Security Group Configuration (ALB, ASG, RDS)
This mirrors a common 3-tier pattern: SG-ALB → SG-ASG → SG-RDS. Each tier's group references the group in front of it as its source, so only traffic that has passed through the previous tier is accepted. Remember: Security Groups are stateful, so return traffic for an allowed connection is permitted automatically without an explicit rule.
SG-ALB (for Application Load Balancer)
Inbound
  Type   | Port | Source
  HTTP   | 80   | 0.0.0.0/0
  HTTPS  | 443  | 0.0.0.0/0
Outbound
  Type        | Port | Destination
  All Traffic | All  | 0.0.0.0/0

SG-ASG (for EC2 instances in Auto Scaling Group)
Inbound
  Type           | Port | Source
  HTTP           | 80   | SG-ALB
  SSH (Ops only) | 22   | Ops Bastion / VPN
Outbound
  Type         | Port | Destination
  MySQL/Aurora | 3306 | SG-RDS
  HTTPS        | 443  | 0.0.0.0/0 (via NAT)

SG-RDS (for RDS Multi-AZ)
Inbound
  Type         | Port | Source
  MySQL/Aurora | 3306 | SG-ASG
Outbound
  Type        | Port | Destination
  All Traffic | All  | Within RDS (managed)
Security Group Traffic Simulation
This is a simplified teaching simulator: it checks whether a given flow would be ALLOWED or DENIED by the SG pattern shown above (SG-ALB → SG-ASG → SG-RDS).
SG Teaching Notes
✔ Internet → ALB: HTTP/80 or HTTPS/443 is allowed by SG-ALB
✔ ALB → EC2: HTTP/80 allowed (SG-ASG inbound from SG-ALB)
✔ EC2 → RDS: 3306 allowed (SG-RDS inbound from SG-ASG)
✖ Internet → RDS directly should be DENIED
✖ Internet → EC2 directly (bypassing ALB) should be DENIED (except admin paths via Bastion/VPN)
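The checks in the teaching notes above, as an added Python example (not the page's own simulator): inbound rules are taken from the SG tables, sources that name another security group are matched by group membership rather than by IP, and only the initiating packet is evaluated because groups are stateful. The endpoint IPs, the client address and the bastion's group name (SG-BASTION) are assumptions made for the example.

```python
# Added example (not the page's own simulator): a stateful Security Group check
# for the SG-ALB -> SG-ASG -> SG-RDS pattern shown above.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed endpoints: name -> (security group, private IP). The IPs and the
# bastion's SG name (SG-BASTION) are assumptions, not values from the page.
ENDPOINTS = {
    "alb": ("SG-ALB", "10.0.1.10"),
    "ec2": ("SG-ASG", "10.0.11.20"),
    "rds": ("SG-RDS", "10.0.21.30"),
    "bastion": ("SG-BASTION", "10.0.1.50"),
}

@dataclass(frozen=True)
class Rule:
    proto: str
    from_port: int
    to_port: int
    source: str  # a CIDR, or the ID of the SG whose members may connect

# Inbound rules from the SG tables on this page. Only the initiating packet is
# checked: SGs are stateful, so replies ride on the tracked connection.
INBOUND = {
    "SG-ALB": [Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 443, 443, "0.0.0.0/0")],
    "SG-ASG": [Rule("tcp", 80, 80, "SG-ALB"), Rule("tcp", 22, 22, "SG-BASTION")],
    "SG-RDS": [Rule("tcp", 3306, 3306, "SG-ASG")],
}

def rule_matches(rule, src_sg, src_ip, port, proto):
    if rule.proto != proto or not rule.from_port <= port <= rule.to_port:
        return False
    if rule.source.startswith("SG-"):  # SG-referenced source: membership, not IP
        return src_sg == rule.source
    return ip_address(src_ip) in ip_network(rule.source)

def is_allowed(src, dst, port, proto="tcp"):
    """src is an endpoint name or a bare IP (Internet client); dst is an endpoint."""
    dst_sg, _ = ENDPOINTS[dst]
    src_sg, src_ip = ENDPOINTS.get(src, (None, src))
    return any(rule_matches(r, src_sg, src_ip, port, proto) for r in INBOUND.get(dst_sg, []))

if __name__ == "__main__":
    internet = "203.0.113.10"  # documentation-range address standing in for a client
    for src, dst, port in [(internet, "alb", 443), ("alb", "ec2", 80), ("ec2", "rds", 3306),
                           (internet, "rds", 3306), (internet, "ec2", 80), ("bastion", "ec2", 22)]:
        print(src, "->", dst, port, "ALLOWED" if is_allowed(src, dst, port) else "DENIED")
```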
Network ACL (Subnet-level, Stateless)
Network ACLs (NACLs) sit at the subnet layer and are stateless: both the inbound and the outbound rule set must allow a connection, including its return traffic. Rules are evaluated in ascending rule-number order and the first match wins; the implicit * rule denies whatever no numbered rule matched.
Public Subnets NACL (IGW / ALB)
Inbound Rules
  #   | Type      | Port       | Source    | Allow/Deny
  100 | HTTP      | 80         | 0.0.0.0/0 | ALLOW
  110 | HTTPS     | 443        | 0.0.0.0/0 | ALLOW
  120 | Ephemeral | 1024-65535 | 0.0.0.0/0 | ALLOW (responses)
  *   | All       | All        | 0.0.0.0/0 | DENY
Outbound Rules
  #   | Type      | Port       | Destination | Allow/Deny
  100 | HTTP      | 80         | 0.0.0.0/0   | ALLOW
  110 | HTTPS     | 443        | 0.0.0.0/0   | ALLOW
  120 | Ephemeral | 1024-65535 | 0.0.0.0/0   | ALLOW (responses)
  *   | All       | All        | 0.0.0.0/0   | DENY
Private Subnets NACL (EC2, RDS)
Inbound Rules
  #   | Type      | Port       | Source              | Allow/Deny
  100 | HTTP      | 80         | Public Subnets CIDR | ALLOW (from ALB)
  110 | MySQL     | 3306       | Private ASG CIDR    | ALLOW (from EC2)
  120 | Ephemeral | 1024-65535 | 0.0.0.0/0           | ALLOW (responses)
  *   | All       | All        | 0.0.0.0/0           | DENY
Outbound Rules
  #   | Type       | Port       | Destination         | Allow/Deny
  100 | HTTP/HTTPS | 80/443     | 0.0.0.0/0 (via NAT) | ALLOW
  110 | MySQL      | 3306       | RDS Subnets CIDR    | ALLOW
  120 | Ephemeral  | 1024-65535 | 0.0.0.0/0           | ALLOW (responses)
  *   | All        | All        | 0.0.0.0/0           | DENY
NACL Teaching Notes
✔ NACLs are evaluated in order (lowest rule number first).
✔ You must allow traffic on both inbound and outbound sides because NACLs are stateless.
✔ Security Groups are usually your primary filter; NACLs provide an extra coarse-grained subnet layer.
✖ If you accidentally DENY ephemeral ports, return traffic will fail even if SGs allow it.
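The NACL teaching notes above, as an added Python example (not the page's own simulator): rules are matched lowest-number first with an implicit default DENY, a connection is checked four times because request and reply are filtered separately in each direction, and a helper drops one rule so the ephemeral-port failure mode can be reproduced. The CIDR columns of the tables are omitted here, which is an assumption made to keep the example to the port and order logic.

```python
# Added example (not the page's own simulator): a stateless NACL evaluator for the
# Public and Private subnet NACLs shown above. CIDR columns are omitted since the
# teaching notes are about rule order, both directions and ephemeral ports.
from dataclasses import dataclass

@dataclass(frozen=True)
class NaclRule:
    number: int    # evaluated in ascending order; the implicit '*' rule denies
    ports: object  # any container supporting 'in': a set of ports or a range
    action: str    # "ALLOW" or "DENY"

def evaluate(rules, port):
    """First matching rule wins; no match means the implicit '*' DENY."""
    for rule in sorted(rules, key=lambda r: r.number):
        if port in rule.ports:
            return rule.action == "ALLOW"
    return False

EPHEMERAL = range(1024, 65536)
PUBLIC_RULES = [NaclRule(100, {80}, "ALLOW"), NaclRule(110, {443}, "ALLOW"),
                NaclRule(120, EPHEMERAL, "ALLOW")]
PUBLIC_NACL = {"inbound": PUBLIC_RULES, "outbound": PUBLIC_RULES}
PRIVATE_NACL = {
    "inbound": [NaclRule(100, {80}, "ALLOW"), NaclRule(110, {3306}, "ALLOW"),
                NaclRule(120, EPHEMERAL, "ALLOW")],
    "outbound": [NaclRule(100, {80, 443}, "ALLOW"), NaclRule(110, {3306}, "ALLOW"),
                 NaclRule(120, EPHEMERAL, "ALLOW")],
}

def connection_allowed(client_nacl, server_nacl, service_port, client_port):
    """Check one TCP connection end to end. NACLs are stateless, so the request
    and the reply (to the client's ephemeral port) are filtered separately on
    each side: four checks. None = no NACL on that side. Returns (ok, failed)."""
    checks = [
        ("client subnet outbound: request", client_nacl, "outbound", service_port),
        ("server subnet inbound: request", server_nacl, "inbound", service_port),
        ("server subnet outbound: reply", server_nacl, "outbound", client_port),
        ("client subnet inbound: reply", client_nacl, "inbound", client_port),
    ]
    for name, nacl, direction, port in checks:
        if nacl is not None and not evaluate(nacl[direction], port):
            return False, name
    return True, None

def without_rule(nacl, direction, number):
    """Constructed misconfiguration: drop one rule, e.g. the ephemeral ALLOW."""
    return {**nacl, direction: [r for r in nacl[direction] if r.number != number]}
```

Calling `connection_allowed(None, without_rule(PUBLIC_NACL, "outbound", 120), 443, 51234)` reports the failure at the server subnet's outbound reply check, which is exactly the case the last teaching note warns about.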
SysOps Exam Mode — Architecture Questions
Q1. Why is the Internet Gateway (IGW) drawn outside the VPC box?
Q2. What is the main purpose of the NAT Gateway in this design?
Q3. If the ALB health checks fail for all EC2 instances, what happens?
Q4. During an RDS Multi-AZ failover, what changes from the application’s perspective?
Q5. CloudWatch alarms for high CPU on ASG typically trigger which action?
CloudFormation — ALB Across 2 AZs
AWSTemplateFormatVersion: '2010-09-09'
Description: Application Load Balancer across 2 AZs with Target Group & Listener
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC ID where ALB will be deployed
  PublicSubnet1:
    Type: AWS::EC2::Subnet::Id
    Description: Public Subnet 1 (AZ-a)
  PublicSubnet2:
    Type: AWS::EC2::Subnet::Id
    Description: Public Subnet 2 (AZ-b)
  EC2Target1:
    Type: String
    Description: EC2 instance ID in AZ-a
  EC2Target2:
    Type: String
    Description: EC2 instance ID in AZ-b
Resources:
  # SG-ALB equivalent: this template serves HTTP only, so just port 80 is opened
  # to the Internet (the SG-ALB table above also lists 443 for an HTTPS listener).
  ALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ALB Security Group
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
  # One ALB spanning both public subnets (one per AZ) for availability.
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: ALB2AZ
      Scheme: internet-facing
      Type: application
      IpAddressType: ipv4
      SecurityGroups:
        - !Ref ALBSecurityGroup
      Subnets:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
      Tags:
        - Key: Name
          Value: ALB-2AZ
  # Target group with one instance per AZ; health checks GET / over HTTP.
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: ALBTargetGroup
      Port: 80
      Protocol: HTTP
      VpcId: !Ref VpcId
      HealthCheckPath: /
      HealthCheckProtocol: HTTP
      TargetType: instance
      Targets:
        - Id: !Ref EC2Target1
          Port: 80
        - Id: !Ref EC2Target2
          Port: 80
  # HTTP listener forwarding everything to the target group.
  ALBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ApplicationLoadBalancer
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup
Outputs:
  ALBDNS:
    Description: DNS name of the ALB
    Value: !GetAtt ApplicationLoadBalancer.DNSName
  TargetGroupARN:
    Description: ARN of the target group
    Value: !Ref TargetGroup