WordPress on Azure Kubernetes Service

Azure Managed Redis

Azure Front Door

Azure Kubernetes Service (AKS)

Azure Load Balancer

Azure NetApp Files

This article describes a container solution that hosts a large, storage-intensive installation of WordPress on Azure. The solution maximizes scalability and security. Key components include Azure Front Door, Azure Kubernetes Service (AKS), and Azure NetApp Files.

Architecture

Download a Visio file of this architecture.

Note

You can extend this solution by implementing tips and recommendations that apply to any WordPress hosting method. For general tips about how to deploy a WordPress installation, see WordPress on Azure.

Dataflow

The following dataflow corresponds to the previous diagram:

Users access the front-end website through Azure Front Door with Azure Web Application Firewall enabled.
Azure Front Door uses an internal instance of Azure Load Balancer as the origin. The internal load balancer is a hidden component of AKS. Azure Front Door retrieves any data that isn't cached.
The internal load balancer distributes ingress traffic to pods within AKS.
Azure Key Vault stores secrets, including the private key, which is an X.509 certificate.
The WordPress application uses a private endpoint to access a Flexible Server instance of Azure Database for MySQL. The WordPress application retrieves dynamic information from this managed database service.
All static content is hosted in Azure NetApp Files. The solution uses the Astra Trident Container Storage Interface (CSI) driver with the Network File System (NFS) protocol.

Components

AKS is a managed Kubernetes service that you can use to deploy, manage, and scale containerized applications. In this architecture, AKS hosts the WordPress containers and provides the orchestration platform that runs the containerized WordPress application to ensure high availability and scalability.
Azure Cache for Redis is a managed in-memory data store and caching service. In this architecture, Azure Cache for Redis hosts a key-value cache that all pods share. WordPress performance optimization plug-ins use the cache to improve response times.
Azure Database for MySQL - Flexible Server is a managed relational database service based on the open-source MySQL database engine. In this architecture, this database stores WordPress data.
Azure DDoS Protection is a network security service that provides enhanced distributed denial-of-service (DDoS) mitigation features. In this architecture, DDoS Protection helps defend against DDoS attacks when combined with application-design best practices and enabled on the perimeter network.
Azure Front Door is a modern cloud content delivery network and global load balancer. In this architecture, Azure Front Door is the public entry point into the WordPress deployment.
Azure NetApp Files is a managed, performance-intensive, and latency-sensitive storage solution. In this architecture, Azure NetApp Files hosts the WordPress content so that all pods have access to the shared data through high-performance file storage.
Azure Virtual Network is a networking service that enables deployed resources to communicate with each other, the internet, and on-premises networks. In this architecture, virtual networks provide isolation and segmentation.
Key Vault is a cloud service that stores and controls access to secrets, certificates, keys, and passwords. In this architecture, Key Vault provides secrets to the AKS cluster if pods need them.
Load Balancer is a layer-4 load balancer that distributes inbound traffic based on rules and health probe results. In this architecture, the load balancer distributes traffic from Azure Front Door to the ingress controller pods with low latency and high throughput.
Network security groups (NSGs) are security features that use security rules to allow or deny inbound or outbound network traffic based on source or destination IP address, port, and protocol. In this architecture, NSG rules restrict traffic flow between the application components in the subnets.

Alternatives

Instead of using the Azure Cache for Redis managed service, you can use a self-hosted pod within the AKS cluster as the cache.
Instead of using a managed storage solution like Azure NetApp Files, you can use a self-hosted solution like Rook-Ceph storage. For more information, see Use Rook Ceph on AKS.
Instead of using AKS, you can use Azure Container Apps to host containerized WordPress workloads. Container Apps is a managed serverless container service that suits simpler or smaller-scale scenarios. For large, storage-intensive, and highly customizable deployments, use AKS.

Scenario details

This example scenario works best for large, storage-intensive installations of WordPress. This deployment model can scale to meet spikes in traffic to the site.

