This project focused on building and securing a three-tier AWS network architecture using an Application Load Balancer (ALB), a Bastion Host, and a private EC2 web instance. The environment was configured with public and private subnet separation, restricted security group rules, and controlled administrative access. During the lab, I also worked through IAM, SSH, and AWS Systems Manager (SSM) recovery issues before restoring secure end-to-end connectivity and validating the final architecture.
- Public Subnet
  - Application Load Balancer (ALB)
  - Bastion Host
- Private Subnet
  - Web Instance (`private-web`)
- Routing
  - Public route table connected to an Internet Gateway
  - Private route table limited to local routing only
- Access Control
  - Bastion Host allows SSH from my IP only
  - ALB allows HTTP from the internet on port 80
  - Private web instance allows:
    - HTTP from the ALB security group
    - SSH from the Bastion Host security group
- Administration
  - Used AWS Systems Manager Session Manager for secure management access
  - Injected a temporary SSH key through the AWS CLI when instance access needed to be recovered
Three-tier AWS network with an ALB, Bastion Host, private EC2 instance, and SSM-based administration.
This lab involved several recovery and troubleshooting steps before the architecture worked as intended:
- Initial SSH attempts from the Bastion Host to the private instance failed with `Permission denied (publickey)`
- The IAM role attached for SSM access was missing `AmazonSSMManagedInstanceCore`, causing `send-command` operations to fail
- The private instance became stuck in a `stopping` state and had to be force-stopped before recovery
- After attaching the correct IAM policy, I used `aws ssm send-command` to inject a temporary key into `/home/ec2-user/.ssh/authorized_keys`
- File permissions and ownership then had to be corrected using `chmod 600` and `chown ec2-user:ec2-user`
- Once permissions, IAM access, and security group rules were corrected, SSH access through the Bastion Host to the private instance worked successfully
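The recovery step above, written out as an added example (not the lab's original commands): `install_temp_key` is the remote-side script that `AWS-RunShellScript` would execute, `check_key_perms` verifies the end state, and `send_recovery_command` wraps the same steps in `aws ssm send-command`. The instance id, key file path, `ec2-user` home directory and the constructed test key are assumptions.

```shell
#!/bin/sh
# Added example, not the lab's original commands. Paths, the instance id and
# the key file are assumptions; the remote-side logic mirrors the recovery
# steps described above (send-command, append key, chmod 600, chown).

# Remote-side step, as AWS-RunShellScript would execute it. SSM runs it as
# root, so anything it creates under the user's home is root-owned until chown'd.
# install_temp_key KEY_LINE HOME_DIR OWNER
install_temp_key() {
  key="$1"; home="$2"; owner="$3"
  mkdir -p "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  # append only if absent, so re-running the command does not duplicate the key
  grep -qxF -- "$key" "$home/.ssh/authorized_keys" \
    || printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
  chmod 700 "$home/.ssh"
  chmod 600 "$home/.ssh/authorized_keys"
  # sshd (StrictModes) ignores authorized_keys not owned by the login user
  # or writable by others: the "Permission denied (publickey)" seen in the lab
  chown -R "$owner:$owner" "$home/.ssh"
}

# check_key_perms HOME_DIR: returns 0 only if .ssh is 700 and
# authorized_keys is 600, the state the lab ended in after the chmod/chown fix.
check_key_perms() {
  home="$1"
  [ -n "$(find "$home/.ssh" -maxdepth 0 -perm 700)" ] \
    && [ -n "$(find "$home/.ssh/authorized_keys" -maxdepth 0 -perm 600)" ]
}

# send_recovery_command INSTANCE_ID PUBKEY_FILE
# Ships the same steps through SSM. The instance profile must include
# AmazonSSMManagedInstanceCore, otherwise send-command fails as it did here.
send_recovery_command() {
  instance_id="$1"; key="$(cat "$2")"
  aws ssm send-command \
    --instance-ids "$instance_id" \
    --document-name AWS-RunShellScript \
    --comment "temporary SSH key for recovery, remove after use" \
    --parameters "commands=[\"mkdir -p /home/ec2-user/.ssh\",\"echo '$key' >> /home/ec2-user/.ssh/authorized_keys\",\"chmod 700 /home/ec2-user/.ssh\",\"chmod 600 /home/ec2-user/.ssh/authorized_keys\",\"chown -R ec2-user:ec2-user /home/ec2-user/.ssh\"]"
}
```

The temporary key should be removed from `authorized_keys` once the bastion path works again, so the recovery shortcut does not become a permanent second access route.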
One of the key lessons from this lab was understanding that the private instance needed SSH access allowed from the Bastion Host security group, not directly from my public IP.
| Test | Command / Evidence | Result |
|---|---|---|
| ALB Connectivity | `curl -I http://sp4-alb-454520712.ap-southeast-2.elb.amazonaws.com` | HTTP 200 OK |
| Bastion Access | AWS Systems Manager Session Manager login | Connected securely |
| Private Isolation | No public IP and security group restricted to ALB and Bastion access only | Verified |
| Target Health | ALB target group health check | Verified |
| Routing | Public subnet via Internet Gateway and private subnet limited to local routing | Verified |
This was one of the most challenging AWS labs I have completed so far because of the number of connected components and the way small configuration mistakes could break the entire access chain. It gave me practical experience with layered AWS security controls, IAM troubleshooting, Session Manager recovery, and secure administrative access design.
Working through the recovery process also reinforced the importance of validating security group relationships carefully, especially when controlling traffic between instances and services inside a VPC.
- Add HTTPS using ACM certificates
- Enable CloudWatch monitoring and logging
- Attach AWS WAF for additional application-layer protection
- Rebuild the architecture using Terraform
- Extend the design with KMS encryption and least-privilege IAM hardening
Successfully built and validated a three-tier AWS network architecture that uses an Application Load Balancer for public traffic, a Bastion Host for controlled administration, and a private EC2 instance for internal application hosting. The project also included real troubleshooting and recovery work involving IAM, SSM, SSH permissions, and security group design, making it a practical exercise in secure AWS networking.