Part 1: How I Built a cPanel Hosting Environment on Amazon AWS

People argue for and against building a production hosting environment on top of cloud services such as Amazon’s AWS. I recently made the decision to migrate my entire hosting infrastructure from co-located dedicated hardware to a full implementation built entirely on top of Amazon’s Web Services.

I will be releasing a four part series detailing the tricks I’ve learned in my own migration to AWS and walking you through setting up your own full service hosting environment within the AWS eco-system, all while still leveraging the power of cPanel, WHM, and DNSONLY.

I chose to use AWS, more specifically EC2, VPC and S3, for its rapid deployment, unlimited scaling, load balancing, and global distribution abilities. Working with AWS, I started to realize just how powerful it could become.

I started this challenge with a few key questions: What are the benefits and the challenges one would face working in an environment like this? All of our servers run instances of cPanel/WHM, so what are the difficulties in setting up cPanel in an AWS environment?

Amazon’s AWS platform is built behind a NAT infrastructure, so inherently, configuring cPanel for a NAT used to be an elaborate ballet of duct-taped scripts and hooks. However, with cPanel 11.39, I’ve been able to seamlessly migrate my entire infrastructure (30+ instances) from a dedicated environment to AWS without any misstep.

The result is a solid hosting architecture using Amazon VPC (Virtual Private Cloud), Amazon EC2 (Elastic Compute Cloud) and Amazon S3 (Simple Storage Service), built with cPanel/WHM/DNSONLY that not only works on AWS, but makes deployment and provisioning of new servers unbelievably rapid and simple.


Below is a quick overview of the architecture implemented as well as the instance types used for provisioning instances. While I cannot link directly to specific AMIs (Amazon Machine Images), selecting your desired operating system and getting cPanel/WHM installed is a straightforward procedure.


Assumptions

  • First, you must have a working knowledge of the command line, networking, Amazon AWS, and cPanel/WHM/DNSONLY.
  • Second, this model will run two dedicated nameservers (cPanel DNSONLY); the node servers will not be running DNS and will be configured in a cluster.
  • Third, I won’t be going over the registration process of AWS, you need to already have an active account.

Some instructions below are borrowed from Amazon’s AWS User Guide.


AWS Diagram

A Representation of the Basic Network Architecture


This Lesson Includes

  • Creating a new Amazon VPC Instance
  • Defining subnet scope
  • Creating and defining Security Groups

Set up the VPC, Subnet, & Internet Gateway:

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. Click “VPC Dashboard” in the navigation pane.
  3. Locate the “Your Virtual Private Cloud” area of the dashboard and click “Get started creating a VPC” if you have no VPC resources, or click “Start VPC Wizard”.
  4. Select the first option, VPC with a Single Public Subnet Only, and then click Continue.


  1. The confirmation page shows the CIDR ranges and settings that you’ve chosen. Since this is going to be a small network, click “Edit VPC IP CIDR Block” and change the value to “10.0.0.0/24”. This gives us 251 usable IPs on the gateway.
  2. Click “Create VPC” to create your VPC, subnet, Internet gateway, and route table.



Create Security Groups

Security Groups are essentially Firewall Rules that can be applied on a per-instance basis. We are going to create two primary Security Groups, one for Name Servers and one for Web Servers. Of course, your specific scenario will differ from the one represented here, so feel free to create as many Security Groups as needed.

In my use case scenario, I established a Security Group for Name Servers, Shared Web Servers, and Dedicated VPSs. Again, tailor these to meet your needs.

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. Click “Security Groups” in the navigation pane.
  3. Click the “Create Security Group” button.
  4. Specify NS_SG as the name of the security group, and provide a description. Select the ID of your VPC from the “VPC” menu, and then click “Yes, Create”.
  5. Click the “Create Security Group” button.
  6. Specify VS_SG as the name of the security group, and provide a description. Select the ID of your VPC from the “VPC” menu, and then click “Yes, Create”.
  7. Select the “NS_SG” security group that you just created. The details pane includes a tab for information about the security group, plus tabs for working with its inbound rules and outbound rules.

On the “Inbound” tab, do the following:

  1. Select “All Traffic” from the “Create a new rule” list, make sure that Source is “0.0.0.0/0”, and then click “Add Rule”.
  2. Click “Apply Rule Changes” to apply these inbound rules.

On the “Outbound” tab, do the following:

  1. “All Traffic” is allowed by default; we will temporarily keep this rule.

Complete the same steps above for the “VS_SG” you created.

If you’ve made it this far, you’re probably halfway to a panic attack wondering why we’ve opened up all inbound and outbound ports. Each environment’s needs for port availability will obviously be unique, but for most standard cPanel/WHM installations, you can have a look at this informative article, Getting The Most Out of Your System’s Firewall, detailing commonly used ports by cPanel and its bundled services, and then choose to open or close the ports at the firewall level accordingly.

Alternatively, you can keep all inbound/outbound traffic at the Security Group level as pass-through (as detailed above) and handle your firewall at the instance level with a software-based firewall.

cPanel supports numerous software-based firewalls that are freely available to download and install; personally, I use and highly recommend ConfigServer Security & Firewall. It’s dead simple to install, and I recommend running its security scan once you have it configured to ensure you’ve taken extra steps in hardening your systems.
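The “All Traffic from 0.0.0.0/0” rule created above is exactly what a security-group audit should flag. Here is an added Python example (my own, not code from the original post) that checks a group in the shape `aws ec2 describe-security-groups` returns and builds the tightened, per-port rule set you would apply instead; the port lists and the admin CIDR are assumptions for a typical cPanel/WHM install.

```python
"""Audit a VPC security group for the wide-open rule and build a
tightened per-port rule set (added example, not from the original
post).  Rules use the IpPermissions shape that describe-security-groups
returns and boto3's authorize_security_group_ingress() accepts."""
from typing import Dict, List

ANYWHERE = "0.0.0.0/0"

# Constructed sample: NS_SG exactly as the walkthrough creates it,
# "All Traffic" from source 0.0.0.0/0 (IpProtocol "-1" means all).
NS_SG_AS_CREATED = {
    "GroupName": "NS_SG",
    "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANYWHERE}]}],
}

# Assumed service ports: DNSONLY boxes only need DNS; shared web nodes
# need HTTP(S), cPanel/WHM/webmail over TLS and the mail protocols.
NAMESERVER_PORTS = {"tcp": [53], "udp": [53]}
WEBSERVER_PORTS = {"tcp": [80, 443, 2083, 2087, 2096, 25, 587, 993, 995], "udp": []}


def rule(proto: str, port: int, cidr: str) -> Dict:
    """One IpPermissions entry: a single port open to one CIDR."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


def tightened_rules(ports: Dict[str, List[int]], admin_cidr: str) -> List[Dict]:
    """Service ports from anywhere, SSH (22) only from the admin CIDR."""
    rules = [rule(proto, p, ANYWHERE) for proto, plist in ports.items() for p in plist]
    rules.append(rule("tcp", 22, admin_cidr))
    return rules


def audit(group: Dict) -> List[str]:
    """Return one finding per rule that exposes more than a service port."""
    findings = []
    for perm in group["IpPermissions"]:
        world = any(r["CidrIp"] == ANYWHERE for r in perm.get("IpRanges", []))
        if not world:
            continue  # only world-reachable rules are interesting here
        if perm["IpProtocol"] == "-1":
            findings.append("all protocols and ports open to 0.0.0.0/0")
        elif perm["FromPort"] <= 22 <= perm["ToPort"]:
            findings.append("SSH (22) reachable from 0.0.0.0/0")
        elif perm["FromPort"] != perm["ToPort"]:
            findings.append(f"port range {perm['FromPort']}-{perm['ToPort']} open to 0.0.0.0/0")
    return findings
```

Pass the list from `tightened_rules()` as `IpPermissions=` to `authorize_security_group_ingress()` after revoking the all-traffic rule, or keep the pass-through group and run `audit()` as a periodic check that nobody has re-opened it.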


Up Next

  • Creating and Launching Name Server Instances Into Your New VPC
  • Configuring your Name Server
  • Basic Cluster Configuration

  • tom phan

    Can you help me install to Amazon cloud?