AWS WordPress Hosting — Series Overview

Experiment #4 — AWS EC2 + ALB + CloudFront + AWS WAF + Cognito + VPC Origin

1. Objective of the Experiment

This experiment evaluates a production-grade WordPress architecture built entirely on AWS, using:

CloudFront as the global edge and caching layer,
AWS WAF for controlled and predictable security,
Application Load Balancer (ALB) for clean routing and Cognito integration,
Amazon Cognito for identity-based admin access,
VPC Origin / CloudFront→VPC connectivity to ensure private, internal-only traffic,
EC2 as the WordPress origin.

The goal was to achieve the highest security level, with reasonable cost, predictable billing, and maximum compatibility with WordPress — without relying on Cloudflare or external ZTNA providers.

2. Context and Technical Constraints

Architectural Motivation

Previous experiments revealed gaps:

AWS-only setups (EC2 + WAF) were secure but too complex and expensive.
RDS + ElastiCache architectures were overkill and even slower for small sites.
Cloudflare Tunnel offered great security but too many operational drawbacks.

This experiment’s purpose was to build a balanced, modern, long-term architecture:

clear separation of layers,
private connectivity end-to-end,
predictable WAF costs,
clean Cognito integration,
strong security posture without tunnel fragility.

Security Requirements

EC2 and ALB must not be exposed to the public internet.
CloudFront must communicate with ALB via private connectivity (VPC Origin / PrivateLink).
Cognito should enforce authentication before accessing WordPress admin.
WAF should block malicious traffic globally before it reaches AWS.
All TLS handled by ACM with strong cipher policies.

Functional Requirements

Zero administrative friction for WordPress login.
Clean and predictable CloudFront behaviors.
Full support for dynamic WordPress features.
Reliability and ease of debugging.

Cost Requirements

ALB cost should be offset by simpler WAF behavior and fewer rules.
New AWS WAF flat-rate plan (Autumn 2025) should reduce unpredictability.
Total architecture target: $50–$60/month.

Maintenance Requirements

Keep the number of components reasonable and aligned with AWS best practices.
Minimize custom CloudFront functions or hacks.
Let Cognito handle identity-based protection instead of WAF tricks.

Final Architecture - CloudFront + ALB + Cognito (VPC origin)

flowchart TD
  User["User / Browser"] --> CF["CloudFront Edge\nTLS Termination (ACM)"]
  CF --> WAF["AWS WAF\nManaged & Custom Rules"]
  WAF --> VPCO["VPC Origin\nCloudFront → ALB"]
  VPCO --> ALB["Application Load Balancer\n(HTTPS Listener + Cognito Auth)"]
  ALB --> EC2["EC2 Instance\nWordPress + PHP + Nginx/Apache"]
  EC2 --> EBS["EBS Volume\nWordPress Files"]

  Admin["Admin / Ops"] --> SSM["SSM Session Manager"]
  SSM --> EC2

  %% Styles
  classDef edge fill:#eef2ff,stroke:#4338ca,stroke-width:1px,color:#111;
  classDef waf fill:#fef9c3,stroke:#d97706,stroke-width:1px,color:#111;
  classDef origin fill:#ecfeff,stroke:#0891b2,stroke-width:1px,color:#111;
  classDef mgmt fill:#fee2e2,stroke:#b91c1c,stroke-width:1px,color:#111;

  class CF,VPCO edge;
  class WAF waf;
  class ALB,EC2,EBS origin;
  class Admin,SSM mgmt;

Figure A — Architecture - CloudFront + ALB + Cognito (VPC origin).

3. Architecture Tested

3.1. AWS Components

CloudFront (edge CDN + TLS termination)
- Uses Origin Access Control (OAC).
- Connects privately to ALB through CloudFront VPC Origin / PrivateLink.
- No public exposure.
AWS WAF
- Applied at CloudFront for global filtering.
- Much simpler rule set thanks to ALB + Cognito.
Application Load Balancer (ALB)
- Private subnets only.
- Not publicly reachable.
- Performs routing and Cognito authentication.
Cognito
- Protects /wp-admin and /wp-login.php.
- MFA, OAuth, or user pools supported.
VPC Endpoints
- VPC Endpoint for CloudFront Origin (PrivateLink).
- Optional S3 and SSM endpoints for full private operation.
EC2 (WordPress)
- Private instance behind ALB only.
- EBS stores WP files for easy instance replacement.

3.2. Infrastructure Security (AWS Architecture)

Security is significantly tightened through:

Private-only ALB: no public ingress at all.
CloudFront→ALB via VPC Origin / PrivateLink:
- traffic never touches the public internet,
- CloudFront communicates with ALB over an internal AWS backbone path.
OAC (Origin Access Control) ensures CloudFront is the only allowed caller.
AWS WAF at CloudFront filters threats before they even reach AWS networking layers.
Cognito at ALB adds identity-based admin protection.
SSM Session Manager for EC2 — no SSH exposed.
Strong Security Groups:
- CloudFront endpoint → ALB
- ALB → EC2
- No lateral exposure.