Potential use cases

High-traffic blogs that use WordPress as their content management system
Business or e-commerce websites that use WordPress

Considerations

These considerations implement the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that you can use to improve the quality of a workload. For more information, see Well-Architected Framework.

Reliability

Reliability helps ensure that your application can meet the commitments that you make to your customers. For more information, see Design review checklist for Reliability.

Consider the following recommendations when you deploy this solution:

Use pods in AKS and a load balancer to distribute ingress traffic. This approach provides high availability even if a pod failure occurs.
Place all networking components behind Azure Front Door. This approach makes the networking resources and application resilient to problems that can otherwise disrupt traffic and affect user access.
Use Azure Front Door to cache all responses to gain a small availability benefit. Specifically, when the origin doesn't respond, you can still access content. But caching doesn't provide a complete availability solution.
Replicate Azure NetApp Files storage between paired regions to increase availability. For more information, see Understand Azure NetApp Files replication.
Follow high availability options that meet your needs to increase Azure Database for MySQL availability.
The solution supports multiple regions, data replication, and autoscaling. The components distribute traffic to the pods. Health probes ensure that only healthy pods receive traffic.
Azure Front Door is a global service that supports virtual machine scale sets deployed in another region.

Security

Security provides assurances against deliberate attacks and the misuse of your valuable data and systems. For more information, see Design review checklist for Security.

Consider the following best practices when you deploy this solution:

Use Web Application Firewall on Azure Front Door to help protect the virtual network traffic that flows into the front-end application tier. For more information, see Web Application Firewall on Azure Front Door.
Don't allow outbound internet traffic to flow from the database tier.
Don't allow public access to private storage, and disable public access to resources. Use private endpoints for Azure Database for MySQL, Azure Cache for Redis, Key Vault, and Azure Container Registry. For more information, see Azure Private Link.

For more information, see General WordPress security and performance tips and Azure security documentation.

Cost Optimization

Cost Optimization focuses on ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see Design review checklist for Cost Optimization.

Review the following cost considerations when you deploy this solution:

Traffic expectations (GB/month): Your traffic volume has the greatest effect on your cost. The amount of traffic that you receive determines the number of AKS nodes required and the price for outbound data transfer. The traffic volume also directly correlates with the amount of data that your content delivery network provides, where outbound data transfer costs are cheaper.
Amount of hosted data: Consider the amount of data that you host, because Azure NetApp Files pricing is based on reserved capacity. To optimize costs, reserve the minimum capacity required for your data.
Write percentage: Consider how much new data you write to your website and the cost to store it. For multi-region deployments, the amount of new data that you write to your website correlates with the amount of data mirrored across your regions.
Static versus dynamic content: Monitor your database storage performance and capacity to determine whether a cheaper SKU can support your site. The database stores dynamic content, and the content delivery network caches static content.
AKS cluster optimization: Follow general tips for AKS, such as guidance about virtual machine (VM) size and Azure reservations, to optimize your AKS cluster costs. For more information, see AKS Cost Optimization.

Performance Efficiency

Performance Efficiency refers to your workload's ability to scale to meet user demands efficiently. For more information, see Design review checklist for Performance Efficiency.

This scenario uses pods in AKS to host the front end. The autoscale feature enables the number of pods that run the front-end application tier to automatically scale in response to customer demand. They can also scale based on a defined schedule. For more information, see Scaling options for applications in AKS.

Important

For best performance, mount a persistent volume that uses the NFS protocol version 4.1. The following YAML example shows how to configure a PersistentVolume object for this purpose. Note the value of the mountOptions field.

kind: PersistentVolume
...
    accessModes:
    - ReadWriteMany
    mountOptions:
    - vers=4.1
    nfs:
      server: xx.xx.xx.xx

Contributors

Microsoft maintains this article. The following contributors wrote this article.

Principal author:

Vaclav Jirovsky | Cloud Solution Architect

Other contributor:

Adrian Calinescu | Senior Cloud Solution Architect

To see nonpublic LinkedIn profiles, sign in to LinkedIn.

Next steps

Product documentation:

Microsoft training modules:

Feedback

Was this page helpful?