Moodle on AWS with Google SSO and Cloudflare

For many organizations, budgets are getting tighter, cloud technologies are becoming more accessible to sysadmins and network admins, and bandwidth is becoming more affordable.

Whether you’re using the cloud or on-prem, Moodle is an attractive solution for many schools looking for more control and for a platform that is easy to deploy and maintain for their teachers.

If your internal IT team has the expertise and you need more than 50 users, a self-hosted and distributed Moodle instance is likely a better option for you than the Moodle Cloud offering, which starts at $120+ for 50 users with less than half a gig of storage. In our organizations, teachers tend to utilize a lot more than 500MB of storage.

Moodle Distributed #

The image below is a sample of my architecture for a self-hosted, micro-distributed design:

I’m giving you the zip for my Diagrams.net (draw.io) diagram:

Distributed Design Download #


Today, without leaning on usage stats or estimating file sizes, you can spin this environment up in a monolithic approach for about $40/month utilizing the AWS Marketplace image: Bitnami LMS powered by Moodle(TM) LMS.

If you’re a one-man shop or have limited budget and skills, this is the instance for you. AWS offers amazing tools for scheduled snapshots, and since it’s a monolithic approach, all of your data will be stored within one instance.

Moodle Monolithic #

If you decide to go with the monolithic approach, please use Cloudflare to help with caching and security. Cloudflare has the option to enforce HTTPS only, proxy the traffic through their services, enforce firewall rules, and mitigate DDoS attacks.

Here’s what that would look like:

Monolithic App

Monolithic Design Download #

Here’s the file download for the Monolithic diagram:


Auth #

IT controls are critical for creating a safe environment for your admins and end-users. One approach to reduce IT overhead and enforce consistent authentication across your domain is to implement SSO/SAML with a common directory as the single source of truth. In my org, that’s Google. Google Workspace acts as our source of truth for employees and students. We assign descriptions, OU-based security policies, and data loss prevention policies by group. Utilizing Google, we can manage access, phishing protection, and hundreds of other policies to ensure a safe online environment from a single point of management.

Utilizing a single point of auth also makes meeting cyber insurance requirements easier. Enforcing MFA/2FA only needs to be done on a single account, but it applies to the twenty-plus environments that utilize Google for SSO.

An additional benefit of utilizing a domain-based authentication method is the ability to limit access to an explicit domain, which means the remaining point of failure would be a compromised account. The only way to compromise an account would be for an attacker to gain access to the “something you have”, “something you are” and “something you know”:

  • Something you have – 2FA code (for example, a text message)
  • Something you are – biometric (face, fingerprint)
  • Something you know – password

All of these variables would have to be breached to gain access to a domain-controlled account.

Cloudflare Distribution & Security #

Regardless of your backend architecture, I am a true believer in utilizing the tools that Cloudflare offers. Most web applications can benefit from Cloudflare’s FREE account! Below are some very brief reasons why I would utilize Cloudflare’s offerings with most of my deployments.

DDoS Support #

Cloudflare offers an out-of-the-box option, “Under Attack Mode”, which challenges every visitor with a JavaScript check to verify human interaction. Traffic that fails the challenge is dropped.

Proxy #

By default, Cloudflare proxies your DNS records through their servers. If you enter an A record pointing to 1.2.3.4, Cloudflare will answer with one of their own addresses (say 44.33.22.11) and route the traffic on to your resource at 1.2.3.4, never revealing the true IP to your end-users (or potential attackers).
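An added check for the proxy model just described (example code, not the post's own): it flags DNS records whose public answer is still the raw origin address, and origin ingress rules that admit web traffic from outside the proxy's ranges, because a record hidden behind the proxy still leaves the origin reachable if its security group accepts 0.0.0.0/0 on 443. The ranges, hostnames and ingress rules are constructed placeholders; the real lists are published at https://www.cloudflare.com/ips-v4 and /ips-v6.

```python
"""Added audit of a Cloudflare-fronted origin (constructed data, not the
post's own code). Check 1: each public DNS answer lands inside the proxy's
address space, not on the origin. Check 2: the origin's ingress admits
HTTP/S only from the proxy, otherwise it can be reached directly.
Ranges are CONSTRUCTED; load the real lists from cloudflare.com/ips-v4."""
from ipaddress import ip_address, ip_network

# Constructed stand-in for the proxy's published IPv4 ranges.
PROXY_RANGES = [ip_network("44.33.22.0/24"), ip_network("198.51.100.0/24")]
# Constructed sample: the public answer each hostname currently resolves to.
SAMPLE_RECORDS = {
    "moodle.example.edu": "44.33.22.11",  # proxied, origin hidden
    "static.example.edu": "1.2.3.4",      # proxy off: origin exposed in DNS
}
# Constructed sample of the origin's security-group ingress as (cidr, port).
SAMPLE_INGRESS = [
    ("44.33.22.0/24", 443),   # HTTPS from the proxy only: fine
    ("0.0.0.0/0", 443),       # HTTPS from anywhere: proxy can be bypassed
    ("203.0.113.0/24", 22),   # admin SSH, not a web port, not checked here
]

def is_proxied(answer: str, ranges=PROXY_RANGES) -> bool:
    """True if a resolved address sits inside the proxy's address space."""
    return any(ip_address(answer) in net for net in ranges)

def unproxied_records(records: dict, ranges=PROXY_RANGES) -> list:
    """Hostnames whose public answer is the raw origin address."""
    return [h for h, a in records.items() if not is_proxied(a, ranges)]

def bypassable_ingress(rules, ranges=PROXY_RANGES) -> list:
    """Web-port ingress entries that admit sources outside the proxy ranges."""
    flagged = []
    for cidr, port in rules:
        if port not in (80, 443):
            continue
        src = ip_network(cidr)
        if not any(src.subnet_of(net) for net in ranges):
            flagged.append((cidr, port))
    return flagged

def audit(records=SAMPLE_RECORDS, ingress=SAMPLE_INGRESS) -> dict:
    """Run both checks; empty lists mean the proxy cannot be side-stepped."""
    return {"unproxied": unproxied_records(records),
            "bypassable": bypassable_ingress(ingress)}

if __name__ == "__main__":
    print(audit())
```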

Firewall #

Are you getting flooded with Tor requests? Bots attempting to access/scan your site? Looking to block countries from accessing your site? Cloudflare allows you to set these security policies in seconds.

Does this require a paid account? No. It’s free to enable these settings, but you do need to upgrade if you want to see the detailed logs.

Phase II – Multi-Cloud #

Phase II of this project is coming. I’m building a multi-cloud architecture to load balance between AWS and GCP with a third-party external load balancer.
