Creating a VPC | Subnets | Route Tables | Internet Gateway | NAT Gateway and launching WordPress | MySQL in our VPC using Terraform
Performing the following steps:
1. Write Infrastructure as Code with Terraform that creates a VPC.
2. In that VPC create two subnets:
a ). a public subnet [ reachable from the public internet ]
b ). a private subnet [ not reachable from the public internet ]
3. Create a public-facing Internet Gateway so the VPC can talk to the internet, and attach it to the VPC.
4. Create a route table with a default route to the Internet Gateway so instances can reach the outside world, and associate it with the public subnet.
5. Create a security group in the VPC for the WordPress instance (in the public subnet) that allows inbound HTTP on port 80 only. Clients can reach the site, and nobody can SSH to the WordPress instance from the internet. This exposes a single port; it does not protect the WordPress application itself, which still has to be kept patched.
6. Create a security group in the VPC for the MySQL instance (in the private subnet) that allows inbound TCP 3306 only, with the WordPress security group ID as the source instead of an IP range. When a client visits the site, WordPress connects to MySQL and reads the data, but the database is reachable from nothing else, and from nothing on the public internet.
7. Launch an EC2 instance from an AMI that already has WordPress set up, with the security group that allows port 80, so that clients can reach the site. Attach a key pair so we can log in later.
8. Launch an EC2 instance from an AMI that already has MySQL set up, in the private subnet, with the security group that allows port 3306, so that the WordPress instance can connect to it. Attach a key pair here too.
9. Create a NAT Gateway in the public subnet so that the private subnet can reach the internet outbound. A NAT Gateway needs an Elastic IP, so allocate the Elastic IP first.
10. Create a second route table with a default route via the NAT Gateway and associate it with the private subnet, so that the private subnet reaches the internet through the NAT Gateway in the public subnet.
>>> Steps 9 and 10 are for later maintenance. If we want to update something on the MySQL instance it needs outbound internet access (package repositories, for example), and steps 9 and 10 give it that through the NAT Gateway. The NAT Gateway only forwards connections that start inside the private subnet; nobody on the public internet can initiate a connection to the MySQL instance through it. It does mean the database host can talk out to the internet, so keep its security group egress as tight as your patching process allows.
11. Create a bastion host, from which we log in to the MySQL instance. For that we create one security group with SSH port 22 open from anywhere (better: only from your own address) and attach it to the bastion host, and a second security group with SSH port 22 open only from the bastion host's security group, which we attach to the MySQL instance. Only connections coming from the bastion host can then SSH to MySQL.
Pre-requisite:-
>>> Create an account on AWS.
>>> Create an IAM user with administrator access and download the .csv file with its access keys. (Admin rights are convenient for a lab; a production pipeline would get an IAM policy limited to the VPC and EC2 actions it actually needs.)
>>> Install the AWS CLI on your base OS (in my case macOS). The install guide is here (this link is the Windows page of the guide; the same guide has macOS and Linux pages) >>> https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-windows.html
>>> Install Terraform on your base OS using this link >>> https://learn.hashicorp.com/terraform/getting-started/install.html
>>> Now configure the AWS CLI with a named profile and enter the access key, secret key and region. (Where the screenshot says ankit, use your own IAM user profile name.)
>>> I am assuming you have already created an EC2 key pair.
Step: 1
>>> Now start writing the Terraform code.
First create a folder and create a vpc.tf file in it (the name can be anything, but the extension must be .tf).
>>> Understand VPC
>>> A VPC (Virtual Private Cloud) is a logically isolated virtual network inside AWS. It gives us a private space in which to build an infrastructure that behaves like a real network, and no other customer can see what happens inside it. By default AWS allows 5 VPCs per region; to create more you have to request a quota increase (Service Quotas / support).
>>> Now create the VPC. Here we give the provider name, the region and the profile we configured.
>>> Before applying, first download the provider plugins with the terraform init command. This takes a little time depending on your internet speed.
NOTE:- Every command has to be run inside the folder where your .tf file is. In my case my .tf file is inside the vpc folder.
>>> Now run the code with the terraform apply command.
>>> Enter yes to approve.
>>> In a minute or two your VPC will be created.
Step: 2
>>> Now create two subnets in different availability zones, for security and management reasons. Subnet 1 is created in availability zone 1a and subnet 2 in 1b of the Mumbai region. Here the CIDR block specifies the range of IP addresses the subnet uses, and map_public_ip_on_launch gives each instance launched in the subnet a public IP for connectivity from the outside world. I enable it only on subnet 1, where the WordPress site is launched. Subnet 2 does not get it, because I don't want any outsider to come and look at my database data. (A public IP by itself is not enough: the subnet also needs a route to the Internet Gateway, which is steps 3 and 4.)
>>> From now on you can use terraform apply -auto-approve (this command does not ask you to enter yes; it approves automatically). I will use terraform apply -auto-approve from here.
>>> The subnets will be created.
>>> The unnamed subnets in the console belong to the default VPC.
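The provider, VPC and subnet code for steps 1 and 2, written out here as an added example (it is not the page's own screenshot). The profile name ankit, the Mumbai region ap-south-1, the CIDR ranges and the resource names are assumptions chosen for this example.

```hcl
# Added example for Steps 1 and 2 (not the page's original screenshot).
# Assumptions: profile name "ankit", region ap-south-1 (Mumbai), CIDR ranges and names below.
provider "aws" {
  region  = "ap-south-1"
  profile = "ankit"
}

# Step 1: the VPC. DNS hostnames are enabled so the WordPress instance gets a public DNS name.
resource "aws_vpc" "myvpc" {
  cidr_block           = "192.168.0.0/16"
  instance_tenancy     = "default"
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = {
    Name = "myvpc"
  }
}

# Step 2a: public subnet in ap-south-1a. map_public_ip_on_launch hands every instance
# launched here a public IPv4 address.
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.myvpc.id
  cidr_block              = "192.168.0.0/24"
  availability_zone       = "ap-south-1a"
  map_public_ip_on_launch = true

  tags = {
    Name = "public-subnet-1a"
  }
}

# Step 2b: private subnet in ap-south-1b. No public IPs, and (until Step 10) only the
# VPC's main route table, which carries nothing but the local 192.168.0.0/16 route.
resource "aws_subnet" "private" {
  vpc_id                  = aws_vpc.myvpc.id
  cidr_block              = "192.168.1.0/24"
  availability_zone       = "ap-south-1b"
  map_public_ip_on_launch = false

  tags = {
    Name = "private-subnet-1b"
  }
}
```

Run terraform init once in the folder, then terraform apply. A public IP alone does not make the public subnet reachable: until the Internet Gateway and route table of steps 3 and 4 exist, the address is assigned but there is no path to the internet.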
Step: 3
>>> Now we create one Internet Gateway. All traffic that leaves the VPC for the internet, and all traffic that comes in from it, passes through this gateway. Only one Internet Gateway can be attached to a VPC. Without an Internet Gateway we cannot reach the outside world.
Step: 4
>>> Now we create a route table. A route table holds the routes along which packets travel from our private network to the public world and back. All IP-enabled devices, including routers and switches, use routing tables. Here the route table gets a default route (0.0.0.0/0) pointing at the Internet Gateway.
>>> Now we associate this route table with subnet 1 only, because we do not want subnet 2 to have outside connectivity. Subnet 2 stays on the VPC's main route table, which only has the local route for the VPC's own CIDR. Attaching a route table to a subnet is called a route_table_association.
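The Internet Gateway, public route table and association for steps 3 and 4, as an added example (not the page's own screenshot). It assumes a VPC resource named aws_vpc.myvpc and a public subnet named aws_subnet.public exist in the same Terraform configuration; those names are assumptions.

```hcl
# Added example for Steps 3 and 4 (not the page's original screenshot).
# Assumes aws_vpc.myvpc and aws_subnet.public from the earlier steps exist in this configuration.

# Step 3: one internet gateway, attached to the VPC by vpc_id. A VPC can have only one.
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.myvpc.id

  tags = {
    Name = "myvpc-igw"
  }
}

# Step 4: a route table whose default route points at the gateway. The local route for the
# VPC CIDR is added by AWS automatically and cannot be removed.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.myvpc.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }

  tags = {
    Name = "public-rt"
  }
}

# Associate it with the public subnet only. The private subnet stays on the main route
# table, so nothing in it has a path to or from the internet yet.
resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}
```

A quick check after apply: the private subnet's route table in the console should list only the local route; if a 0.0.0.0/0 route appears there, the association went to the wrong subnet.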
Step: 5
>>> We are going to create a security group in this VPC for WordPress. Every instance must have at least one security group; if we don't create one, the WordPress EC2 instance would get the VPC's default security group, which is not the rule set we want.
Step: 6
>>> We are going to create a security group in this VPC for MySQL, for the same reason: without our own security group the MySQL EC2 instance would get the default one.
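The two security groups for steps 5 and 6, as an added example (not the page's own screenshot). It assumes a VPC resource named aws_vpc.myvpc exists in the same configuration; the group names and descriptions are assumptions.

```hcl
# Added example for Steps 5 and 6 (not the page's original screenshot).
# Assumes aws_vpc.myvpc exists in this configuration; names are assumptions.

# Step 5: WordPress security group. Inbound is HTTP only; there is deliberately no port 22 rule.
# Security groups are stateful, so HTTP replies go back without a matching egress rule.
resource "aws_security_group" "wordpress_sg" {
  name        = "wordpress-sg"
  description = "HTTP from anywhere, no SSH"
  vpc_id      = aws_vpc.myvpc.id

  ingress {
    description = "HTTP from the public world"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Terraform removes the allow-all egress rule AWS would normally add, so it is declared
  # explicitly; WordPress needs it to reach MySQL and to fetch updates and plugins.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "wordpress-sg"
  }
}

# Step 6: MySQL security group. The source is the WordPress security group ID, not a CIDR:
# only network interfaces that carry wordpress_sg may reach port 3306, whatever their IP.
resource "aws_security_group" "mysql_sg" {
  name        = "mysql-sg"
  description = "MySQL from the WordPress security group only"
  vpc_id      = aws_vpc.myvpc.id

  ingress {
    description     = "MySQL from WordPress instances"
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.wordpress_sg.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "mysql-sg"
  }
}
```

Referencing the security group rather than an IP means a second WordPress instance launched later with wordpress_sg gets database access with no rule change. The flip side is that a compromised WordPress host can still reach port 3306; this is network segmentation, and the MySQL credentials and the WordPress application itself still need their own hardening.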
Step: 7 and 8
>>> Now finally create an instance for WordPress in the public subnet and an instance for MySQL in the private subnet.
>>> You can choose any AMI and install WordPress yourself, but the AMI I have chosen comes with WordPress and MySQL pre-installed. For practice you can use this AMI ID.
NOTE : If you use the AMI ami-7e257211 for the WordPress instance you may get this error when you apply the Terraform code.
>>> Copy the highlighted link, paste it into the browser and subscribe to the AMI.
>>> Now apply the Terraform code again.
>>> Here you can see one instance in the public subnet and the other in the private subnet.
>>> After launching you will notice that the MySQL instance has no public DNS name or public IP, while the WordPress instance has both.
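The two instances for steps 7 and 8, as an added example (not the page's own screenshot). It assumes the subnets and security groups from the earlier steps exist in the same configuration under the names aws_subnet.public, aws_subnet.private, aws_security_group.wordpress_sg and aws_security_group.mysql_sg; the variable names, the instance type and the key pair name key1 are assumptions. The AMI IDs are left as variables because the WordPress AMI has to be subscribed to first and the MySQL AMI is whichever image you picked.

```hcl
# Added example for Steps 7 and 8 (not the page's original screenshot).
# Assumes the subnets and security groups from the earlier steps exist in this configuration.
variable "wordpress_ami" {
  type        = string
  description = "AMI with WordPress pre-installed (the page's ami-7e257211 needs a Marketplace subscription)"
}

variable "mysql_ami" {
  type        = string
  description = "AMI with MySQL pre-installed"
}

variable "key_name" {
  type    = string
  default = "key1" # assumption: the key pair created before Step 1
}

# Step 7: WordPress in the public subnet. map_public_ip_on_launch on the subnet gives it a
# public IP and, with DNS hostnames enabled on the VPC, a public DNS name.
resource "aws_instance" "wordpress" {
  ami                    = var.wordpress_ami
  instance_type          = "t2.micro"
  subnet_id              = aws_subnet.public.id
  vpc_security_group_ids = [aws_security_group.wordpress_sg.id]
  key_name               = var.key_name

  tags = {
    Name = "wordpress"
  }
}

# Step 8: MySQL in the private subnet. No public IP is requested, so the instance is reachable
# only over its private address from inside the VPC.
resource "aws_instance" "mysql" {
  ami                         = var.mysql_ami
  instance_type               = "t2.micro"
  subnet_id                   = aws_subnet.private.id
  vpc_security_group_ids      = [aws_security_group.mysql_sg.id]
  associate_public_ip_address = false
  key_name                    = var.key_name

  tags = {
    Name = "mysql"
  }
}

# Outputs save a trip to the console: the DNS name to paste into the browser and the
# private IP that WordPress (and later the bastion host) connects to.
output "wordpress_public_dns" {
  value = aws_instance.wordpress.public_dns
}

output "mysql_private_ip" {
  value = aws_instance.mysql.private_ip
}
```

Apply with terraform apply -var wordpress_ami=... -var mysql_ami=... (or put the values in a terraform.tfvars file). The mysql_private_ip output is the address to use later from the bastion host; the absence of a public_ip attribute on that instance is the check that the private subnet settings took effect.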
>>> Now copy the public DNS name of the WordPress instance and paste it into the browser.
>>> A page comes up asking for your instance ID. Copy the instance ID of the WordPress instance and paste it in.
>>> Then click on the WordPress password. It asks you to generate a password. In my case the password is ankit123.
>>> Now scroll down and click on login to the WordPress dashboard, where you can write or edit your first blog post.
>>> A login console comes up; use the user name Aurora and the password you generated above. In my case I entered ankit123.
>>> Now write your first blog post and publish it.
>>> Now, to log in to the MySQL instance, follow these steps.
Step: 9
NAT Gateway: A NAT (Network Address Translation) Gateway lets instances in a private subnet connect out to the internet while preventing the internet from initiating a connection to those instances. Every NAT Gateway is created in a specific subnet, and therefore in a specific availability zone; if that zone fails, private subnets in other zones that route through it lose their internet access too.
Elastic IP (EIP): An Elastic IP address is a static IPv4 address designed for dynamic cloud computing. With an Elastic IP you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. An Elastic IP is a public IPv4 address that is reachable from the internet; here it is the source address the NAT Gateway translates outbound traffic to.
Step: 10
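The Elastic IP, NAT Gateway and private route table for steps 9 and 10, as an added example (not the page's own screenshot). It assumes aws_vpc.myvpc, aws_subnet.public, aws_subnet.private and aws_internet_gateway.igw from the earlier steps exist in the same configuration; those names are assumptions.

```hcl
# Added example for Steps 9 and 10 (not the page's original screenshot).
# Assumes aws_vpc.myvpc, aws_subnet.public, aws_subnet.private and aws_internet_gateway.igw
# from the earlier steps exist in this configuration.

# Step 9: the Elastic IP the NAT gateway will source its traffic from.
resource "aws_eip" "nat" {
  domain = "vpc" # AWS provider 4.x/5.x; older provider versions used vpc = true
}

# The NAT gateway is placed in the PUBLIC subnet, because that is the one with a route to
# the internet gateway. It forwards connections that start inside the private subnet and
# drops anything the internet tries to initiate.
resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  depends_on    = [aws_internet_gateway.igw]

  tags = {
    Name = "myvpc-nat"
  }
}

# Step 10: a second route table whose default route goes to the NAT gateway, associated
# with the private subnet only. The public subnet keeps its route via the internet gateway.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.myvpc.id

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }

  tags = {
    Name = "private-rt"
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}
```

Two things worth knowing before you apply: a NAT Gateway is billed per hour and per GB while it exists, so destroy it when the lab is finished, and after this step the MySQL instance can open connections to any internet address, which is what makes package updates work and also what an intruder on that host would use to exfiltrate data. The mysql_sg egress rule is where that is constrained.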
Step: 11
A bastion host is a special-purpose computer on a network, specifically designed and configured to withstand attacks. It generally hosts a single application, for example a proxy server or, as here, an SSH entry point, and all other services are removed or limited to reduce the threat to the computer. Because it is the one machine exposed on port 22, it is the place to keep patched and to restrict to known source addresses.
>>> Attach this second security group (SSH from the bastion host's security group) to the MySQL instance.
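The bastion host and its two security groups for step 11, as an added example (not the page's own screenshot). It assumes aws_vpc.myvpc and aws_subnet.public from the earlier steps exist in the same configuration; the variable names, the bastion AMI, the admin CIDR and the key pair name key1 are assumptions. The page opens SSH from anywhere; the admin_cidr variable defaults to that but is meant to be set to your own address.

```hcl
# Added example for Step 11 (not the page's original screenshot).
# Assumes aws_vpc.myvpc and aws_subnet.public from the earlier steps exist in this configuration.
variable "bastion_ami" {
  type        = string
  description = "Any Linux AMI with sshd, e.g. Amazon Linux 2"
}

variable "admin_cidr" {
  type        = string
  description = "Where SSH to the bastion is allowed from"
  default     = "0.0.0.0/0" # what the page does; narrow this to your own address/32 in practice
}

# SG 1: SSH into the bastion from the admin address.
resource "aws_security_group" "bastion_sg" {
  name        = "bastion-sg"
  description = "SSH to bastion"
  vpc_id      = aws_vpc.myvpc.id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# SG 2: SSH to MySQL only from interfaces that carry bastion_sg. Attach this to the MySQL
# instance alongside mysql_sg, i.e. in Step 8 set
#   vpc_security_group_ids = [aws_security_group.mysql_sg.id, aws_security_group.mysql_ssh_sg.id]
resource "aws_security_group" "mysql_ssh_sg" {
  name        = "mysql-ssh-from-bastion"
  description = "SSH from the bastion security group only"
  vpc_id      = aws_vpc.myvpc.id

  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion_sg.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# The bastion itself lives in the public subnet so it gets a public IP.
resource "aws_instance" "bastion" {
  ami                    = var.bastion_ami
  instance_type          = "t2.micro"
  subnet_id              = aws_subnet.public.id
  vpc_security_group_ids = [aws_security_group.bastion_sg.id]
  key_name               = "key1" # assumption: the key pair used throughout the page

  tags = {
    Name = "bastion"
  }
}

output "bastion_public_ip" {
  value = aws_instance.bastion.public_ip
}
```

With this in place the only path to port 22 on MySQL is through an interface that carries bastion_sg; a direct connection attempt from the internet to the MySQL private IP has no route, and one from another instance in the VPC is refused by the security group. Rather than copying the private key onto the bastion, an SSH ProxyJump (ssh -J) through the bastion_public_ip output reaches MySQL with the key staying on your workstation.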
>>> Now you can log in to MySQL from the bastion host instance, but for that you need the key: without the private key you cannot log in. So if you may need to log in to MySQL in the future, attach a key pair to MySQL at launch time. In this walkthrough the key is copied onto the bastion host; a safer way to get the same result is SSH agent forwarding or a ProxyJump configuration, so the private key never leaves your workstation.
>>> I used the key key1.pem for all instances, but it is better to use a different key for every OS.
>>> Now copy the key to the bastion OS. If your base OS is macOS you can use FileZilla to copy the key to the bastion host; on Windows you can use WinSCP.
>>> Now you can check that key1.pem is present on the bastion OS.
>>> From the bastion OS I SSH to MySQL. For this I use the private IP of MySQL, because MySQL has no public IP, and we don't need one: inside the same VPC (network) we can connect over the private IP.
>>> If you get an error on login, run chmod 400 key1.pem (use your own key name in place of key1).
>>> Now we are in MySQL. You can check that the private IPs of the two OSs are different.
>>> Now you can install any software or apply any update you need on the MySQL OS.