WordPress on Azure VM and Azure Database for MySQL with Confidential Computing — Series 1/2

Takumi Seo
8 min read · Jun 2, 2023


This document presents a three-step approach for creating an Azure Confidential Computing VM to run WordPress, focusing on different aspects in each step.

Series 1: Create a WordPress instance on an Azure VM without considering Confidential Computing functionality.

Series 2: Create an Azure VM with Confidential Computing capabilities to enhance security and privacy, then deploy and run WordPress on that Confidential Computing-enabled VM to leverage the benefits of Confidential Computing.

For individuals who are not familiar with the concept of Confidential Computing, the following explanation provides an overview of its principles and significance.

Confidential Computing: A New Paradigm for Data Protection

Confidential computing is a novel approach to secure data processing that enables applications to run on encrypted data without exposing it to anyone, not even the cloud provider or the hardware manufacturer. Confidential computing leverages hardware-based encryption and attestation mechanisms to create a trusted execution environment (TEE) where sensitive data and code can be isolated and protected from unauthorized access or modification. Confidential computing offers several benefits for enterprises and users.

Series 1: Create WordPress on an Azure VM without taking Confidential Computing functionality into consideration

Step 1:

First, you need to set up your Azure VM in the Azure portal.
We will create the VM with the following settings:

  • Resource Group (create new; any name can be chosen)
  • Region (East US)
  • Admin Username (AD administrator name)
  • Admin Password (administrator password; 12 characters recommended, must contain letters, numbers, and symbols)
  • OS: Linux, Ubuntu 20.04
  • VM architecture: x64
  • Size: Standard D2s v3
    ・vCPUs: 2
    ・RAM: 8 GiB

After proceeding to the “Review + create” page and clicking Create, save the private key file (.pem) that Azure offers for download on your local machine. Once the VM has been created, the next step is to establish an SSH connection to it.

Note that you need to open the SSH port for inbound traffic in the NSG resource.

“For now, connections from all IP addresses are allowed.”

To configure the SSH connection, follow the steps outlined below:

  1. If you have not installed VSCode yet, download and install it from the Visual Studio Code page (Visual Studio Code — Code Editing. Redefined).
  2. Open VSCode and configure the SSH settings using the steps below.

Open your SSH connection:

  1. Launch VSCode and navigate to Extensions in the sidebar (Ctrl + Shift + X).
  2. Use the search bar to find the “Remote Explorer” extension and install it.
  3. Once installed, you will notice the Remote Explorer icon in the sidebar of VSCode. Click on it to open the extension.
  4. Configure SSH settings: Within the Remote Explorer, locate the settings icon labeled “Open SSH Config File”. Your SSH configuration file can typically be found at “C:\Users\<username>\.ssh\config”. Open this file and add the relevant information for your newly created Azure VM.
HOST <random name like NONCONFVM>
HostName <your VM IPaddress>
User <the username of your VM>
IdentityFile ~/.ssh/<downloaded .pem file>

After saving the configuration file, it is necessary to restart the editor for the changes to take effect.

If the configuration file has been saved with the correct settings, you can establish an SSH connection to your Azure VM: the connect action appears to the right of the HOST name in the Remote Explorer.

Step 2:

Create your Dockerfile in the directory of your choice.

There are two methods for installing WordPress on your VM. The second method is recommended because it leaves room for adding Confidential Computing functionality in the future. Please note that Confidential Computing may not be compatible with MySQL.

For your information: Method 1 (MySQL container)

Some NSG configuration is required to reach your running WordPress container; I explain it under Method 2, which is the focus of this article.
To install Docker on your VM, execute the following commands:

$ sudo apt update
$ sudo apt install docker.io
$ curl -fsSL https://get.docker.com -o get-docker.sh
$ sudo sh get-docker.sh
$ sudo docker version

The next step is to install Docker Compose with the following commands (the downloaded binary must be made executable before it can run):

$ sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
$ sudo chmod +x /usr/local/bin/docker-compose
$ docker-compose --version

Deploy the official WordPress container and a MySQL container with the following .yaml file. I named this file docker-compose.yaml. Note that the WordPress database name, user and password must be the same values given to the MySQL container.

version: '3'
services:
  db:
    image: mysql:latest
    volumes:
      - db_data:/var/lib/mysql
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: <MySQL ROOT PASSWORD>
      MYSQL_DATABASE: <DB NAME>
      MYSQL_USER: <MySQL USERNAME>
      MYSQL_PASSWORD: <MySQL PASSWORD>
  wordpress:
    depends_on:
      - db
    image: wordpress:latest
    ports:
      - "8000:80"
    restart: always
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_NAME: <DB NAME>            # same value as MYSQL_DATABASE
      WORDPRESS_DB_USER: <MySQL USERNAME>     # same value as MYSQL_USER
      WORDPRESS_DB_PASSWORD: <MySQL PASSWORD> # same value as MYSQL_PASSWORD
volumes:
  db_data:

Save the .yaml file on your VM. If you cannot save it because of a “Permission denied” message, run the command below:

$ sudo chown -R <azure user name> docker-compose.yaml

Finally, pull the images and start the containers with the following command (both services use prebuilt images, so there is nothing to build):

$ docker-compose up -d

Open http://<VM Public IP>:8000/wp-admin to confirm whether your containers are running.

Method 2 (PaaS MySQL)

First, install Docker on your VM as described at the beginning of the Method 1 section. Please complete that before moving on to the next phase.

To ensure a secure MySQL resource within your VNet, you will need to create a subnet and NSG specifically for MySQL. Assuming you have already set up the VNet and subnet for your VM with the following details:

  • VNet address space: 10.0.0.0/16
  • Subnet for VM: 10.0.0.0/24

To create the subnet for MySQL, follow these steps:

  1. Create a new subnet for MySQL with the following details:
     • Subnet for MySQL: 10.0.1.0/24

Next, we will create NSGs for both the VM subnet and the MySQL subnet in order to establish secure connections. Azure Network Security Groups (NSGs) filter traffic at the subnet or network-interface level; in our case we attach one NSG to each subnet. For detailed instructions, refer to the Microsoft Learn article “Create, change, or delete an Azure network security group”.

NSG for the VM (the source of the SSH rule is my local IP address)
NSG for MySQL
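As an added example (not code from the original post), a Python check for the NSG state described above: it evaluates inbound rules the way Azure does (the matching rule with the lowest priority number wins) and reports whether TCP/22 is reachable from an arbitrary public address, which is the “all IP addresses allowed” state the post starts from. The rule list is a constructed sample in the shape of `az network nsg rule list --include-default -o json`, and the VNet range is the 10.0.0.0/16 used in this post.

```python
import ipaddress
import json

# Constructed sample in the shape of `az network nsg rule list --include-default -o json`
# (only the fields used here). The first rule mirrors the "all IP addresses allowed" state.
SAMPLE_RULES_JSON = """[
 {"name": "AllowSSH", "priority": 300, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
 {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
  "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
 {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
  "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]"""
VNET = ipaddress.ip_network("10.0.0.0/16")  # the VNet address space used in the post

def load_rules(rules_json):
    return json.loads(rules_json)

def port_matches(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")       # "22" or "22-23"
    return int(lo) <= port <= int(hi or lo)

def source_matches(prefix, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if prefix == "*":
        return True
    if prefix == "Internet":                    # service tag: anything outside the VNet
        return ip not in VNET
    if prefix == "VirtualNetwork":              # service tag: the VNet itself
        return ip in VNET
    return ip in ipaddress.ip_network(prefix, strict=False)

def effective_access(rules, src_ip, port, proto="Tcp"):
    """Azure semantics: the inbound rule with the lowest priority number that matches decides."""
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"), key=lambda r: r["priority"])
    for r in inbound:
        if r["protocol"] not in ("*", proto):
            continue
        prefixes = r.get("sourceAddressPrefixes") or [r["sourceAddressPrefix"]]
        ports = r.get("destinationPortRanges") or [r["destinationPortRange"]]
        if any(source_matches(p, src_ip) for p in prefixes) and any(port_matches(p, port) for p in ports):
            return r["access"], r["name"]
    return "Deny", "(no matching rule)"

def ssh_open_to_internet(rules):
    """True if an arbitrary public address (203.0.113.10, a documentation range) can reach TCP/22."""
    return effective_access(rules, "203.0.113.10", 22)[0] == "Allow"
```

Changing the AllowSSH source to your own address (for example a /32) makes `ssh_open_to_internet` return False while SSH from that address and VNet-internal traffic are still allowed.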

Once you have set up the required subnets, the next step is to create an Azure Database for MySQL with the following configuration:

  • Select the Flexible server option.
  • Choose the East US region.
  • Select the workload type suitable for development or hobby projects.
  • Configure networking with private access using VNet Integration.
  • Choose the same virtual network (VNet) where your VM is running.
  • Select the previously created subnet.

After the Azure Database for MySQL has been deployed, you can proceed to the next step, which is creating the .dockerfile on your VM.

# Use the official WordPress image
FROM wordpress:latest

# Install additional dependencies
# RUN apt-get update && apt-get install -y mariadb-client
RUN apt-get update && \
apt-get install -y mariadb-client

# Set the environment variables for the Azure MySQL connection
# Note: ENV values are stored in the image layers and can be read back with
# `docker history`, so an image containing the password must stay private.
ENV WORDPRESS_DB_HOST <DB host name>.mysql.database.azure.com
ENV WORDPRESS_DB_USER <DB user name>
ENV WORDPRESS_DB_PASSWORD <DB password>
ENV WORDPRESS_DB_NAME <DB name>

# Set the working directory
WORKDIR /var/www/html

# Copy the contents of the local WordPress directory into the container
COPY . .

# Expose the port
EXPOSE 80

# Start the Apache server
CMD ["apache2-foreground"]

Typically, when MySQL is deployed within the same private network, an SSL connection is often not considered necessary. However, if you intend to access MySQL over the internet, a secure SSL connection becomes imperative.

To disable the “require_secure_transport” parameter and allow non-SSL connections, follow these steps:

  1. Open the Azure MySQL page in the Azure portal.
  2. Navigate to the Server parameters section.
  3. Locate the “require_secure_transport” parameter.
  4. Set the parameter value to “OFF” to disable SSL enforcement.

After this adjustment, the Azure MySQL server will accept non-SSL connections.

Once you have saved the Dockerfile, build the image and run it with the following commands:

$ sudo docker build -t my-wordpress-image -f <your docker file name>.dockerfile .
$ sudo docker run -p 8000:80 my-wordpress-image

The mapping of “8000:80” signifies the linking of the host port (8000) to the container port (80). Once the container is successfully running, you can access the WordPress application by navigating to “http://<Public IP>:8000/wp-admin” in a web browser. This URL will allow you to verify that WordPress is functioning correctly.

http://<Public IP>:8000/wp-admin

To enable an SSL connection with “require_secure_transport=ON” for the Azure MySQL server, the following modifications need to be made to the .dockerfile:

  1. Download the .pem file, which is typically provided for establishing the SSL connection.
  2. Update the .dockerfile to include the necessary modifications for SSL connectivity. However, please note that additional modifications may be required for the SSL connection to function properly. These modifications will be included in a later blog.
  3. In the wp-config.php file, you will need to add SSL configuration settings to ensure the proper SSL connection is established.

By following these steps, you should be able to enable an SSL connection with “require_secure_transport=ON” for your Azure MySQL server. Please be aware that additional modifications to this Dockerfile may be necessary to ensure a successful and secure SSL connection.

# Use the official WordPress image
FROM wordpress:latest

# Install additional dependencies
RUN apt-get update && apt-get install -y mariadb-client

# Install Azure CLI
RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash

# Set the environment variables for the Azure Storage Account
# Note: ENV values (including the account key below) are stored in the image
# layers and can be read back with `docker history`, so keep this image private.
ENV AZURE_STORAGE_ACCOUNT_NAME=<azure storage account name>
ENV AZURE_STORAGE_ACCOUNT_KEY=<account key>
ENV AZURE_STORAGE_CONTAINER_NAME=<container name>
ENV AZURE_STORAGE_BLOB_NAME=<BLOB name: file name>

# Set the working directory
WORKDIR /var/www/html

# Download the CA .pem file from Azure Blob Storage
RUN az storage blob download -c $AZURE_STORAGE_CONTAINER_NAME -n $AZURE_STORAGE_BLOB_NAME -f /etc/ssl/DigiCertGlobalRootCA.crt.pem --account-name $AZURE_STORAGE_ACCOUNT_NAME --account-key $AZURE_STORAGE_ACCOUNT_KEY

# Set the environment variables for the Azure MySQL connection
ENV WORDPRESS_DB_HOST <DB host name>.mysql.database.azure.com
ENV WORDPRESS_DB_USER <DB user name>
ENV WORDPRESS_DB_PASSWORD <DB password>
ENV WORDPRESS_DB_NAME <DB name>

# Set the environment variable for the MySQL SSL configuration
ENV MYSQL_SSL_CA=/etc/ssl/DigiCertGlobalRootCA.crt.pem

# Copy the contents of the local WordPress directory into the container
COPY . .

# Append the SSL configuration to wp-config.php.
# WordPress reads MYSQL_CLIENT_FLAGS and MYSQL_SSL_CA when wpdb opens the
# database connection, which happens inside wp-settings.php, so these lines must
# end up before the `require_once ABSPATH . 'wp-settings.php';` line of
# wp-config.php; plain appending places them after it.
# MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT encrypts the connection but skips
# verification of the server certificate, so MYSQL_SSL_CA is not checked.
RUN echo "/** Connect with SSL **/\n" \
"define('DB_SSL', true );\n" \
"/** SSL CERT **/\n" \
"define('MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT);\n" \
"define('MYSQL_SSL_CA', '/etc/ssl/DigiCertGlobalRootCA.crt.pem');\n" >> wp-config.php

# Expose the port
EXPOSE 80

# Start the Apache server
CMD ["apache2-foreground"]
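As an added example (not code from the original post), a small Python audit of the wp-config.php SSL lines: `ssl_defines` produces a verified-TLS version of the defines the Dockerfile above appends, and `audit_ssl_config` flags what is weak or broken in a given snippet, including the unquoted CA path and the verification-disabling flag in the snippet as written. The constant names are the ones WordPress' wpdb reads; PAGE_SNIPPET is a constructed copy of the appended lines.

```python
import re

CA_PATH = "/etc/ssl/DigiCertGlobalRootCA.crt.pem"

# Constructed copy of the lines the Dockerfile above appends to wp-config.php.
PAGE_SNIPPET = """/** Connect with SSL **/
define('DB_SSL', true );
/** SSL CERT **/
define('MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT);
define('MYSQL_SSL_CA',/etc/ssl/DigiCertGlobalRootCA.crt.pem);
"""

def ssl_defines(ca_path=CA_PATH):
    """wp-config.php lines for a verified TLS connection; place them before wp-settings.php is required."""
    return (
        "/** Connect to MySQL over TLS and verify the server certificate **/\n"
        "define('MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL);\n"
        f"define('MYSQL_SSL_CA', '{ca_path}');\n"
    )

def _define_value(name, php_source):
    """Raw value expression of define('NAME', ...); or None if absent."""
    m = re.search(r"define\(\s*'%s'\s*,\s*(.+?)\s*\)\s*;" % re.escape(name), php_source)
    return m.group(1) if m else None

def audit_ssl_config(php_source):
    """Return a list of findings; an empty list means the TLS settings look sound."""
    findings = []
    flags = _define_value("MYSQL_CLIENT_FLAGS", php_source)
    if flags is None:
        findings.append("MYSQL_CLIENT_FLAGS not defined: WordPress will connect without TLS")
    else:
        if "MYSQLI_CLIENT_SSL" not in flags:
            findings.append("MYSQLI_CLIENT_SSL missing from MYSQL_CLIENT_FLAGS")
        if "MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT" in flags:
            findings.append("server certificate verification disabled by MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT")
    ca = _define_value("MYSQL_SSL_CA", php_source)
    if ca is None:
        findings.append("MYSQL_SSL_CA not defined: no CA bundle to verify the server against")
    elif not re.fullmatch(r"(['\"]).+\1", ca):
        findings.append("MYSQL_SSL_CA value is not a quoted string (PHP parse error)")
    return findings
```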

In Series 2 of this documentation, we delve into Confidential Computing in the Azure environment and explain in detail how to leverage its security benefits within Azure.

Thank you for taking the time to read this documentation. If you have any questions or require further clarification, I am here to assist you. Your feedback and suggestions are highly appreciated, and I am particularly interested in any advice or insights you may have regarding SSL modifications and related knowledge.



Takumi Seo

Working at Microsoft Japan as an Infrastructure Cloud Solution Architect. Please note this is my personal blog and completely unrelated to my job at Microsoft🤝