Secure Hybrid Deployment: WordPress on Cloud and MariaDB On-Prem
This article explains how to create a private virtual topology using n2x.io. This topology enables secure communication between a public Kubernetes cluster and an Ubuntu server located in a private data center without exposing the server to the public internet.
Our approach will involve two key steps:
-
Installing MariaDB (an open-source fork of MySQL) on the Ubuntu server within the private data center.
-
Deploying a WordPress application on the EKS cluster, configured to use the remotely located MariaDB server as its database engine.
Here is the high-level overview of our setup architecture:
In our setup, we will be using the following components:
-
WordPress is a free and open-source content management platform based on PHP and MySQL. For more info please visit the WordPress Documentation
-
MariaDB is one of the most popular open-source relational databases. For more info please visit MariaDB Documentation.
-
n2x-node is an open-source agent that runs on the machines you want to connect to your n2x.io network topology. For more info please visit n2x.io Documentation.
Before you begin
To follow along in this tutorial, you should meet the following requirements:
-
Access to at least a Kubernetes cluster, version
v1.27.xor greater. -
A n2x.io account created and one subnet with
10.254.1.0/24prefix. -
Installed n2xctl command-line tool, version
v0.0.3or greater. -
Installed kubectl command-line tool, version
v1.27.xor greater.
Note
Please note that this tutorial uses a Linux OS with an Ubuntu 24.04 (Noble Numbat) with amd64 architecture.
Step-by-step Guide
Step 1: Install MariaDB in server01
To store our WordPress configuration files, we'll install MariaDB, an open-source database engine. MariaDB is a popular alternative to MySQL, widely used by many hosting companies.
We can install it with the following command:
sudo apt-get update && apt install -y mariadb-server mariadb-client
Let’s now secure our MariaDB database engine and disallow remote root login. We can execute this command and answer the following questions:
mysql_secure_installation
Enter current password for root (enter for none): enter
Switch to unix_socket authentication [Y/n] n
Change the root password? [Y/n] n
Remove anonymous users? [Y/n] y
Disallow root login remotely?[Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y
...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
Now it’s time to log in to our MariaDB database as root and create a database and user for our WordPress:
mysql -u root -p
CREATE DATABASE wordpress_db;
CREATE USER 'wp_user'@'%' IDENTIFIED BY '{PASSWORD}';
GRANT ALL ON wordpress_db.* TO 'wp_user'@'%' IDENTIFIED BY '{PASSWORD}';
FLUSH PRIVILEGES;
Exit;
Info
Replace {PASSWORD} with strong password to wordpress user.
To allow MariaDB to accept connections from remote sources, we'll need to modify its configuration file(/etc/mysql/mariadb.conf.d/50-server.cnf). Specifically, you'll need to comment on the following line:
bind-address = 127.0.0.1
And restart the service:
sudo systemctl restart mariadb
Info
For detailed instructions, refer to Configuring MariaDB with my.cnf.
Step 2: Connecting server01 to our n2x.io network topology
Now, we need to connect server01 to our n2x.io network topology to allow the WordPress application can access to the MariaDB database.
Adding a new node in a subnet with n2x.io is very easy. Here's how:
- Head over to the n2x.io WebUI and navigate to the
Network Topologysection in the left panel. - Click the
Add Nodebutton. - Assign a
nameanddescriptionfor the new node. - Click
Add New Connected Node to Subnet.
Here, we can select the environment where we are going to install the n2x-node agent. In this case, we are going to use Linux:
Run the script on server01 terminal and check if the service is running with the command:
systemctl status n2x-node
You can use ip addr show dev n2x0 command on server01 to check the IP assigned to this node:
Note
Remember this IP, we will use it in WordPress database configuration.
Step 3: Install WordPress in EKS Cluster
Once you have successfully set up your EKS cluster, setting your context:
kubectl config use-context <eks_cluster>
To securely store the password for the wp_user database user, we will create a Kubernetes secret named mysql-pass:
kubectl create secret generic mysql-pass --from-literal=password={PASSWORD}
Info
Replace {PASSWORD} with the password you assigned to the wp_user in the previous step.
