Now that the major networking services have been configured, we will next configure the data layer and the security services.
Create Encryption Key in Amazon KMS
AWS Key Management Service (AWS KMS) creates and controls the keys used to encrypt or digitally sign data. We will use a KMS key to encrypt the Amazon RDS MySQL database. KMS keys are region specific, so for this project the key is created in us-east-1, the same region as the other AWS resources.
- In the Key Management Service dashboard, click on create key
- Ensure Symmetric and Encrypt and decrypt are checked and click next
- Enter a Name, description and Tag
- Select yourself as administrator
- Give yourself key usage permission
- Click Next to review and Finish
Amazon RDS
Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud.
Amazon RDS supports several database engines, including the MySQL engine needed for this project.
Create Subnet groups
The DB subnet group defines which subnets of the VPC the database instance can be deployed into.
- Navigate to the Amazon RDS dashboard
- In the left menu, click on subnet groups
- Click on create subnet group
- Enter Name, description and select VPC
- Select availability zones us-east-1a and us-east-1b
- Select the subnet 10.0.5.0/24 and 10.0.6.0/24 as seen in the diagram.
- Click create
Create RDS MySQL database
- Navigate to the Amazon RDS dashboard
- Create database
- Under Engine options, select MySQL
- Availability and durability: select Free tier (or Multi-AZ DB Cluster for high availability, data redundancy and increased capacity to serve read workloads)
- Enter a Name and password for the database
- Select the right VPC
- Ensure the database subnet group is selected
- Public access: No
- Select the data layer security group we created earlier
- Select us-east-1a under Availability Zone
- Leave the other options at their defaults
- Click create database
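The console steps above are easy to get slightly wrong (a stray public-access toggle, the default security group left attached, the wrong subnet group). The following script is an added example, not part of the original post: it audits one entry of the `DBInstances` list returned by boto3's `rds.describe_db_instances()` against the settings the steps ask for (MySQL engine, not publicly accessible, storage encrypted with the us-east-1 KMS key, only the data layer security group attached, DB subnet group limited to 10.0.5.0/24 and 10.0.6.0/24, primary in us-east-1a). Every identifier, ARN and subnet ID in it is a constructed placeholder; the sample instances are constructed too, so it runs offline.

```python
"""Post-deployment audit for the RDS MySQL instance created above.

Added example, not the project's own code. All IDs and ARNs are placeholders.
To audit a live instance, replace the sample dict with
boto3.client("rds", region_name=EXPECTED_REGION)
     .describe_db_instances(DBInstanceIdentifier="...")["DBInstances"][0]
"""

EXPECTED_REGION = "us-east-1"
EXPECTED_AZ = "us-east-1a"
EXPECTED_DB_SUBNETS = {"10.0.5.0/24", "10.0.6.0/24"}
DATA_LAYER_SG = "sg-0d47a1a7e100000aa"                      # assumed: data layer security group
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
               "1234abcd-12ab-34cd-56ef-1234567890ab")     # assumed: the KMS key created above

# Constructed subnet-ID -> CIDR map, as ec2.describe_subnets() would report it.
SUBNET_CIDRS = {
    "subnet-0aaa0000000000005": "10.0.5.0/24",
    "subnet-0aaa0000000000006": "10.0.6.0/24",
    "subnet-0aaa0000000000001": "10.0.1.0/24",  # a public subnet; must not host the DB
}


def audit_db_instance(db, subnet_cidrs=SUBNET_CIDRS):
    """Return a list of findings; an empty list means the instance matches the plan."""
    findings = []
    if db.get("Engine") != "mysql":
        findings.append("engine is %r, expected mysql" % db.get("Engine"))
    # A missing field is treated as the unsafe case.
    if db.get("PubliclyAccessible", True):
        findings.append("publicly accessible")
    if not db.get("StorageEncrypted", False):
        findings.append("storage not encrypted")
    else:
        key = db.get("KmsKeyId", "")           # RDS reports the key as an ARN
        if key.split(":")[3:4] != [EXPECTED_REGION]:
            findings.append("kms key not in %s" % EXPECTED_REGION)
        if key != KMS_KEY_ARN:
            findings.append("unexpected kms key")
    if db.get("AvailabilityZone") != EXPECTED_AZ:
        findings.append("primary not in %s" % EXPECTED_AZ)
    sgs = {g["VpcSecurityGroupId"] for g in db.get("VpcSecurityGroups", [])
           if g.get("Status", "active") == "active"}
    if DATA_LAYER_SG not in sgs:
        findings.append("data layer security group missing")
    if sgs - {DATA_LAYER_SG}:
        findings.append("extra security groups: %s" % sorted(sgs - {DATA_LAYER_SG}))
    subnets = db.get("DBSubnetGroup", {}).get("Subnets", [])
    cidrs = {subnet_cidrs.get(s["SubnetIdentifier"], "unknown") for s in subnets}
    if cidrs != EXPECTED_DB_SUBNETS:
        findings.append("db subnet group covers %s" % sorted(cidrs))
    return findings


# Constructed sample: the instance exactly as the steps above produce it.
GOOD_INSTANCE = {
    "DBInstanceIdentifier": "project-db", "Engine": "mysql",
    "PubliclyAccessible": False, "StorageEncrypted": True,
    "KmsKeyId": KMS_KEY_ARN, "AvailabilityZone": "us-east-1a",
    "VpcSecurityGroups": [{"VpcSecurityGroupId": DATA_LAYER_SG, "Status": "active"}],
    "DBSubnetGroup": {"DBSubnetGroupName": "project-db-subnets",
                      "Subnets": [{"SubnetIdentifier": "subnet-0aaa0000000000005"},
                                  {"SubnetIdentifier": "subnet-0aaa0000000000006"}]},
}

# Constructed sample: the same instance with typical console slips left behind.
DRIFTED_INSTANCE = dict(
    GOOD_INSTANCE,
    PubliclyAccessible=True,
    StorageEncrypted=False,
    VpcSecurityGroups=GOOD_INSTANCE["VpcSecurityGroups"]
    + [{"VpcSecurityGroupId": "sg-0000000default000", "Status": "active"}],
    DBSubnetGroup={"DBSubnetGroupName": "default",
                   "Subnets": [{"SubnetIdentifier": "subnet-0aaa0000000000001"},
                               {"SubnetIdentifier": "subnet-0aaa0000000000005"}]},
)

if __name__ == "__main__":
    for inst in (GOOD_INSTANCE, DRIFTED_INSTANCE):
        print(inst["DBInstanceIdentifier"], audit_db_instance(inst) or "OK")
```

The drifted sample produces four findings (public access, no encryption, an extra security group, a subnet group that includes a public subnet); the compliant sample produces none. Because `StorageEncrypted` cannot be changed after creation, catching it at this point saves a restore-from-snapshot later.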
Create File Storage with EFS
Amazon Elastic File System (Amazon EFS) provides a simple, scalable, elastic file system for general purpose workloads for use with AWS Cloud services and on-premises resources.
It is a serverless, elastic, set-and-forget file system that automatically grows and shrinks as you add and remove files, with no need for management or provisioning.
- Navigate to the Amazon EFS dashboard
- Click on create file system
- Enter Name, tag and click next
- Select the appropriate VPC
- Select private subnet 1 & 2 (10.0.2.0/24 and 10.0.4.0/24)
- Next, review the setting and click on create
Access Point
One of the advantages of Amazon EFS is that it is a shared file system, meaning it can serve as storage for more than one application. It keeps each application's data separate through access points. We will be hosting two applications.
Create Access Point for Two Applications
- Click the name of the file system
- Click on Access Points Tab and click create access point
- Enter the following details for WordPress application and create access point
Name: wordpress
Path: /wordpress
POSIX user ID, Group ID, Owner user ID, group ID: 0
Access point permissions: 0755
Tag - Name: wordpress-ap
The second application is named Tooling
- Enter the following details for Tooling application and create access point
Name: tooling
Path: /tooling
POSIX user ID, Group ID, Owner user ID, group ID: 0
Access point permissions: 0755
Tag: Name: tooling-ap
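The two access point definitions above translate directly into API calls. The script below is an added example, not code from the original post: it builds the keyword arguments for boto3's `efs.create_access_point()` for the WordPress and Tooling access points with the exact path, POSIX IDs and 0755 permissions listed above, and checks that the two root directories are disjoint, which is what keeps each application confined to its own tree on the shared file system. The file system ID is an assumed placeholder.

```python
"""EFS access points for the WordPress and Tooling applications.

Added example, not the project's own code. FILE_SYSTEM_ID is a placeholder.
"""
import json
import posixpath

FILE_SYSTEM_ID = "fs-0123456789abcdef0"   # assumed placeholder for the file system created above


def access_point_request(name, path, uid=0, gid=0, permissions="0755",
                         file_system_id=FILE_SYSTEM_ID):
    """Return kwargs for efs.create_access_point().

    PosixUser is enforced for every request made through the access point,
    whatever identity the NFS client presents. RootDirectory.CreationInfo
    tells EFS to create the directory with this owner and mode if it does
    not exist yet, so the clients never need write access to "/".
    """
    if not path.startswith("/") or posixpath.normpath(path) != path:
        raise ValueError("root directory must be an absolute, normalized path: %r" % path)
    if len(permissions) not in (3, 4) or any(c not in "01234567" for c in permissions):
        raise ValueError("permissions must be an octal mode string such as 0755: %r" % permissions)
    return {
        "FileSystemId": file_system_id,
        "PosixUser": {"Uid": uid, "Gid": gid},
        "RootDirectory": {
            "Path": path,
            "CreationInfo": {"OwnerUid": uid, "OwnerGid": gid, "Permissions": permissions},
        },
        "Tags": [{"Key": "Name", "Value": "%s-ap" % name}],
    }


# The two access points exactly as specified in the steps above.
ACCESS_POINTS = [
    access_point_request("wordpress", "/wordpress"),
    access_point_request("tooling", "/tooling"),
]


def roots_are_isolated(requests):
    """True when no root directory is "/" and none is nested inside another.

    Two applications whose roots overlap would be able to read and modify
    each other's files through the shared file system.
    """
    paths = [r["RootDirectory"]["Path"] for r in requests]
    for i, a in enumerate(paths):
        if a == "/":
            return False
        for b in paths[i + 1:]:
            if a == b or b.startswith(a + "/") or a.startswith(b + "/"):
                return False
    return True


if __name__ == "__main__":
    assert roots_are_isolated(ACCESS_POINTS)
    for req in ACCESS_POINTS:
        print(json.dumps(req, indent=2))
    # To create them for real (requires credentials and boto3):
    #   efs = boto3.client("efs", region_name="us-east-1")
    #   for req in ACCESS_POINTS:
    #       efs.create_access_point(**req)
```

Run stand-alone it prints the two request bodies; the isolation check is the part worth keeping in a pipeline, since an access point rooted at `/` would silently give one application the whole file system.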
SSL Certificate
Amazon Certificate Manager (ACM) handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications.
Create certificate
- In the ACM dashboard click on Request a certificate
- Ensure Request a public certificate is selected and click next
- Use a wildcard (`*`) as the Fully qualified domain name (`*.yourdomain.xx`)
- Accept the default values and click Request
- Next, click List certificates in the left menu
- Click on the certificate you just created
- Click on Create records in Route 53
- Click on Create records
If you purchased your domain externally, you need to create a hosted zone in Route 53 and update the DNS records at your registrar.
After a few minutes the certificate will be validated and issued.
Next, let's create AMIs for the web application.
Watch out for the concluding implementation.