Moving Services to AWS

I started using Google Container Engine from July 2017, services no longer run on AWS.

After the multi-hour outage of the entire Linode Fremont data center on May 30, it’s time to make my services stronger.

The main idea is to establish an architecture with one EC2 instance, multiple RDS instances across multiple availability zones, create snapshots of EBS volumes and store them in S3, all services can be restored in minutes if incidents happen.

Just to record the initial configuration process below:

*All usernames / paths are changed for security reasons.

I. Initial configuration

Launch a new EC2 instance and update packages

sudo su
apt-get update
apt-get upgrade

Set timezone, hostname:

dpkg-reconfigure tzdata
vim /etc/hostname

Then add the new hostname as localhost to /etc/hosts.

II. Configure users and groups

Allow login as root (disable after inital configuration):

cd ~/.ssh
cp authorized_keys authorized_keys_bck
vim authorized_keys
remove text before ssh-rsa

Add user and group for services:

groupadd hsg
useradd -G hsg hs
su hs
mkdir ~/.ssh
vim ~/.ssh/authorized_keys
chmod -R 700 ~/.ssh

Rename default ubuntu user:

usermod ubuntu -l abc
groupmod -n abc ubuntu
usermod -G hsg -a abc
mv /home/ubuntu/ /home/abc
usermod -d /home/abc abc

Skip password for user abc:

rm /etc/sudoers.d/90-cloud-init-users

Add following to /etc/sudoers:

# abc

III. Configure volumes

Attach another EBS volume, use lsblk to verify:


Format the new volume:

mkfs -t ext4 device_name

Backup & edit fstab:

cp /etc/fstab /etc/fstab_bck

Add following line to /etc/fstab:

/dev/xvdf /service_data ext4 defaults,nofail 0 2

Mount devices:

mkdir /service_data
mount -a

IV. Configure servcies

Install packages:

apt-get install php5-fpm
apt-get install php5-gd
apt-get install php5-curl
apt-get install php5-mysql
apt-get install mysql-client
apt-get install zip
apt-get install unzip

# Install newer version of Nginx (SPDY/3.1 support)
add-apt-repository ppa:nginx/stable
apt-get update
apt-get install nginx

Use rsync to sync all configurations from Git repository.

Import SSL certificates, set permissions (400).

Configure Nginx:

rm /etc/nginx/sites-enabled/default
rm /etc/nginx/sites-available/default
ln -s /etc/nginx/sites-available/* /etc/nginx/sites-enabled/

Configure PHP:

# For debugging
touch /var/log/php-errors.log
chmod 777 /var/log/php-errors.log
ln -s /var/log/php-errors.log ~/

V. Deploy databases

Launch a multi-AZ RDS instance, backup original databases and import to RDS:

mysqldump -u root -p --all-databases > all_db.sql
mysql -h rds_endpoint -u root -p
mysql> source all_db.sql

The database connection endpoints should be updated on all services, using subdomains to point to those connection endpoints is recommended, since configurations are no need to be changed after new DB deployment, just update the DNS records.

All services should be up and running now.

The last thing is to deploy a PPTP VPN server.

The process is described here.