Phone

+92 304 029 2730

Email

info@mbilalnaeem.com

Website

https://mbilalnaeem.com

Address

Faisalabad, Pakistan

Project

Automated AWS DevOps Pipeline

A 'push-to-deploy' solution for a Laravel & Vue.js application using a fully automated AWS DevOps pipeline. This architecture ensures high availability via Elastic Beanstalk load balancing and robust security through private networking, a bastion host for database access, and centralized secret management via AWS Secrets Manager.

Client

Tech Company

Start Date

Apr 20, 2023

Automated AWS DevOps Pipeline

1. Project Overview

This project implements an enterprise-grade, secure, and fully automated CI/CD pipeline. The primary goal is to create a "zero-touch" deployment environment where a developer pushing code to a GitHub repository automatically triggers a secure build, test, and deployment process on AWS.

The architecture is designed with a "security-first" mindset, isolating all critical components (application servers, database) in private subnets. The only public entry point is the Application Load Balancer, to which Route 53 routes the domain. This setup provides a robust, scalable, and maintainable platform for a modern Laravel (backend) and Vue.js (frontend) application.
2. Key Features
  • Fully Automated CI/CD: Code pushed to the main branch is automatically built, tested, and deployed to production with no manual intervention.
  • High Availability & Scalability: AWS Elastic Beanstalk, coupled with an Application Load Balancer (ALB), automatically manages EC2 instance scaling based on traffic load, ensuring the application is always responsive.
  • Robust Security: The entire application and database run in private VPC subnets, inaccessible from the public internet. A Bastion Host provides the only secure, controlled access for database maintenance.
  • Centralized Secret Management: No hardcoded credentials. All environment variables (database passwords, API keys) are securely stored in AWS Secrets Manager and injected into the Elastic Beanstalk environment at runtime.
  • Optimized Performance: Static assets (CSS, JS, images) built from Vue.js are stored in an S3 bucket and distributed globally via a CDN (AWS CloudFront) for low-latency delivery.
3. Automated Deployment Workflow

This pipeline is a hybrid model using GitHub Actions for the frontend build and AWS CodePipeline for the backend deployment.

  1. Push to GitHub: A developer pushes a commit to the main branch.
  2. GitHub Actions (Frontend):
    • Triggers a workflow on push.
    • Checks out the code.
    • Installs Node.js dependencies (npm install).
    • Builds the production-ready Vue.js assets (npm run build).
    • Syncs the compiled assets from the /public directory to the S3 Bucket configured for static asset hosting.
    • Invalidates the CDN (CloudFront) cache to ensure users receive the new assets.
  3. AWS CodePipeline (Backend):
    • The same GitHub push (or a separate webhook) triggers the AWS CodePipeline.
    • Source Stage: CodePipeline pulls the latest source code from the GitHub repository.
    • Build Stage (AWS CodeBuild):
      • Spins up a clean build environment.
      • Fetches secrets (like a private composer key, if needed) from AWS Secrets Manager.
      • Runs composer install --no-dev --optimize-autoloader to install Laravel dependencies.
      • Packages the application (including Laravel files, excluding the already-deployed Vue assets) into a deployment artifact.
    • Deploy Stage (AWS CodeDeploy):
      • CodeDeploy hands the new application version to Elastic Beanstalk.
      • Elastic Beanstalk performs an immutable or rolling deployment, launching new EC2 instances with the updated code.
      • Once new instances are healthy, the Load Balancer shifts traffic to them, and the old instances are terminated.
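
The GitHub Actions half of this workflow, added here as an illustration rather than the project's own file. It assumes the Vite build writes to public/build, the eu-west-1 region, and repository secrets named AWS_DEPLOY_ROLE_ARN, ASSET_BUCKET and CLOUDFRONT_DIST_ID; the AWS role is assumed through OIDC, so no long-lived access keys are stored in GitHub.

```yaml
# .github/workflows/frontend.yml (assumed path)
name: frontend-build-deploy

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write        # lets the job request an OIDC token for AWS

jobs:
  build-and-sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm

      - run: npm ci        # reproducible install from package-lock.json
      - run: npm run build # compiled assets land in public/build (assumed)

      # Short-lived credentials via OIDC instead of stored AWS keys.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}   # assumed secret
          aws-region: eu-west-1                                 # assumed region

      # Hashed bundles can be cached for a year; the manifest is refreshed
      # by the invalidation step below.
      - run: >
          aws s3 sync public/build "s3://${{ secrets.ASSET_BUCKET }}/build"
          --cache-control "public,max-age=31536000,immutable"

      - run: >
          aws cloudfront create-invalidation
          --distribution-id "${{ secrets.CLOUDFRONT_DIST_ID }}"
          --paths "/build/*"
```

The IAM role's trust policy should pin the GitHub OIDC subject to this repository and branch, otherwise any workflow that can obtain a token from GitHub's provider could assume it.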
4. Security & Network Architecture

Security is the cornerstone of this design: internal components talk only to each other, and nothing in the private zone is reachable from the public internet.

  • Public Zone:
    • Route 53: Manages the domain (e.g., app.yourdomain.com) and routes all traffic only to the Application Load Balancer.
    • Application Load Balancer (ALB): The only component in a public subnet. It handles SSL termination and distributes requests to the application servers.
    • Bastion Host: A single, hardened EC2 instance in a public subnet. Its Security Group only allows SSH access (Port 22) from a specific IP (e.g., an office IP). This is the only way for an administrator to access the private network.
  • Private Zone (Internal Coupling):
    • Elastic Beanstalk (EC2 Instances): The Laravel application servers run in a private subnet. Their Security Group only accepts traffic from the ALB (on Port 80/443). They have no direct internet access.
    • MySQL Database (RDS): The database lives in a separate, isolated database subnet. Its Security Group only accepts traffic from the EC2 instances (on Port 3306). It is not directly reachable from either the bastion host or the internet.
    • Secrets Manager: The Elastic Beanstalk instances have an IAM Role that grants them permission to read only their specific secrets from Secrets Manager at boot time.
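
The Security Group chain and the scoped instance role described in this section as a CloudFormation excerpt, added here for illustration and not taken from the project. It assumes VpcId, OfficeCidr and AppSecretArn are stack parameters declared elsewhere in the template, and omits the managed policies Elastic Beanstalk itself requires on the instance profile.

```yaml
# Excerpt of a CloudFormation template (assumed): VpcId, OfficeCidr and AppSecretArn are stack parameters.
Resources:
  AlbSecurityGroup:                    # the only component reachable from the internet
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from anywhere, TLS terminated at the ALB
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }
  BastionSecurityGroup:                # SSH only from one known office address
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Admin SSH from the office address only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 22, ToPort: 22, CidrIp: !Ref OfficeCidr }
  AppSecurityGroup:                    # Laravel instances in the private subnet
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Plain HTTP from the load balancer only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 80, ToPort: 80,
            SourceSecurityGroupId: !Ref AlbSecurityGroup }
  DbSecurityGroup:                     # RDS in the isolated database subnet
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: MySQL from the application instances only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 3306, ToPort: 3306,
            SourceSecurityGroupId: !Ref AppSecurityGroup }
  AppInstanceRole:                     # attached to the Beanstalk instance profile
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: read-own-secret
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: secretsmanager:GetSecretValue
                Resource: !Ref AppSecretArn      # one secret ARN, never "*"
```

Because every private-zone rule references a source Security Group rather than a CIDR, instances launched by scaling inherit the same allow-list automatically, and a config drift check only has to confirm that no rule in these groups uses 0.0.0.0/0 except the ALB's port 443.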
5. Technology Stack

  • Application: Laravel (PHP), Vue.js
  • CI/CD: GitHub Actions (Frontend Build), AWS CodePipeline (Backend Orchestration), AWS CodeBuild, AWS CodeDeploy
  • Compute & Hosting: AWS Elastic Beanstalk
  • Networking: AWS VPC (Public/Private Subnets), Application Load Balancer (ALB), AWS Route 53
  • Database: AWS RDS for MySQL
  • Storage & CDN: AWS S3, AWS CloudFront (CDN)
  • Security: AWS Secrets Manager, IAM Roles, Security Groups, AWS Certificate Manager (for SSL)
  • Secure Access: Bastion Host (EC2)