We just reached a major milestone in our infrastructure evolution: we permanently decommissioned 8 legacy monoliths and transitioned our primary public presence entirely to our new, clean active-active multi-region WordPress HA architecture. Here is why the new model is cleaner, safer, and better.
+ + +Decommissioning the Legacy Monoliths
+For a long time, our legacy infrastructure was spread across a sprawling web of virtual machines in our old VPC. As we transitioned to our new high-availability model, these old servers were left running. They were costing money, eating up management overhead, and expanding our attack surface.
+ +With our new active-active cluster fully stable and taking production traffic, we permanently deleted 8 legacy virtual machines from our BinaryLane account:
+ +| Server Name | Legacy IP Address | Legacy Role |
|---|---|---|
wp-web-1-syd | 10.241.2.1 | Legacy Nginx / Certbot master |
wp-web-2-syd | 10.241.2.2 | Legacy Web Node |
wp-web-4-bne | 10.241.2.4 | Legacy Web Node |
wp-web-5-mel | 10.241.2.5 | Legacy Web Node |
wp-web-6-mel | 10.241.2.6 | Legacy Web Node |
wp-web-7-bne | 10.241.2.7 | Legacy Web Node |
wp-db-primary | 10.241.1.1 | Legacy MySQL Primary |
wp-db-replica-mel | 10.241.1.3 | Legacy MySQL Replica (Melbourne) |
Removing these legacy machines clean up the old VPC topology and ensures we are no longer paying for redundant, idle compute capacity.
+ +The New Active-Active HA Architecture
+Our primary public site is now running on a modern, 3-tier active-active high-availability cluster spanning multiple regions (Brisbane and Sydney). The traffic flow is fully decoupled:
+ +- +
- Anycast Load Balancing: Incoming traffic hits BinaryLane’s Anycast IP, which automatically routes requests to the nearest healthy proxy node using BGP routing. +
- Stateless Proxy Layer (Envoy): Dedicated Envoy proxy servers (
envoy-bne-testandenvoy-syd-test) handle SSL/TLS termination and route HTTP/1.0 traffic downstream. +
- Decoupled Web Layer (Nginx/PHP-FPM): Web application servers (
web-bne-testandweb-syd-test) handle the PHP execution. Because they are stateless, any failure is transient. +
- Private Database Layer: Database nodes (
db-bne-testanddb-syd-test) reside in a completely private subnet, isolated from direct public routing. +
Why the New Architecture is Cleaner and Better
+Moving away from the legacy monoliths to this 3-tier architecture gives us several major improvements:
+ +1. Complete Layer Decoupling
+In our legacy setup, Nginx, PHP, cert management, and database connections were often tangled together on the same host. The new architecture enforces a strict separation of concerns. Proxies handle traffic routing, web servers handle PHP, and databases handle data. Each tier can scale independently without affecting the others.
+ +2. Resiliency and No Single Point of Failure (SPOF)
+If an entire data centre region goes offline, BGP Anycast automatically routes all incoming traffic to the surviving region. Because web servers and proxies are active-active in both Brisbane and Sydney, the site remains fully operational without requiring any manual failover or DNS changes.
+ +3. Stateless and Reproducible Web Nodes
+Because the web application servers do not store persistent local state or handle direct certificate generation, they are completely disposable. If a web server becomes unhealthy, we can spin up an identical replacement in minutes without having to worry about configuration drift, database migration, or local backups.
+ +4. Advanced Security Isolation with External Firewalls
+We audited and hardened the new cluster using **BinaryLane Advanced Firewall Rules** to block unauthorized traffic before it ever reaches our virtual machines:
+- +
- Envoy Proxies: Only allow public HTTP (80) and HTTPS (443) traffic. SSH (22) is completely blocked from the general public, allowed only from our trusted administrator IPs and the Jumpbox. +
- Web & Database Servers: Completely isolated from direct internet access. They are configured with an external drop-all firewall policy, accepting inbound connections only from the local
10.242.0.0/16cluster VPC. +
Dual-Stack IPv6 Support and Local Hardening
To ensure our platform remains accessible to modern clients, we enabled native IPv6 support across the cluster. Since the external cloud load balancers are IPv4-only, we routed IPv6 traffic directly to our Envoy proxy nodes using dual-stack AAAA records. To protect these nodes, we implemented local nftables firewalls that drop all incoming IPv6 traffic except for HTTP (80), HTTPS (443), and essential ICMPv6. This allows us to serve IPv6 clients safely without exposing management ports (like SSH) to the public internet.
The result is a fast, highly secure, and resilient infrastructure that is easier to maintain and monitor.