-east-1b </code></pre> </div> <p>Click <strong>Next</strong></p> <p><strong>Step 3: Configure Advanced Options</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Load balancing: ☑ Attach to an existing load balancer Choose from your load balancer target groups: ☑ weather-backend-tg Health checks: ☑ Turn on Elastic Load Balancing health checks Health check grace period: 300 seconds </code></pre> </div> <p>Click <strong>Next</strong></p> <p><strong>Step 4: Configure Group Size and Scaling</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Group size: Desired capacity: 2 Minimum capacity: 2 Maximum capacity: 4 Scaling: ☑ Target tracking scaling policy Scaling policy name: backend-cpu-scaling Metric type: Average CPU utilization Target value: 70 Instance warmup: 300 seconds </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6jwckwpwn6qguxasn90b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6jwckwpwn6qguxasn90b.png" alt=" " width="800" height="235"></a></p> <p>Click <strong>Next</strong> → <strong>Next</strong> → <strong>Create Auto Scaling group</strong></p> <p>Wait 5-10 minutes for instances to launch and become healthy.</p> <h3> Auto Scaling Group 2: Frontend ASG </h3> <p>Follow the same steps with these differences:</p> <p><strong>Step 1: Choose Launch Template</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Auto Scaling group name: weather-frontend-asg Launch template: weather-frontend-lt </code></pre> </div> <p><strong>Step 2: Network</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Availability Zones and subnets: ☑ weather-app-subnet-public1-us-east-1a ☑ weather-app-subnet-public2-us-east-1b </code></pre> </div> <p><strong>Step 3: Load Balancing</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Target group: weather-frontend-tg </code></pre> </div> <p><strong>Step 4: Group Size and Scaling</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Desired capacity: 2 Minimum capacity: 2 Maximum capacity: 4 Scaling policy name: frontend-cpu-scaling Metric type: Average CPU utilization Target value: 70 </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frrwrmvrenj946vl2gkn3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frrwrmvrenj946vl2gkn3.png" alt=" " width="800" height="284"></a></p> <p>Click <strong>Create Auto Scaling group</strong></p> <p>Wait 5-10 minutes for instances to launch and become healthy.</p> <h3> Verify Auto Scaling Groups </h3> <p><strong>Check Instances:</strong></p> <ol> <li>Go to <strong>EC2 → Instances</strong> </li> <li>You should see 4 running instances: <ul> <li>2 backend instances (in private subnets)</li> <li>2 frontend instances (in public subnets)</li> </ul> </li> </ol> <p><strong>Check Target Health:</strong></p> <ol> <li>Go to <strong>EC2 → Target Groups</strong> </li> <li>Select <strong>weather-backend-tg</strong> → Targets tab <ul> <li>Both targets should show <strong>Healthy</strong> </li> </ul> </li> <li>Select <strong>weather-frontend-tg</strong> → Targets tab <ul> <li>Both targets should show <strong>Healthy</strong> </li> </ul> </li> </ol> <p>—--</p> <h2> Step 11: Testing Your Application </h2> <h3> Test Application via Frontend ALB </h3> <p><strong>Get Frontend ALB DNS:</strong></p> <ol> <li>Go to <strong>EC2 → Load Balancers</strong> </li> <li>Select <strong>weather-frontend-alb</strong> </li> <li>Copy the <strong>DNS name</strong> </li> </ol> <p>Example: <code>weather-frontend-alb-841040545.us-east-1.elb.amazonaws.com</code></p> <p><strong>Test in Browser:</strong></p> <p>Open your browser and navigate to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://weather-frontend-alb-XXXXXXX.us-east-1.elb.amazonaws.com </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fylnpqyw7yqvgkco8navu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fylnpqyw7yqvgkco8navu.png" alt=" " width="800" height="440"></a></p> <p>You should see:</p> <ul> <li>Weather Application interface</li> <li>Search box to enter city name</li> <li>Real-time weather data when you search</li> </ul> <p><strong>Test the Complete Flow:</strong></p> <ol> <li>Enter a city name (e.g., "Mumbai", "London", "New York")</li> <li>Click <strong>Search</strong> </li> <li>Weather information should display: <ul> <li>Current temperature</li> <li>Weather condition (Haze, Clear, etc.)