Creating a VPC, Subnets, Route Tables, an EIP, a NAT Gateway and an Internet Gateway, and Launching MySQL and WordPress Instances on It Using Terraform
What we are doing here …
1. Write infrastructure as code using Terraform that automatically creates a VPC.
2. In that VPC we have to create 2 subnets:
   - public subnet [ accessible from the public world ]
   - private subnet [ restricted from the public world ]
3. Create a public-facing internet gateway to connect our VPC/network to the internet, and attach this gateway to our VPC.
4. Create a routing table for the internet gateway so that instances can reach the outside world; update it and associate it with the public subnet.
5. Create a NAT gateway to connect our VPC/network to the internet, and attach this gateway to our VPC in the public subnet.
6. Update the routing table of the private subnet so that it uses the NAT gateway created in the public subnet to reach the internet.
7. Launch an EC2 instance that already has WordPress set up, with a security group allowing port 80 so that our clients can connect to our WordPress site. Also attach the key pair to the instance for later login.
8. Launch an EC2 instance that already has MySQL set up, with a security group allowing port 3306, in the private subnet so that our WordPress VM can connect to it. Also attach the key pair to it.
9. Create one bastion OS for maintenance purposes. It lets us log in to the MySQL instance for any future changes we make on it.
Note: the WordPress instance has to be in the public subnet so that clients can reach our site.
The MySQL instance has to be in the private subnet so that the outside world can't connect to it.
Don't forget to enable the auto-assign public IP and auto-assign DNS hostname options.
For prerequisites, refer to my previous article, where I explain everything from the very basics. Here is a link …
How we do…
$ We create one VPC in the ap-south-1 region.
$ We create two subnets: one with public access and one with private access. To make a subnet private, we do not associate it with the route table that points at the internet gateway.
$ We create one internet gateway to give our VPC connectivity to the outside world. Without an internet gateway, our packets cannot reach the public internet.
$ We create one route table and attach it to subnet 1a, because that is the subnet we give public access. Attaching a route table to a subnet is called a route table association.
NAT Gateway: a highly available, AWS-managed service that makes it easy to connect to the internet from instances in a private subnet of an Amazon Virtual Private Cloud (Amazon VPC). It always requires one Elastic IP, so we also create one EIP for it. Always place the NAT gateway in a public subnet; in our case only subnet 1a is connected to the internet gateway.
$ Now we create one NAT gateway.
(Note: a NAT gateway is not a free service; it is charged for.)
$ We create one more route table, which we connect to the NAT gateway, for the private subnet.
$ Now we create the 4 security groups (firewalls), which allow only specific requests into the instances and block the rest.
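The network layout from the steps above, written out as an added Terraform example (this is not the article's own code). The region ap-south-1 comes from the article; the CIDR ranges, availability zones, resource names and the AWS provider v5 syntax (`domain = "vpc"` on the EIP, where older providers used `vpc = true`) are assumptions.

```hcl
# Added example (not the article's code): VPC, public and private subnets,
# internet gateway, EIP + NAT gateway and the two route tables in ap-south-1.
# CIDRs, AZs and names below are assumptions; adjust them to your account.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "ap-south-1"
}

resource "aws_vpc" "main" {
  cidr_block           = "192.168.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true # auto DNS hostname assignment
  tags                 = { Name = "wp-vpc" }
}

# Public subnet in ap-south-1a: instances get a public IP at launch
resource "aws_subnet" "public_1a" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "192.168.1.0/24"
  availability_zone       = "ap-south-1a"
  map_public_ip_on_launch = true # auto public IP assignment
  tags                    = { Name = "public-1a" }
}

# Private subnet in ap-south-1b: no public IPs and no route to the IGW
resource "aws_subnet" "private_1b" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "192.168.2.0/24"
  availability_zone = "ap-south-1b"
  tags              = { Name = "private-1b" }
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

# Public route table: default route to the IGW, associated only with subnet 1a
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public_1a" {
  subnet_id      = aws_subnet.public_1a.id
  route_table_id = aws_route_table.public.id
}

# The NAT gateway needs an Elastic IP and must live in the public subnet
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public_1a.id
  depends_on    = [aws_internet_gateway.igw] # IGW must exist before NAT can reach out
}

# Private route table: outbound only through the NAT gateway, so the private
# subnet can fetch updates while nothing on the internet can initiate a connection to it
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

resource "aws_route_table_association" "private_1b" {
  subnet_id      = aws_subnet.private_1b.id
  route_table_id = aws_route_table.private.id
}
```

The two route tables are the whole point of the public/private split: the only difference between the subnets is which table they are associated with. After `terraform apply`, a quick check is `terraform state show aws_route_table.private`, which should list a route whose target is the NAT gateway and no `gateway_id` pointing at the IGW.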
Bastion OS / Jump Box: an OS/instance we launch for maintenance purposes only. Suppose we create one instance that has no public access for security reasons, and we need to maintain it. To get around this problem we create one bastion OS and launch it in the public subnet. We connect to this OS, and from it we go into the private subnet and connect to the instance running there. Keep in mind that the private instance is also connected to the NAT gateway.
Security group 1: we assign this SG to our WordPress instance and allow only port 80, because we want clients to be able to only read/access our website.
Security group 2: we assign this SG to our MySQL instance. We only want it to be reachable from our WordPress instance, so we allow only port 3306, and only for requests that come from SG1.
Security group 3: we create this SG for the bastion OS/jump box. We allow port 22 (SSH), because we want to be able to reach this instance from anywhere in the world.
Security group 4: we create SG4 to allow only requests that come from SG3.
$ Lastly, we create 3 instances: one for WordPress, a second for MySQL, and a third for maintenance (the bastion OS).
To the MySQL instance we attach 2 SGs: one allows requests from WordPress and the other allows requests from the bastion OS.
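The four security groups and three instances described above, as an added Terraform example (not the article's own code). It assumes the network resources `aws_vpc.main`, `aws_subnet.public_1a` and `aws_subnet.private_1b` already exist in the same configuration, AWS provider v5 (for the `aws_vpc_security_group_ingress_rule` / `aws_vpc_security_group_egress_rule` resources), and that the AMI IDs and key pair name are placeholders you replace with your own.

```hcl
# Added example (not the article's code). Assumes aws_vpc.main,
# aws_subnet.public_1a and aws_subnet.private_1b are defined elsewhere, and
# AWS provider v5. AMIs and key name below are placeholders, not real values.
variable "key_name"      { default = "REPLACE_WITH_YOUR_KEY_PAIR_NAME" }
variable "wordpress_ami" { default = "ami-REPLACE-WORDPRESS" }
variable "mysql_ami"     { default = "ami-REPLACE-MYSQL" }
variable "bastion_ami"   { default = "ami-REPLACE-BASTION" }

# Four empty groups; rules are attached as separate resources below so that
# the SG-to-SG references (SG1 -> SG2, SG3 -> SG4) are explicit
resource "aws_security_group" "sg" {
  for_each = toset(["sg1-wordpress", "sg2-mysql", "sg3-bastion", "sg4-mysql-ssh"])
  name     = each.key
  vpc_id   = aws_vpc.main.id
}

# SG1: HTTP from anywhere, the only port clients need
resource "aws_vpc_security_group_ingress_rule" "sg1_http" {
  security_group_id = aws_security_group.sg["sg1-wordpress"].id
  ip_protocol       = "tcp"
  from_port         = 80
  to_port           = 80
  cidr_ipv4         = "0.0.0.0/0"
}

# SG3: SSH to the bastion from anywhere, as in the article; narrowing cidr_ipv4
# to your own address range is the safer default
resource "aws_vpc_security_group_ingress_rule" "sg3_ssh" {
  security_group_id = aws_security_group.sg["sg3-bastion"].id
  ip_protocol       = "tcp"
  from_port         = 22
  to_port           = 22
  cidr_ipv4         = "0.0.0.0/0"
}

# SG2: MySQL only from members of SG1 (a group reference, not a CIDR,
# so it still holds if the WordPress instance changes IP)
resource "aws_vpc_security_group_ingress_rule" "sg2_mysql_from_sg1" {
  security_group_id            = aws_security_group.sg["sg2-mysql"].id
  ip_protocol                  = "tcp"
  from_port                    = 3306
  to_port                      = 3306
  referenced_security_group_id = aws_security_group.sg["sg1-wordpress"].id
}

# SG4: SSH to the MySQL host only from members of SG3 (the bastion)
resource "aws_vpc_security_group_ingress_rule" "sg4_ssh_from_sg3" {
  security_group_id            = aws_security_group.sg["sg4-mysql-ssh"].id
  ip_protocol                  = "tcp"
  from_port                    = 22
  to_port                      = 22
  referenced_security_group_id = aws_security_group.sg["sg3-bastion"].id
}

# Allow all outbound on every group (package installs via IGW or NAT).
# Terraform removes the AWS default egress rule, so it has to be declared.
resource "aws_vpc_security_group_egress_rule" "all_out" {
  for_each          = aws_security_group.sg
  security_group_id = each.value.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}

resource "aws_instance" "wordpress" {
  ami                    = var.wordpress_ami
  instance_type          = "t2.micro"
  subnet_id              = aws_subnet.public_1a.id
  vpc_security_group_ids = [aws_security_group.sg["sg1-wordpress"].id]
  key_name               = var.key_name
  tags                   = { Name = "wordpress" }
}

# MySQL carries two groups: SG2 for the application, SG4 for maintenance
resource "aws_instance" "mysql" {
  ami                    = var.mysql_ami
  instance_type          = "t2.micro"
  subnet_id              = aws_subnet.private_1b.id
  vpc_security_group_ids = [aws_security_group.sg["sg2-mysql"].id, aws_security_group.sg["sg4-mysql-ssh"].id]
  key_name               = var.key_name
  tags                   = { Name = "mysql" }
}

resource "aws_instance" "bastion" {
  ami                    = var.bastion_ami
  instance_type          = "t2.micro"
  subnet_id              = aws_subnet.public_1a.id
  vpc_security_group_ids = [aws_security_group.sg["sg3-bastion"].id]
  key_name               = var.key_name
  tags                   = { Name = "bastion" }
}

output "wordpress_url"    { value = "http://${aws_instance.wordpress.public_ip}" }
output "mysql_private_ip" { value = aws_instance.mysql.private_ip }
```

Because SG2 and SG4 reference source security groups rather than CIDR blocks, the MySQL host accepts 3306 only from whatever is currently a member of SG1 and SSH only from members of SG3; no other host in the VPC, and nothing on the internet, can open a connection to it. Since the hop through the bastion is enforced at the network level, ssh's `ProxyJump` option (`ssh -J`) lets you make that hop from your workstation without copying the private key onto the bastion.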
$ Now we log in to the bastion OS. A console like this will appear.
Now upload the key on your system to the bastion OS using any software; this lets us connect to MySQL. In my case I use WinSCP.
In the password section, select the advanced option.
Select your key, which is in .ppk format. In the step above, we only connected our local system to the bastion OS. Once the connection is established, select the path where your key is present and drag it to the other side. Your key is now copied from your local system to the bastion OS.
Run the command chmod 400 your_key_name. This restricts the key file's permissions so that ssh will accept it.
Now run the command ssh -i your_key_name -l ec2-user your_private_ip_of_Mysql.
You are now logged in to your private instance. To check whether our instance has outside connectivity or not, I run the yum install docker command, and it works fine.