Create a web portal on AWS through terraform also provide internet access to private subnet

6 min readOct 14, 2020

Problem Statement

We have to create a web portal for our company with all the security as much as possible. So, we use Wordpress software with dedicated database server. Database should not be accessible from the outside world for security purposes. We only need to public the WordPress to clients also add an additional feature to be added that is NAT Gateway to provide the internet access to instances running in the private subnet.

So here are the steps that we need to follow :

1. Write an Infrastructure as code using terraform, which automatically create a VPC.

2. In that VPC we have to create 2 subnets:

(a). public subnet [ Accessible for Public World! ]

(b). private subnet [ Restricted for Public World! ]

3. Create a public facing internet gateway for connect our VPC/Network to the internet world and attach this gateway to our VPC.

4. Create a routing table for Internet gateway so that instance can connect to outside world, update and associate it with public subnet.

5. Create a NAT gateway for connect our VPC/Network to the internet world and attach this gateway to our VPC in the public network

6. Update the routing table of the private subnet, so that to access the internet it uses the nat gateway created in the public subnet

7. Launch an ec2 instance which has Wordpress setup already having the security group allowing port 80 sothat our client can connect to our wordpress site. Also attach the key to instance for further login into it.

8. Launch an ec2 instance which has MYSQL setup already with security group allowing port 3306 in private subnet so that our wordpress vm can connect with the same. Also attach the key with the same.

Note: Wordpress instance has to be part of public subnet so that our client can connect our site. MySql instance has to be part of private subnet so that outside world can’t connect to it. Don’t forgot to add auto ip assign and auto dns name assignment option to be enabled.

Bastion Host ?

AWS Bastion Host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. Because of its exposure to potential attack, a bastion host must minimize the chances of penetration.

Terraform Code:

1. We are using aws as provider so we need to setup region and profile.

provider “aws” {
region = “ap-south-1”
profile = “aditya”
}

2. Create the key pair.

resource “tls_private_key” “adikey” {
algorithm = “RSA”
}
resource “aws_key_pair” “generated_key” {
key_name = “adikey”
public_key = “${tls_private_key.adikey.public_key_openssh}”
depends_on = [
tls_private_key.adikey
]
}
resource “local_file” “key-file” {
content = “${tls_private_key.adikey.private_key_pem}”
filename = “adikey.pem”
depends_on = [
tls_private_key.adikey
]
}

3. Create the VPC.

resource “aws_vpc” “myVPC” {
cidr_block = “192.168.0.0/16”
instance_tenancy = “default”
enable_dns_hostnames = “true”
tags = {
Name = “myVPC”
}
}
//Elastic IP
resource “aws_eip” “elastic_ip” {
vpc = true
}

4. Create two subnets.

// Public Subnet
resource “aws_subnet” “My_Public_Subnet” {
vpc_id = “${aws_vpc.myVPC.id}”
availability_zone = “ap-south-1a”
cidr_block = “192.168.1.0/24”
map_public_ip_on_launch = true
tags = {
Name = “My_Public_Subnet”
}
}
//Private Subnet
resource “aws_subnet” “my_subnet_private” {
vpc_id = “${aws_vpc.myVPC.id}”
availability_zone = “ap-south-1b”
cidr_block = “192.168.2.0/24”
tags = {
Name = “my_subnet_private”
}
}

5. Create the Internet Gateway

resource “aws_nat_gateway” “nat_gateway” {
allocation_id = “${aws_eip.elastic_ip.id}”
subnet_id = “${aws_subnet.My_Public_Subnet.id}”
depends_on = [ aws_nat_gateway.nat_gateway ]
}

6. Create the route table.

resource “aws_route_table” “my_route_table” {
vpc_id = “${aws_vpc.myVPC.id}”
route {
cidr_block = “0.0.0.0/0”
gateway_id = “${aws_internet_gateway.My_IG.id}”
}
tags = {
Name = “my_route_table”
}
}
resource “aws_route_table” “nat_gateway_route” {
vpc_id = “${aws_vpc.myVPC.id}”
route {
cidr_block = “0.0.0.0/0”
gateway_id = “${aws_nat_gateway.nat_gateway.id}”
}
tags = {
Name = “nat_gateway_route”
}
}

