Introduction

📩 Note: This project is part of the 13-week-long DevOps Micro Internship (DMI). If you want to learn DevOps with hands-on practice and live projects for free, you can follow the YouTube playlist by Pravin Mishra.

This is my first 2-tier application architecture deployment project. I have good experience working on static and monolithic applications, but I haven’t worked on a 2-tier application until now. This project is my first real exposure to RDS, VPC, subnets, route tables, and security groups.

I have always been curious about how networks and cloud services work because they are invisible and hard to “feel.” But after learning the concepts of networking and cloud services, I finally understand the basics. For the first time, I deployed a 2-tier application with RDS as the database server and an EC2 instance as the web server, utilizing VPC, subnetting, and security groups to make it more secure.

Project-Writeup

For this project, we need knowledge of EC2 instances, VPC, subnets and subnet groups, route tables, and security groups. We also need to create multiple private and public subnets and select multiple availability zones to ensure high availability of the resources. In this project, we’ll create EpicReads, a WordPress blog hosted on Amazon Web Services (AWS) using a Virtual Private Cloud (VPC), Linux EC2 instance, and a managed RDS MySQL database.

This guide walks through everything from network design to domain name setup, so you can replicate the architecture for your own projects.


🏗️ Part 1: Designing the Network – Creating an AWS VPC

A Virtual Private Cloud (VPC) is the foundation of any modern AWS deployment. Think of it as your own isolated data center inside AWS where you control subnets, routing, and access.

1️⃣ Create the VPC

  1. Log in to the AWS Management Console.

  2. From the region selector (top right), choose the region closest to your audience for better performance.

  3. In the search bar, type VPC and open the VPC Dashboard.

  4. Click Create VPC → VPC only.

  5. Give it a Name tag (for example EpicReads-VPC) and specify an IPv4 CIDR block—for instance 10.0.0.0/16.

  6. Leave Tenancy as Default.

  7. Review and click Create VPC.

  8. Your private network is now ready and visible in the VPC Dashboard.


2️⃣ Add Public & Private Subnets

Subnets divide your VPC into smaller networks.

  • Public subnets host resources that need internet access (like our web server).
  • Private subnets host internal services (like databases).
  1. In VPC Dashboard → Subnets → Create Subnet.

  2. Select the EpicReads-VPC.

  3. Create at least:

    • One public subnet: assign a CIDR block (e.g., 10.0.0.0/24) and choose an Availability Zone (AZ).

    • Two private subnets: give each its own CIDR block (e.g., 10.0.1.0/24 for the first) and place them in different AZs to ensure high availability.

Tip: Using multiple AZs keeps your site online even if one AWS data center goes down.


3️⃣ Internet Gateway & Route Tables

Public subnets require a path to the internet.

Attach an Internet Gateway (IGW):

  1. Go to Internet Gateways → Create Internet gateway.

  2. Name it (e.g., EpicReads-IGW) and click on Create internet gateway.

  3. Select the newly created internet gateway, click Attach to VPC, and choose your VPC from the list.

Set Up Route Tables:

  4. Go to Route Tables → Create Route Table.

    • Create two tables: Public-RT and Private-RT.

  5. In Public-RT → Routes → Edit routes, add:

    • Destination: 0.0.0.0/0
    • Target: Your IGW.

  6. Go to Route Tables → select Public-RT → Subnet Associations → Edit subnet associations.

  7. Under Subnet Associations, attach only the public subnet(s).

Result: Only public subnets can reach the internet; private subnets remain isolated.


4️⃣ Secure the Network with Security Groups

Security Groups act as virtual firewalls.

  1. Go to Security Groups → Create security group.
  2. Name it WebServer-SG.
  3. Add inbound rules:
    • HTTP (80) – Source: 0.0.0.0/0 (allow all users to access your site)
    • SSH (22) – Source: your IP address only (for secure administration). A source of 0.0.0.0/0 would accept SSH connection attempts from any network, so keep this rule restricted to your own address.
  4. Add Outbound rules:
    • All traffic – Destination: 0.0.0.0/0 (allow outgoing traffic to any destination and protocol)
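
The same network and firewall design can be built with the AWS CLI instead of the console. The script below is an added example, not part of the original post: it assumes the AWS CLI is already configured for your region, uses us-east-1a and us-east-1b as the two AZs, 10.0.2.0/24 for the second private subnet and 203.0.113.10/32 as a placeholder admin address, and the ADMIN_CIDR, DRY_RUN and CMD_LOG variables are this script's own. With DRY_RUN=1 it only records the commands it would issue, and audit_log then scans that record (or your own shell history) for any ingress rule that would open SSH or MySQL to 0.0.0.0/0.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the EpicReads network and security groups
# built with the AWS CLI. Assumptions: AWS CLI configured for the target region, AZs
# us-east-1a/us-east-1b, second private subnet 10.0.2.0/24, admin address 203.0.113.10/32.
# DRY_RUN=1 records the commands in CMD_LOG instead of calling AWS.
set -eu

VPC_CIDR="10.0.0.0/16"
PUBLIC_CIDR="10.0.0.0/24"; PUBLIC_AZ="us-east-1a"
PRIV1_CIDR="10.0.1.0/24";  PRIV1_AZ="us-east-1a"
PRIV2_CIDR="10.0.2.0/24";  PRIV2_AZ="us-east-1b"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"   # your workstation; never 0.0.0.0/0 for SSH

# Run aws, or in dry-run mode log the command and hand back a stand-in ID.
aws_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'aws %s\n' "$*" >> "${CMD_LOG:-/dev/null}"
    echo "dry-$2"
  else
    aws "$@"
  fi
}

build_network() {
  VPC_ID=$(aws_cmd ec2 create-vpc --cidr-block "$VPC_CIDR" --query Vpc.VpcId --output text)
  aws_cmd ec2 create-tags --resources "$VPC_ID" --tags Key=Name,Value=EpicReads-VPC >/dev/null

  # One public subnet (auto-assigns public IPs) and two private ones in different AZs.
  PUB=$(aws_cmd ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block "$PUBLIC_CIDR" \
        --availability-zone "$PUBLIC_AZ" --query Subnet.SubnetId --output text)
  aws_cmd ec2 modify-subnet-attribute --subnet-id "$PUB" --map-public-ip-on-launch >/dev/null
  PRIV1=$(aws_cmd ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block "$PRIV1_CIDR" \
        --availability-zone "$PRIV1_AZ" --query Subnet.SubnetId --output text)
  PRIV2=$(aws_cmd ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block "$PRIV2_CIDR" \
        --availability-zone "$PRIV2_AZ" --query Subnet.SubnetId --output text)

  # Internet gateway + Public-RT with a default route; Private-RT gets no route to the IGW.
  IGW=$(aws_cmd ec2 create-internet-gateway --query InternetGateway.InternetGatewayId --output text)
  aws_cmd ec2 attach-internet-gateway --internet-gateway-id "$IGW" --vpc-id "$VPC_ID" >/dev/null
  PUB_RT=$(aws_cmd ec2 create-route-table --vpc-id "$VPC_ID" --query RouteTable.RouteTableId --output text)
  aws_cmd ec2 create-route --route-table-id "$PUB_RT" --destination-cidr-block 0.0.0.0/0 --gateway-id "$IGW" >/dev/null
  aws_cmd ec2 associate-route-table --route-table-id "$PUB_RT" --subnet-id "$PUB" >/dev/null
  PRIV_RT=$(aws_cmd ec2 create-route-table --vpc-id "$VPC_ID" --query RouteTable.RouteTableId --output text)
  aws_cmd ec2 associate-route-table --route-table-id "$PRIV_RT" --subnet-id "$PRIV1" >/dev/null
  aws_cmd ec2 associate-route-table --route-table-id "$PRIV_RT" --subnet-id "$PRIV2" >/dev/null

  # WebServer-SG: HTTP from anywhere, SSH only from the admin address.
  WEB_SG=$(aws_cmd ec2 create-security-group --group-name WebServer-SG \
           --description "EpicReads web tier" --vpc-id "$VPC_ID" --query GroupId --output text)
  aws_cmd ec2 authorize-security-group-ingress --group-id "$WEB_SG" --protocol tcp --port 80 --cidr 0.0.0.0/0 >/dev/null
  aws_cmd ec2 authorize-security-group-ingress --group-id "$WEB_SG" --protocol tcp --port 22 --cidr "$ADMIN_CIDR" >/dev/null

  # DB-SG: 3306 only from members of WebServer-SG (a group reference, not a CIDR).
  DB_SG=$(aws_cmd ec2 create-security-group --group-name DB-SG \
          --description "EpicReads database tier" --vpc-id "$VPC_ID" --query GroupId --output text)
  aws_cmd ec2 authorize-security-group-ingress --group-id "$DB_SG" --protocol tcp --port 3306 --source-group "$WEB_SG" >/dev/null

  echo "VPC=$VPC_ID PUBLIC_SUBNET=$PUB PRIVATE_SUBNETS=$PRIV1,$PRIV2 WEB_SG=$WEB_SG DB_SG=$DB_SG"
}

# Audit a command log (from DRY_RUN, or your shell history): fail if any ingress rule
# would open SSH or MySQL to the whole internet.
audit_log() {
  ! grep -E -- '--port (22|3306) .*--cidr 0\.0\.0\.0/0' "$1"
}

if [ "${1:-}" = "apply" ]; then
  build_network
fi
```

Run it as `DRY_RUN=1 CMD_LOG=plan.log ./network.sh apply && audit_log plan.log` first to review the plan; only `./network.sh apply` without DRY_RUN touches your account. The point worth noticing is the last authorize call: the database rule references WebServer-SG by group ID, so any instance later launched into that group can reach MySQL and nothing else can, whereas a CIDR rule would have to be maintained by hand as instances come and go.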

🖥️ Part 2: Launching the Web Server – Ubuntu EC2 Instance

Our next step is to launch a Linux EC2 instance inside the public subnet to host WordPress.

1️⃣ Launch the EC2 Instance

  1. In the AWS console, search EC2 → Launch Instance.

  2. Choose Ubuntu Server 24.04 LTS as the Amazon Machine Image (AMI).

  3. Select t3.micro (Free Tier eligible).

  4. Under Key pair, create a new key pair and download the .pem file.

  5. In Network settings:

    • Choose EpicReads-VPC and the public subnet.
    • Enable Auto-assign public IP.
    • Attach the WebServer-SG security group.

  6. Click Launch Instance.

  7. Copy the Public IP address; you will use it to reach the instance over SSH.

2️⃣ Connect Securely via SSH

On your local machine:

  • Change the permissions of the SSH key to 400 (read permission for the owner and no permissions for the group or others), then log in to the server using the SSH key.
chmod 400 /path/to/your-key.pem
ssh -i /path/to/your-key.pem ubuntu@<EC2-Public-IP>

You’re now inside your cloud server!


🌐 Part 3: Installing WordPress on the EC2 Instance

1️⃣ Update & Install Apache

sudo apt update && sudo apt upgrade -y
sudo apt install apache2 -y
sudo systemctl start apache2
sudo systemctl status apache2

Test by visiting http://<EC2-Public-IP> in your browser.

2️⃣ Install PHP & MySQL Client

sudo add-apt-repository ppa:ondrej/php -y
sudo apt update
sudo apt install -y php libapache2-mod-php php-mysql mysql-client

This provides the PHP runtime (with the Apache module and the MySQL extension WordPress uses) and the MySQL client tools. The database itself runs on RDS, so no MySQL server is installed on the web server.


3️⃣ Download and Configure WordPress

  1. Change the working directory to /var/www/html/.
cd /var/www/html

  2. Download the WordPress package.
sudo wget https://wordpress.org/latest.tar.gz

  3. Extract the downloaded archive latest.tar.gz.
sudo tar -xvzf latest.tar.gz

  4. Change the ownership of /var/www/html/wordpress to the www-data user and group, and set its permissions.
sudo chown -R www-data:www-data /var/www/html/wordpress
sudo chmod -R 755 /var/www/html/wordpress

  5. Change the working directory to wordpress and create a wp-config.php file from wp-config-sample.php.
cd wordpress
sudo cp wp-config-sample.php wp-config.php

We’ll edit this file later with database credentials.


🗄️ Part 4: Creating a Managed MySQL Database with RDS

1️⃣ Create a DB Subnet Group

  1. In the AWS Console, search RDS → Subnet groups → Create DB Subnet group.
  2. Name it (e.g., epicreads-subnet-group), add a description, select EpicReads-VPC.
  3. Choose multiple subnets in different AZs for high availability.

2️⃣ Launch the Database

  1. Go to RDS → Databases → Create database.

  2. Choose:

    • Engine: MySQL 8.0.42
    • DB instance class: db.t4g.micro
    • Storage: 20 GB (General Purpose SSD)
    • Template: Free tier
  3. Under Settings:

    • Database identifier: database-1
    • Master username: admin
    • Auto-generate the password and store it securely.
  4. Network settings:

    • Select EpicReads-VPC.
    • Public access: No.
    • Choose the epicreads-subnet-group.
  5. Under VPC security groups, create a new group DB-SG.


3️⃣ Configure DB Security

Allow only the web server to connect:

  1. Go to Security Groups → DB-SG → Edit inbound rules.

  2. Add:

    • Type: MySQL/Aurora (3306)
    • Source: The WebServer-SG.

This ensures the database is private and accessible only from the EC2 instance.
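
Creating the RDS instance from the CLI makes the settings that keep it private explicit, and a small check confirms them once the instance is up. This is an added example, not the author's; it assumes the private subnet IDs (PRIV1, PRIV2), the DB-SG ID (DB_SG) and the master password (DB_MASTER_PASSWORD) arrive as environment variables, takes gp3 as the "General Purpose SSD" storage type, and adds encryption at rest and a 7-day backup window on top of the console steps above. DRY_RUN and CMD_LOG are this script's own; check_db_exposure reads the JSON that `aws rds describe-db-instances` writes, so it can also be tried on a saved or constructed file.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): create the RDS instance with the CLI so the
# settings that keep it private are explicit, then verify them from describe-db-instances
# output. Assumes PRIV1, PRIV2 (private subnet IDs), DB_SG (DB-SG ID) and DB_MASTER_PASSWORD
# come from the environment; gp3 stands in for "General Purpose SSD". DRY_RUN=1 logs instead.
set -eu

aws_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'aws %s\n' "$*" >> "${CMD_LOG:-/dev/null}"
  else
    aws "$@"
  fi
}

create_database() {
  aws_cmd rds create-db-subnet-group \
    --db-subnet-group-name epicreads-subnet-group \
    --db-subnet-group-description "EpicReads private subnets" \
    --subnet-ids "$PRIV1" "$PRIV2"
  aws_cmd rds create-db-instance \
    --db-instance-identifier database-1 \
    --engine mysql --engine-version 8.0.42 \
    --db-instance-class db.t4g.micro \
    --allocated-storage 20 --storage-type gp3 \
    --master-username admin --master-user-password "$DB_MASTER_PASSWORD" \
    --db-subnet-group-name epicreads-subnet-group \
    --vpc-security-group-ids "$DB_SG" \
    --no-publicly-accessible \
    --storage-encrypted \
    --backup-retention-period 7
}

# check_db_exposure <describe-db-instances.json> <expected-sg-id>
# Passes only if the instance is not publicly accessible and DB-SG is its sole security group.
check_db_exposure() {
  file="$1"; expected_sg="$2"
  if ! grep -q '"PubliclyAccessible": false' "$file"; then
    echo "FAIL: database is publicly accessible (or the field is missing)"; return 1
  fi
  sgs=$(grep -o '"VpcSecurityGroupId": "[^"]*"' "$file" | cut -d'"' -f4 | sort | tr '\n' ' ')
  if [ "$sgs" != "$expected_sg " ]; then
    echo "FAIL: security groups attached: ${sgs:-none}; expected only $expected_sg"; return 1
  fi
  echo "OK: instance is private and reachable only through $expected_sg"
}

# Usage once the instance reports "available":
#   aws rds describe-db-instances --db-instance-identifier database-1 > db.json
#   check_db_exposure db.json "$DB_SG"
```

Keeping the password in an environment variable rather than typed into the command keeps it out of shell history; the check is worth re-running after any later "Modify" in the console, since toggling Public access to Yes there silently undoes the isolation this section sets up.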


4️⃣ Connect WordPress to the Database

Get the database endpoint from the RDS console.

On the EC2 instance, connect to RDS as the master user:

mysql -h <your-db-endpoint> -u admin -p

Enter the password, create the database WordPress will use, and confirm it is listed:

CREATE DATABASE wordpress;
SHOW DATABASES;
EXIT;

Edit wp-config.php:

define('DB_NAME', 'wordpress');
define('DB_USER', 'admin');
define('DB_PASSWORD', '<your-password>');
define('DB_HOST', '<your-db-endpoint>');

For added security, generate unique keys at https://api.wordpress.org/secret-key/1.1/salt/ and replace the default keys in the config file.
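
The wp-config.php edit and the key replacement can be done in one step from the sample file, which also avoids leaving the database password in an editor swap file or shell history. The script below is an added example, not the author's: it assumes it runs with sudo inside /var/www/html/wordpress, reads DB_NAME, DB_USER, DB_PASSWORD and DB_HOST from the environment, generates the eight keys locally with /dev/urandom instead of fetching them from api.wordpress.org (either source is fine), and the WP_OWNER and WP_GROUP variables are its own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: fill in wp-config.php from the sample file,
# generate the eight secret keys locally, and lock down the file's permissions.
# Assumes: run via sudo in /var/www/html/wordpress; DB_NAME, DB_USER, DB_PASSWORD and
# DB_HOST come from the environment so the password never lands in shell history.
set -eu

# Escape characters that are special in the sed replacement (| is used as delimiter).
sed_escape() { printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'; }

# 64 random alphanumeric characters (about 380 bits), produced locally instead of fetched
# from api.wordpress.org; works on a host without outbound HTTPS.
gen_salt() { LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64; }

# configure_wp_config <sample> <target>
configure_wp_config() {
  sample="$1"; target="$2"
  cp "$sample" "$target"
  # Replace only the placeholders that follow the matching define() key.
  sed -i \
    -e "s|\('DB_NAME',[[:space:]]*\)'database_name_here'|\1'$(sed_escape "$DB_NAME")'|" \
    -e "s|\('DB_USER',[[:space:]]*\)'username_here'|\1'$(sed_escape "$DB_USER")'|" \
    -e "s|\('DB_PASSWORD',[[:space:]]*\)'password_here'|\1'$(sed_escape "$DB_PASSWORD")'|" \
    -e "s|\('DB_HOST',[[:space:]]*\)'localhost'|\1'$(sed_escape "$DB_HOST")'|" \
    "$target"
  # A fresh value for each of the eight keys; WordPress invalidates every session when they change.
  for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    sed -i "s|\('$key',[[:space:]]*\)'put your unique phrase here'|\1'$(gen_salt)'|" "$target"
  done
  # Readable by Apache (www-data) only; other local accounts cannot read the DB password.
  chown "${WP_OWNER:-www-data}":"${WP_GROUP:-www-data}" "$target" 2>/dev/null || true
  chmod 640 "$target"
  # Non-zero if any placeholder survived, so a caller can stop on a half-filled file.
  ! grep -q -e '_here' -e 'put your unique phrase here' "$target"
}

# Usage (hypothetical values):
#   sudo DB_NAME=wordpress DB_USER=admin DB_PASSWORD='...' \
#        DB_HOST=database-1.xxxxxxxx.us-east-1.rds.amazonaws.com \
#        bash -c '. ./wp-config.sh; configure_wp_config wp-config-sample.php wp-config.php'
```

Mode 640 with www-data ownership is tighter than the blanket `chmod -R 755` applied to the directory earlier: Apache still reads the file, but the database password is not world-readable on the instance.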


5️⃣ Finalize WordPress Deployment

Copy the WordPress files up to the web root (the full path is used because the previous step left you inside /var/www/html/wordpress), remove Apache's default index.html so it no longer shadows WordPress's index.php, hand the web root to Apache, and make the service start on boot:

sudo cp -r /var/www/html/wordpress/* /var/www/html/
sudo rm /var/www/html/index.html
sudo chown -R www-data:www-data /var/www/html
sudo systemctl enable apache2
sudo systemctl restart apache2

Visit http://<EC2-Public-IP>/wp-admin and complete the WordPress setup by choosing a site title, admin username, and password.

🎉 Your WordPress dashboard is live!


🌍 Part 5: Linking a Custom Domain via Cloudflare

To make your site accessible via a friendly URL:

  1. Log in to Cloudflare and open your domain dashboard.

  2. Go to DNS → Records → Add record.

  3. Select:

    • Type: A
    • Name: epicbook (or your preferred subdomain)
    • IPv4 address: <EC2-Public-IP>
  4. Save the record and wait for DNS propagation.

Now you can access your site at https://epicbook.yourdomain.com.


✅ Wrapping Up

You’ve successfully:

  • Built a secure AWS VPC with public and private subnets,
  • Deployed a Linux EC2 web server,
  • Created a managed MySQL database with RDS, and
  • Linked WordPress to a custom domain name.

This architecture delivers:

  • Scalability – Easily add more EC2 instances or upgrade the database.
  • Security – Database is private; only the web server can connect.
  • High Availability – Multi-AZ subnets protect against data center failures.

Next Steps

  • Enable SSL/TLS certificates using AWS Certificate Manager or Cloudflare.
  • Configure automated RDS backups.
  • Add a Content Delivery Network (CDN) for faster global performance.

💡 Takeaway: By combining AWS VPC, EC2, and RDS, you’ve built a production-ready WordPress site—perfect for growing blogs like EpicReads.

Happy cloud building! ☁️