My Best Practices for Deploying a Web Application in Alibaba Cloud
My Best Practices for Deploying a Web Application in Alibaba Cloud
In this article, a developer shares some best practices he uses when deploying web applications on the cloud, including security and performance.
Join the DZone community and get the full member experience.Join For Free
Through this article, I want to share the best practices I use when deploying some web applications on the cloud. I work as a freelancer and recently one of my clients asked me to setup SuiteCRM for his small organization. Since I frequently write tutorials for Alibaba Cloud, I recommended the client use the same cloud platform. For nearly a 100 users and at least 30 concurrent users, here's the configuration I recommended.
- ECS instance of 2 vCPUs and 4GB RAM to install Nginx with PHP-FPM.
- ApsaraDB for RDS instance for MySQL with 1GB core, 1 GB RAM, and 10 GB storage.
- Direct Mail for sending emails.
The steps I followed are very simple and can be adopted for nearly all PHP-based applications.
If you are new to Alibaba Cloud, you can use this link to sign up. You will get a new user credit worth $300 USD for free which you can use to try out different Alibaba Cloud products.
Creating an ECS Instance
Alibaba Cloud has documented nearly everything you will need to get started with the cloud platform. You can use the use the Getting Started Tutorials or the Tech Share Blog to learn how to start using the Alibaba Cloud. You can find the most obvious steps on the Quick Start Guide and let me walk you through the best practices to use when creating the ECS instance.
Log in to your Alibaba Cloud console and go to the Elastic Compute Service interface. You can easily create the instance by clicking the Create Instance button. Things to keep in mind are:
- Region: Since Alibaba cloud has data centers all around the globe, always choose the region which is geographically closer to the users of the application. As the data center is closer to the user, the website will load very fast due to low latency of the network. In my case, I chose Mumbai region as the organization was based in Mumbai itself.
- Billing Method: If you are planning to continuously run the instance 24/7, you should always choose the monthly subscription as it will cut down the price by less than the half compared to the Pay-as-You-Go type. For example, the monthly subscription cost of shared type ECS instance of 2 vCPUs and 4GB RAM is $23 USD but the same instance in Pay-as-You-Go costs $0.103 USD per hour. Monthly cost becomes $0.103\*24\*30 = $74.16 USD.
- Instance Type: Choose the instance type according to your requirement. Resources can be increased later on demand.
- Image: You may find the application you wish to install on your ECS instance on the Marketplace image but it is always recommended to install it yourself in a clean, official image. Later if your application encounters some error, you will know where to look.
- Storage: System disks are deleted when the ECS instance is released. Use a data disk when possible as your disk will be retained even after the instance is accidentally deleted.
Here's the configuration I used.
You can choose the VPC which is created by default. You can add as much as 4092 instances in it. I use a different security group for each ECS instance so that I can configure individually, it makes sure that no unused port is opened.
Another important thing is to use key-based authentication rather than using the passwords. If you already have a key-pair, you can add the public key to Alibaba Cloud. If not, you can use Alibaba Cloud to create one. Make sure that key is stored in a very secure place and the key itself is encrypted by a passphrase.
That's all the things to keep in mind while creating the ECS instance.
Setting Up ECS Instance
Once you have created your instance and logged into the terminal, there are few things I suggest you should consider before you set up your website.
- Rather than using the root account for executing the commands, set up a sudo user on first connection and always use the sudo user for running the commands. You can also set key based auth for the sudo user too and disable root login entirely.
- Always keep your base image updated. For example, you can use the following commands in an Ubuntu Server.
- Alibaba base images do not have any extra package which is not required. Keep in mind that you also do not install any package which is not required.
- If things go bad during installation, you can always reset the instance by changing the system disk. You don't need to delete the instance and recreate it.
I created the sudo user and configured key based auth in it. I updated the base image and set up unattended system upgrades. I followed a tutorial to install Nginx web-server, which is a lightweight production-grade web server. Furthur, I installed PHP 7.2 with PHP-FPM. PHP 7.2 is the latest available version of PHP as of now. Using the latest software will ensure that the system is free from all the bugs and we will also get a faster processing and more stability. Finally, I downloaded the SuiteCRM archive from its official website and deployed the files into Nginx.
Configuring Security Group Rules
It is very important to leave no unused port open in security group of the ECS instance. Have a look at the security group rules I used for the SuiteCRM instance.
