How to use Ansible for automated AWS provisioning

I’ve recently produced a series of articles aimed at startups, entrepreneurial solo developers, etc. wanting to take their first steps into Amazon Web Services (AWS) setups for app deployment:

I then wanted to move on from discussing manual setup via the GUI of the AWS web console to DevOps-style, command-line, programmatic setup for automated provisioning of an AWS infrastructure for app deployment, i.e. infrastructure as code (IaC). I have therefore created a suite of Ansible playbooks to provision an entire AWS infrastructure with a Staging instance and an auto-scaled load-balanced Production environment, and to deploy a webapp thereon. The resulting set of Ansible AWS provisioning playbooks and associated files can be found in a repository on my GitHub, so go ahead and grab it from there if you want to try them out. Keep reading for information on how to set up and use the playbooks (and you can also refer to the README in the repo folder, which contains much of the same information).

With these playbooks, firstly the EC2 SSH key and Security Groups are created, then a Staging instance is provisioned, then the webapp is deployed on Staging from GitHub, then an image is taken from which to provision the Production environment. The Production environment is set up with auto-scaled EC2 instances running behind a load balancer. Finally, DNS entries are added for the Production and Staging environments.

How to migrate an application to AWS with auto-scaled EC2 instances

For entrepreneurs, startups, and established companies trying out new projects, there hopefully comes a time when interest in the app increases such that incoming traffic levels start to rise significantly. This will likely necessitate various improvements to the infrastructure running the application so that it’s more robust, reliable and scalable.

The application may previously have been running on a cheap hosted server on a service like DigitalOcean, Linode or OVHcloud, or possibly even a single EC2 (Elastic Compute Cloud) instance on AWS (Amazon Web Services), and the desired solution would now be to move the application to a dynamically auto-scaled EC2 environment so that it can handle the increasing traffic without resource problems and site downtime.

In order to achieve this, it will also be necessary to set up the database on AWS, and the most realistic solution for this is to use Amazon’s RDS (Relational Database Service). I’ve recently covered this process in my article Migrating a MySQL database to AWS (with specific focus on RDS). You’ll also need to set up a load balancer, most likely an ELB (Elastic Load Balancer), to balance the incoming traffic across the auto-scaled EC2 application instances. I’ve recently covered this topic also, in my article Choosing and setting up a load balancer in AWS. So have a read through both of those articles to begin with, and below I’ll cover the rest of the process, i.e. auto-scaling the application instances on EC2.

How to use Ansible for security hardening on RHEL 7 and CentOS 7 servers

My article Security hardening on CentOS 7, Red Hat Enterprise Linux 7 & Amazon Linux was seen by Red Hat guru Karoly Vegh, who helpfully suggested it would be a good idea to automate the process with Ansible.

So here in a repository on my GitHub are some Ansible playbooks and related support files that I’ve created, which can be used for hardening servers running RHEL 7, CentOS 7 and related Linux distributions such as Amazon Linux 2. With some tweaking these playbooks could be easily modified for use with Ubuntu, Debian and other types of distro.

To use these playbooks, check out the repo and you can run the playbooks in the Ansible_RHEL_CentOS_hardening folder with ansible-playbook in the usual way. They assume the target servers are defined in your Ansible inventory as centosservers, but of course you can modify that if needed.

How to migrate a MySQL database to AWS (with specific focus on RDS)

If you’ve been running a web application on just one or two servers which contain your web server, application framework and database, there will likely come a time when you need to scale to cope with higher load from more incoming traffic. Whilst the web/application side of things can usually be scaled horizontally across multiple servers without too much trouble, a MySQL database is not so straightforward.

You may be using one or two EC2 instances, or your infrastructure may be hosted somewhere other than AWS. We’ll assume here that you’re migrating the whole app to AWS (if it’s not there already) and that you need to put the database somewhere within AWS as part of the scaling-up process. There are basically two options: install MySQL on one or more EC2 instances and administer it yourself; or use Amazon’s RDS (Relational Database Service) as a simpler way of hosting and managing your database.

How to choose and set up a load balancer in AWS

When you want to run your web application on more than one EC2 instance for scaling and redundancy purposes, you will probably require some form of load balancer to distribute incoming requests evenly across the instances. There are various possible solutions for this.

One option is to launch another EC2 instance and install a load balancer on it yourself. There are quite a few open source load balancing options, though I would tend to recommend HAProxy as it’s fast, efficient, secure, and very flexible. This option involves setting up your Linux instance and installing the software you need yourself, then configuring your chosen load balancer and installing your SSL certificates, etc. Additionally you would need to estimate the necessary instance size to run the load balancing software without getting overloaded and slowing the site down (bearing in mind that SSL termination can be particularly CPU-intensive), then monitoring it accordingly.

Unless there’s a particular reason to take the approach of installing a load balancer on an EC2 instance, a simpler and more effective option – especially for companies taking their first steps into scaling multiple instances for their application – is likely to be Amazon’s own ELB (Elastic Load Balancer). This doesn’t require an EC2 instance with Linux setup, software installation and configuration, etc. It provides a simple interface with easy SSL termination and it will scale itself automatically as needed, so there is little required in the way of planning and monitoring.

How to create a Slack notification from a CloudWatch alarm for an SQS queue, via SNS and Lambda

This article describes the process of creating a Slack notification from a CloudWatch alarm generated from an undesirable state in an SQS (Simple Queue Service) queue, via SNS (Simple Notification Service) and Lambda.

You can of course modify any of these to suit your differing requirements. For example, the source could be a different SQS state, or the source could be some other AWS service rather than SQS, or you may want to send the notification to somewhere other than Slack (in which case a different Lambda function may be required), etc.

Building a Postfix-based mail system for incoming and outgoing email, capable of successfully sending one million emails per day

It was necessary to build an updated mail system for a client which would handle all incoming and outgoing email, and which could handle successfully sending out an average of one million emails per day. This was based on Postfix, since Postfix is known for reliability, robustness, security, and relative ease of administration. Building a Postfix mail system capable of handling so many emails is quite a significant aim at a time when establishing a positive reputation for independent mail servers delivering high volumes of email is quite a challenging goal.

How to harden CentOS 7, Red Hat Enterprise Linux 7 & Amazon Linux for better security

A few years ago I wrote a quite popular post for security hardening on Ubuntu 14.04, and now here’s a new version for CentOS 7 and RHEL 7. Much of it should apply to CentOS/RHEL versions 6 and 8, with some tweaks required here and there. It should also largely work with Amazon Linux and Amazon Linux 2, although again some tweaks will be required for those.

69 useful Terminal/CLI commands

For a long time I’ve maintained a memory aid in the form of a list of useful commands which can be used on the command line for Linux, macOS (OS X), BSD, Solaris, etc., so I thought I’d list them in a sticky blog post in case they come in useful for others. Most of these will run on any Unix-type operating system, though I’ve usually indicated where a command is OS-specific. These can be run manually for admin purposes and also scripted for automation purposes.

Script to detect MAC addresses of new devices connecting to local network

I wanted to get notified of any new machines connecting to my local network so that I could be reasonably sure there would be no unauthorised devices connecting wirelessly to use my network for unknown and potentially malicious purposes. I therefore wrote a simple script to detect new MAC addresses appearing on the network and notify me accordingly. The script requires nmap to be installed and should ideally be run from cron with the output going to a valid email account. The script can be obtained from my GitHub.