Part 1: How I Built a cPanel Hosting Environment on Amazon AWS

People argue for and against building a production hosting environment on top of cloud services such as Amazon’s AWS. I recently made the decision to migrate my entire hosting infrastructure from co-located dedicated hardware to a full implementation built entirely on top of Amazon’s Web Services.

I will be releasing a four part series detailing the tricks I’ve learned in my own migration to AWS and walking you through setting up your own full service hosting environment within the AWS eco-system, all while still leveraging the power of cPanel, WHM, and DNSONLY.

I chose to use AWS, more specifically EC2, VPC and S3, for its rapid deployment, unlimited scaling, load balancing, and global distribution abilities. Working with AWS, I started to realize just how powerful it could become.

I started this challenge with a few key questions: What are the benefits and the challenges one would face working in an environment like this? All of our servers run instances of cPanel/WHM, so what are the difficulties in setting up cPanel in an AWS environment?

Amazon’s AWS platform is built behind a NAT infrastructure, so configuring cPanel for a NAT used to be an elaborate ballet of duct-taped scripts and hooks. However, with cPanel 11.39, I’ve been able to seamlessly migrate my entire infrastructure (30+ instances) from a dedicated environment to AWS without any misstep.

The result is a solid hosting architecture using Amazon VPC (Virtual Private Cloud), Amazon EC2 (Elastic Compute Cloud) and Amazon S3 (Simple Storage Service), built with cPanel/WHM/DNSONLY, that not only works on AWS but makes deployment and provisioning of new servers unbelievably rapid and simple.


Below is a quick overview of the architecture implemented as well as the instance types used for provisioning instances. While I cannot link directly to specific AMIs (Amazon Machine Images), selecting your desired operating system and getting cPanel/WHM installed is a straightforward procedure.


Assumptions

  • First, you must have a working knowledge of the command line, networking, Amazon AWS, and cPanel/WHM/DNSONLY.
  • Second, this model runs two dedicated nameservers (cPanel DNSONLY); the node servers will not run DNS and will be configured in a cluster.
  • Third, I won’t be going over the registration process for AWS; you need to already have an active account.

Some instructions below are borrowed from Amazon’s AWS User Guide.


AWS Diagram

[Diagram: a representation of the basic network architecture]


This Lesson Includes

  • Creating a new Amazon VPC Instance
  • Defining subnet scope
  • Creating and defining Security Groups

Set up the VPC, Subnet, & Internet Gateway:

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. Click “VPC Dashboard” in the navigation pane.
  3. Locate the “Your Virtual Private Cloud” area of the dashboard and click “Get started creating a VPC” if you have no VPC resources, or click “Start VPC Wizard”.
  4. Select the first option, VPC with a Single Public Subnet Only, and then click Continue.

[Screenshot: VPC wizard page]

  5. The confirmation page shows the CIDR ranges and settings that you’ve chosen. Since this is going to be a small network, click “Edit VPC IP CIDR Block” and change the value to “10.0.0.0/24”. This gives us 251 usable IPs on the gateway (AWS reserves five addresses in every subnet).
  6. Click “Create VPC” to create your VPC, subnet, Internet gateway, and route table.

[Screenshot: VPC wizard summary]


Create Security Groups

Security Groups are essentially firewall rules that can be applied on a per-instance basis. We are going to create two primary Security Groups, one for Name Servers and one for Web Servers. Of course, your specific scenario will differ from the one represented here, so feel free to create as many Security Groups as needed.

In my own use case, I established Security Groups for Name Servers, Shared Web Servers, and Dedicated VPSs. Again, tailor these to meet your needs.

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. Click “Security Groups” in the navigation pane.
  3. Click the “Create Security Group” button.
  4. Specify NS_SG as the name of the security group, and provide a description. Select the ID of your VPC from the “VPC” menu, and then click “Yes, Create”.
  5. Click the “Create Security Group” button.
  6. Specify VS_SG as the name of the security group, and provide a description. Select the ID of your VPC from the “VPC” menu, and then click “Yes, Create”.
  7. Select the “NS_SG” security group that you just created. The details pane includes a tab for information about the security group, plus tabs for working with its inbound rules and outbound rules.

On the “Inbound” tab, do the following:

  1. Select “All Traffic” from the “Create a new rule” list, make sure that Source is “0.0.0.0/0”, and then click “Add Rule”.
  2. Click “Apply Rule Changes” to apply these inbound rules.

On the “Outbound” tab, do the following:

  1. “All Traffic” is allowed by default; we will keep this rule for now.

Complete the same steps above for the “VS_SG” you created.

If you’ve made it this far, you’re probably halfway to a panic attack wondering why we’ve opened up all inbound and outbound ports. Each environment’s needs for port availability will obviously be unique, but for most standard cPanel/WHM installations you can have a look at this informative article, Getting The Most Out of Your System’s Firewall, which details the ports commonly used by cPanel and its bundled services, and then open or close ports at the Security Group level accordingly.

Alternatively, you can leave all inbound/outbound traffic at the Security Group level as pass-through (as detailed above) and handle filtering at the instance level with a software-based firewall.

cPanel supports numerous software-based firewalls that are freely available to download and install; personally I use and highly recommend ConfigServer Security & Firewall. It’s dead simple to install, and I recommend running its security scan once you have it configured to ensure you’ve taken the extra steps in hardening your systems.
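As an added illustration (not code from the original post), the following Python models the VPC sizing and Security Group choices made above: it confirms the 251-host figure for a 10.0.0.0/24 subnet, encodes the pass-through “All Traffic” rule created for NS_SG/VS_SG, and audits it against an assumed tightened rule set. The port numbers are standard DNS/HTTP/cPanel ports, and the admin range 203.0.113.0/24 is a constructed example.

```python
import ipaddress

# AWS reserves five addresses in every VPC subnet (network, VPC router, DNS,
# future use, broadcast), which is why a /24 gives the 251 hosts mentioned above.
AWS_RESERVED_PER_SUBNET = 5

def usable_hosts(subnet_cidr: str) -> int:
    """Addresses an instance can actually be assigned in a VPC subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET

# A rule is (protocol, from_port, to_port, source_cidr); "-1" is the console's "All Traffic".
ANY = "0.0.0.0/0"
ADMIN_NET = "203.0.113.0/24"   # constructed example: the operator's office range

# The post's pass-through rule, as created above for NS_SG and VS_SG.
PASS_THROUGH = [("-1", 0, 65535, ANY)]

# Assumed tightened rule sets (not from the post); standard DNS, HTTP and cPanel ports.
NS_SG_TIGHT = [("udp", 53, 53, ANY), ("tcp", 53, 53, ANY),
               ("tcp", 22, 22, ADMIN_NET), ("tcp", 2087, 2087, ADMIN_NET)]
VS_SG_TIGHT = [("tcp", 80, 80, ANY), ("tcp", 443, 443, ANY),
               ("tcp", 2083, 2083, ANY),        # cPanel over TLS, for customers
               ("tcp", 2087, 2087, ADMIN_NET),  # WHM over TLS, operators only
               ("tcp", 22, 22, ADMIN_NET)]
ADMIN_PORTS = {22, 2086, 2087}                  # SSH and WHM should never face the world

def allows(rules, proto: str, port: int, src_ip: str) -> bool:
    """True if some rule admits this protocol/port from this source address."""
    ip = ipaddress.ip_address(src_ip)
    for rproto, lo, hi, cidr in rules:
        if rproto not in ("-1", proto):
            continue
        if lo <= port <= hi and ip in ipaddress.ip_network(cidr):
            return True
    return False

def audit(rules) -> list:
    """Findings a reviewer would raise before the group reaches production."""
    findings = []
    for proto, lo, hi, cidr in rules:
        world = ipaddress.ip_network(cidr).prefixlen == 0
        if world and proto == "-1":
            findings.append("all protocols and ports open to 0.0.0.0/0; "
                            "the instance firewall is the only control")
        elif world:
            exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
            if exposed:
                findings.append(f"admin ports {exposed} open to 0.0.0.0/0 on {proto}")
    return findings
```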


Up Next

  • Creating and Launching Name Server Instances Into Your New VPC
  • Configuring your Name Server
  • Basic Cluster Configuration

This entry was posted in Tips & Tricks.
  • isalev

    Will this work with the full cPanel? Or only with the DNSONLY version?

    Thanks.

    • http://georgebohnisch.com/ George Böhnisch

      The tutorial will outline installation using cPanel DNSONLY as the name services provider, but the instructions could easily be used on a system that runs BIND or similar. Let me know if you have issues.

  • Anand Gupta

    Nice article. Looking forward to reading the entire range :)

  • Steven Munro

    I am eagerly awaiting the next part of this blog post. I am wishing you good luck in getting this to work on EC2. I have tried to set this up and one problem you will run into is the Private/Public address issue when serving virtualhosts. It is also not possible to add additional IP addresses to cPanel hosted on an EC2 (great for SSL Certs etc). Everything else is great however. But unless this IP address thing is fixed, it is pointless trying to create a hosting environment on AWS.

    • Todd Rinaldo

      That’s been resolved already and will be released in 11.40 in the fall. George used an early release of 11.40 to complete his migration.

      See Also: http://features.cpanel.net/responses/support-for-11-nat-installation-and-thus-vmware-vcloud-deployments

    • http://georgebohnisch.com/ George Böhnisch

      Steven, I’ve already successfully moved my entire infrastructure to EC2/AWS. I’ve been using it for about two months now without issue. It is definitely possible.

      • http://blog.rahulprasad.com/ Rahul Prasad

        Please complete the tutorial.

    • Matúš Mättin Nickel

      Steven, I’m using cPanel now for almost one year on Amazon without any particular problem. I have multiple SSL IPs assigned to vhosts and it works like a charm. You just need to assign more internal IPs and set up a DNS hook to force cPanel to use public IPs instead of the private VPC ones. Btw, cPanel performance on Amazon is extraordinary ;).

      • Abe Petrillo

        Matus, do you have more detail on getting the DNS working? I’ve been playing around with this and the solutions provided on this blog didn’t work for me (in part 2). Any useful guide you followed would be a great help.

        • Matúš Mättin Nickel

          The solution is simple. cPanel DNS works as it should; the only thing here is that your webserver has an internal IP address and you need to return your external IP with the name service. So just change the Zone template in the WHM DNS section. For example, in the Simple zone: %domain%. IN A (your EC2 public IP), and for changes in cPanel (like creating subdomains etc.) you need to write a post hook (http://docs.cpanel.net/twiki/bin/view/SoftwareDevelopmentKit/BasicUsageStandardizedHooks) for this. Also it is good to assign the external IP as another IP address for your machine. It shouldn’t be primary, but you can use it to change wrong DNS records to right ones with the IP Migration Wizard (do only the first step of the migration, so only update DNS records).

        • Matúš Mättin Nickel

          Btw, if you need to use automatic IP assignment then you have to use /scripts/postwwwacct to do this (because the workaround with the zone template is just static).

  • http://blog.alessiopigliacelli.com Alessio

    Why not create cPanel AMIs?

    • Todd Rinaldo

      cPanel will not release a supported version of 1:1 NAT beyond EDGE tier until at least September. At that time, it will make sense to release an official AMI.

      • PK Hunter

        Did this happen? How can we basically replicate the WHM/Cpanel environment as if it were hosted by EC2, not by Rackspace or MediaTemple? The whole shebang.

        • Todd Rinaldo

          You need cPanel 11.40 to get these features. To do this at the moment, you would have to be set to the EDGE tier, which is a beta-level tier. We should be going to CURRENT in the next week or two. See http://httpupdate.cpanel.net/ for what version each tier is currently at.

          • http://shanx.com/ NearlyNormal

            Thanks Todd. This is exciting news. I’m hoping someone will do a step by step, simple guide for installing that version of WHM/Cpanel on EC2 servers with “reserved instances”.

  • Shane Terpstra

    Waiting with eager anticipation, this is what we are looking at doing with our infrastructure as well and have been hesitant for all of the reasons you are saying aren’t an issue any longer (eg: NAT).


  • Ali Can

    No need to deal with all of this.

    Go to the AWS panel and click EC2. Create a new virtual machine with CloudLinux with cPanel and you’re good to go in less than 3 minutes.

    • Lee

      With an ancient version of WHM/cPanel deployed? No thanks. Never bake your software into an AMI.

  • stoicattempt

    Thanks for sharing your AWS experience!