Creating a web portal with secure VPC on AWS with NAT Gateway for private subnet
In this article, we will launch WordPress on AWS by considering the security measure. This project has the following key points:
- Deploying a WordPress site in a Public Subnet
- Deploying a MySQL database in a Private Subnet
- Deploying a Bastion Host for MySQL database updates.
- Prerequisites-
- You must have an AWS account.
- Terraform must be installed.
What we have to do :
? Write an Infrastructure as code using terraform, which automatically create a VPC.
In that VPC we have to create 2 subnets:
1. public subnet [ Accessible for Public World! ]
2. private subnet [ Restricted for Public World! ]
?Create a public facing internet gateway for connect our VPC/Network to the internet world and attach this gateway to our VPC.
? Create a routing table for Internet gateway so that instance can connect to outside world, update and associate it with public subnet.
? Create a NAT gateway for connect our VPC/Network to the internet world and attach this gateway to our VPC in the public network
? Update the routing table of the private subnet, so that to access the internet it uses the NAT gateway created in the public subnet
? Launch an ec2 instance which has WordPress setup already having the security group allowing port 80 so that our client can connect to our WordPress site. Also attach the key to instance for further login into it.
? Launch an ec2 instance which has MySQL setup already with security group allowing port 3306 in private subnet so that our WordPress VM can connect with the same.
?
Note:
→WordPress instance has to be part of public subnet so that our client can connect our site.
→MySQL instance has to be part of private subnet so that outside world can’t connect to it.
→Don’t forgot to add auto IP assign and auto DNS name assignment option to be enabled.
so lets start.
make a folder on desktop(or anywhere on device) and save a text file in .tf format. Here the .tf format represents that the file is of terraform. Now write your code inside that terraform file.
login to the aws account -
provider "aws" {
region = "ap-south-1"
profile = "aditya"
}
Step 1) Creating the VPC -
resource "aws_vpc" "project_vpc" {
cidr_block = "192.168.0.0/16"
instance_tenancy = "default"
tags = {
Name = "project_vpc"
}
}
Step 2) In that VPC we have to create 2 subnets:
a) public subnet [ Accessible for Public World! ]
here we have added "map public IP on launch". It means all the instances launched in this subnet will get a public IP on launching as this feature is disabled by default.
resource "aws_subnet" "public_subnet-1a" {
vpc_id = aws_vpc.project_vpc.id
cidr_block = "192.168.0.0/24"
map_public_ip_on_launch = "true"
availability_zone= "ap-south-1a"
tags = {
Name = "public_subnet-1a"
}
}
b) private subnet [ Restricted for Public World! ]
resource "aws_subnet" "private_subnet-1b" {
vpc_id = aws_vpc.project_vpc.id
cidr_block = "192.168.1.0/24"
availability_zone= "ap-south-1b"
tags = {
Name = "private_subnet-1b"
}
}
}
Step 3) Create a public facing internet gateway for connect our VPC/Network to the internet world and attach this gateway to our VPC.
resource "aws_internet_gateway" "ig-way" {
vpc_id = aws_vpc.project_vpc.id
tags = {
Name = "main"
}
depends_on = [
aws_vpc.project_vpc
]
}
Step 4) Create a routing table for Internet gateway so that instance can connect to outside world, update and associate it with public subnet.
#route_table
resource "aws_route_table" "route-table" {
vpc_id = aws_vpc.project_vpc.id
depends_on = [aws_internet_gateway.ig-way ]
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.ig-way.id
}
tags = {
Name = "route-table"
}
}
#route_table_association
resource "aws_route_table_association" "associate" {
subnet_id = aws_subnet.public_subnet-1a.id
route_table_id = aws_route_table.route-table.id
}
Step 5) Create a Elastic IP for association with NAT Gateway.
resource "aws_eip" "eip_for_NAT" {
vpc = true
}
Step 6)Create the NAT Gateway in the VPC for private subnet.
resource "aws_nat_gateway" "NAT-gateway" {
depends_on = [aws_internet_gateway.ig-way,aws_eip.eip_for_NAT]
allocation_id = aws_eip.eip_for_NAT.id
subnet_id = aws_subnet.public_subnet-1a.id
tags = {
Name = "NAT-gateway"
}
}
Step 7) Create a routing table for NAT Gateway so that instance can connect to outside world, update and associate it with private subnet.
