0

My goal is to have a single EC2 instance containing both WordPress and its MySQL database on the same VPC and have WordPress available on the public subnet and MySQL on the private subnet. The purpose is to reduce MySQL exposure to public traffic without having to place it on a separate EC2 instance.

To achieve this I launched an EC2 instance in the public subnet and attached a network interface for the private subnet. I then installed WordPress and MySQL which by default installs on the public subnet.

What I'm not clear on is how to place MySQL on the private subnet and make it accessible by WordPress. I tried a bind address to an IP within the private subnet. However, whenever I do, WordPress becomes inaccessible. If I switch the bind to the IP address of my instance, WordPress works.

1
  • Which OS and version do you use?
    – Guido
    Commented Apr 8 at 20:35

2 Answers

0

For a while now, a long time really ... MySQL only listens on the localhost anyway. It's even an objective in a few cloud sysops exams, I've heard? Just about every hosting operator has this in their own FAQ, because it's so common.

https://www.google.com/search?q=allow+mysql+remote+connection&newwindow=1

You need to edit your mysqld configuration file, names & locations may vary ... could be my.cnf or mysqld.cnf??? Anyways, locate the "bind-address" configuration variable and modify it. ADDITIONALLY, you need to modify grants as well, since most were originally created to permit user@localhost. After you modify grants and flush privileges, you have to allow traffic through the firewall. Almost any installation likely has one, be it on-prem or clouds. Make sure you allow tcp/3306 from specific IPs or allow anyone globally (if you have a death wish or love to fly the window seats of 737 MAXs).

So, to recap ...

  1. modify config
  2. grants/privileges
  3. poke holes in your firewall

Test & verify that what you did worked, document what you've done, why, with a ticket number and all that jazz ...

0

You can let WordPress run using nginx or Apache and configure those web servers to only serve WordPress sites on a public subnet/IP.

You can use a security group to deny MySQL from the Internet and allow it locally from the web server to MySQL/MariaDB.

But from a security and architectural point of view it is not ideal.

You can let MySQL listen on a specific IP, and your OS network config needs to have that IP available.
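A way to check the two settings the answers above turn on, mysqld's `bind-address` and WordPress's `DB_HOST`, against each other. This is an added example, not code from the question or either answer. The function names, the 10.0.x.x addresses and the idea that the broken case is a `DB_HOST` pointing at the public-subnet interface are assumptions made for illustration.

```python
import ipaddress
import re

WILDCARDS = {"*", "0.0.0.0", "::"}  # bind-address values meaning "every interface"

def bind_addresses(cnf_text):
    """Return bind-address values from the [mysqld] section ([] if unset)."""
    section, found = None, []
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "mysqld" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.replace("_", "-") == "bind-address":
                found = [v.strip() for v in value.split(",")]
    return found

def db_host(wp_config_text):
    """Return the host part of WordPress's DB_HOST constant (port stripped)."""
    m = re.search(r"define\(\s*['\"]DB_HOST['\"]\s*,\s*['\"]([^'\"]+)['\"]", wp_config_text)
    return m.group(1).split(":", 1)[0] if m else None

def same_ip(a, b):
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:          # not an IP literal; hostnames are not resolved here
        return False

def check(cnf_text, wp_config_text, public_if_ips):
    """Return (wordpress_can_connect, mysqld_listens_on_public_interface)."""
    # Assumption: an unset bind-address means MySQL's built-in default, all interfaces.
    binds = bind_addresses(cnf_text) or ["*"]
    host = db_host(wp_config_text)
    wildcard = any(b in WILDCARDS for b in binds)
    on_public = wildcard or any(same_ip(b, p) for b in binds for p in public_if_ips)
    if host == "localhost":     # client uses the Unix socket; bind-address is irrelevant
        return True, on_public
    return wildcard or any(same_ip(host, b) for b in binds), on_public

# Constructed sample inputs: 10.0.1.10 = public-subnet ENI, 10.0.2.10 = private-subnet ENI.
CNF = "[mysqld]\nbind-address = 10.0.2.10  # private-subnet ENI\n"
WP_BROKEN = "define( 'DB_HOST', '10.0.1.10' );"
WP_FIXED = "define( 'DB_HOST', '10.0.2.10' );"

if __name__ == "__main__":
    print("broken:", check(CNF, WP_BROKEN, ["10.0.1.10"]))
    print("fixed: ", check(CNF, WP_FIXED, ["10.0.1.10"]))
```

A `DB_HOST` given as a hostname other than `localhost` is reported as not matching, because the script does no DNS lookups.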
