In this article we demonstrate the basic steps necessary to build a two-tiered WordPress application using Virtual Private Cloud. Our VPC network topology will look like this:
We have selected WordPress for this example since it is popular and easy to install, but the general process is applicable to any web application that uses a database for content storage.
Server Provisioning
Create two Ubuntu 18.04 servers that are members of the same VPC. Our web server should have an external IP address (the default), while our database server should not.
Here is what my configuration looks like in mPanel:
Note that db.example does not have a public IP address.
Accessing the database server
To install MySQL on our database server, we need to connect to it over SSH and issue the appropriate commands. However, our database server does not have a public IP, so instead we must connect through our web server. This method of accessing our private second tier is sometimes called using a jumpbox or a bastion host.
    user@office:~$ ssh -A root@43.229.63.239
    Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-49-generic x86_64)
     * Documentation: https://help.ubuntu.com/
    # ssh root@10.240.0.29
    Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-49-generic x86_64)
     * Documentation: https://help.ubuntu.com/
    root@db:~#
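(Here I have used SSH key authentication to log in as root; if you have not set this up, log in as user "vps" and provide the password when prompted. The -A option forwards your local SSH agent to the web server so that the second hop can authenticate with the same key; the forwarded agent is usable by root on the web server for as long as the session is open.)
Because the database server does not have a public IP, it does not have internet access, so installing MySQL will fail: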
    root@db:~# apt-get install mysql-server
    [snip]
    0 to upgrade, 13 to newly install, 0 to remove and 0 not to upgrade.
    Need to get 9,007 kB of archives.
    After this operation, 96.8 MB of additional disk space will be used.
    Do you want to continue? [Y/n] y
    0% [Connecting to mirror.mammothvps.com.au]
With no internet access, apt-get simply hangs until we press CTRL+C to abort.
Providing outbound (NAT) internet access
To install packages, we need to allow our database server to make outbound requests to the internet. This requires three changes:
- Use mPanel to enable the web server to route
- Configure our VPC route table to send requests through our web server
- Configure our web server to provide NAT functionality
Enable routing in mPanel
Click into the mPanel dashboard for the web server. Down the left-hand side there is a section labelled Network:
To let our web server provide NAT functionality, Source/Dest Check must be disabled. Click the "Enabled" link and disable the check.
Configure the VPC route table
From the "Services" page in mPanel, click the "Configure Routes" button. This displays the following screen, which I have already filled out:
Enter a new route with destination set to 0.0.0.0/0, and the target as the internal IP of the web server. Click "Save and Apply" to update the VPC configuration.
Configure web server to enable NAT
To configure NAT on the web server, connect to it via SSH and run the following commands:
    echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
    sysctl -p
    iptables -t nat -A POSTROUTING -s 10.240.0.0/16 -j SNAT --to-source 10.240.0.5
    apt-get install iptables-persistent
    # say 'yes' when asked whether to save existing rules
(You will need to insert your web server's internal IP in place of 10.240.0.5 on the third line.)
With these three steps completed, we now have a fully functioning two-tier VPC environment and can proceed with our database installation.
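A check for the NAT step above, as an added example that is not part of the original article: it reads `iptables-save` output and reports whether the SNAT rule from this article is present and whether the web server is left forwarding packets from any source. The function name `audit_nat` and both rule dumps are constructed for illustration; the CIDR and IP are the ones used above.

```shell
#!/bin/sh
# Added example: audit `iptables-save` output for the NAT setup in this article.
# On the web server:  iptables-save | audit_nat 10.240.0.0/16 10.240.0.5
# Prints one line per finding; no output means nothing was flagged.
audit_nat() {
    awk -v cidr="$1" -v ip="$2" '
        /^\*/ { table = substr($0, 2) }          # "*nat", "*filter", ...
        table == "nat" && /^-A POSTROUTING/ && / -j (SNAT|MASQUERADE)/ {
            line = $0 " "                        # so the IP match ends at a space
            if (index(line, " -s " cidr " ") && index(line, "--to-source " ip " "))
                expected = 1
            else if (!index(line, " -s "))
                print "WARN NAT rule without a source match: " $0
        }
        table == "filter" && /^:FORWARD / { policy = $2 }
        table == "filter" && /^-A FORWARD / { forward_rules++ }
        END {
            if (!expected)
                print "FAIL no SNAT rule for " cidr " -> " ip
            if (policy == "ACCEPT" && !forward_rules)
                print "WARN FORWARD policy ACCEPT, no rules: any routed packet is forwarded"
        }'
}

# Constructed sample: the state left by the commands in this article.
SAMPLE_ARTICLE='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.240.0.0/16 -j SNAT --to-source 10.240.0.5
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Constructed sample: same NAT rule, forwarding limited to VPC sources.
SAMPLE_SCOPED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.240.0.0/16 -j SNAT --to-source 10.240.0.5
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 10.240.0.0/16 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_ARTICLE" | audit_nat 10.240.0.0/16 10.240.0.5
```

The first sample produces the FORWARD warning; the second, which adds FORWARD rules for the VPC range and a DROP policy, produces no findings.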
Installing MySQL
SSH to your web server, and from there SSH into your database server:
    user@office:~$ ssh -A root@43.229.63.239
    Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-49-generic x86_64)
     * Documentation: https://help.ubuntu.com/
    # ssh root@10.240.0.29
    Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-49-generic x86_64)
     * Documentation: https://help.ubuntu.com/
    root@db:~#
Now we can install MySQL server:
    apt-get update
    apt-get install -y mysql-server
You can leave the MySQL root password blank when prompted.
By default, MySQL will only listen for connections on the same server. Since we want to allow our web server to connect to the database server and are protected by the VPC environment, we instead want to listen for connections from "anywhere" (within the VPC):
    sed -i 's/127.0.0.1/0.0.0.0/g' /etc/mysql/mysql.conf.d/mysqld.cnf
    service mysql restart
We need a MySQL account for WordPress to connect to the database with:
    # mysql -u root
    create database wordpress;
    create user 'wordpress'@'%' identified by 'MyPassword!';
    grant all privileges on wordpress.* to 'wordpress'@'%';
    exit
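A narrower variant of the bind-address change and the account creation above, as an added example that is not part of the original article: MySQL listens on the database server's internal address instead of 0.0.0.0, and the account is created for the web server's internal IP instead of '%'. The function names are hypothetical; the two IPs and the password are the example values used in this article.

```shell
#!/bin/sh
# Added example: scope MySQL to the two internal addresses used in this article.
DB_IP=10.240.0.29    # database server (internal)
WEB_IP=10.240.0.5    # web server (internal)

# Accept only a dotted-quad IPv4 address, so nothing else reaches sed or SQL.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    n=0
    for octet in $(printf '%s' "$1" | tr . ' '); do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Read mysqld.cnf on stdin, print it with bind-address set to one IP.
render_bind_address() {
    is_ipv4 "$1" || { echo "bad IP: $1" >&2; return 1; }
    sed -E "s/^[[:space:]]*bind-address[[:space:]]*=.*/bind-address = $1/"
}

# Print SQL that creates the WordPress account for a single client host.
render_grants() {
    is_ipv4 "$1" || { echo "bad IP: $1" >&2; return 1; }
    # Escape backslashes and quotes so the password stays inside the literal.
    pw=$(printf '%s' "$2" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")
    cat <<EOF
CREATE DATABASE IF NOT EXISTS wordpress;
CREATE USER 'wordpress'@'$1' IDENTIFIED BY '$pw';
GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'$1';
EOF
}

# Demo on a constructed config line. On the database server you would run:
#   render_bind_address "$DB_IP" < mysqld.cnf > mysqld.cnf.new
#   render_grants "$WEB_IP" 'MyPassword!' | mysql -u root
printf 'bind-address\t\t= 127.0.0.1\n' | render_bind_address "$DB_IP"
render_grants "$WEB_IP" 'MyPassword!'
```

Unlike the global replacement of 127.0.0.1, this rewrites only the bind-address line; restart MySQL afterwards as in the step above.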
Finally, exit your SSH database connection so you are back on your web server.
    root@db:~# exit
    logout
    Connection to 10.240.0.29 closed.
    root@web:~#
Installing Apache
To use WordPress we need a suitable environment, so we will install Apache, PHP, and the MySQL library:
    apt-get update
    apt-get install -y apache2 libapache2-mod-php php-mysql
Installing WordPress
Ubuntu puts the default web site into /var/www/html, so first we remove that and then download WordPress:
    cd /var/www/html
    rm index.html
    wget https://wordpress.org/latest.zip
    apt-get install -y unzip </dev/null
    unzip latest.zip
    mv wordpress/* .
    rmdir wordpress
    chown www-data -R .
Configuring WordPress
In your web browser, go to the web server's public IP as shown in mPanel and you will see the welcome screen:
Click 'Let's go!' and you will be given this database configuration screen:
Now make the following changes:
- Change the Username to wordpress.
- Change the Password to the value you chose earlier when creating the MySQL user account (MyPassword! in the example given).
- Change the Database Host to the internal IP of the database server (as shown in mPanel).
Click Submit, and your VPC WordPress install is ready for use.