Secure AWS Infrastructure for WordPress and MySQL

Aman Jhagrolia
6 min read · Jul 27, 2020


In my last AWS article, we built a complete AWS infrastructure from VPC to EC2 and successfully deployed WordPress with a MySQL database. One challenge remained: our MySQL database instance could not connect to the Internet to update or download anything. Here we solve that challenge using the NAT Gateway and Elastic IP (EIP) services of AWS.

Also, in that setup we could not reach our MySQL database instance from the public world, i.e. we could not connect to it over SSH and run the commands we need. The MySQL instance is not accessible from the public world, but it is accessible on the VPC's internal network. So here we use a Bastion Host to connect to MySQL over SSH. We'll launch the Bastion Host in the public subnet so that we can reach it from the public world, and then from the Bastion Host we can connect to our MySQL database instance over the internal VPC network.

A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. Because of its exposure to potential attack, a bastion host must minimize the chances of penetration. For example, you can use a bastion host to mitigate the risk of allowing SSH connections from an external network to the Linux instances launched in a private subnet of your Amazon Virtual Private Cloud (VPC).

Here you can get my Terraform code, which is divided into different modules and multiple files. Now let's see what each module and file does.

variables.tf — This Terraform file contains all the variables used to build the complete AWS infrastructure.

main.tf — This is the main Terraform file; it holds the provider configuration and the outputs, and all the other modules are imported here.

VPC Module :-

This module creates and configures the VPC resources in AWS.

vpc-and-subnets.tf — This Terraform file creates a VPC and two subnets (a public subnet and a private subnet).

rt-and-gw.tf — This creates the Internet Gateway, the NAT Gateway, and the route tables, and then associates the route tables with the subnets.

EC2 Module :-

This module creates and configures the EC2 resources in AWS.

key-and-sg.tf — This Terraform file creates the key pair and the security groups for us: three security groups, one each for WordPress, MySQL, and the Bastion Host.

instances.tf — This Terraform code launches the WordPress and MySQL instances for us: WordPress in the public subnet and MySQL in the private subnet. It also launches the Bastion Host in the public subnet.

On Applying Terraform Code :-

Now, after writing the complete Terraform code, we just need to apply it with the “terraform apply” command, and Terraform starts building our infrastructure.

Finally, we can see that 20 resources were created, including the VPC, subnets, Internet Gateway, route tables, key pair, security groups, instances, etc. In the output it also gives the private DNS name of the database host (MySQL), which we will use while configuring the WordPress site, and the IP of the Bastion Host.

Terraform Apply

Here is the status of the VPC Dashboard before and after applying the Terraform code. We can clearly see that the number of VPC resources increased after the apply.

VPC Dashboard

Here are the VPCs: one is the default provided by AWS, and the other is the one we just created using Terraform.

VPCs

These are the subnets; two of them were just created in our VPC (one public and the other private).

Subnets

Here is the Internet Gateway that was created and attached to the VPC.

Internet Gateway

One Elastic IP Address is also allocated.

Elastic IP

Here is our NAT Gateway, through which our MySQL database instance can connect to the Internet and download what it needs. The EIP allocated just before is associated with this NAT Gateway.

NAT Gateway

Two route tables were also created. One is associated with the public subnet (route to the Internet Gateway) and the other with the private subnet (route to the NAT Gateway).

Route Tables

Three security groups were also created: one for WordPress, which allows clients to connect to the WordPress site; one for the MySQL instance, which allows the WordPress instance to connect to the MySQL database to store data and the Bastion Host to connect to it over SSH; and the last for the Bastion Host, which allows us to connect to it over SSH.

Security Groups
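The bastion and MySQL security groups that key-and-sg.tf and the paragraph above describe, as an added example that is not the article's own code. The point it shows is that the MySQL rules reference other security groups rather than CIDR ranges, so only WordPress members can reach 3306 and only bastion members can reach 22; it assumes aws_vpc.main, an existing aws_security_group.wordpress, and a variable var.admin_cidr for the operator's source range.

```hcl
# Added example, not the article's own key-and-sg.tf. Assumes aws_vpc.main,
# a WordPress security group aws_security_group.wordpress, and a variable
# var.admin_cidr holding the operator's source range (for example a /32).

resource "aws_security_group" "bastion" {
  name   = "bastion-sg"
  vpc_id = aws_vpc.main.id

  # SSH to the bastion only from the admin range, not from 0.0.0.0/0.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "mysql" {
  name   = "mysql-sg"
  vpc_id = aws_vpc.main.id

  # 3306 only from members of the WordPress security group, not a CIDR.
  ingress {
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.wordpress.id]
  }
  # SSH only from members of the bastion security group.
  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion.id]
  }
  # Outbound stays open so updates can flow out through the NAT Gateway.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```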

One key pair was also created; using it we can log in to our WordPress, Bastion Host, and MySQL instances over SSH.

Key-Pairs

Here are our three instances, running MySQL, WordPress, and the Bastion Host. Since WordPress and the Bastion Host run in the public subnet, a public IP is associated with them, but MySQL runs in the private subnet, so we can see that no public IP is associated with it.

EC2 Instances

Finally, we are connected to our WordPress site. Now we can configure and use it.

WordPress

Also, we can see that we are unable to connect to the MySQL database instance from the public world, so our database is not exposed to attacks from the public Internet.

Can't Connect to DB from Public

But if we want to change something in our database, we can SSH into it from the Bastion Host. So we log in to our Bastion Host, which runs in our public subnet, and from the Bastion Host we SSH into our MySQL database instance and run commands on it. We can also see that our MySQL instance is able to ping Google, which shows that the database instance can connect to the Internet to install updates or download something.

Using Bastion Host

At last, I conclude my article in the hope that it will help you. Thanks!!
