Hybrid Cloud Computing Task 3
Naitik Shah
Data Scientist & Machine Learning Engineer | Python, SQL, PyTorch, TensorFlow | NLP, Computer Vision, Predictive Analytics | Turning Data into $1.3M+ Business Impact
Hey fellas,
I bring you the Hybrid Cloud Computing task 3.
What is this task all about?
The motive is for our company to build a completely protected Web Portal. For this, I built a WordPress App setup with a dedicated Database server that will be accessible only by WordPress and not by the outside world.
What is WordPress?
WordPress (WP, WordPress.org) is a free and open-source content management system (CMS) written in PHP and paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system, referred to within WordPress as Themes. WordPress was originally created as a blog-publishing system but has evolved to support other types of web content including more traditional mailing lists and forums, media galleries, membership sites, learning management systems (LMS) and online stores. WordPress is used by more than 60 million websites, including 33.6% of the top 10 million websites as of April 2019, WordPress is one of the most popular content management system solutions in use. WordPress has also been used for other application domains such as pervasive display systems (PDS).
Problem statement:
We have to create a web portal for our company with all the security as much as possible. So, we use the WordPress software with a dedicated database server. The database should not be accessible from the outside world for security purposes. We only need the public WordPress to clients.
So here are the steps for proper understanding!
- Write an Infrastructure as code using Terraform, which automatically create a VPC.
2. In that VPC we have to create 2 subnets:
a) public subnet [ Accessible for Public World!]
b) private subnet [ Restricted for Public World!]
3. Create a public-facing internet gateway for connecting our VPC/Network to the internet world and attach this gateway to our VPC.
4. Create a routing table for Internet gateway so that instance can connect to the outside world, update and associate it with the public subnet.
5. Launch an ec2 instance which has WordPress setup already having the security group allowing port 80 so that our client can connect to our WordPress site. Also, attach the key to an instance for further login into it.
6. Launch an ec2 instance which has MYSQL setup already with security group allowing port 3306 in a private subnet so that our WordPress VM can connect with the same. Also, attach the key with the same.
Note: WordPress instance has to be part of public subnet so that our client can connect our site. MySQL instance has to be part of private subnet so that the outside world can't connect to it. Don't forget to add auto IP assign and auto DNS name assignment option to be enabled.
So let's start with the problem statement solving:
Step 1: Log in to your IAM account using CMD, you may ask that why CMD, why not GUI? because, in the real world(I mean in the job world) developers use Command Prompt, and it is a good practice to make a habit of using Command Prompt.
Step 2: After you have successfully logged into your IAM account from your command prompt, we will now create a VPC in step 2. Amazon virtual private cloud(Amazon VPC) allows you to provisionally and virtually isolate a section of AWS cloud, where you can launch AWS resources on a virtual network that you define. In this, you have the complete control over your virtual private network that you define. You have complete control over your virtual networking environment, including a selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.
Terraform code for the same is, and it is always a good practice to store all of your terraform codes of a particular task you are solving in a folder, so it well sorted and easy to access:
resource "aws_vpc" "naitik2_vpc" {
cidr_block = "192.168.0.0/16"
instance_tenancy = "default"
enable_dns_hostnames = true
tags = {
Name = "naitik2_vpc"
}
}
Step 3: Now as the problem statement states, we need to create tow subnets:
a. public subnet [ Accessible for Public World!]
b. private subnet [ Restricted for Public World!]
So, we will be doing the same in this step.
Before moving forward towards the code, let's understand what s Subnet:
A subnet is “part of the network”, in other words, part of the entire availability zone. Each subnet must reside entirely within one Availability Zone and cannot span zones. The terraform code to create both the Private & the Public Subnet is as follows :
resource "aws_subnet" "naitik2_public_subnet" {
vpc_id = "${aws_vpc.naitik2_vpc.id}"
cidr_block = "192.168.0.0/24"
availability_zone = "ap-south-1a"
map_public_ip_on_launch = "true"
tags = {
Name = "naitik2_public_subnet"
}
}
resource "aws_subnet" "naitik2_private_subnet" {
vpc_id = "${aws_vpc.naitik2_vpc.id}"
cidr_block = "192.168.1.0/24"
availability_zone = "ap-south-1a"
tags = {
Name = "naitik2_private_subnet"
}
}
Step 4: In this step, we will be creating a public-facing internet gateway. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
The Terraform code for the same is:
resource "aws_internet_gateway" "naitik2_gw" {
vpc_id = "${aws_vpc.naitik2_vpc.id}"
tags = {
Name = "naitik2_gw"
}
}
I will recommend naming your AWS features, which you can easily understand just by looking the name, like for example, I named naitik2_gw for my internet gateway for IAM user naitik2.
