In this article we will demonstrate the basic steps necessary to build a two-tiered WordPress application using Virtual Private Cloud. Our VPC network topology will look like this:


https://www.binarylane.com.au/res/images/binarylane/vpc/public-private.png 


We have selected WordPress for this example since it is popular and easy to install, but the general process is applicable to any web application that uses a database for content storage.


 

Server Provisioning

Create two Ubuntu 18.04 servers that are members of the same VPC. Our web server should have an external IP address (the default), while our database server should not.  

Here is what my configuration looks like in mPanel:





Note that db.example does not have a public IP address.


 

Accessing the database server

To install MySQL on our database server, we need to connect to it over SSH and run the appropriate commands. However, our database server does not have a public IP, so we must connect through our web server instead. This method of accessing our private second tier is sometimes called using a jumpbox or a bastion host.


user@office:~$ ssh -A [email protected]
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-49-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

# ssh [email protected]
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-49-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

root@db:~#


(Here I have used SSH key authentication to log in as root; if you have not set this up, log in as user "vps" and provide the password when prompted.)

Because the database server does not have a public IP it does not have internet access, so installing MySQL will fail:


root@db:~# apt-get install mysql-server
[snip]
0 to upgrade, 13 to newly install, 0 to remove and 0 not to upgrade.
Need to get 9,007 kB of archives.
After this operation, 96.8 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
0% [Connecting to mirror.mammothvps.com.au]


With no internet access, apt-get simply hangs until we press CTRL+C to abort.


   

Providing outbound (NAT) internet access

To install packages, we need to allow our database server to make outbound requests to the internet.  This requires three changes:

  1. Use mPanel to enable the web server to route
  2. Configure our VPC route table to send requests through our web server
  3. Configure our web server to provide NAT functionality



Enable routing in mPanel

Click into the mPanel dashboard for the web server. Down the left-hand side there is a section labelled Network:





To let our web server provide NAT functionality, Source/Dest Check must be disabled. Click the "Enabled" link and disable the check.



Configure the VPC route table

From the "Services" page in mPanel, click the "Configure Routes" button. This displays the following screen, which I have already filled out:





Enter a new route with destination set to 0.0.0.0/0, and the target as the internal IP of the web server. Click "Save and Apply" to update the VPC configuration.



Configure web server to enable NAT

To configure NAT on the web server, connect to it via SSH and run the following commands:


echo net.ipv4.ip_forward=1  >> /etc/sysctl.conf
sysctl -p
iptables -t nat -A POSTROUTING -s 10.240.0.0/16 -j SNAT --to-source 10.240.0.5
apt-get install iptables-persistent  # say 'yes' when asked whether to save existing rules


(You will need to insert your web server's internal IP on the third line)
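
The commands above enable forwarding and add the SNAT rule, but they do not touch the filter table's FORWARD chain, which on a stock Ubuntu install has a default ACCEPT policy, so the web server will forward whatever is routed to it. The following check is an added example, not part of the original article: it audits an `iptables-save` dump for that condition, using two constructed, trimmed dumps and the article's sample addresses; the function and finding names are hypothetical.

```shell
# Added example; both dumps are constructed (trimmed iptables-save output).
VPC_CIDR="10.240.0.0/16"   # VPC range from the article's SNAT rule

as_configured() {   # state after only the article's commands
cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.240.0.0/16 -j SNAT --to-source 10.240.0.5
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
EOF
}

restricted() {      # same NAT rule, forwarding limited to VPC-originated flows
cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.240.0.0/16 -j SNAT --to-source 10.240.0.5
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.240.0.0/16 -j ACCEPT
COMMIT
EOF
}

# Reads an iptables-save dump on stdin; prints one finding per line.
audit_forwarding() {
  awk -v cidr="$VPC_CIDR" '
    /^:FORWARD /                  { policy = $2 }
    /^-A POSTROUTING .*-j SNAT/   { snat = 1
                                    if (!index($0, "-s " cidr " ")) unscoped = 1 }
    /^-A FORWARD / && /-j ACCEPT/ { if (!index($0, "-s " cidr " ") &&
                                        $0 !~ /--ctstate/) broad = 1 }
    END {
      if (policy == "")     policy = "UNKNOWN"
      if (!snat)            print "NO_SNAT_RULE"
      if (unscoped)         print "SNAT_NOT_LIMITED_TO_VPC"
      if (policy != "DROP") print "FORWARD_POLICY_" policy
      if (broad)            print "FORWARD_ACCEPT_NOT_LIMITED_TO_VPC"
    }'
}

echo "as configured: $(as_configured | audit_forwarding)"
echo "restricted:    $(restricted | audit_forwarding)"
```

On the web server itself, pipe the live ruleset through the same function as root: `iptables-save | audit_forwarding`.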


With these three steps completed, we now have a fully functioning two-tier VPC environment and can proceed with our database installation.


 

Installing MySQL

SSH to your web server, and from there SSH into your database server:


user@office:~$ ssh -A [email protected]
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-49-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

# ssh [email protected]
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-49-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

root@db:~#


Now we can install MySQL server:


apt-get update
apt-get install -y mysql-server


You can leave the MySQL root password blank when prompted.


By default, MySQL will only listen for connections on the same server. Since we want to allow our web server to connect to the database server and are protected by the VPC environment, we instead want to listen for connections from "anywhere" (within the VPC):


sed -i 's/127.0.0.1/0.0.0.0/g' /etc/mysql/mysql.conf.d/mysqld.cnf
service mysql restart


We need a MySQL account for WordPress to use when connecting to the database:


# mysql -u root
create database wordpress;
create user 'wordpress'@'%' identified by 'MyPassword!';
grant all privileges on wordpress.* to 'wordpress'@'%';
exit
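
Binding to 0.0.0.0 and creating the account as 'wordpress'@'%' means any host that can reach the database server may attempt to log in as wordpress. As an added example (not from the original article), the script below binds MySQL to the database server's internal IP and limits the account to the web server's internal IP, using the article's sample addresses 10.240.0.29 and 10.240.0.5; the function names are hypothetical and the demonstration runs on a constructed config fragment in a temporary file.

```shell
# Added example; addresses are the article's sample values, files are temporary.
WEB_IP="10.240.0.5"    # web server internal IP (from the SNAT rule)
DB_IP="10.240.0.29"    # database server internal IP (from the logout message)

# Rewrite only the bind-address directive, leaving any other 127.0.0.1 alone.
set_bind_address() {   # usage: set_bind_address <cnf-file> <ip>
  sed "s/^\([[:space:]]*bind-address[[:space:]]*=\).*/\1 $2/" "$1" > "$1.new" &&
    mv "$1.new" "$1"
}

# Same statements as the article, with the account host narrowed from '%'.
wordpress_account_sql() {   # usage: wordpress_account_sql <web-ip> <password>
  cat <<EOF
create database wordpress;
create user 'wordpress'@'$1' identified by '$2';
grant all privileges on wordpress.* to 'wordpress'@'$1';
EOF
}

# Reads `ss -ltn` output on stdin; prints each address port 3306 is bound to.
mysql_listen_addr() {
  awk '$1 == "LISTEN" && $4 ~ /:3306$/ { sub(/:3306$/, "", $4); print $4 }'
}

# Demonstration on a constructed mysqld.cnf fragment (not the real file).
demo_cnf() {
  f=$(mktemp)
  printf '%s\n' '[mysqld]' '# localhost is 127.0.0.1' \
                'bind-address = 127.0.0.1' > "$f"
  set_bind_address "$f" "$DB_IP"
  cat "$f"; rm -f "$f"
}

demo_cnf
wordpress_account_sql "$WEB_IP" 'MyPassword!'
```

After restarting MySQL on the database server, `ss -ltn | mysql_listen_addr` should print 10.240.0.29 rather than 0.0.0.0.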


Finally, exit your SSH database connection so you are back on your web server.


root@db:~# exit
logout
Connection to 10.240.0.29 closed.
root@web:~#


   

Installing Apache

To use WordPress we need a suitable environment, so we will install Apache, PHP, and the MySQL library:


apt-get update
apt-get install -y apache2 libapache2-mod-php php-mysql


 

Installing WordPress

Ubuntu puts the default web site into /var/www/html, so first we remove that and then download WordPress:


cd /var/www/html
rm index.html
wget https://wordpress.org/latest.zip
apt-get install -y unzip </dev/null
unzip latest.zip
mv wordpress/* .
rmdir wordpress
chown www-data -R .


 

Configuring WordPress

In your web browser, go to the web server's public IP as shown in mPanel and you will see the welcome screen:





Click 'Let's go!' and you will be given this database configuration screen:




Now make the following changes:

  • Change the Username to wordpress

  • Change the Password to the value you chose earlier when creating the MySQL user account (MyPassword! in the example given)

  • Change the Database Host to the internal IP of the database server (as shown in mPanel).


Click Submit, and your VPC WordPress install is ready for use.