7. Connect the route table to subnet.

//Connect to public subnet
resource “aws_route_table_association” “my_route_table_association” {
subnet_id = aws_subnet.My_Public_Subnet.id
route_table_id = aws_route_table.my_route_table.id
}
// Connect to private subnet
resource “aws_route_table_association” “nat_asso” {
subnet_id = aws_subnet.my_subnet_private.id
route_table_id = aws_route_table.nat_gateway_route.id
}

8. Create Security group for instance.

//Wordpress Security Group
resource “aws_security_group” “Security_Group_Word_Press” {
name = “Security_Group_Word_Press”
description = “Allow HTTP inbound traffic”
vpc_id = “${aws_vpc.myVPC.id}”
ingress {
description = “http”
from_port = 80
to_port = 80
protocol = “tcp”
cidr_blocks = [ “0.0.0.0/0” ]
}
ingress {
description = “ssh”
from_port = 22
to_port = 22
protocol = “tcp”
cidr_blocks = [ “0.0.0.0/0” ]
}
ingress {
description = “https”
from_port = 443
to_port = 443
protocol = “tcp”
cidr_blocks = [ “0.0.0.0/0” ]
}
egress {
from_port = 0
to_port = 0
protocol = “-1”
cidr_blocks = [“0.0.0.0/0”]
}
tags = {
Name = “Security_Group_Word_Press”
}
}
//Bastion Host Security Group
resource “aws_security_group” “Security_Group_BastionHost” {
name = “Security_Group_BastionHost”
description = “ssh_bh”
vpc_id = “${aws_vpc.myVPC.id}”
ingress {
description = “ssh”
from_port = 22
to_port = 22
protocol = “tcp”
cidr_blocks = [ “0.0.0.0/0” ]
}
egress {
from_port = 0
to_port = 0
protocol = “-1”
cidr_blocks = [“0.0.0.0/0”]
}
tags = {
Name = “Security_Group_BastionHost”
}
}
//MySQL Security Group
resource “aws_security_group” “Security_Group_MySQL” {
name = “Security_Group_MySQL”
description = “mysql”
vpc_id = “${aws_vpc.myVPC.id}”
ingress {
description = “mysql”
from_port = 3306
to_port = 3306
protocol = “tcp”
cidr_blocks = [ “0.0.0.0/0” ]
}
ingress {
description = “ssh”
from_port = 22
to_port = 22
protocol = “tcp”
security_groups = [ “${aws_security_group.Security_Group_BastionHost.id}” ]
}
egress {
from_port = 0
to_port = 0
protocol = “-1”
cidr_blocks = [“0.0.0.0/0”]
}
tags = {
Name = “Security_Group_MySQL”
}
}

9. Launch instances.

//Launch Wordpress Instance
resource “aws_instance” “WP_OS” {
ami = “ami-000cbce3e1b899ebd”
instance_type = “t2.micro”
key_name = aws_key_pair.generated_key.key_name
subnet_id = “${aws_subnet.My_Public_Subnet.id}”
vpc_security_group_ids = [ “${aws_security_group.Security_Group_Word_Press.id}” ]
tags = {

Name = “WPOS”

}
}
//Launch Bastion Host Instance
resource “aws_instance” “BastionHost_OS” {
ami = “ami-0e306788ff2473ccb”
instance_type = “t2.micro”
key_name = aws_key_pair.generated_key.key_name
subnet_id = “${aws_subnet.My_Public_Subnet.id}”
vpc_security_group_ids = [ “${aws_security_group.Security_Group_BastionHost.id}” ]
tags = {

Name = “BastionHostOS”
}
}
//Launch MySQL Instance
resource “aws_instance” “MySQL_OS” {
ami = “ami-0019ac6129392a0f2”
instance_type = “t2.micro”
key_name = aws_key_pair.generated_key.key_name
subnet_id = “${aws_subnet.my_subnet_private.id}”
vpc_security_group_ids = [ “${aws_security_group.Security_Group_MySQL.id}” ]
tags = {

Name = “MySQLOS”
}
}