Step 5: Next, we create a Routing Table & associate it with the Public Subnet. A routing table, or routing information base (RIB), is an electronic file or database-type object that is stored in a router or a networked computer, holding the routes (and in some cases, metrics associated with those routes) to particular network destinations. This information contains the topology of the network close to it.
The Terraform code for the same is stated below:
resource "aws_route_table" "naitik2_rt" {
vpc_id = "${aws_vpc.naitik2_vpc.id}"
route {
cidr_block = "0.0.0.0/0"
gateway_id = "${aws_internet_gateway.naitik2_gw.id}"
}
tags = {
Name = "naitik2_rt"
}
}
resource "aws_route_table_association" "naitik2_rta" {
subnet_id = "${aws_subnet.naitik2_public_subnet.id}"
route_table_id = "${aws_route_table.naitik2_rt.id}"
}
Step 6: Now in this step we will create a security group which I will be using while launching WordPress. This security group has permissions for outside connectivity. A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance. Security groups are associated with network interfaces.
resource "aws_security_group" "naitik2_sg" {
name = "naitik2_sg"
vpc_id = "${aws_vpc.naitik2_vpc.id}"
ingress {
description = "allow_http"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = [ "0.0.0.0/0"]
}
ingress {
description = "allow_ssh"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
description = "allow_icmp"
from_port = 0
to_port = 0
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
description = "allow_mysql"
from_port = 3306
to_port = 3306
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "naitik2_sg"
}
}
Step 7: Now we will be creating one more security group, which we will be using to launch MySQL database. This security group will keep MySQL accessible only through WordPress and not through the outside world.
resource "aws_security_group" "naitik2_sg_private" {
name = "naitik2_sg_private"
vpc_id = "${aws_vpc.naitik2_vpc.id}"
ingress {
description = "allow_mysql"
from_port = 3306
to_port = 3306
protocol = "tcp"
security_groups = [aws_security_group.naitik2_sg.id]
}
ingress {
description = "allow_icmp"
from_port = -1
to_port = -1
protocol = "icmp"
security_groups = [aws_security_group.naitik2_sg.id]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
tags = {
Name = "naitik2_sg_private"
}
}
Step 8: Now, the time has come to launch WordPress and MySQL instances with all of the resources we have created in the above steps.
WordPress:
resource "aws_instance" "wordpress" {
ami = "ami-ff82f990"
instance_type = "t2.micro"
key_name = "naitik2_key"
subnet_id = "${aws_subnet.naitik2_public_subnet.id}"
security_groups = ["${aws_security_group.naitik2_sg.id}"]
associate_public_ip_address = true
availability_zone = "ap-south-1a"
tags = {
Name = "naitik2_wordpress"
}
}
MySQL:
resource "aws_instance" "sql" {
ami = "ami-08706cb5f68222d09"
instance_type = "t2.micro"
key_name = "naitik2_key"
subnet_id = "${aws_subnet.naitik2_private_subnet.id}"
availability_zone = "ap-south-1a"
security_groups = ["${aws_security_group.naitik2_sg_private.id}"]
tags = {
Name = "naitik2_sql"
}
}
Step 9: Now we will run our terraform code, for doing it, run the command Terraform init, this command will download all of the necessary plugins required.
Once you have done that, run the command: terraform apply --auto-approve
This will run the code and create the mentioned resources on the configured AWS Cloud.
Now in the AWS dashboard, you will see all of your resources running, which says that you have successfully allocated resources.
We can access our WordPress site using the Public IP address that is mentioned in the instance description.
And, congratulations! on successfully completing this task, which includes a Database Server(a dedicated one) that can be accessed only by WordPress which in turn ensures ultimate security of our content, now pat your back, because you have completed your task successfully.
Bye guys! see you next time!