HYBRID-MULTI-CLOUD(TASK-3)

MAYANK VARSHNEY
6 min read, Sep 2, 2020


Creating Two Subnets MySQL & WordPress in my Own VPC

Before the task, let's talk about some services which we are going to use:

What is VPC?

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

What is Subnet?

A subnet is a logical subdivision of an IP (VPC) network. The practice of dividing a network into two or more networks is called subnetting. AWS provides two types of subnets: a public subnet, which allows the internet to reach the machine, and a private subnet, which is hidden from the internet.

What is Internet Gateway?

An Internet Gateway is a logical connection between an Amazon VPC and the Internet. Only one can be associated with each VPC. If a VPC does not have an Internet Gateway, then the resources in the VPC cannot be accessed from the Internet.

What is Route Table?

A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed. To put it simply, a route table tells network packets which way they need to go to reach their destination. Each subnet in your VPC must be associated with a route table, which controls the routing for the subnet.

A subnet is deemed to be a Public Subnet if it has a Route Table that directs traffic to the Internet Gateway.

Statement:

We have to create a web portal for our company with as much security as possible. So, we use the WordPress software with a dedicated database server.
The database should not be accessible from the outside world, for security purposes.
Only WordPress needs to be exposed to clients.
So here are the steps for proper understanding!

Steps:
1) Write Infrastructure as Code using Terraform, which automatically creates a VPC.

2) In that VPC we have to create 2 subnets:
a) public subnet [ Accessible for Public World! ]
b) private subnet [ Restricted for Public World! ]

3) Create a public-facing Internet Gateway to connect our VPC/network to the internet, and attach this gateway to our VPC.

4) Create a routing table for the Internet Gateway so that instances can connect to the outside world; update it and associate it with the public subnet.

5) Launch an EC2 instance which has WordPress set up already, with a security group allowing port 80 so that our clients can connect to our WordPress site.
Also attach the key to the instance for later login.

6) Launch an EC2 instance which has MySQL set up already, with a security group allowing port 3306, in the private subnet so that our WordPress VM can connect to it.
Also attach the key to it.

Now that we know what a VPC, Subnet, Internet Gateway and Route Table are, we can start the hands-on part.

Configure AWS profile in Terraform

In order to use AWS resources, we need to configure our AWS profile.

provider "aws" {
  region  = "ap-south-1"
  profile = "mayank"
}

Create our own VPC

Here, we have created our own VPC with the IP range 192.168.0.0/16. Don't forget to enable DNS hostnames and DNS support while creating the new VPC.

resource "aws_vpc" "main" {
  cidr_block           = "192.168.0.0/16"
  instance_tenancy     = "default"
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags = {
    Name = "terra_vpc"
  }
}

Create two Subnets in the new VPC

We have created two subnets, one in availability zone ap-south-1a and the other in availability zone ap-south-1b.

resource "aws_subnet" "subnet1" {
  vpc_id                  = "${aws_vpc.main.id}"
  cidr_block              = "192.168.1.0/24"
  map_public_ip_on_launch = true
  availability_zone       = "ap-south-1a"
  tags = {
    Name = "public-subnet"
  }
}

resource "aws_subnet" "subnet2" {
  vpc_id                  = "${aws_vpc.main.id}"
  cidr_block              = "192.168.2.0/24"
  map_public_ip_on_launch = false
  availability_zone       = "ap-south-1b"
  tags = {
    Name = "private-subnet"
  }
}

In this section, the argument map_public_ip_on_launch is very important. The subnet which has a true value for this argument will act as the Public Subnet. The instances in subnet-1 (ap-south-1a) will be assigned a public IP on launch, whereas the instances in subnet-2 (ap-south-1b) will not be assigned a public IP on launch.

Create Internet Gateway for our VPC

resource "aws_internet_gateway" "gw" {
  vpc_id = "${aws_vpc.main.id}"
  tags = {
    Name = "terra-internet_gateway"
  }
}

Create Route Table providing route to Internet Gateway

We need to create a new route table with a rule which directs traffic to our Internet Gateway.

resource "aws_route_table" "taskroute" {
  vpc_id = "${aws_vpc.main.id}"
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = "${aws_internet_gateway.gw.id}"
  }
  tags = {
    Name = "terra-route_table"
  }
}

Associate Route Table to Public Subnet

In order to make our subnet public, we need to give it a route to the Internet Gateway. This is done by associating the route table with the public subnet.

resource "aws_route_table_association" "a" {
  subnet_id      = aws_subnet.subnet1.id
  route_table_id = aws_route_table.taskroute.id
}

With this our VPC is fully set up. Now we can launch the WordPress and MySQL instances in the public and private subnets respectively.

Create AWS Key Pair

Every EC2 instance requires a public key for SSH remote login. Here, we generate a key pair, save the private half to a local .pem file, and create a new AWS key pair from the public half using the resource aws_key_pair.

resource "tls_private_key" "test" {
  algorithm = "RSA"
}

# Save the private half locally; this is the file used to log in
resource "local_file" "web" {
  content         = tls_private_key.test.private_key_pem
  filename        = "redhatkey.pem"
  file_permission = "0400"
}

# Register only the public half with AWS
resource "aws_key_pair" "test_key" {
  key_name   = "redhatkey"
  public_key = tls_private_key.test.public_key_openssh
}

Create Security Groups for WordPress and MySQL instances

The Security Group for WordPress has ingress rules allowing HTTP (port 80) and SSH (port 22). The MySQL Security Group has an inbound rule which allows access only from instances that are part of the WordPress Security Group.

resource "aws_security_group" "terra_s" {
  name        = "wpsg"
  description = "Allow HTTP SSH inbound traffic"
  vpc_id      = "${aws_vpc.main.id}"

  ingress {
    description = "Allow HTTP"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "Allow SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "allow_tcp"
  }
}

resource "aws_security_group" "terra1_s" {
  name        = "mysqlsg"
  description = "Allow MYSQL inbound traffic"
  vpc_id      = "${aws_vpc.main.id}"

  ingress {
    description     = "Allow MYSQL"
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = ["${aws_security_group.terra_s.id}"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "allow_mysql"
  }
}
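The wpsg group above accepts SSH from every address. As an added example (not part of the original post), here is a hardened variant: SSH is limited to an operator network supplied through a variable named admin_cidr (an assumed name), the variable refuses the catch-all CIDR at plan time, and outbound traffic is narrowed to MySQL on the private subnet plus HTTPS. It assumes Terraform 0.13 or later for the validation block.

```hcl
# Added example, not from the original post: a hardened variant of "wpsg".
# The post opens SSH (22) to 0.0.0.0/0; here SSH is limited to an operator
# network given as `admin_cidr` (assumed name), which rejects the catch-all CIDR.
variable "admin_cidr" {
  description = "IPv4 CIDR allowed to SSH to the WordPress host (office/VPN range)"
  type        = string
  validation {
    condition     = can(cidrnetmask(var.admin_cidr)) && var.admin_cidr != "0.0.0.0/0"
    error_message = "admin_cidr must be a valid IPv4 CIDR and must not be 0.0.0.0/0."
  }
}

resource "aws_security_group" "wp_hardened" {
  name        = "wpsg-hardened"
  description = "HTTP from anywhere, SSH only from admin_cidr"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "Allow HTTP"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "Allow SSH from the admin network only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  # Outbound is narrowed too: MySQL to the private subnet, HTTPS for updates.
  egress {
    description = "MySQL to the private subnet"
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = [aws_subnet.subnet2.cidr_block]
  }
  egress {
    description = "HTTPS for package and plugin updates"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

If this group replaces terra_s on the WordPress instance, point the MySQL group's security_groups at aws_security_group.wp_hardened.id so the database still accepts connections only from the WordPress host.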

Launch EC2 instance with MySQL setup

Finally, we can launch our MySQL database server. We launch the MySQL instance in the private subnet (subnet-2) so that it cannot be accessed from the public world.

resource "aws_instance" "myin1" {
  ami                    = "ami-08f51256df22d9a82"
  instance_type          = "t2.micro"
  key_name               = aws_key_pair.test_key.key_name
  vpc_security_group_ids = ["${aws_security_group.terra1_s.id}"]
  subnet_id              = "${aws_subnet.subnet2.id}"
  tags = {
    Name = "MySQLOs"
  }
}

Launch EC2 instance with WordPress setup

Now, we will launch our WordPress server. We launch the WordPress instance in the public subnet (subnet-1) so that it can be accessed by public users/clients.

resource "aws_instance" "myin" {
  ami                    = "ami-06aa3ba6f5ce2f2d0"
  instance_type          = "t2.micro"
  key_name               = aws_key_pair.test_key.key_name
  vpc_security_group_ids = ["${aws_security_group.terra_s.id}"]
  subnet_id              = "${aws_subnet.subnet1.id}"
  tags = {
    Name = "WPOs"
  }
}

Finally, we apply all this code from the command line as follows:

terraform apply

Now we have our WordPress and MySQL instances set up and running; we can see the default WordPress page by browsing to the public IP of the WordPress instance.
