Creating a web portal on AWS with as much security as possible

Abhishek Kumar
5 min read · Sep 5, 2020

Hey there! This time we are creating a web portal, say for a company, on AWS, with as much security as we can add ourselves. The catch is that we will use Terraform for as much of it as possible (a few of the steps may still be done manually).

So, basically, we are going to use WordPress with a dedicated database server. To tighten security, the database will not be reachable from the outside world at all. Only the WordPress site needs to be public, so that clients can connect to it.

Here are the steps, for a proper understanding; we will then perform each of them later in this article.

  1. Create a VPC.
  2. In that VPC, create 2 subnets (one public, one private).
  3. Create a public-facing internet gateway to connect our VPC/network to the internet, and attach that gateway to our VPC.
  4. Create a route table with a route to the internet gateway so that instances can reach the outside world, and associate it with the public subnet only.
  5. Launch an EC2 instance running MySQL in the private subnet.
  6. Launch an EC2 instance running WordPress in the public subnet.

Note that the MySQL instance has to be in the private subnet, which has no route to the internet gateway, so the outside world can't connect to it.

So let’s begin building:

Step 1: Create a VPC

For creating the VPC we will use the aws_vpc resource. We are required to provide a cidr_block here; also don't forget to set enable_dns_hostnames to true so that instances with public IP addresses get matching public DNS hostnames.

Step 2: Creating Subnets

Now we launch two subnets: a private one, subnet-b, and a public one, subnet-a. Note that we have given half of the VPC cidr_block to the private subnet and the rest to the public subnet. And don't forget to set map_public_ip_on_launch to true on the public subnet so that instances launched into it are assigned a public IP address (leave it false on the private subnet, so the database host never gets one).

Step 3: Creating an Internet Gateway and connecting it to the VPC

Using the aws_internet_gateway resource we can easily create an internet gateway and attach it to the VPC. Here we have shown how to create one, named igw.

Step 4: Creating a routing table for internet gateway and associating it

As shown in the code, we have created a route table using the aws_route_table resource, with a default route (0.0.0.0/0) pointing at the internet gateway, and then associated it with the public subnet subnet-a so that instances in the public subnet can reach the outside world. The private subnet keeps the VPC's main route table, which has no such route; that missing route is what keeps the database off the internet. The remaining arguments are described in the aws_route_table documentation.

Step 5: Launching MySQL instance

So, it's time to launch our first instance, the MySQL one, in the private subnet. Before that, we create a security group that allows only port 3306 (MySQL) and port 22 (SSH), and only from the WordPress instance: reference the WordPress security group as the source instead of a CIDR range, so nothing else that ends up in the VPC qualifies. Then we launch the MySQL instance with that group. Setting up the privileges of the MySQL user has to be done by hand, which we will do after launching the WordPress instance.

Note that the private subnet has no internet connectivity, so we will use an image with mysql-server pre-installed. (Outbound-only access for the private subnet, for example for security patches, can be added later with a NAT gateway; that still leaves inbound connections from the internet blocked.)

Step 6: Launching Instance for WordPress

Again, first we create a security group for WordPress, allowing requests on ports 80 and 22, i.e. HTTP and SSH. HTTP has to be open to everyone, but SSH should be restricted to your own IP range rather than 0.0.0.0/0, since this is the only host reachable from the internet. Then we launch the WordPress instance using that security group. Here we use the remote-exec provisioner to set up WordPress on that instance and hand it the private IP of the database instance.
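As an added example, not the article's own gists, here are steps 1 to 6 in one Terraform configuration (the AWS provider picks the region up from your AWS config or AWS_REGION). The CIDR ranges, AMI IDs, key-pair names and the admin SSH source address are placeholders, not values from the article; the subnet split follows the article's half-and-half layout. Two things go a little beyond the text: the MySQL security group references the WordPress group by ID instead of by CIDR, and it gets no egress rule at all. The WordPress remote-exec bootstrap is left out, since it depends on the image you pick.

```hcl
# Step 1: VPC. enable_dns_hostnames gives public-IP instances a public DNS name.
resource "aws_vpc" "main" {
  cidr_block           = "192.168.0.0/16"
  enable_dns_hostnames = true
}

# Step 2: public subnet-a and private subnet-b, each half of the VPC range;
# only subnet-a hands out public IPs.
resource "aws_subnet" "subnet_a" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "192.168.0.0/17"
  map_public_ip_on_launch = true
}
resource "aws_subnet" "subnet_b" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "192.168.128.0/17"
  map_public_ip_on_launch = false
}

# Step 3: internet gateway attached to the VPC.
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

# Step 4: default route via the IGW, associated with subnet-a only. subnet-b stays
# on the VPC's main route table, which has no internet route.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.subnet_a.id
  route_table_id = aws_route_table.public.id
}

# WordPress group: HTTP from anywhere, SSH only from the admin's address.
resource "aws_security_group" "wordpress" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.10/32"] # placeholder: your own egress IP, never 0.0.0.0/0
  }
  egress { # needed to reach the DB host and to fetch updates
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# MySQL group: 3306 and 22 only from members of the WordPress group, by group ID rather
# than CIDR. No egress block: Terraform removes AWS's default allow-all egress, so the
# DB host can answer connections but never initiate any.
resource "aws_security_group" "mysql" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.wordpress.id]
  }
  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.wordpress.id]
  }
}

# Steps 5 and 6: DB host in the private subnet (image with mysql-server preinstalled),
# WordPress host in the public subnet. AMI IDs and key-pair names are placeholders.
resource "aws_instance" "mysql" {
  ami                    = "ami-0123456789abcdef0"
  instance_type          = "t2.micro"
  subnet_id              = aws_subnet.subnet_b.id
  vpc_security_group_ids = [aws_security_group.mysql.id]
  key_name               = "mysql-key"
}
resource "aws_instance" "wordpress" {
  ami                    = "ami-0fedcba9876543210"
  instance_type          = "t2.micro"
  subnet_id              = aws_subnet.subnet_a.id
  vpc_security_group_ids = [aws_security_group.wordpress.id]
  key_name               = "wordpress-key"
}
output "wordpress_public_ip" { value = aws_instance.wordpress.public_ip }
output "mysql_private_ip"    { value = aws_instance.mysql.private_ip }
```

Run terraform init and terraform apply; the two outputs give you the WordPress public IP and the database's private IP for the privilege step. Because security groups are stateful, the MySQL host still answers the connections WordPress opens to it even though it has no egress rule; if you later add a NAT gateway for patching, add an egress rule at that point.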

By now we have done most of the work; the only thing left is to set the appropriate privileges for the MySQL user by logging on to that instance. But we can reach that instance only from the WordPress instance, so we need to transfer the key (the one we used while creating the MySQL instance) to the WordPress instance, then use that key to log in to the MySQL instance from the WordPress instance and do the required setup there. Be aware that this leaves a copy of the database host's private key on the public-facing server; delete it once the setup is done, or avoid the copy entirely by jumping through the WordPress host with ssh -J (ProxyJump) or Terraform's bastion_host connection settings, which keep the key on your workstation.

So, to transfer the key we have used scp from a local-exec provisioner:

Then we use that key to log in to the MySQL instance over SSH:

Then use the following commands to set the required privileges for the MySQL user.
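As an added example that is not part of the article's gists: the same privilege setup driven from the machine running Terraform, with the WordPress instance used as an SSH bastion so the MySQL private key never has to be copied onto the public host. It assumes Ubuntu images (login user ubuntu, MySQL root authenticating through auth_socket so that sudo mysql needs no password, config file at /etc/mysql/mysql.conf.d/mysqld.cnf), a MySQL security group that admits port 22 from the WordPress group, and variable values you supply yourself; the database name wordpress, the user wpuser and the grant scope are assumptions too.

```hcl
variable "wordpress_public_ip"  { type = string } # public address of the WordPress host
variable "wordpress_private_ip" { type = string } # its VPC address, used in the grant
variable "mysql_private_ip"     { type = string }
variable "wordpress_key_path"   { default = "~/.ssh/wordpress-key.pem" } # placeholder
variable "mysql_key_path"       { default = "~/.ssh/mysql-key.pem" }     # placeholder
variable "wp_db_password" {
  type      = string
  sensitive = true # kept out of plan output; use a value without quotes or shell metacharacters
}

resource "null_resource" "mysql_grants" {
  triggers = { db_host = var.mysql_private_ip }

  # SSH to the private DB host by hopping through the public WordPress host.
  # Both keys are read on the machine running terraform; nothing is copied to EC2.
  connection {
    type                = "ssh"
    host                = var.mysql_private_ip
    user                = "ubuntu" # assumption: Ubuntu AMI
    private_key         = file(pathexpand(var.mysql_key_path))
    bastion_host        = var.wordpress_public_ip
    bastion_user        = "ubuntu"
    bastion_private_key = file(pathexpand(var.wordpress_key_path))
  }

  provisioner "remote-exec" {
    inline = [
      # Listen on the private address only; the security group already limits callers.
      "sudo sed -i 's/^bind-address.*/bind-address = ${var.mysql_private_ip}/' /etc/mysql/mysql.conf.d/mysqld.cnf",
      "sudo systemctl restart mysql",
      # Database plus a user that may connect only from the WordPress host's private IP,
      # limited to that one database, instead of 'wpuser'@'%' with global rights.
      "sudo mysql -e \"CREATE DATABASE IF NOT EXISTS wordpress;\"",
      "sudo mysql -e \"CREATE USER IF NOT EXISTS 'wpuser'@'${var.wordpress_private_ip}' IDENTIFIED BY '${var.wp_db_password}';\"",
      "sudo mysql -e \"GRANT ALL PRIVILEGES ON wordpress.* TO 'wpuser'@'${var.wordpress_private_ip}';\"",
      "sudo mysql -e \"FLUSH PRIVILEGES;\"",
    ]
  }
}
```

Apply it with terraform apply -var wordpress_public_ip=... -var wordpress_private_ip=... -var mysql_private_ip=... -var wp_db_password=..., taking the addresses from the earlier outputs. The hop uses exactly the path the manual step relies on (22 on the DB host is open only to the WordPress group), and the grant's host part means a stolen wpuser password is useless from anywhere but the WordPress instance itself.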

Finally, the setup is ready. You can now connect to the public IP of WordPress-Instance, sign up, log in and start working on the site.

[Screenshots: the sign-up page; the tables WordPress creates in the database as you sign up; the finished WordPress site]

This way the story comes to an end. Thanks for stopping by. Until next time!

You can find the complete code at:

Let's connect over LinkedIn:
