In this code pattern we will demonstrate using IBM Cloud Schematics with Schematics Workspace (HashiCorp Terraform) and Schematics Action (Red Hat Ansible) to automate infrastructure deployment and configuration for a multitier architecture. The architecture leverages IBM Cloud Virtual Private Cloud for public cloud isolation and separates the web/application and data tiers by deploying VSIs into isolated subnets across different availability zones, with network isolation defined using Security Groups and ACLs. This automated approach builds on the Solution Tutorial "Use Virtual Servers to build highly available and scalable web app".
Infrastructure features used include:
- VPC public cloud isolation.
- Logical network isolation using Security Groups and ACLs.
- Layers on isolated subnets across zones.
- RFC1918 private bring-your-own-IP addresses.
- Global DDOS and Global Load Balancing.
- Bastion and VPN for secure connectivity between on-premise and VPC.
- SysDig and LogDNA for infrastructure and application monitoring.
Application products used include:
- LAMP stack with Linux, MySQL, and PHP.
- Apache is used as the Web Server.
- WordPress (popular web, blog and e-commerce platform) demonstrates horizontal scalability across zones.
- MySQL (typical open source database) demonstrates multiple database servers and replication strategy across zones.
When you have completed this code pattern, you will understand:
- How to provision and configure a working VPC environment.
- How to create Terraform scripts and use Schematics Workspace to provision infrastructure.
- How to create Ansible playbooks and use Schematics Action to configure infrastructure.
- Users access website from Internet.
- The website invokes Global LB.
- Global LB invokes Public ALB.
- Public ALB balances load to frontend VSIs across zones.
- Subnets have egress-only access via Public Gateway to Internet.
- Frontend VSIs invoke backend VSIs.
- Enterprise users access the VSIs via Floating IP to Bastion Host.
- Enterprise users/apps can also access the VSIs via VPN connection.
- Users access website from Internet.
- The website invokes Global LB.
- Global LB invokes Public ALB.
- Public ALB balances load to frontend VSIs across zones.
- Frontend VSIs have Apache and WordPress configured to implement the website.
- Frontend VSIs use the source database in the backend VSI.
- (Future) Frontend VSIs use the replica database in the backend VSI when necessary.
- (Future) Source and replica Databases are configured for replication across zones.
- Clone repo.
- Configure credentials.
- Create Schematics Workspace.
- Create Schematics Action.
- Apply Schematics Workspace.
- Run Schematics Action.
- Validate Internet Service.
- Clone the codepattern-multitier-vpc repo locally. In a terminal, run:

```
git clone https://github.com/IBM/codepattern-multitier-vpc
```
- Make sure that you have the required IAM permissions to create and work with VPC infrastructure and Schematics permissions to create the workspace and deploy resources.
- Generate an SSH key. The SSH key is required to access the provisioned VPC virtual server instances via the bastion host. After you have created your SSH key, make sure to upload this SSH key to your account in the VPC region and resource group where you want to deploy this example.
- Go to Schematics in cloud portal
- Select Workspaces
- Select Create workspace
- Enter a name
- Select Location
- Select Create
- Go to Settings
- Enter the GitHub URL
- Select a Terraform version (tested with terraform_v0.14)
- Select Save template information
- Go to Variables
- Review the Defaults for each variable
- Select Edit, uncheck "Use default" to customize values, and select Save; in particular:
Name | Type | Default | Override value | Sensitive |
---|---|---|---|---|
ssh-public-key | string | | your-key | Yes |
vpc-name | string | webappvpc | your-webappvpc | No |
resource-group | string | webapprg | your-webapprg | No |
domain | string | mydomain.com | your-domain.com | No |
cis-instance-name | string | mydomain.com | your-domain.com | No |
- Go to Schematics in cloud portal
- Select Actions
- Select Create action
- Enter a name for your action
- Select Create to create your action
- Go to Settings page
- Enter URL of the Github repository
- Select Retrieve playbooks
- Select playbooks/site.yaml
- Select Advanced options
- Select Define your variables
- Select Add input value with the following:
Key | Value | Sensitive |
---|---|---|
dbpassword | securepassw0rd | Yes |
logdna_key | 143c30a06ac6dfae03b3a84259bf1b9e | Yes |
sysdig_key | 55e7f496-af78-4e0d-89f7-fa040e259ebd | Yes |
app_name | www.yourdomain.com | No |
source_db | 172.21.1.4 | No |
replica_db | 172.21.9.4 | No |
- Select Save
- Select Edit inventory
- Enter Bastion host IP from Terraform output
- Select Create Inventory
- Enter a name for your inventory
- Select Define manual with the following:
Inventory |
---|
[webapptier] |
172.21.0.4 |
172.21.8.4 |
[dbtier0] |
172.21.1.4 |
[dbtier1] |
172.21.9.4 |
- Select Create inventory
- Enter private SSH key (ensure newline at end of key is included)
- Check Use same key
- Select Save
- Go to Schematics in cloud portal
- Select Workspaces
- Select your workspace
- Select Generate plan to review plan
- Select View log to review the plan execution log
- Select Apply plan to provision plan
- Select View log to review the apply execution log
- Optionally review /var/log/cloud-init-output.log on each server
- Note the Outputs at the end of apply execution log:
Name | Value |
---|---|
app_name | www.your-domain.com |
bastionserver1 | bastionIP1 (public) |
bastionserver2 | bastionIP2 (public) |
ssh-bastionserver1 | ssh root@bastionIP1 |
ssh-bastionserver2 | ssh root@bastionIP2 |
replica_db | 172.21.9.4 |
ssh-replicadb | ssh -o ProxyJump=root@bastionIP2 root@172.21.9.4 |
source_db | 172.21.1.4 |
ssh-sourcedb | ssh -o ProxyJump=root@bastionIP1 root@172.21.1.4 |
webappserver1 | 172.21.0.4 |
ssh-webappserver1 | ssh -o ProxyJump=root@bastionIP1 root@172.21.0.4 |
webappserver2 | 172.21.8.4 |
ssh-webappserver2 | ssh -o ProxyJump=root@bastionIP2 root@172.21.8.4 |
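The Schematics Action inventory above and the ProxyJump commands in the Terraform outputs describe the same bastion topology: each private VSI is reached through the bastion in its own zone. The script below is an added example, not code from the codepattern-multitier-vpc repository; it renders an equivalent Ansible INI inventory for running the playbooks from a workstation, refuses any host that is not an RFC1918 address, and assumes (from the outputs table) that hosts in 172.21.0.x to 172.21.7.x are in zone 1 and 172.21.8.x and above are in zone 2. The bastion addresses are placeholders for the bastionserver1/bastionserver2 outputs.

```shell
#!/bin/sh
# Added example (not from the codepattern-multitier-vpc repo): build an Ansible
# INI inventory mirroring the Schematics Action inventory, with per-host SSH
# ProxyJump through the zone's bastion. Private IPs are the README's sample values.
BASTION1="${BASTION1:-BASTION_IP_1_PLACEHOLDER}"   # placeholder: bastionserver1 output
BASTION2="${BASTION2:-BASTION_IP_2_PLACEHOLDER}"   # placeholder: bastionserver2 output

# Every VSI behind the bastion sits on a private subnet, so a non-RFC1918
# address in the inventory is almost certainly a typo or an accidental leak.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Assumption taken from the Terraform outputs table: third octet below 8 means
# zone 1 (bastionserver1), 8 or above means zone 2 (bastionserver2).
bastion_for() {
  third=$(printf '%s' "$1" | cut -d. -f3)
  if [ "$third" -lt 8 ]; then printf '%s' "$BASTION1"; else printf '%s' "$BASTION2"; fi
}

# One inventory line: host, login user, and the ProxyJump arguments Ansible
# passes to ssh for this host only.
host_line() {
  is_rfc1918 "$1" || { echo "refusing non-private host $1" >&2; return 1; }
  printf "%s ansible_user=root ansible_ssh_common_args='-o ProxyJump=root@%s'\n" \
    "$1" "$(bastion_for "$1")"
}

# Same groups as the manual inventory entered in the Schematics Action.
render_inventory() {
  printf '[webapptier]\n'
  host_line 172.21.0.4
  host_line 172.21.8.4
  printf '\n[dbtier0]\n'
  host_line 172.21.1.4
  printf '\n[dbtier1]\n'
  host_line 172.21.9.4
}

render_inventory
```

Redirect the output to a file and pass it to `ansible-playbook -i` together with the same private key you uploaded to Schematics.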
- Go to Schematics in cloud portal
- Select Actions
- Select your action
- Select Run action
- Select View log to review the run action log
- Go to Internet Services in cloud portal
- Select the service name you specified in Terraform
- Wait for status to change from Pending to Active
- Note the NS records
This code pattern is licensed under the Apache License, Version 2. Separate third-party code objects invoked within this code pattern are licensed by their respective providers pursuant to their own separate licenses. Contributions are subject to the Developer Certificate of Origin, Version 1.1 and the Apache License, Version 2.