Launching a VPC with Public & Private subnet & NAT Gateway in AWS using Terraform!
This blog will guide you to create a VPC &2 subnets in it, one is public & another one is private. Then WordPress ec2 instance will be created in the public subnet, & a MySQL instance in the Private subnet. The MySQL instance will only allow the WordPress instance to connect and that too only for the database. Therefore to do any updates in the MySQL instance, one more ec2 instance known as Bastion Host or Jump Box will be created to access the MySQL instance. For MySQL to connect to the Internet, a NAT Gateway is created in the public subnet. Multiple Security groups are also created in this complete process to provide optimal security!
Ever wondered about launching the whole infrastructure in just one command, yes, it seems to be impossible, but it is possible. In this blog, I will guide you to construct the complete Pipeline described in the Introduction section of this blog.
The future is really about automation, it is a fact, it can be proved even by looking in the daily life examples, each & every one of us desires the things which are automated. No one wants to wait for even a second, everyone requires the work to be completed in lightning-fast speed, which is not possible if the work is being done manually. Therefore to achieve lightning-fast speed, work has to done automatically.
Without automation, today’s world can’t survive, in the present situation almost every company uses automation. For example, consider banks, they send the messages for each transaction, that process is automated right, it is not done manually. There are tons of examples present like these, & I am sure that most of you are experiencing these examples in your daily life.
Prerequisite for this Pipeline to Implement
- Some knowledge of AWS & Github.
- It would be a plus point for you if you are having the knowledge of JSON, because, in this Pipeline, HCL (Hashi Configuration Language) has been used which is the native language for Terraform, & it is very similar to JSON.
Explanation of Terraform
It is a tool developed by HashiCorp. Link for it is given below:
It is a tool that has the capability to handle the multi-cloud setup. It is a standardized tool, i.e. we have to write the code in one language only, but it will be automatically used to interact with multiple clouds (technically known as Terraform Providers). Its providers are listed in its documentation, the link for the same is present above.
Terraform works on declarative language, i.e. we just have to tell it what has to be done, it will automatically look into the situation & do that thing for us.
Terraform is intelligent because of the plugins for each of the providers it has, using them as API, it can interact with any of its providers.
Now, you are having more than enough knowledge required for this Pipeline, let’s begin the explanation of the complete automation Pipeline of Terraform.
List of steps in the Pipeline
Steps in the Pipeline:
- Create a Provider for AWS.
- Create an AWS key pair.
- Create a VPC (Virtual Private Cloud in AWS).
- Create a Public Subnet with auto public IP Assignment enabled in custom VPC.
- Create a Private Subnet in customer VPC.
- Create an Internet Gateway for Instances in the public subnet to access the Internet.
- Create a routing table consisting of the information of Internet Gateway.
- Associate the routing table to the Public Subnet to provide the Internet Gateway address.
- Creating an Elastic IP for the NAT Gateway.
- Creating a NAT Gateway for MySQL instance to access the Internet (performing source NAT).
- Creating a route table for the Nat Gateway Access which has to be associated with MySQL Instance.
- Associating the above-created route table with MySQL instance.
- Create a Security Group for the WordPress instance, so that anyone in the outside world can access the instance by SSH.
- Create a Security Group for Mysql instance which allows database access to only those instances who are having the WordPress security group created in step 9.
- Creating a Security Group for the Bastion Host which allows anyone in the outside world to access the Bastion Host by SSH.
- Creating a Security Group for the MySQL Instance which allows only bastion host to connect & do the updates.
- Launch a Webserver Instance hosting WordPress in it.
- Launch a MySQL instance.
- Launch a Bastion Host.
- Remote access to bastion host & from there access MySQL remotely and perform configuration.
- Remote access to WordPress and perform some configuration.
Code of the End-to-End Pipeline
In this pipeline, its explanation for each of the part is present in the code shown below with the help of comments for each part.
Step 1: Creating a Provider for AWS!
Step 2: Creating an AWS keypair!
Step 3: Create a VPC (Virtual Private Cloud in AWS)!
Step 4: Create a Public Subnet with auto public IP Assignment enabled in custom VPC!