You can see that I have allowed only the ports 22, 80, and 443 along with all ICMP packets. Post 22 is used for SSH connection. Port 80 is an unsecured HTTP port, which in my case just redirects to the port 443 on HTTPS. ICMP packets are used to ping the host to check if it is alive or not. It's perfectly ok if you want to drop the ICMP packets also, you just won't be able to ping your instance.
Creating RDS Instance
The first question that comes to mind before we create the RDS instance is why exactly we need it. We could also install any open source database server such as a MySQL, MariaDB, PostgreSQL or MongoDB server on the ECS instance itself.
The answer to the question is that ApsaraDB for an RDS instance is optimized for speed and security. By default, the instance we create is only accessible to the whitelisted instances.
Let's look at the things to keep in mind when we create the ECS instance.
- Region: Always choose the same region to create the database instance where the ECS instance is created. Also, make sure that they both are in the same VPC. This will enable you to leverage the free intranet data transfer between the hosts in the same network. Another advantage is that you will need to whitelist only the private IP address of the ECS instance. This increases the security of the database to a great extent.
- Billing: Again, the cost of monthly subscription is less than that of a Pay-as-You-Go method. Choose according to your needs.
- Capacity: You can start with a low-end configuration such as 1 Core, 1 GB instance, and 5 GB storage. Later on the requirement, you can increase the resources.
- Accounts: Never create the Master account for MySQL 5.6 instance unless required. You can create a database and a database user for each database.
Here's the RDS configuration I used for SuiteCRM.
Once the MySQL RDS instance was activated, I whitelisted the ECS instance from the Security tab of the instance. As soon as I whitelist the IP address, I got the hostname to the RDS instance along with the port number, which was MySQL default port "3306." I created a database named "suitecrm" and a database user named "suitecrm" and provided read/write access to the user.
When Let's Encrypt certificate authority started giving SSL certificates for free, it became a trend to use SSL on every website. For the purpose of security, it is very important to use SSL on a web application. If the data being exchanged is unencrypted, a person eavesdropping into the network may extract the confidential information.
Alibaba Cloud also provides SSL certificates, but in my point of view, it is quite expensive. However, with expensive things comes extra guarantees. SSL certificates provided by Alibaba Cloud are suitable for enterprise users.
In the SuiteCRM deployment, I also used the Let's Encrypt free SSL service to secure the SuiteCRM web application. For generating the certificates by Certbot which is a client application for Let's Encrypt CA, the domain needs to be pointed towards the server.
Alibaba Cloud provides domain names at very reasonable rates with free whois protection. In my case, my client already had the domain name purchased from elsewhere. I created a subdomain and pointed the domain to the ECS instance. I installed Certbot and could easily generate the certificates. Never forget to set up a cron job to renew the certificates automatically as the certificates expire every three months.
Setting Up Direct Mail
Setting up an email server by yourself should be avoided as to create an enterprise-grade web server requires expertise and time, and the cost to maintain it gets very high. A slight misconfiguration leads the email directly into the spam folder.
Alibaba Cloud Direct Mail service provides a cheaper way to send emails from the application using SMTP. It's free for the first 200 emails every day. In my case, 200 emails per day are enough, and emails exceeding the free quota are also very cheap. I added a new email subdomain into the Direct Mail. Upon adding the domain, I was asked to update the DNS. I did as instructed and it took some time for DNS to get verify, as the propagation takes time. Once done, I added the sender address and I had the SMTP server ready to be used with the application.
Finally, I had everything ready. The SuiteCRM application hosted on ECS. The database server was hosted on ApsaraDB for RDS. I could easily go through the web-based installation to install the software.
Here's the configuration I provided for the database server during web-based installation of SuiteCRM.
Similarly, I filled all the required information and provided the SMTP server details.
Finally, my application was successfully deployed on Alibaba Cloud. Further, I suggested the client use ApsaraDB for Memcache to store the session cache of SuiteCRM and to use WAF to secure the application against incoming threats. However, the client denied the implementation of the suggestions as it would add to their monthly bill. However, the client was very happy to see the performance of the application on the Alibaba Cloud platform.
This article is also published on the Medium Blogging Platform.
Published at DZone with permission of Liptan Biswas , DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.