This is one of the strongest WordPress security postures possible on AWS.

3.3. Application Security (WordPress Layer)

Cognito and WAF drastically simplify application-layer security:

1. Cognito authentication at ALB

Protects /wp-admin and /wp-login.php.
Brute-force attacks disappear entirely.
Works seamlessly with WordPress when done at ALB (not CloudFront).
Cleaner than Cloudflare Access or Lambda@Edge-based auth.

2. Minimal WAF rules

Since admin is protected by Cognito, WAF only needs to cover:

common exploits,
bot attacks,
rate limiting.

WAF cost is reduced and predictable.

3. Private-origin WordPress

Because ALB and EC2 are never public:

no origin IP leaks,
no direct scans,
no bypass attacks.

3.4. High-Level Traffic Flow

Visitor connects to CloudFront over HTTPS.
WAF applies global inspection.
CloudFront uses Origin Access Control + VPC Origin to call the private ALB.
ALB decides:
- Protected path → Cognito authentication,
- Public path → forward directly.
ALB forwards traffic to the private EC2 instance.
WordPress generates the response; CloudFront caches static assets.

3.5. Technical Observations

1. ALB dramatically simplifies CloudFront behavior

No more complicated regex rules.
Routing is clean and explicit.
WAF needs fewer exceptions.

2. Cognito integration is far easier at the ALB layer

No CloudFront functions required.
No header rewriting.
No complex Lambda@Edge logic.

3. VPC Origin adds important security

The connection between CloudFront and ALB is private, internal-only.
Public internet is bypassed entirely.
Reduces attack exposure to near-zero.

4. WAF costs become predictable

The AWS WAF flat-rate plan (late 2025) is a huge improvement:

fixed monthly cost,
simplified billing,
perfect for small-to-medium sites.

5. ALB is not a load balancer here

Even though it’s named “load balancer”:

we mainly use its routing and authentication features,
not load distribution.

6. More components means more complexity

Compared to Cloudflare, you manage:

CloudFront,
WAF,
ALB,
Cognito,
VPC Edges,
EC2.

But the resulting architecture is more robust, more predictable, and entirely under your control.

4. Results and Analysis

4.1. Pros

Most secure architecture tested — by a wide margin.
VPC Origin ensures CloudFront–ALB is entirely private.
Cognito at ALB provides clean, modern admin protection.
ALB drastically simplifies WAF rules and caching behaviors.
WAF cost predictable thanks to flat-rate plan.
Perfect compatibility with WordPress (no bot/CAPTCHA issues like Cloudflare).
No external dependencies; all services AWS-native.
Highly stable — no fragile tunnel like Cloudflare.

4.2. Cons

Higher complexity: requires deep AWS knowledge.
ALB costs ~$25/month, unavoidable.
Initial setup time is longer than Cloudflare.
More moving parts than a cloudflare-based setup.

4.3. Estimated Costs (2025)

Approximate:

EC2: $8–12
EBS: $1–3
CloudFront: $1–10
ALB: ~$25
WAF (flat-rate plan): ~$10–15
VPC Endpoints + logs: $3–5

Total: ~$50–$60/month

This is within the expected range for a secure, maintainable, professional-grade WordPress hosting environment.

5. Conclusion

This architecture — EC2 + ALB + CloudFront + WAF + Cognito + VPC Origin — offers the best combination of:

security,
performance,
predictable cost,
operational stability,
AWS-native maintainability,
WordPress compatibility,
absence of external dependencies.

Although it is not the simplest setup, it is by far the one with the strongest security posture and the cleanest long-term operational model.

For small but serious WordPress installations, it is the best architecture tested in the entire series.

Experiment #4 — AWS EC2 + ALB + CloudFront + AWS WAF + Cognito + VPC Origin#

1. Objective of the Experiment#

2. Context and Technical Constraints#

Architectural Motivation#

Security Requirements#

Functional Requirements#

Cost Requirements#

Maintenance Requirements#

Final Architecture - CloudFront + ALB + Cognito (VPC origin)#

3. Architecture Tested#

3.1. AWS Components#

3.2. Infrastructure Security (AWS Architecture)#

3.3. Application Security (WordPress Layer)#

1. Cognito authentication at ALB#

2. Minimal WAF rules#

3. Private-origin WordPress#

3.4. High-Level Traffic Flow#

3.5. Technical Observations#

1. ALB dramatically simplifies CloudFront behavior#

2. Cognito integration is far easier at the ALB layer#

3. VPC Origin adds important security#

4. WAF costs become predictable#

5. ALB is not a load balancer here#

6. More components means more complexity#

4. Results and Analysis#

4.1. Pros#

4.2. Cons#

4.3. Estimated Costs (2025)#

5. Conclusion#

Related Posts