#route_nat
resource "aws_route_table" "route-nat" {
depends_on = [aws_nat_gateway.NAT-gateway]
vpc_id = aws_vpc.project_vpc.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_nat_gateway.NAT-gateway.id
}
tags = {
Name = "route-nat"
}
}
#nat_route_associaton
resource "aws_route_table_association" "nat-associate" {
depends_on = [aws_route_table.route-nat]
subnet_id = aws_subnet.private_subnet-1b.id
route_table_id = aws_route_table.route-nat.id
}
Step 8) Creating the security groups -
- For instances to be launched in public subnet that allows HTTP and SSH -
resource "aws_security_group" "allow_http_ssh" {
name = "allow_http_ssh"
description = "allow http inbound traffic"
vpc_id = aws_vpc.project_vpc.id
ingress {
description = "HTTP from VPC"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
description = "SSH from VPC"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "allow_http_ssh"
}
}
2. For instance to be launched in private subnet that allows SQL port 3306 and SSH port 22 for Bastion Host -
resource "aws_security_group" "sec-sql" {
name = "sec-sql"
description = "database"
vpc_id = aws_vpc.project_vpc.id
ingress {
protocol = "tcp"
from_port = 3306
to_port = 3306
security_groups = [aws_security_group.allow_http_ssh.id]
}
ingress {
description = "SSH for Bastion"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags ={
Name= "sec-sql"
}
}
3. Creating a security group for Bastion Host. Bastion Host is an instance launched in the public subnet which is used to access and make changes in the MySQL database instance which is launched in the private subnet.
resource "aws_security_group" "bastion_security" {
name = "bastion_security"
description = "allow ssh"
vpc_id = aws_vpc.project_vpc.id
ingress {
description = "bastion host allow ssh"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags ={
Name= "bastion_security"
}
}
Step 9) Creating the key pairs to be assigned to the instances launched in public subnet. Also we will save a copy of that key on our local device for further SSH.
resource "tls_private_key" "task4key" {
algorithm = "RSA"
rsa_bits = 4096
}
resource "local_file" "private_key" {
content = tls_private_key.task4key.private_key_pem
filename = "task4key.pem"
}
resource "aws_key_pair" "task4key" {
key_name = "task4key"
public_key = "${tls_private_key.task4key.public_key_openssh}"
}
Step 10) Launching the instance in public subnet which already have a WordPress server configured and attach the created security group and key pair -
resource "aws_instance" "wordpress_instance" {
ami = "ami-000cbce3e1b899ebd"
instance_type = "t2.micro"
key_name = "${aws_key_pair.task4key.key_name}"
subnet_id = aws_subnet.public_subnet-1a.id
vpc_security_group_ids = [ aws_security_group.allow_http_ssh.id ]
associate_public_ip_address = "true"
depends_on = [
aws_security_group.allow_http_ssh
]
tags = {
Name = "wordpress_instance"
}
}
Now launch the Bastion host in the public subnet with the created security group and key pair which will be used to modify and access the database instance.
resource "aws_instance" "bastion_host_instance" {
ami = "ami-0e306788ff2473ccb"
instance_type = "t2.micro"
key_name = "${aws_key_pair.task4key.key_name}"
subnet_id = aws_subnet.public_subnet-1a.id
vpc_security_group_ids = [ aws_security_group.bastion_security.id ]
associate_public_ip_address = "true"
depends_on = [
aws_security_group.bastion_security
]
tags = {
Name = "bastion_host_instance"
}
}
Now we will launch the instance in private subnet which already has MySQL server configured and also attached the created security group. Here we have also attached the security group of Bastion host so that it can access the instance.
resource "aws_instance" "mysql_instance" {
ami = "ami-0019ac6129392a0f2"
instance_type = "t2.micro"
key_name = "${aws_key_pair.task4key.key_name}"
subnet_id = aws_subnet.private_subnet-1b.id
vpc_security_group_ids = [ aws_security_group.sec- sql.id,aws_security_group.bastion_security.id ]
depends_on = [
aws_security_group.sec-sql
]
tags = {
Name = "mysql_instance"
}
}
Hence our terraform IAC is complete. Now to run this file, we will go to the terminal and change the directory to the folder which we have created for saving the files.
Now run the following commands -
- To download and initialize all the required plugins -
terraform init
2. To check the validity of the code -
terraform validate
3. To run the code -
terraform apply --auto-approve
Here are the outputs -
created resources -
VPC -
Subnets -
Internet Gateway -
Elastic IP associated with NAT Gateway -
NAT Gateway -
Routing tables associated with subnets -
Security Groups -
Key-pair -
Launched Instances in their respective subnets -
Bastion Host for MySQL updates -
Here is the final Deployment -
Now to destroy this complete setup in just one click run the command -
terraform destroy --auto-approve
result -
Our deployment is completed !
Thanks for reading!!