Deploying CraftCMS to AWS Fargate
How to securely deploy a CraftCMS site to AWS in a scalable setup.
Example Cloudformation template — to be added soon
Example Dockerfile and config — to be added soon
RDS - PostgreSQL
Set up an RDS PostgreSQL instance. Create it in private subnets of your VPC with public access disabled, so the only thing that can reach it is the security group of the Craft containers; enable storage encryption and automated backups while you are at it. If you need direct access to the database at any point, connect through a bastion host inside the VPC rather than opening the database to the internet.
You can add read replicas and configure Craft for read/write splitting to spread the load, but this should not be necessary even on very high-traffic sites as long as your caching is set up well.
REDIS
Set up a small Redis cache. Redis is an in-memory store that gives faster response times and can be shared across all the containers (it should also sit in a private subnet, reachable only from the containers' security group). This is to be used to:
ECR
The Elastic Container Registry (ECR) in AWS is a great place to store your container images. Set up a lifecycle policy so you only keep as many image versions as you need (I recommend 5–10), and enable scan-on-push so every pushed image is checked for known vulnerabilities.
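As an added example (this is not the CloudFormation template promised above, and not code from the original page), an ECR repository resource that implements that lifecycle policy, with immutable tags and scan-on-push turned on. The repository name craft-web is an assumption.

```yaml
Resources:
  CraftRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: craft-web            # assumed name
      ImageTagMutability: IMMUTABLE        # a tag that was deployed can never be silently replaced
      ImageScanningConfiguration:
        ScanOnPush: true                   # vulnerability scan of every pushed image
      LifecyclePolicy:
        # Expire everything beyond the 10 most recent images, whatever their tags.
        LifecyclePolicyText: |
          {
            "rules": [
              {
                "rulePriority": 1,
                "description": "Keep only the 10 most recent images",
                "selection": {
                  "tagStatus": "any",
                  "countType": "imageCountMoreThan",
                  "countNumber": 10
                },
                "action": { "type": "expire" }
              }
            ]
          }
```

With immutable tags you need a unique tag per build (the git commit SHA works well) instead of re-pushing `latest`; the ECS task definition then pins exactly the image that was scanned.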
ECS Fargate
The Elastic Container Service (ECS) runs Craft in containers so it can be scaled out easily. Fargate runs those containers without you having to provision or patch the EC2 instances underneath them.
There are multiple ways to set up your containers: split the services into separate containers, or keep all of them (NGINX, PHP-FPM, etc.) in a single image.
EFS — Persistent Storage
The Elastic File System (EFS) provides persistent storage shared across all the containers. It is recommended to mount it in every container and point Craft's storage folder at the mount. The location is set with the CRAFT_STORAGE_PATH environment variable, for example:
CRAFT_STORAGE_PATH=/var/www/html/efs-mount-point
Then add the alias to the aliases setting in config/general.php, for example:
'aliases' => [
    '@siteUrl'  => getenv('DEFAULT_SITE_URL'),
    '@baseUrl'  => 'content/uploads',
    '@basePath' => __DIR__ . '/..',
    '@storage'  => getenv('CRAFT_STORAGE_PATH'),
],
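As an added example (not the page's own template), a Fargate task definition that mounts the EFS file system at the path used above, exports CRAFT_STORAGE_PATH, and injects the database password and Craft security key from Secrets Manager instead of baking them into the image. Everything in the Parameters block (file system, access point, role and secret identifiers) and the environment variable names DB_PASSWORD and SECURITY_KEY (whatever your db.php and general.php read) are assumptions.

```yaml
Parameters:
  ImageTag:             { Type: String }   # e.g. the git commit SHA pushed to ECR
  StorageFileSystemId:  { Type: String }   # EFS file system shared by all tasks
  StorageAccessPointId: { Type: String }   # EFS access point scoped to the Craft storage directory
  TaskExecutionRoleArn: { Type: String }   # role ECS uses to pull the image and read the secrets
  TaskRoleArn:          { Type: String }   # role Craft itself runs with (asset bucket access only)
  DbSecretArn:          { Type: String }   # Secrets Manager secret with a "password" JSON key
  SecurityKeySecretArn: { Type: String }   # Secrets Manager secret holding Craft's security key

Resources:
  CraftTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: craft-web
      RequiresCompatibilities: [FARGATE]
      NetworkMode: awsvpc
      Cpu: "512"
      Memory: "1024"
      ExecutionRoleArn: !Ref TaskExecutionRoleArn
      TaskRoleArn: !Ref TaskRoleArn
      Volumes:
        - Name: craft-storage
          EFSVolumeConfiguration:
            FilesystemId: !Ref StorageFileSystemId
            TransitEncryption: ENABLED       # NFS traffic is TLS-encrypted inside the VPC
            AuthorizationConfig:
              AccessPointId: !Ref StorageAccessPointId
              IAM: ENABLED                   # the mount is authorised by the task role, not just by network reach
      ContainerDefinitions:
        - Name: craft
          Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/craft-web:${ImageTag}"
          Essential: true
          PortMappings:
            - ContainerPort: 80
              Protocol: tcp
          MountPoints:
            - SourceVolume: craft-storage
              ContainerPath: /var/www/html/efs-mount-point
              ReadOnly: false
          Environment:
            - Name: CRAFT_STORAGE_PATH       # Craft's storage folder lives on the shared EFS mount
              Value: /var/www/html/efs-mount-point
          Secrets:                           # resolved by ECS at start-up; never in the image or the template
            - Name: DB_PASSWORD              # assumed variable name read by db.php
              ValueFrom: !Sub "${DbSecretArn}:password::"
            - Name: SECURITY_KEY             # assumed variable name read by general.php
              ValueFrom: !Ref SecurityKeySecretArn
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: /ecs/craft-web
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: craft
```

The execution role needs secretsmanager:GetSecretValue on those two secrets and ECR pull permissions; the task role should carry nothing beyond what Craft calls at run time (the S3 asset bucket), so a compromised container cannot read other secrets or images.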
ALB — Application Load Balancer
Set up an Application Load Balancer in front of your containers. It spreads the load across the containers, monitors their health, and is the place to terminate TLS with an ACM certificate.
Set the target group health check path to Craft's built-in health check endpoint:
/actions/app/health-check
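As an added example (not code from the page or from Craft), the target group with that health check, an HTTPS listener, and an HTTP listener that only redirects to HTTPS. The VpcId, LoadBalancerArn and CertificateArn parameters are assumed to be supplied from elsewhere.

```yaml
Parameters:
  VpcId:           { Type: AWS::EC2::VPC::Id }
  LoadBalancerArn: { Type: String }   # the ALB itself, created elsewhere
  CertificateArn:  { Type: String }   # ACM certificate for the site domain (same region as the ALB)

Resources:
  CraftTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: ip                     # required for Fargate tasks (awsvpc networking)
      Protocol: HTTP
      Port: 80
      HealthCheckProtocol: HTTP
      HealthCheckPath: /actions/app/health-check
      HealthCheckIntervalSeconds: 30
      HealthCheckTimeoutSeconds: 5
      HealthyThresholdCount: 2
      UnhealthyThresholdCount: 3
      Matcher:
        HttpCode: "200"                  # anything else (500 from a dead DB, 302 to login) fails the check
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: "30"                    # drain quickly on deploys

  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06   # TLS 1.2+ only
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref CraftTargetGroup

  HttpRedirectListener:                  # plain HTTP never reaches Craft
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: "443"
            StatusCode: HTTP_301
```

Keep the health check on an action route rather than the home page: a cached or redirected home page can look healthy while Craft itself is broken, and the action route answers only when the application boots.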
S3 Bucket
All assets should be stored in an S3 bucket so they are available to every running container. Keep the bucket private (no public read; CloudFront fetches from it through an origin access identity) and give the ECS task role access to that one bucket instead of putting long-lived access keys in the container; the plugin uses the role's credentials if you leave the key fields empty. Craft has an official plugin for S3 which can be installed using:
composer require craftcms/aws-s3 && ./craft plugin/install aws-s3
Or you can install it from the Craft Plugin Store.
Cloudfront
Basic behaviours to set up in CloudFront; adjust as necessary. The aim is to have more than 95% of the traffic served by CloudFront and only a small minority reaching the containers.
Default (*)
Cache as much as possible under the default behaviour. Only the Host header is forwarded, so that Craft generates the right URLs; no cookies or query strings reach the origin or the cache key.
Origin: ALB
Headers: Host
Cookies: None
QueryStrings: None
/admin* (or whatever your control panel path is)
Do not cache anything on this path: forward all headers, cookies and query strings, and allow POST and the other write methods so control panel requests pass through. Give /actions* the same no-cache behaviour, since Craft's login and front-end form submissions post there and need their session and CSRF cookies.
Origin: ALB
Headers: All
Cookies: All
QueryString: All
/content*
Cache everything here; it is served straight from the bucket, so no headers, cookies or query strings are needed.
Origin: S3
Headers: None
Cookies: None
QueryStrings: None
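As an added example (not the page's template), a CloudFront distribution with the three behaviours above plus a no-cache behaviour for /actions*, a private S3 origin via an origin access identity, and TLS enforced on both the viewer and origin sides. The parameters (domain names, certificate, web ACL) are assumptions; the bucket policy granting the identity s3:GetObject is not shown.

```yaml
Parameters:
  SiteDomainName:        { Type: String }   # e.g. www.example.com
  AlbDnsName:            { Type: String }   # DNS name of the ALB in front of the containers
  AssetBucketDomainName: { Type: String }   # e.g. my-assets.s3.eu-west-1.amazonaws.com
  CertificateArn:        { Type: String }   # ACM certificate for SiteDomainName, in us-east-1
  WebAclArn:             { Type: String }   # WAFv2 web ACL with CLOUDFRONT scope

Resources:
  AssetsOai:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: CloudFront read access to the private Craft asset bucket

  SiteDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        HttpVersion: http2
        Aliases: [!Ref SiteDomainName]
        WebACLId: !Ref WebAclArn
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
        Origins:
          - Id: craft-alb
            DomainName: !Ref AlbDnsName
            CustomOriginConfig:
              OriginProtocolPolicy: https-only   # CloudFront to ALB is TLS too
              OriginSSLProtocols: [TLSv1.2]
          - Id: craft-assets
            DomainName: !Ref AssetBucketDomainName
            S3OriginConfig:                      # bucket stays private; only this identity may read it
              OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${AssetsOai}"
        # Default (*): cache aggressively; Host is the only forwarded header.
        DefaultCacheBehavior:
          TargetOriginId: craft-alb
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD]
          Compress: true
          ForwardedValues:
            QueryString: false
            Cookies: { Forward: none }
            Headers: [Host]
        CacheBehaviors:
          # /admin* and /actions*: never cache, forward everything, allow all methods.
          - PathPattern: /admin*
            TargetOriginId: craft-alb
            ViewerProtocolPolicy: https-only
            AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
            MinTTL: 0
            DefaultTTL: 0
            MaxTTL: 0
            ForwardedValues:
              QueryString: true
              Cookies: { Forward: all }
              Headers: ["*"]
          - PathPattern: /actions*
            TargetOriginId: craft-alb
            ViewerProtocolPolicy: https-only
            AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
            MinTTL: 0
            DefaultTTL: 0
            MaxTTL: 0
            ForwardedValues:
              QueryString: true
              Cookies: { Forward: all }
              Headers: ["*"]
          # /content*: uploaded assets straight from S3, fully cached.
          - PathPattern: /content*
            TargetOriginId: craft-assets
            ViewerProtocolPolicy: redirect-to-https
            AllowedMethods: [GET, HEAD]
            Compress: true
            ForwardedValues:
              QueryString: false
              Cookies: { Forward: none }
```

Because Host is forwarded and the origin is https-only, the ALB's certificate must cover the site domain, not the ALB's own DNS name. ForwardedValues is the legacy configuration style that maps one-to-one onto the Headers/Cookies/QueryStrings table above; the same behaviours can be expressed with cache policies and origin request policies on newer distributions.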
VPC
Put RDS, Redis, EFS and the ECS tasks in private subnets of a VPC, and use security groups so each tier accepts traffic only from the tier in front of it (ALB to containers, containers to database, cache and file system). Nothing but the load balancer should be reachable from the internet.
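As an added example serving both the RDS section and this one (not the page's own template), the security-group chain and a private, encrypted PostgreSQL instance whose master password is read from Secrets Manager. VPC, subnet and secret identifiers are assumed parameters.

```yaml
Parameters:
  VpcId:            { Type: AWS::EC2::VPC::Id }
  PrivateSubnetIds: { Type: List<AWS::EC2::Subnet::Id> }   # no route to an internet gateway
  DbSecretArn:      { Type: String }                       # Secrets Manager secret with a "password" key

Resources:
  AlbSecurityGroup:                       # the only internet-facing tier, HTTPS only
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ALB in front of the Craft containers
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }
        # Tighten CidrIp to CloudFront's managed prefix list if every request must pass the CDN and WAF.

  CraftServiceSecurityGroup:              # containers accept HTTP from the ALB only
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Craft Fargate tasks
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 80, ToPort: 80, SourceSecurityGroupId: !Ref AlbSecurityGroup }

  DbSecurityGroup:                        # PostgreSQL from the containers only
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RDS PostgreSQL for Craft
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 5432, ToPort: 5432, SourceSecurityGroupId: !Ref CraftServiceSecurityGroup }

  RedisSecurityGroup:                     # Redis from the containers only
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Redis cache for Craft
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 6379, ToPort: 6379, SourceSecurityGroupId: !Ref CraftServiceSecurityGroup }

  EfsSecurityGroup:                       # NFS from the containers only
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: EFS storage for Craft
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 2049, ToPort: 2049, SourceSecurityGroupId: !Ref CraftServiceSecurityGroup }

  DbSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Private subnets for the Craft database
      SubnetIds: !Ref PrivateSubnetIds

  Database:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot              # a stack delete leaves a final snapshot behind
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.small
      AllocatedStorage: "20"
      DBName: craft
      MasterUsername: craft
      MasterUserPassword: !Sub "{{resolve:secretsmanager:${DbSecretArn}:SecretString:password}}"
      DBSubnetGroupName: !Ref DbSubnetGroup
      VPCSecurityGroups: [!Ref DbSecurityGroup]
      PubliclyAccessible: false           # no public endpoint; reachable only inside the VPC
      StorageEncrypted: true
      MultiAZ: true
      BackupRetentionPeriod: 7
      DeletionProtection: true
```

A bastion host, if you need one, gets its own security group that is added as a second ingress source on DbSecurityGroup; it should never share the containers' group.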
WAF
It is good practice to protect the site with a Web Application Firewall (AWS WAF attached to the CloudFront distribution).
For the Craft control panel, I recommend restricting access to an IP allowlist with a WAF rule for added security.
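As an added example (not the page's template), a WAFv2 web ACL that applies the AWS common managed rule set to everything and blocks requests to the control panel path from any address outside an allowlist. The allowlist CIDR is a placeholder from the documentation range, and the /admin path is the default control panel trigger; change it if you have moved the control panel.

```yaml
Parameters:
  AdminAllowedCidrs:
    Type: CommaDelimitedList
    Default: "203.0.113.0/24"   # placeholder office range (RFC 5737 documentation address)

Resources:
  AdminAllowList:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: craft-admin-allowlist
      Scope: CLOUDFRONT            # CloudFront-scoped WAF resources must be created in us-east-1
      IPAddressVersion: IPV4
      Addresses: !Ref AdminAllowedCidrs

  CraftWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: craft-web-acl
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: craftWebAcl
      Rules:
        - Name: AWSCommonRules              # generic injection, XSS and bad-bot signatures
          Priority: 0
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: awsCommonRules
        - Name: BlockAdminFromOutsideAllowList
          Priority: 1
          Action:
            Block: {}
          Statement:
            AndStatement:
              Statements:
                - ByteMatchStatement:       # the request targets the control panel ...
                    FieldToMatch:
                      UriPath: {}
                    PositionalConstraint: STARTS_WITH
                    SearchString: /admin    # keep in sync with Craft's cpTrigger setting
                    TextTransformations:
                      - Priority: 0
                        Type: LOWERCASE
                - NotStatement:             # ... and the client is not on the allowlist
                    Statement:
                      IPSetReferenceStatement:
                        Arn: !GetAtt AdminAllowList.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: blockAdminFromOutside

Outputs:
  WebAclArn:
    Value: !GetAtt CraftWebAcl.Arn   # set as WebACLId on the CloudFront distribution
```

Two caveats: the rule covers the control panel pages only, not the shared /actions/users/login action that front-end logins also use, so strong credentials still matter; and a WAF on CloudFront is bypassed by anyone who can reach the ALB directly, so either restrict the ALB to CloudFront's address ranges or associate a second, REGIONAL-scoped web ACL with the ALB.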
Additional Security Improvements
- Serve HTTPS end to end: terminate TLS on the ALB with an ACM certificate and redirect port 80 to 443; if the hop from the ALB to the container must be encrypted as well, expose 443 on the container, which means generating and rotating certificates for the container image.
- Move the control panel off the default /admin URL (the cpTrigger setting in general.php) so it is harder to guess, and keep the CloudFront and WAF path rules in sync with it.
- Enforce strong password policies for control panel users.
Based on CraftCMS best practices and experience.