Step 5: Create a Private Subnet in customer VPC!
Step 6: Creating an Internet Gateway!
Step 7: Create a routing table for Internet Gateway!
Step 8: Associate the routing table to the Public Subnet!
Step 9: Creating an Elastic IP for the NAT Gateway!
Step 10: Creating a NAT Gateway!
Step 11: Creating a Route Table for the NAT Gateway!
Step 12: Associating the Route table for NAT Gateway to Public Subnet!
Step 13: Create a Security Group for the WordPress instance!
Step 14: Create a Security Group for Mysql instance!
The security group created below allows the access to the database only from the instances associated with the WordPress Security Board.
Step 15: Creating a Security Group for the Bastion Host!
This security group will allow anyone in the world to access this instance through SSH.
Step 16: Creating a Security Group for the MySQL Instance which allows only bastion host to connect & do the updates!
Step 17: Launching a Webserver Instance hosting WordPress in it in public subnet!
Step 18: Launching a MySQL instance in the private subnet!
Step 19: Launching a Bastion Host instance in the public subnet!
Step 20: Remote access to the bastion host, from there access MySQL remotely, & perform some configuration!
First of all, use the bastion host public IP and login to it using the key attached to it using SSH. Dummy command to be followed:
ssh -i <Bastion host login Key Path> <username>@<IP of the bastion Host>Note: Generally username of the amazon linux 2 is ec2-user
Now copy the key for MySQL instance from the local system to the bastion host.
scp -i <MySQL Login key pair path> <path of file to copy> <Path where to copy>Note: The path where you copying the file should be accessible by the user. In my case command looks like this:cp -i MyKeyFinal.pem MyKeyFinal.pem ec2-user@<Bastion host IP>:/home/ec2-user/
Now, you must be landed on the MySQL Instance. Now, we have to perform configuration in MySQL so that WordPress can access the database.
First of all, open the MySQL Database by running the command “mysql”. Now, create a database in it I created one with the name of wordpress, by using the command “create database wordpress;”.
Now, we have to grant all privileges on this database, and for that run the command given below:
grant all privileges on wordpress.* to "wordpressUser"@"%" identified by "wordpressPassword";Note: This command will set the username & passowrd for WordPress as "wordpressUser" & "wordpressPassword" respectively.
After this, these settings/privileges has to be made permanent & for that run the command “flush privileges;”, & exit from the MySQL.
Now, run the services of MySQL and make them permanent by the commands given below.
service mysqld start
chkconfig mysqld onNote: The above will work in centos version <= 7 or any other equivalent Linux flavor. If any other version is used, then in some of them like RHEL 8, Amazon Linux 2, systemctl command will work.
Step 21: Remote access to WordPress and perform some final configuration to complete the setup!
This configuration will automatically configure WordPress to use MySQL by giving the host address & database access settings in the configuration file.
First of all, switch to the wordpress folder by running the command:
cd /var/www/html/wordpress/Now, edit one file named “wp-config-sample.php” by using vim editor. In this file, 4 fields need editing, which are displayed in the below image. [I already edited them, you have to edit them according to your settings of the database name, database host Ip, etc.
Now, you have to rename this file to “wp-config.php”, do the same by running the command given below.
mv wp-config-sample.php wp-config.phpNow, restart the services of the httpd (apache webserver) by running the command given below.
systemctl restart httpdNow, you just have to type the public IP of the wordpress instance in the URL window of the browser followed by the “/wordpress”.
For example: 15.5.7.57/wordpress
If the code shown till here is combined in one single file and been executed then it becomes the complete infrastructure as a code (IAAC).
This concludes our Pipeline!
Important Commands & Facts to run this code!
- You should have Terraform installed in your system!
- After copying this code in a file, save that file with the “.tf” extension.
- Run “terraform init” command.
- Then run “terraform apply” to create your complete infrastructure!
- Finally, when your work is completed, destroy your environment with the command “terraform destroy”.
I hope my article explains each and everything related to the complete end-to-end Terraform Pipeline of launching custom VPC with utmost security measures along with the explanation of the code, its configuration & execution of code. Thank you so much for investing your time in reading my blog & boosting your knowledge!
