How to set up WordPress with a dedicated Database Server along with NAT Gateway on AWS Cloud?
Project Description:-
- Write an Infrastructure as code using Terraform, which automatically creates a VPC.
- In that VPC we have to create 2 subnets:
- public subnet [ Accessible for Public World! ]
- private subnet [ Restricted for Public World! ]
- Create a public-facing internet gateway for connecting our VPC/Network to the internet world and attach this gateway to our VPC.
- Create a routing table for the Internet gateway so that the instance can connect to the outside world, update and associate it with the public subnet.
- Create a NAT gateway to connect our VPC/Network to the internet world and attach this gateway to our VPC in the public network
- Update the routing table of the private subnet, so that to access the internet it uses the NAT gateway created in the public subnet
- Launch an ec2 instance that has WordPress setup already having the security group allowing port 80 so that our client can connect to our WordPress site. Also, attach the key to the instance for further login into it.
- Launch an ec2 instance that has MYSQL setup already with a security group allowing port 3306 in a private subnet so that our WordPress VM can connect with the same. Also, attach the key with the same.
Note:- WordPress instance has to be part of the public subnet so that our client can connect to our site. MySQL instance has to be part of a private subnet so that the outside world can’t connect to it. Don’t forget to add the auto IP assign and auto DNS name assignment option to be enabled.
What is WordPress?
WordPress (WP, WordPress.org) is a free and open-source content management system (CMS) written in PHP and paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system, referred to within WordPress as Themes.
What is Bastion Host?
A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example, a proxy server, and all other services are removed or limited to reduce the threat to the computer.
Let’s get started…
Step 1:- First of all, configure your AWS profile in your local system using cmd. Fill in your details & press Enter. Use the following command for the same:-
aws configureStep 2:- Next, we need to create a VPC. Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including the selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.
The terraform code to create a VPC is as follows:-
resource "aws_vpc" "ananya_vpc" {
cidr_block = "192.168.0.0/16"
instance_tenancy = "default"
enable_dns_hostnames = true
tags = {
Name = "ananya_vpc"
}
}Step 3:- Now, we need to create two subnets in this VPC :
a) public subnet [ Accessible for Public World! ]
b) private subnet [ Restricted for Public World! ]
A subnet is “part of the network”, in other words, part of the entire availability zone. Each subnet must reside entirely within one Availability Zone and cannot span zones. The terraform code to create both the private & the public subnet is as follows:-
resource "aws_subnet" "ananya_public_subnet" {
vpc_id = "${aws_vpc.ananya_vpc.id}"
cidr_block = "192.168.0.0/24"
availability_zone = "ap-south-1a"
map_public_ip_on_launch = "true"
tags = {
Name = "ananya_public_subnet"
}
}
resource "aws_subnet" "ananya_private_subnet" {
vpc_id = "${aws_vpc.ananya_vpc.id}"
cidr_block = "192.168.1.0/24"
availability_zone = "ap-south-1a"
tags = {
Name = "ananya_private_subnet"
}
}Step 4:- Next, we create a Public facing Internet Gateway. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
The terraform code to create the Gateway is as follows:-
resource "aws_internet_gateway" "ananya_gw" {
vpc_id = "${aws_vpc.ananya_vpc.id}"
tags = {
Name = "ananya_gw"
}
}Step 5:- Next, we create a Routing Table & associate it with the Public Subnet. A routing table, or routing information base (RIB), is an electronic file or database-type object that is stored in a router or a networked computer, holding the routes (and in some cases, metrics associated with those routes) to particular network destinations. This information contains the topology of the network close to it. The terraform code for the same is as follows:-
resource "aws_route_table" "ananya_rt" {
vpc_id = "${aws_vpc.ananya_vpc.id}"route {
cidr_block = "0.0.0.0/0"
gateway_id = "${aws_internet_gateway.ananya_gw.id}"
}tags = {
Name = "ananya_rt"
}
}resource "aws_route_table_association" "ananya_rta" {
subnet_id = "${aws_subnet.ananya_public_subnet.id}"
route_table_id = "${aws_route_table.ananya_rt.id}"
}Step 6:- Now, we create our security group which will be used while launching WordPress. This security group has the permissions for outside connectivity. A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance. Security groups are associated with network interfaces.
resource "aws_security_group" "ananya_sg" {name = "ananya_sg"
vpc_id = "${aws_vpc.ananya_vpc.id}"ingress {
description = "allow_http"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = [ "0.0.0.0/0"]}ingress {
description = "allow_ssh"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
description = "allow_icmp"
from_port = 0
to_port = 0
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
description = "allow_mysql"
from_port = 3306
to_port = 3306
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {Name = "ananya_sg"
}
}Bastion Host for this security group:-
resource "aws_security_group" "bastion_ssh_only" {
depends_on=[aws_subnet.ananya_public_subnet]
name = "bastion_ssh_only"
description = "It allows bastion ssh inbound traffic"
vpc_id = aws_vpc.ananya_vpc.idingress {
description = "allow bastion with ssh only"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}tags = {
Name = "bastion_ssh_only"
}
}
Step 7:- Now, we create another security group that will be used to launch MySQL. This security group will keep MySQL accessible only through WordPress and not through the outside world.
