I run a web service as a personal project. For a long time I managed with a rental server costing 500 yen per month, but I considered migrating the server for the following reasons.
・ Middleware cannot be installed freely
・ Cannot scale up
・ Access logs cannot be viewed in real time
・ The rental server decides the retirement schedule for TLS 1.0 / 1.1
・ I want to set up DKIM to improve mail deliverability
I have also used AWS, but since I was familiar with BigQuery from my work, I decided to use Google Cloud Platform.
I usually develop web applications and only touch infrastructure lightly, so I will study as I build.
・ 1 load balancer (Cloud Load Balancing)
・ 1 production Web / DB server (Compute Engine, CentOS)
・ 1 Web server for maintenance (Compute Engine, CentOS)
The production Web / DB server instance and the maintenance Web server instance are placed behind the load balancer.
I will write down the reasons for using a load balancer even for a site that is not very large.
When migrating from the rental server, all you have to do is change the A record to the IP address of the load balancer.
If you expose a server to the internet, you receive illegitimate requests sent directly to its IP address, such as attempts to access the .git directory or scans for vulnerable files. Placing the server behind the load balancer keeps such requests from reaching the production web server.
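The point above only holds if nothing reaches the backend except through the load balancer. Below is an added example (not from the original post) that audits a backend access log for exactly that: requests whose peer address is outside the GCP external HTTP(S) load balancer proxy ranges (130.211.0.0/22 and 35.191.0.0/16), requests whose Host header is a bare IP, and requests for the scan paths mentioned above. The log format, the scan-path list and the sample lines are constructed for this example.

```python
import ipaddress
import re

# Source ranges the GCP external HTTP(S) load balancer proxies use to reach
# backends. A request whose peer address is outside them did not pass
# through the load balancer (it hit the instance's own public IP).
LB_SOURCE_RANGES = [
    ipaddress.ip_network("130.211.0.0/22"),
    ipaddress.ip_network("35.191.0.0/16"),
]

# Paths typical of the scans mentioned above (assumed list, extend as needed).
SCAN_PREFIXES = ("/.git/", "/.env", "/phpmyadmin/")

# Assumed log format for this example: <peer ip> <Host header> "<request line>" <status>
# An Apache LogFormat of '%a %{Host}i "%r" %>s' would produce it.
LOG_RE = re.compile(
    r'^(?P<peer>\S+) (?P<host>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def is_bare_ip(host: str) -> bool:
    """True when the Host header is an IPv4 literal (direct-IP request), optional :port."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False

def from_load_balancer(peer: str) -> bool:
    """True when the TCP peer is one of the load balancer's proxy addresses."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in LB_SOURCE_RANGES)

def classify(line: str) -> list:
    """Return the findings for one access-log line (empty list = nothing notable)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    findings = []
    if not from_load_balancer(m["peer"]):
        findings.append("bypassed-lb")
    if is_bare_ip(m["host"]):
        findings.append("direct-ip-host")
    if m["path"].startswith(SCAN_PREFIXES):
        findings.append("scan-path")
    return findings

def audit(log_text: str) -> list:
    """Return (line number, findings) for every line with at least one finding."""
    return [(n, f) for n, line in enumerate(log_text.splitlines(), 1)
            if (f := classify(line))]

# Constructed sample; 203.0.113.99 stands in for the backend's own public IP.
SAMPLE_LOG = """\
35.191.10.20 example.com "GET /index.php HTTP/1.1" 200
203.0.113.7 203.0.113.99 "GET /.git/config HTTP/1.1" 404
203.0.113.7 203.0.113.99:80 "GET /phpmyadmin/ HTTP/1.1" 404
130.211.1.5 example.com "GET /.env HTTP/1.1" 404
"""
```

Lines 2 and 3 of the sample show traffic that bypassed the load balancer entirely, which is the case a VPC firewall rule limiting port 80 to the proxy ranges would stop; line 4 came through the load balancer, so it is only a scan to watch, not a bypass.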
The DB can be scaled up later by making it independent with Cloud SQL or similar and configuring multiple production Web servers.
SSL is terminated at the load balancer, and the web server behind it is accessed over HTTP. I think this is cheaper than decrypting SSL on the web server. You can also consolidate the certificates on the load balancer when you have multiple web servers.
For example, when you want to stop the production Web server instance to raise its performance, you can easily perform maintenance by pointing the load balancer's traffic at the maintenance server.
Since I cannot send email directly from a Compute Engine instance, I decided to use an external service that can be used through a Web API.
The SSL certificate comes from Let's Encrypt. Paste the certificate created with the certbot certonly command on the web server into the load balancer setting screen. It's a little annoying because I have to do this once every three months.
Take snapshots of your instances regularly. Snapshots can be taken while the instance is running, and in an emergency you can create a new instance from a snapshot.
Compute Engine CentOS instances have yum-cron automatic package updates enabled by default, so installed packages automatically receive security patches.
For example, the update history of the php package shows that it was most recently updated automatically to "5.4.16-46.1.el7_7.x86_64".
$ sudo yum history package-list php
Loaded plugins: fastestmirror
ID     | Action(s)      | Package
-------------------------------------------------------------------------------
   142 | Updated        | php-5.4.16-46.el7.x86_64
   142 | Update         |     5.4.16-46.1.el7_7.x86_64
    57 | Updated        | php-5.4.16-45.el7.x86_64
    57 | Update         |     5.4.16-46.el7.x86_64
    10 | Install        | php-5.4.16-45.el7.x86_64
history package-list
Unlike the rental server, which took care of everything, the cost has increased, but so has the freedom in development, and the service level I can provide has improved dramatically.
I would like to gradually find the optimal way to operate it while trying out various things.