Launching Wordpress and MySQL in our VPC Using Terraform

Shubhambhardwaj
6 min read, Aug 16, 2020

Performing the following steps:

1. Write Infrastructure as Code using Terraform that automatically creates a VPC.

2. In that VPC, create two subnets:

a) Public subnet [accessible from the public world]

b) Private subnet [not reachable from the public world]

3. Create a public-facing internet gateway to connect our VPC/network to the internet, and attach this gateway to our VPC.

4. Create a route table for the internet gateway so that instances can reach the outside world; add the route and associate the table with the public subnet.

5. Create a security group in the public subnet of our VPC for the WordPress instance that allows only HTTP port 80. Clients can then visit the WordPress site, but nobody can SSH into the WordPress instance, which keeps it well protected.

6. Create a security group in the private subnet of our VPC for the MySQL database instance that allows only TCP port 3306, and as the source give the WordPress security group ID instead of all IPs. When a client visits our WordPress site, WordPress connects to MySQL and fetches the data, but nobody can reach the database from the public world. So our MySQL database is well protected.

7. Launch an EC2 instance that already has WordPress set up, with the security group that allows port 80, so that clients can connect to our WordPress site. Also attach the key pair to the instance for logging in later.

8. Launch an EC2 instance that already has MySQL set up in the private subnet, with the security group that allows port 3306, so that our WordPress VM can connect to it. Attach the key pair to it as well.

9. Create a NAT gateway to connect our VPC/network to the internet, and attach it to our VPC in the public subnet. First we create an Elastic IP, because creating a NAT gateway requires allocating one.

10. Create a route table and update the routing of the private subnet so that it uses the NAT gateway created in the public subnet to reach the internet.

>>> Steps 9 and 10 are for future use. Suppose we want to go into the MySQL instance and update something: there is no SSH access into MySQL from outside, so steps 9 and 10 give the MySQL instance outbound internet access while still nobody from the public world can get inside.

11. We create a bastion host; from this instance we can log in to the MySQL instance. Before that we create one security group that opens SSH port 22 with source IP anywhere, which we attach to the bastion host instance, and one more security group that opens SSH port 22 with the bastion host's security group as the source, which we attach to the MySQL instance. So only those who come through the bastion host can log in to MySQL.
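Steps 1 to 4 written out in Terraform, as an added example that is not the article's own code. It assumes AWS provider 5.x, the 192.168.0.0/16 address plan and the availability zone names ap-south-1a/1b (all assumptions); the resource names are also assumed.

```hcl
# Step 1: the VPC itself (address plan is a constructed example).
resource "aws_vpc" "main" {
  cidr_block = "192.168.0.0/16"
}

# Step 2a: public subnet. Instances get public IPs; the route table below gives it internet access.
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "192.168.1.0/24"
  availability_zone       = "ap-south-1a"
  map_public_ip_on_launch = true
}

# Step 2b: private subnet. No public IPs, and it is never associated with the public route table.
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "192.168.2.0/24"
  availability_zone = "ap-south-1b"
}

# Step 3: internet gateway attached to the VPC.
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

# Step 4: route table with a default route to the IGW, associated with the public subnet only.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}
```

Because the private subnet has no association here, it falls back to the VPC's main route table, which has no route to the IGW, so nothing in it is reachable from the internet.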

We create two subnets: one has public access and one has private access. To make a subnet private, we simply do not associate it with the public route table.

We create one internet gateway to give our VPC connectivity to the outside world. Without the internet gateway we cannot send packets out to the public world.

We create one route table and attach it to subnet 1a, because we want that subnet to be publicly accessible. Attaching a route table to a subnet is called a route table association.

NAT Gateway:- a highly available, AWS-managed service that makes it easy to connect to the internet from instances within a private subnet in an Amazon Virtual Private Cloud (Amazon VPC). It always requires one Elastic IP, so we also create an EIP for it. Always connect the NAT gateway to a public subnet; in our case only subnet 1a is connected to an internet gateway.

Now we create one NAT gateway.

(Note:- a NAT gateway is not a free service; it incurs charges.)

We create one more route table, which we connect to the NAT gateway.
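The NAT gateway and the private route table as Terraform, an added example rather than the article's code. It assumes resources named aws_vpc.main, aws_subnet.public, aws_subnet.private and aws_internet_gateway.igw already exist in the same configuration, and AWS provider 5.x for the aws_eip domain argument (all assumptions).

```hcl
# Step 9: a NAT gateway needs an Elastic IP and must be placed in the public subnet,
# because that is the only subnet with a route to the internet gateway.
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  # The gateway only works once the IGW is attached to the VPC.
  depends_on = [aws_internet_gateway.igw]
}

# Step 10: a second route table whose default route goes to the NAT gateway, associated
# with the private subnet. Connections out are allowed; nothing can be initiated in from the internet.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}
```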

Now we create the four security groups (four firewalls), which allow only specific requests into the instances and block everything else.

Bastion OS / Jump Box:- the OS/instance we launch for maintenance purposes only. Suppose we create an instance that has no public access for security reasons, but we still need to maintain it. To get around this, we create a bastion OS and launch it in a public subnet. We connect to this OS, and from it we go into the private subnet and connect to the instance running there. The one extra piece is that the private instance also connects to the NAT gateway.

Security group 1:- We assign this SG to our WordPress instance and allow only port 80, because clients should only be able to read/access our website.

Security group 2:- We assign this SG to our MySQL instance. We want it to be accessible only by our WordPress instance, so we allow only port 3306, and only for requests coming from SG1.

Security group 3:- We create this SG for the bastion OS / jump box and allow port 22 (SSH), because we want to be able to reach this instance from anywhere in the world.

Security group 4:- We create SG4 to allow only requests that come from SG3.
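The four security groups as Terraform, an added example that is not the article's code. It assumes a VPC resource named aws_vpc.main in the same configuration and AWS provider 5.x (for the aws_vpc_security_group_*_rule resources); the group names are assumptions. The point to notice is that SG2 and SG4 use referenced_security_group_id instead of an IP range, so membership in SG1 or SG3 is what grants access.

```hcl
# SG1..SG4 as empty groups; the rule resources below give each its own policy.
resource "aws_security_group" "sg" {
  for_each = toset(["wordpress", "mysql", "bastion", "mysql_ssh"])
  name     = "${each.key}-sg"
  vpc_id   = aws_vpc.main.id
}

# Terraform removes AWS's default allow-all egress; re-add it (WordPress must open 3306, MySQL must reach the NAT).
resource "aws_vpc_security_group_egress_rule" "all_out" {
  for_each          = aws_security_group.sg
  security_group_id = each.value.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}

# SG1: HTTP from anywhere, and deliberately no port-22 rule.
resource "aws_vpc_security_group_ingress_rule" "wordpress_http" {
  security_group_id = aws_security_group.sg["wordpress"].id
  ip_protocol       = "tcp"
  from_port         = 80
  to_port           = 80
  cidr_ipv4         = "0.0.0.0/0"
}

# SG2: 3306 only from instances carrying SG1 (group reference, not an IP range).
resource "aws_vpc_security_group_ingress_rule" "mysql_from_wordpress" {
  security_group_id            = aws_security_group.sg["mysql"].id
  referenced_security_group_id = aws_security_group.sg["wordpress"].id
  ip_protocol                  = "tcp"
  from_port                    = 3306
  to_port                      = 3306
}

# SG3: SSH to the bastion from anywhere (as in the article); narrow cidr_ipv4 to your admin range if you have one.
resource "aws_vpc_security_group_ingress_rule" "bastion_ssh" {
  security_group_id = aws_security_group.sg["bastion"].id
  ip_protocol       = "tcp"
  from_port         = 22
  to_port           = 22
  cidr_ipv4         = "0.0.0.0/0"
}

# SG4: SSH to MySQL only from instances carrying SG3.
resource "aws_vpc_security_group_ingress_rule" "mysql_ssh_from_bastion" {
  security_group_id            = aws_security_group.sg["mysql_ssh"].id
  referenced_security_group_id = aws_security_group.sg["bastion"].id
  ip_protocol                  = "tcp"
  from_port                    = 22
  to_port                      = 22
}
```

The MySQL instance is launched with both sg["mysql"] and sg["mysql_ssh"] attached, matching the two-SG setup described for it below.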

Lastly we create three instances: one for WordPress, a second for MySQL, and a third for maintenance (the bastion OS).

[Screenshots: WordPress instance, Bastion instance, MySQL instance]

On the MySQL instance we attach two SGs: one allows requests from WordPress and the other allows requests from the bastion OS.

Now we log in to the bastion OS. A console like the following appears.

Now upload the key from your local system to the bastion OS using any file-transfer tool; this is what lets us connect to MySQL. In my case I used WinSCP.

In the password section, select the Advanced option.

In the step above we only connected our local system to the bastion OS. Once the connection is established, select the path where your key is located and drag it to the other side. Your key is now copied from your local system to the bastion OS.

Run chmod 400 your_key_name. This sets the permissions on the key file so that ssh will accept it.

Now run ssh -i your_key_name -l ec2-user your_private_ip_of_MySQL.
