Hybrid Cloud Computing Task 4
Naitik Shah
Data Scientist | Machine Learning Engineer | AI & MLOps | Generative AI, NLP & Big Data | Fraud Analytics & Predictive Modeling | AWS | Azure | GCP
Hey fellas, presenting you my Hybrid Cloud Computing Task 4, which I am doing under the mentorship of Vimal Daga Sir. Have completed Task 4, or not enrolled in the Hybrid Cloud Computing course? stick to this page because I am solving a real problem statement that you might need later.
The problem statement is:
- Write an Infrastructure as code using Terraform, which automatically creates a VPC.
- In that VPC we have to create 2 subnets:
- public subnet [ Accessible for Public World! ]
- private subnet [ Restricted for Public World! ]
- Create a public-facing internet gateway to connect our VPC/Network to the internet world and attach this gateway to our VPC.
- Create a routing table for Internet gateway so that instance can connect to the outside world, update and associate it with the public subnet.
- Create a NAT gateway for connecting our VPC/Network to the internet world and attach this gateway to our VPC in the public network
- Update the routing table of the private subnet, so that to access the internet it uses the nat gateway created in the public subnet
- Launch an ec2 instance that has WordPress setup already having the security group allowing port 80 so that our client can connect to our WordPress site. Also, attach the key to the instance for further login into it.
- Launch an ec2 instance that has MYSQL setup already with security group allowing port 3306 in a private subnet so that our WordPress VM can connect with the same. Also, attach the key with the same.
Note: WordPress instance has to be part of the public subnet so that our client can connect to our site. MySql instance has to be part of a private subnet so that the outside world can't connect to it. Don't forget to add auto IP assign and auto DNS name assignment options to be enabled.
Before moving forward, let's first see what is WordPress?
WordPress (WP, WordPress.org) is a free and open-source content management system (CMS) written in PHP and paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system, referred to within WordPress as Themes. WordPress was originally created as a blog-publishing system but has evolved to support other types of web content including more traditional mailing lists and forums, media galleries, membership sites, learning management systems (LMS), and online stores. WordPress is used by more than 60 million websites, including 33.6% of the top 10 million websites as of April 2019, WordPress is one of the most popular content management system solutions in use. WordPress has also been used for other application domains such as pervasive display systems (PDS).
Next, let's see what is Bastion Host?
A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example, a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of a firewall or in a demilitarized zone (DMZ) and usually involves access from untrusted networks or computers. A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. Because of its exposure to potential attacks, a bastion host must minimize the chances of penetration. For example, you can use a bastion host to mitigate the risk of allowing SSH
So, excited about the problem statement solving? Let's head towards it.
Step 1: If you have used AWS CLI before, you might know that the first and foremost step of using AWS CLI is AWS configure, so type the below command:
aws configure --profile naitik2
AWS Access Key ID [****************AHNK]:
AWS Secret Access Key [****************n/lk]:
Default region name [ap-south-1]:
Default output format [None]:
Step 2: In this step, we will create a VPC. We will create Amazon VPC (which stands for Amazon Virtual Private Cloud), which lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including a selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.
The Terraform code for the same is given below:
resource "aws_vpc" "naitik2_vpc" {
cidr_block = "192.168.0.0/16"
instance_tenancy = "default"
enable_dns_hostnames = true
tags = {
Name = "naitik2_vpc"
}
}
Step 3: Now we will create two subnets:
- public subnet [ Accessible for Public World! ]
- private subnet [ Restricted for Public World! ]
A subnet is “part of the network”, in other words, part of the entire availability zone. Each subnet must reside entirely within one Availability Zone and cannot span zones. I am giving the Terraform code for creating two subnets, private and public below:
resource "aws_subnet" "naitik2_public_subnet" {
vpc_id = "${aws_vpc.naitik2_vpc.id}"
cidr_block = "192.168.0.0/24"
availability_zone = "ap-south-1a"
map_public_ip_on_launch = "true"
tags = {
Name = "naitik2_public_subnet"
}
}
resource "aws_subnet" "naitik2_private_subnet" {
vpc_id = "${aws_vpc.naitik2_vpc.id}"
cidr_block = "192.168.1.0/24"
availability_zone = "ap-south-1a"
tags = {
Name = "naitik2_private_subnet"
}
}
Step 4: In step 4, we will create a public-facing gateway. An internet gateway is a VPC component that is horizontally scalable, redundant, and highly accessible allowing connectivity between your VPC and the internet.
The Terraform code is:
resource "aws_internet_gateway" "naitik2_gw" {
vpc_id = "${aws_vpc.naitik2_vpc.id}"
tags = {
Name = "naitik2_gw"
}
}
Step 5: Then, we create a routing table and connect the Public Subnet with it. A routing table (RIB) is an electronic file or database-type item that is stored on a router or networked device which contains the routes (which, in some cases, the metrics associated with such routes) to various destinations on the network. The topology of the network close to it is included in these results.
The Terraform code can be found below:
resource "aws_route_table" "naitik2_rt" {
vpc_id = "${aws_vpc.naitik2_vpc.id}"
route {
cidr_block = "0.0.0.0/0"
gateway_id = "${aws_internet_gateway.naitik2_gw.id}"
}
tags = {
Name = "naitik2_rt"
}
}
resource "aws_route_table_association" "naitik2_rta" {
subnet_id = "${aws_subnet.naitik2_public_subnet.id}"
route_table_id = "${aws_route_table.naitik2_rt.id}"
}
Step 6: Now we are building our protection community that will be used as WordPress is released. This security group has External Communication rights. To control incoming and outgoing traffic, a security group acts as a virtual firewall for your EC2 instances. Inbound rules control your example's incoming traffic, and outbound rules control your example's outgoing traffic. The network interfaces are aligned with the security classes.
