Use Azure Content Delivery Network and other Azure services to deploy a highly scalable and secure installation of WordPress.
This scenario covers a scalable and secure installation of WordPress that uses Ubuntu web servers and MariaDB. There are two distinct data flows in this scenario the first is users access the website:
- Users access the front-end website through a CDN.
- The CDN uses an Azure load balancer as the origin, and pulls any data that isn't cached from there.
- The Azure load balancer distributes requests to the Virtual Machine Scale Sets of web servers.
- The WordPress application pulls any dynamic information out of the Maria DB clusters, all static content is hosted in Azure Files.
- SSL keys are stored Azure Key Vault.
The second workflow is how authors contribute new content:
- Authors connect securely to the public VPN gateway.
- VPN authentication information is stored in Azure Active Directory.
- A connection is then established to the Admin jump boxes.
- From the admin jump box, the author is then able to connect to the Azure load balancer for the authoring cluster.
- The Azure load balancer distributes traffic to the Virtual Machine Scale Sets of web servers that have write access to the Maria DB cluster.
- New static content is uploaded to Azure files and dynamic content is written into the Maria DB cluster.
- These changes are then replicated to the alternate region via rsync or primary/secondary replication.
- Azure Content Delivery Network (CDN) is a distributed network of servers that efficiently delivers web content to users. CDNs minimize latency by storing cached content on edge servers in point-of-presence locations near to end users.
- Virtual networks allow resources such as VMs to securely communicate with each other, the Internet, and on-premises networks. Virtual networks provide isolation and segmentation, filter and route traffic, and allow connection between locations. The two networks are connected via Vnet peering.
- Azure DDoS Protection Standard, combined with application-design best practices, provides enhanced DDoS mitigation features to provide more defense against DDoS attacks. You should enable Azure DDOS Protection Standard on any perimeter virtual network.
- Network security groups contain a list of security rules that allow or deny inbound or outbound network traffic based on source or destination IP address, port, and protocol. The virtual networks in this scenario are secured with network security group rules that restrict the flow of traffic between the application components.
- Load balancers distribute inbound traffic according to rules and health probes. A load balancer provides low latency and high throughput, and scales up to millions of flows for all TCP and UDP applications. A load balancer is used in this scenario to distribute traffic from the content deliver network to the front-end web servers.
- Virtual Machine Scale Sets let you create and manage a group of identical load-balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule. Two separate Virtual Machine Scale Sets are used in this scenario - one for the front-end web-servers serving content, and one for the front-end web servers used to author new content.
- Azure Files provides a fully managed file share in the cloud that hosts all of the WordPress content in this scenario, so that all of the VMs have access to the data.
- Azure Key Vault is used to store and tightly control access to passwords, certificates, and keys.
- Azure Active Directory (Azure AD) is a multitenant, cloud-based directory and identity management service. In this scenario, Azure AD provides authentication services for the website and the VPN tunnels.
This example scenario is applicable to companies that need a highly scalable and secure installation of WordPress. This scenario is based on a deployment that was used for a large convention and was successfully able to scale to meet the spike traffic that sessions drove to the site.
Potential use cases
Other relevant use cases include:
- Media events that cause traffic surges.
- Blogs that use WordPress as their content management system.
- Business or e-commerce websites that use WordPress.
- Web sites built using other content management systems.
- SQL Server for Linux can replace the MariaDB data store.
- Azure database for MySQL can replace the MariaDB data store if you prefer a fully managed solution.
These considerations implement the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that can be used to improve the quality of a workload. For more information, see Microsoft Azure Well-Architected Framework.
The VM instances in this scenario are deployed across multiple regions, with the data replicated between the two via RSYNC for the WordPress content and primary/secondary replication for the MariaDB clusters.
This scenario uses Virtual Machine Scale Sets for the two front-end web server clusters in each region. With scale sets, the number of VM instances that run the front-end application tier can automatically scale in response to customer demand, or based on a defined schedule. For more information, see Overview of autoscale with Virtual Machine Scale Sets.
The back end is a MariaDB cluster in an availability set. For more information, see the MariaDB cluster tutorial.
For more resiliency and scalability guidance, see the resiliency checklist] in the Azure Architecture Center.
Security provides assurances against deliberate attacks and the abuse of your valuable data and systems. For more information, see Overview of the security pillar.
All the virtual network traffic into the front-end application tier and protected by network security groups. Rules limit the flow of traffic so that only the front-end application tier VM instances can access the back-end database tier. No outbound Internet traffic is allowed from the database tier. To reduce the attack footprint, no direct remote management ports are open. For more information, see Azure network security groups.
For general guidance on designing secure scenarios, see the Azure Security Documentation.
In combination with the use of multiple regions, data replication and Virtual Machine Scale Sets, this scenario uses Azure load balancers. These networking components distribute traffic to the connected VM instances, and include health probes that ensure traffic is only distributed to healthy VMs. All of these networking components are fronted via a CDN. This makes the networking resources and application resilient to issues that would otherwise disrupt traffic and affect end-user access.
For general guidance on designing resilient scenarios, see Designing reliable Azure applications.
Cost optimization is about looking at ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see Overview of the cost optimization pillar.
To explore the cost of running this scenario, all of the services are pre-configured in the cost calculator. To see how the pricing would change for your particular use case, change the appropriate variables to match your expected traffic.
We've provided a pre-configured cost profile based on the architecture diagram provided here. To configure the pricing calculator for your use case, there are a couple main things to consider:
- How much traffic are you expecting in terms of GB/month? The amount of traffic will have the biggest effect on your cost, as it will determine the number of VMs that are required to surface the data in the Virtual Machine Scale Set. Additionally, it will directly correlate with the amount of data that is surfaced via the CDN.
- How much new data are you going to be writing to your website? New data written to your website correlates with how much data is mirrored across the regions.
- How much of your content is dynamic? How much is static? The variance around dynamic and static content influences how much data has to be retrieved from the database tier versus how much will be cached in the CDN.
This article is maintained by Microsoft. It was originally written by the following contributors.
- David Stanford | Principal Program Manager
- About Azure Key Vault
- What are Virtual Machine Scale Sets?
- What is a content delivery network on Azure?
- What is Azure Active Directory?
- What is Azure Files?
- What is Azure Load Balancer?
- What is Azure Virtual Network?
- What is VPN Gateway?
Microsoft Learn modules:
- Build a scalable application with Virtual Machine Scale Sets
- Configure Azure Active Directory
- Configure Azure Load Balancer
- Configure Azure files and Azure File Sync
- Create a Content Delivery Network for your Website with Azure CDN and Blob Services
- Implement Azure Key Vault
- Introduction to Azure Virtual Networks