</li> <li>Feels like temperature</li> <li>Humidity</li> <li>Wind speed</li> <li>Pressure</li> </ul> </li> </ol> <p><strong>Common Issues:</strong></p> <p>If the application doesn't work:</p> <ol> <li> <p><strong>Check Target Health:</strong></p> <ul> <li>EC2 → Target Groups → Check both target groups show "Healthy"</li> </ul> </li> <li> <p><strong>Check Instance Logs:</strong></p> <ul> <li>Connect to instances via Session Manager</li> <li>View logs: <code>sudo docker logs weather-frontend</code> or <code>sudo docker logs weather-backend</code> </li> </ul> </li> <li> <p><strong>Check Security Groups:</strong></p> <ul> <li>Verify all security group rules are correct</li> <li>Frontend ALB should allow 80 from internet</li> <li>Backend ALB should allow 80 from frontend SG</li> </ul> </li> </ol> <p>—--</p> <h2> Step 12: Add Custom Domain and Enable HTTPS </h2> <h3> Prerequisites </h3> <p>You need a registered domain name from any registrar (Namecheap, GoDaddy, etc.)</p> <h3> Part A: Create Hosted Zone in Route 53 </h3> <p><strong>Navigate:</strong> Route 53 → Hosted zones → Create hosted zone</p> <p><strong>Configuration:</strong></p> <p>Domain name: shri.software<br> Type: Public hosted zone</p> <p>Click <strong>Create hosted zone</strong></p> <p><strong>Update Nameservers at Your Domain Registrar:</strong></p> <ol> <li>Copy the 4 NS (nameserver) records from Route 53</li> <li>Go to your domain registrar (Namecheap, GoDaddy, etc.)</li> <li>Replace existing nameservers with the 4 AWS nameservers</li> <li>Save changes</li> </ol> <p><strong>Wait 15-30 minutes for DNS propagation</strong></p> <h3> Part B: Request SSL/TLS Certificate </h3> <p><strong>Navigate:</strong> AWS Certificate Manager (ACM) → Request certificate<br> <strong>Step 1: Request Certificate</strong><br> Certificate type: Request a public certificate<br> Click <strong>Next</strong></p> <p><strong>Step 2: Domain Names</strong><br> Fully qualified domain name: shri.software<br> Add another name: *.shri.software (optional, for subdomains)</p> <p><strong>Step 3: Validation Method</strong><br> Validation method: DNS validation - recommended</p> <p><strong>Step 4: Key Algorithm</strong><br> RSA 2048 (default)<br> Click <strong>Request</strong></p> <h3> Part C: Validate Certificate </h3> <p>After requesting the certificate, ACM will show validation details.<br> <strong>Click "Create records in Route”</strong></p> <p>This automatically adds the required CNAME validation records to your hosted zone.<br> Wait 5-10 minutes for validation to complete.<br> <strong>Certificate Status:</strong> Will change from "Pending validation" to "Issued"</p> <h3> Part D: Create A Record for Your Domain </h3> <p><strong>Navigate:</strong> Route 53 → Hosted zones → shri.software</p> <p><strong>Create A Record:</strong><br> Record name: (leave empty for root domain)<br> Record type: A - Alias<br> Route traffic to: Alias to Application Load Balancer<br> Region: us-east-1<br> Load balancer: weather-frontend-alb</p> <p>Click <strong>Create records</strong></p> <h3> Part E: Add HTTPS Listener to Frontend ALB </h3> <p><strong>Navigate:</strong> EC2 → Load Balancers → weather-frontend-alb<br> <strong>Add HTTPS