Again the Terraform code can be found below:
resource "aws_security_group" "naitik2_sg" {
name = "naitik2_sg"
vpc_id = "${aws_vpc.naitik2_vpc.id}"
ingress {
description = "allow_http"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = [ "0.0.0.0/0"]
}
ingress {
description = "allow_ssh"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
description = "allow_icmp"
from_port = 0
to_port = 0
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
description = "allow_mysql"
from_port = 3306
to_port = 3306
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "naitik2_sg"
}
}
Bastion Host for this security group -
resource "aws_security_group" "bastion_ssh_only" {
depends_on=[aws_subnet.naitik2_public_subnet]
name = "bastion_ssh_only"
description = "It allows bastion ssh inbound traffic"
vpc_id = aws_vpc.naitik2_vpc.id
ingress {
description = "allow bastion with ssh only"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
tags = {
Name = "bastion_ssh_only"
}
}
Step 7: In this step, we will be creating another security group for launching MySQL. This security group will keep MySQL accessible only through WordPress and not through outside world.
The Terraform code for the same is:
resource "aws_security_group" "naitik2_sg_private" {
name = "naitik2_sg_private"
vpc_id = "${aws_vpc.naitik2_vpc.id}"
ingress {
description = "allow_mysql"
from_port = 3306
to_port = 3306
protocol = "tcp"
security_groups = [aws_security_group.naitik2_sg.id]
}
ingress {
description = "allow_icmp"
from_port = -1
to_port = -1
protocol = "icmp"
security_groups = [aws_security_group.naitik2_sg.id]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
tags = {
Name = "naitik2_sg_private"
}
}
Bastion Host for this security group -
resource "aws_security_group" "bastion_host_sql_only" {
depends_on=[aws_subnet.naitik2_public_subnet]
name = "bastion_with_ssh_only"
description = "It allows bastion host with ssh only"
vpc_id = aws_vpc.naitik2_vpc.id
ingress {
description = "bastion host ssh only "
from_port = 22
to_port = 22
protocol = "tcp"
security_groups=[aws_security_group.bastion_ssh_only.id]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "bastion_with_ssh_only"
}
}
Step 8: Next, we will be creating a NAT gateway to connect our VPC/Network to the internet world. NAT Gateway is a highly available AWS managed service that makes it easy to connect to the Internet from instances within a private subnet in an Amazon Virtual Private Cloud (Amazon VPC). But first, you need to launch a NAT instance in order to enable NAT for instances in a private subnet.
resource "aws_eip" "naitik2-ip" {
vpc = true
public_ipv4_pool = "amazon"
}
output "new_output" {
value= aws_eip.naitik2-ip
}
resource "aws_nat_gateway" "naitik2_nat_gw" {
depends_on = [aws_eip.naitik2-ip]
allocation_id = aws_eip.naitik2-ip.id
subnet_id = aws_subnet.naitik2_public_subnet.id
tags = {
Name = "naitik2_nat_gw"
}
}
resource "aws_route_table" "vp_private_subnet_for_rt" {
depends_on = [aws_nat_gateway.naitik2_nat_gw]
vpc_id = aws_vpc.naitik2_vpc.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_nat_gateway.naitik2_nat_gw.id
}
tags = {
Name = "vp_private_subnet_for_rt"
}
}
resource "aws_route_table_association" "vp_private_subnet_for_rt_association" {
depends_on = [aws_route_table.vp_private_subnet_for_rt]
subnet_id = aws_subnet.naitik2_private_subnet.id
route_table_id = aws_route_table.vp_private_subnet_for_rt.id
}
Step 9: Now, we are ready to go. We launch our WordPress and MySQL instances using all the resources that we have created above.
WordPress:
resource "aws_instance" "wordpress" {
ami = "ami-ff82f990"
instance_type = "t2.micro"
key_name = "naitik2_key"
subnet_id = "${aws_subnet.naitik2_public_subnet.id}"
security_groups = ["${aws_security_group.naitik2_sg.id}"]
associate_public_ip_address = true
availability_zone = "ap-south-1a"
tags = {
Name = "naitik2_wordpress"
}
}
MySQL:
resource "aws_instance" "sql" {
ami = "ami-08706cb5f68222d09"
instance_type = "t2.micro"
key_name = "naitik2_key"
subnet_id = "${aws_subnet.naitik2_private_subnet.id}"
availability_zone = "ap-south-1a"
security_groups = ["${aws_security_group.naitik2_sg_private.id}"]
depends_on = [aws_security_group.bastion_host_sql_only,aws_security_group.bastion_ssh_only]
tags = {
Name = "naitik2_sql"
}
}
Bastion Host
resource "aws_instance" "bastion_host" {
depends_on=[aws_security_group.bastion_ssh_only]
ami = "ami-08706cb5f68222d09"
instance_type = "t2.micro"
key_name = "task4"
subnet_id= aws_subnet.naitik2_public_subnet.id
vpc_security_group_ids=[aws_security_group.bastion_ssh_only.id]
tags = {
Name = "bastion_host"
}
}
Step 10: Now, we run our terraform code. For doing so, we first run the command terraform init. This will download the necessary plugins.
Then, we run the command terraform apply --auto-approve. This will run the code and create the mentioned resources on the configured AWS Cloud.
Soon, we see that all our resources are added!
Now, we go to our AWS dashboard & see our WordPress & MYSQL running in the EC2 section.
And congratulations, you have successfully solved the problem statement, give yourself a pat on your back, and see you next time.
Goodbye!!!