Now, we are going to create a wordpress-deployment.yaml file with the following configuration:
apiVersion: v1
kind: Service
metadata:
name: wordpress
labels:
app: wordpress
spec:
ports:
- port: 80
selector:
app: wordpress
type: ClusterIP
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: wp-pv-claim
labels:
app: wordpress
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: wordpress
labels:
app: wordpress
spec:
selector:
matchLabels:
app: wordpress
template:
metadata:
labels:
app: wordpress
spec:
containers:
- image: wordpress:6.6.2-apache
name: wordpress
env:
- name: WORDPRESS_DB_HOST
value: "10.254.1.194"
- name: WORDPRESS_DB_NAME
value: wordpress_db
- name: WORDPRESS_DB_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-pass
key: password
- name: WORDPRESS_DB_USER
value: wp_user
ports:
- containerPort: 80
name: wordpress
volumeMounts:
- name: wordpress-persistent-storage
mountPath: /var/www/html
volumes:
- name: wordpress-persistent-storage
persistentVolumeClaim:
claimName: wp-pv-claim
This manifest defines a single-instance WordPress deployment. The WordPress container mounts the PersistentVolume /var/www/html to store website data. The WORDPRESS_DB_HOST environment variable must be set to the n2x.io IP address (e.g., 10.254.1.194) assigned to the previously installed MariaDB service. WordPress will connect to the database using wordpress ClusterIP service.
After that, we can apply the changes with this command:
kubectl apply -f wordpress-deployment.yaml
The wordpress pod should be up and running:
kubectl get pod
NAME READY STATUS RESTARTS AGE
wordpress-5f44788b6c-d2cxw 1/1 Running 0 49s
Step 4: Connect the WordPress workload to our n2x.io network topology
To enable the WordPress application to connect to the MariaDB database located in our private data center, we need to connect the wordpress workload to our n2x.io network topology.
To connect a new kubernetes workloads to the n2x.io subnet, you can execute the following command:
n2xctl k8s workload connect
The command will typically prompt you to select the Tenant, Network, and Subnet from your available n2x.io topology options. Then, you can choose the workloads you want to connect by selecting it with the space key and pressing enter. In this case, we will select default: wordpress.
We can check the WordPress deployment workload again:
kubectl get pod
NAME READY STATUS RESTARTS AGE
wordpress-6b88789598-vqdml 2/2 Running 0 68s
Note
You can see that a new container has been added to the workload, this is the n2x-node that acts as a sidecar for the main application.
Step 5: Configure WordPress
All the deployments now are completed. It is time we set up our WordPress. We can port-forward the wordpress service and access the WordPress dashboard directly from http://localhost:8080/:
kubectl port-forward svc/wordpress 8080:80
First, choose one language and then click on Continue:
Fill out the additional details required such as Site title, Username, Password and Email, and click on Install WordPress.
If all goes well, then you will get a Success notification as shown.
Now that we've deployed WordPress, let's verify that the wordpress_db database was created successfully.
$ mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 39
Server version: 10.11.8-MariaDB-0ubuntu0.24.04.1 Ubuntu 24.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use wordpress_db;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [wordpress_db]> show tables;
+------------------------+
| Tables_in_wordpress_db |
+------------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+------------------------+
12 rows in set (0,001 sec)
MariaDB [wordpress_db]> exit
Bye
Finally, we can Log In and Voila! there goes the WordPress dashboard that you can use to create your first blog or website!
Conclusion
This guide demonstrated how n2x.io empowers you to process data residing in your on-premises database by leveraging public cloud resources. Remarkably, this can be achieved entirely without exposing any endpoints or services to the public internet.
By keeping endpoints private, this approach significantly strengthens security in several ways. It minimizes the potential attack surface, safeguards sensitive information, and effectively reduces the risk of cyberattacks. This aligns perfectly with best cybersecurity practices and fosters a more resilient and secure system architecture.