Listener:</strong></p> <ol> <li>Click <strong>Listeners</strong> tab</li> <li>Click <strong>Add listener</strong> </li> </ol> <p>Protocol: HTTPS<br> Port: 443<br> Default action: Forward to weather-frontend-tg<br> Default SSL/TLS certificate: From ACM → Select your certificate (shri.software)</p> <p>Click <strong>Add</strong></p> <h3> Part F: Redirect HTTP to HTTPS </h3> <p><strong>Edit HTTP:80 Listener:</strong></p> <ol> <li>Select <strong>HTTP:80</strong> listener</li> <li>Click <strong>Actions</strong> → <strong>Edit listener</strong> </li> <li>Remove existing forward action</li> <li>Add action → <strong>Redirect to...</strong> </li> </ol> <p>Protocol: HTTPS<br> Port: 443<br> Status code: 301 - Permanently moved</p> <p>Click <strong>Save changes</strong></p> <h3> Verify Your Setup </h3> <p><strong>Test in Browser:</strong></p> <p>Open: <a href="https://your_domain_name" rel="noopener noreferrer">https://your_domain_name</a></p> <p>You should see:<br> ✅ Padlock icon (secure connection)<br> ✅ Weather application loads<br> ✅ HTTP automatically redirects to HTTPS</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6uheosccn406oxmnp1r2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6uheosccn406oxmnp1r2.png" alt=" " width="800" height="781"></a></p> <p><strong>Congratulations!</strong> Your application is live.</p> <h2> Step 13: Cleanup and Delete Resources </h2> <p>It is essential to delete all resources created in this guide to avoid incurring unnecessary charges on your AWS account.</p> <h3> Cleanup Order </h3> <ol> <li><p><strong>Auto Scaling Groups (ASGs):</strong><br> Delete <code>weather-frontend-asg</code> and <code>weather-backend-asg</code>. (This action automatically terminates all running EC2 instances.)</p></li> <li><p><strong>Application Load Balancers (ALBs):</strong><br> Delete <code>weather-frontend-alb</code> and <code>weather-backend-alb</code>.</p></li> <li><p><strong>Target Groups:</strong><br> Delete <code>weather-frontend-tg</code> and <code>weather-backend-tg</code>.</p></li> <li><p><strong>Launch Templates:</strong><br> Delete <code>weather-frontend-lt</code> and <code>weather-backend-lt</code>.</p></li> <li><p><strong>ECR Repositories:</strong><br> Delete <code>weather-frontend</code> and <code>weather-backend</code>. (This deletes the stored Docker images.)</p></li> <li><p><strong>Route 53 &amp; AWS Certificate Manager (ACM):</strong><br> Delete the <strong>A Record</strong> pointing to the ALB.<br> Delete the <strong>ACM Certificate</strong>.<br> Delete the <strong>Hosted Zone</strong> in Route 53.</p></li> <li><p><strong>IAM Role &amp; Security Groups:</strong><br> Delete the <strong>IAM Role</strong> (<code>weather-ec2-role</code>).<br> Delete the <strong>4 Security Groups</strong> (<code>weather-frontend-alb-sg</code>, <code>weather-frontend-sg</code>, etc.).</p></li> <li><p><strong>Systems Manager Parameters:</strong><br> Delete all <strong>Parameters</strong> under the <code>/weather-app/</code> path.</p></li> <li><p><strong>VPC:</strong><br> Delete the <strong>VPC</strong> (<code>weather-app-vpc</code>). (This final step cleans up Subnets, Internet Gateway, and NAT Gateways.) </p></li> </ol> <h2> Conclusion and Thank You..! </h2> <p>Congratulations! You have successfully deployed a highly available, secure, and production-ready weather application on AWS using enterprise-grade architecture.</p> <p>By completing this guide, you’ve mastered key AWS services including VPC, Auto Scaling Groups, Application Load Balancers, ECR, Route 53, and ACM. This foundational knowledge is crucial for deploying any modern, scalable web application.</p> <p>Thank you for following along, and I hope this guide helps you on your cloud journey!</p> cloud aws devops architecture