resource "aws_security_group" "ananya_sg_private" {name = "ananya_sg_private"
vpc_id = "${aws_vpc.ananya_vpc.id}"
ingress {
description = "allow_mysql"
from_port = 3306
to_port = 3306
protocol = "tcp"
security_groups = [aws_security_group.ananya_sg.id]
}ingress {
description = "allow_icmp"
from_port = -1
to_port = -1
protocol = "icmp"
security_groups = [aws_security_group.ananya_sg.id]
}egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
tags = {Name = "ananya_sg_private"
}
}
Bastion Host for this security group:-
resource "aws_security_group" "bastion_host_sql_only" {
depends_on=[aws_subnet.ananya_public_subnet]
name = "bastion_with_ssh_only"
vpc_id = aws_vpc.ananya_vpc.idingress {
description = "bastion host ssh only "
from_port = 22
to_port = 22
protocol = "tcp"
security_groups=[aws_security_group.bastion_ssh_only.id]}egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}tags = {
Name = "bastion_with_ssh_only"
}
}
Step 8:- Next, we create a NAT gateway to connect our VPC/Network to the internet world. NAT Gateway is a highly available AWS managed service that makes it easy to connect to the Internet from instances within a private subnet in an Amazon Virtual Private Cloud (Amazon VPC). Previously, you needed to launch a NAT instance to enable NAT for instances in a private subnet
resource "aws_eip" "ananya-ip" {
vpc = true
public_ipv4_pool = "amazon"
}
output "new_output" {
value= aws_eip.ananya-ip
}resource "aws_nat_gateway" "ananya_nat_gw" {
depends_on = [aws_eip.ananya-ip]
allocation_id = aws_eip.ananya-ip.id
subnet_id = aws_subnet.ananya_public_subnet.idtags = {
Name = "ananya_nat_gw"
}
}resource "aws_route_table" "vp_private_subnet_for_rt" {
depends_on = [aws_nat_gateway.ananya_nat_gw]
vpc_id = aws_vpc.ananya_vpc.id
route {
cidr_block = "0.0.0.0/0"gateway_id = aws_nat_gateway.ananya_nat_gw.id
}
tags = {
Name = "vp_private_subnet_for_rt"
}
}resource "aws_route_table_association" "as_private_subnet_for_rt_association" {
depends_on = [aws_route_table.as_private_subnet_for_rt]
subnet_id = aws_subnet.ananya_private_subnet.id
route_table_id = aws_route_table.sp_private_subnet_for_rt.id
}.
Step 9:- Now, we are ready to go. We launch our WordPress and MySQL instances using all the resources that we have created above.
WordPress:-
resource "aws_instance" "wordpress" {
ami = "ami-ff82f990"
instance_type = "t2.micro"
key_name = "ananya_key"
subnet_id = "${aws_subnet.ananya_public_subnet.id}"
security_groups = ["${aws_security_group.ananya_sg.id}"]
associate_public_ip_address = true
availability_zone = "ap-south-1a"
tags = {
Name = "ananya_wordpress"
}
}MySQL:-
resource "aws_instance" "sql" {
ami = "ami-08706cb5f68222d09"
instance_type = "t2.micro"
key_name = "ananya_key"
subnet_id = "${aws_subnet.ananya_private_subnet.id}"
availability_zone = "ap-south-1a"
security_groups = ["${aws_security_group.ananya_sg_private.id}"]
depends_on = [aws_security_group.bastion_host_sql_only,aws_security_group.bastion_ssh_only]
tags = {
Name = "ananya_sql"
}
}Bastion Host:-
resource "aws_instance" "bastion_host" {
depends_on=[aws_security_group.bastion_ssh_only]
ami = "ami-08706cb5f68222d09"
instance_type = "t2.micro"
key_name = "task4"
subnet_id= aws_subnet.ananya_public_subnet.id
vpc_security_group_ids=[aws_security_group.bastion_ssh_only.id]
tags = {
Name = "bastion_host"
}
}Step 10:- Now, we run our terraform code. For doing so, we first run the command terraform init. This will download the necessary plugins.
Then, we run the command terraform apply — auto-approve. This will run the code and create the mentioned resources on the configured AWS Cloud.
Soon, we see that all our resources are added !!
Now, we can access our WordPress site using the Public IP address that is mentioned in the instance description.
Thanks for reading :)
