Creating a web portal with as much security as possible on AWS
Hey there! This time we are creating a web portal, let's say for a company, with as much security as we can add ourselves on AWS. We will try to use Terraform as much as possible (a few of the steps are done manually).
So, basically we are going to use WordPress with a dedicated database server. To enhance security, the database will not be reachable from the outside world; only the WordPress site needs to be public so that clients can connect to it.
Here are the steps, for a proper understanding; we will then perform them later in this article.
- Create a VPC
- In that VPC we have to create 2 subnets (public and private).
- Create a public-facing internet gateway for connecting our VPC/network to the internet, and attach this gateway to our VPC.
- Create a route table for the internet gateway so that instances can connect to the outside world, then associate it with the public subnet.
- Launch an EC2 instance which has MySQL in the private subnet.
- Launch an EC2 instance which has WordPress in the public subnet.
Note that the MySQL instance has to be part of the private subnet so that the outside world can't connect to it.
So let’s begin building:
Step 1: Create a VPC
For creating the VPC we use the `aws_vpc` resource. We need to provide a `cidr_block`; also don't forget to set `enable_dns_hostnames` to true so that instances with public IP addresses get corresponding public DNS hostnames.
Step 2: Creating Subnets
Now we launch two subnets: one private, `subnet-b`, and one public, `subnet-a`. Note that we have given half of the VPC `cidr_block` to the private subnet and the rest to the public subnet. And don't forget to set `map_public_ip_on_launch` to true for the public subnet so that instances launched into it are assigned a public IP address.
Step 3: Creating an Internet Gateway and connecting it to the VPC
Using the `aws_internet_gateway` resource we can easily attach an internet gateway to the VPC. Here we have shown how to attach one, named `igw`.
Step 4: Creating a routing table for internet gateway and associating it
As shown in the code, we have created a route table with the `aws_route_table` resource for the internet gateway and associated it with the public subnet `subnet-a`, so that instances in the public subnet can connect to the outside world. To know more about the various arguments used, click here.
Step 5: Launching MySQL instance
So, it's time to launch our first instance, the MySQL one, in the private subnet. But before that, we create a security group that allows requests on ports `3306` and `22` (MySQL and SSH) from the WordPress instance only. Then we launch the MySQL instance. Setting up the MySQL user privileges has to be done manually; we'll do that after launching the WordPress instance.
Note that the private subnet has no internet connectivity, so we use an image with `mysql-server` pre-installed (to learn how to enable internet connectivity for the private subnet using a NAT gateway, click here).
Step 6: Launching Instance for WordPress
Again, first we create a security group for WordPress allowing requests on ports `80` and `22`, i.e. HTTP and SSH. Then we launch an instance for WordPress using that security group. Here we use the `remote-exec` provisioner to set up WordPress on that instance and give it the IP of the database instance.
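The two security groups from Steps 5 and 6, written out as an added example (not the article's own code). The MySQL group admits ports 3306 and 22 only from members of the WordPress group, referenced by security-group id rather than by CIDR, so it stays closed to the internet even if the instance were ever given a public IP. The VPC name `aws_vpc.main` and the variable `admin_cidr` are assumptions.

```hcl
# Added example, not the article's own code: the security groups of Steps 5
# and 6. MySQL admits 3306 and 22 only from the WordPress group, referenced by
# id instead of CIDR, so it stays closed to the internet even if the instance
# ever got a public IP. Assumed names: aws_vpc.main, var.admin_cidr.
variable "admin_cidr" { type = string } # assumption: your admin range, e.g. "203.0.113.0/24"

resource "aws_security_group" "wordpress_sg" {
  name   = "wordpress-sg"
  vpc_id = aws_vpc.main.id
  ingress { # HTTP: the only service exposed to the public
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress { # SSH from the admin range only, not from 0.0.0.0/0
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }
  egress { # needed for package installs and the remote-exec provisioner
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "mysql_sg" {
  name   = "mysql-sg"
  vpc_id = aws_vpc.main.id
  ingress { # MySQL reachable only from members of the WordPress group
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.wordpress_sg.id]
  }
  ingress { # SSH hop from the WordPress instance only
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.wordpress_sg.id]
  }
  # No egress block: security groups are stateful, so replies still flow,
  # and the private subnet has no route to the internet anyway.
}
```

Attach them with `vpc_security_group_ids = [aws_security_group.mysql_sg.id]` on the MySQL instance and the WordPress group on the WordPress instance; `terraform plan` will show that no MySQL rule references `0.0.0.0/0`.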
By now most of the work is done; the only thing left is to set appropriate privileges for the MySQL user by logging on to that instance. But we can reach that instance only from the WordPress instance, so we need to transfer the key (the key pair we used while creating the MySQL instance) to the WordPress instance, then use that key to log in to the MySQL instance from the WordPress instance and do the required set-up there.
To transfer the key we used `scp` via the `local-exec` provisioner:
Then we use the key to log in to the MySQL instance over SSH:
Then use the following commands to set the required privileges for the MySQL user.
Finally, the set-up is ready; you can connect to the public IP of the WordPress instance, sign up, log in and start working on the site.
This way the story comes to an end. Thanks for stopping by. Until next time!
You can find the complete code at:
Let's connect over LinkedIn: