Michal Z Gow - Cost-efficient Drupal hosting

Last updated: 7 February 2023

Solutions architect, team lead, Drupal evangelist and AI enthusiast in Edinburgh, Scotland

TL;DR: The most cost-efficient hosting solution for a Drupal website with under ~15k/day authenticated users and under ~150k/day anonymous users is a VPS (e.g. FastHosts). You can start with as little as £5/month, with a free Cloudflare CDN as a port-443 gatekeeper and acme.sh as your free certificate automation. When your project grows, or you need more security features, use the $20/month Cloudflare service and a £1/month bastion as an SSH port gatekeeper. If you can live with the SLA of the VPS provider (probably yes), chances are you will never need more. However, should you need (almost) 100% uptime/fast recovery and (almost) 100% security, your best bet is containers: Amazon Web Services (AWS) Elastic Beanstalk/CloudFormation and/or K8s on Google Compute Engine (GCE) give you everything from load balancers and scalable infrastructure in different zones to autoscaling DB storage and bastions. You can go for serverless AWS Fargate as well, which gives you a higher price tag and a bit more fun.

The task

Drupal requires a PHP interpreter, a web server, and a database to run. It can run on shared hosting as well as on serverless solutions. There are three main considerations: uptime, security and throughput (how many requests the hosting is able to serve efficiently).

From a practical point of view, the trade-offs for each of the factors can be calculated as a ratio between potential damage and the price of control in a risk assessment table. In this article, I’ve grouped the results of such a calculation into two categories and suggested an appropriate/efficient hosting solution for each. The reasoning behind the grouping is that the ratio between damage and control follows a very sharp curve, which makes it possible to draw a clear line at the point where a more complex solution is required.

The three factors and solutions

Uptime

All the big hosting/cloud providers guarantee an average of 99.95% uptime of an instance. That accounts for approximately 30 minutes of downtime a month. However, all you get in case of downtime is a discount on your monthly bill. That would surely not pay for the lost revenue of a busy e-shop. And downtime lasting several hours isn’t that rare even at the biggest cloud providers.

Controlling for uptime is the most expensive endeavour because you must have a flexible and available infrastructure in different zones (datacentres) on demand.

Security

While all of today's hosting solutions offer encrypted storage and firewalls, the majority of the risk lies in human error/system misconfiguration, zero-day exploits and brute-force attacks.

Controlling for security comes second on the price list of controls, because the infrastructure doesn’t need to be as flexible and distributed, but additional resources are required.

Throughput

Controlling for uptime is also controlling for throughput: if your website can stay online even under attack or in case of a disaster, it has sufficient throughput. On the other hand, you can increase throughput without increasing uptime security and save a lot of money.

Controlling for throughput alone is not very expensive, so as a rule of thumb, leave this decision to the last step. It might take care of itself when controlling for the rest.

The solutions

99.95% uptime websites with up to 150k visitors/day

Starting with uptime, the majority of websites can accept some downtime, especially when you can control the outgoing message (e.g. ‘Under maintenance’) or you are not alone (the whole cloud is down). If you are not running extremely sensitive services (banking app, flight control), you probably do not need to go beyond the SLAs of cloud providers.

Hence, the consideration is about security and throughput.

No VPS solution with a basic security

When you pair a VPS with the free tier of Cloudflare CDN and manage your SSL certificate via acme.sh, you can have formidable Drupal hosting even on a budget. The key ingredient here is the CDN network, which allows you to keep the website running even if your Drupal backend is down (migrating), giving you the ability to upgrade hosting without downtime. Additionally, the CDN is your firewall for port 443 (you can restrict access to your server to Cloudflare's IP addresses only, to prevent any attack at the webserver level).

Example for £5/month at FastHosts (2 vCPU, 2GB RAM)

This is a typical small community server with a limited number of editors, where user profiles are mainly used for limiting access to content.

  • Serve ~1k authenticated members/day (2 concurrent requests * 60 minutes * 8 hours; 256MB PHP Memory Limit).
  • Depending on Cloudflare settings it can sustain around ~25k visitors/day (50 concurrent requests * 60 minutes * 8 hours).
  • Recommended stack: Dockerised NGINX + PHP + MariaDB.

Example for £18/month at FastHosts (8 vCPU, 24GB RAM)

This is a CMS of an organisation, e.g., a university resources platform. It can provide concurrent access for dozens of editors; it would enable users to manage their own content and use Views without slowing the site down.

  • Serve ~15k authenticated members/day (30 concurrent requests * 60 minutes * 8 hours; 512MB PHP Memory Limit).
  • Depending on Cloudflare settings it can sustain around ~150k visitors/day (300 concurrent requests * 60 minutes * 8 hours).
  • Recommended stack: Dockerised NGINX + PHP + MariaDB.

Security-critical VPS solution

Websites with sensitive content, especially those hosting private user data, are expected to go one step further in their security protection. Two widely adopted steps add a layer of security:

  • SSH Bastion. For an additional £1/month you can have a tiny 1 vCPU/512GB machine, which can serve as a Bastion server for your main web server. When you have a Bastion, just add a firewall rule to the main server preventing any SSH access from addresses other than the Bastion’s IP. That prevents any brute-force attacks on the SSH access point of the web server.
  • Cloudflare paid service. While even the free Cloudflare service adds performance (by distributing static content), its power stems from the security rules available in the paid version. If used correctly, the Cloudflare CDN itself can prevent almost all known Drupal security attacks and keep your site available during the biggest DDoS attacks.
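The two firewall restrictions described above (port 443 open only to Cloudflare's addresses, SSH open only to the Bastion's IP) can live in one nftables ruleset on the web server. The generator below is an added example, not the author's configuration: the helper name `gen_ruleset`, the table name and all addresses are assumptions, with documentation ranges standing in for the list Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```shell
#!/bin/sh
# Added example (not from the article): emit an nftables ruleset that admits
# HTTPS only from the CDN's ranges and SSH only from the bastion.

# gen_ruleset BASTION_IP < cidr_list   (hypothetical helper name)
# Reads one CIDR per line; blank lines and '#' comments are skipped.
# Fails on a malformed or empty list, so a broken download never yields
# a ruleset that blocks all web traffic.
gen_ruleset() {
    bastion=$1 v4="" v6=""
    case $bastion in ""|*[!0-9a-fA-F:.]*) echo "bad bastion IP" >&2; return 1 ;; esac
    while IFS= read -r line; do
        line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -z "$line" ] && continue
        case $line in
            *[!0-9a-fA-F:./]*) echo "bad entry: $line" >&2; return 1 ;;
            *:*/*) v6="${v6:+$v6, }$line" ;;   # IPv6 CIDR
            *.*/*) v4="${v4:+$v4, }$line" ;;   # IPv4 CIDR
            *)     echo "not a CIDR: $line" >&2; return 1 ;;
        esac
    done
    [ -n "$v4$v6" ] || { echo "empty CIDR list" >&2; return 1; }
    case $bastion in *:*) fam=ip6 ;; *) fam=ip ;; esac
    cat <<EOF
table inet webhost {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    meta l4proto { icmp, ipv6-icmp } accept
    $fam saddr $bastion tcp dport 22 accept
EOF
    if [ -n "$v4" ]; then echo "    ip saddr { $v4 } tcp dport 443 accept"; fi
    if [ -n "$v6" ]; then echo "    ip6 saddr { $v6 } tcp dport 443 accept"; fi
    printf '  }\n}\n'
}

# Demo with constructed documentation ranges (RFC 5737 / RFC 3849),
# standing in for the CDN list and the bastion address.
gen_ruleset 203.0.113.10 <<'EOF'
192.0.2.0/24
198.51.100.0/24   # constructed sample
2001:db8::/32
EOF
```

Because the recommended stack is Dockerised, ports published by Docker are filtered in the forward path rather than in this input chain, so the same source restriction also has to be applied there (Docker documents the DOCKER-USER chain for this). With port 80 closed to the public, acme.sh has to validate over DNS rather than HTTP.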

Fast recovery/no downtime websites with a huge authenticated community

If your users are mainly anonymous, and you hit the bandwidth limit, instead of scaling the hosting you probably should look into static website generators and headless Drupal. Drupal allows you to separate authenticated and anonymous users via domain (subdomain) names, and you can host your static site for anonymous users directly on the Cloudflare platform for as little as $20/month with unlimited free traffic.

For the rest of us, a solution which scales is a must. The usual contemporary solution is cloud hosting. The first and second largest providers are Amazon Web Services (AWS) and Google Compute Engine (GCE). However, the premium solutions come at a premium price and premium complexity.

Architecture

To ensure the architecture delivers both scalability/uptime and security, the solution requires at a minimum the following services:

  • Load balancer,
  • Webserver and PHP service container (in 2 zones),
  • Scalable database solution,
  • Bastion server,
  • Container storage.

The minimum architecture does not deliver the same speed and efficiency as the monolithic web server (added complexity means less efficiency), but it scales horizontally, which means that if you need the speed of a 12-core processor, you have it in approx. 18 containers spread across several zones.

Prices

The monthly prices below are estimates for the initial 2-zone setup, comparable to a 4 vCPU 16GB RAM monolithic server. The calculation itself varies a lot depending on setup and data usage. Unlike the majority of VPS providers, cloud providers charge for data traffic both internally (between zones) and externally (to the Internet).

Data traffic is calculated for 15k authenticated users/day (the threshold between VPS and cloud) when each user sees 10 pages, each 3 MB in size.

  • Data transfers | $160 AWS, $180 GCE
  • Load balancer | $35 AWS, $85 GCE
  • Webserver and PHP service container 2x | $20 AWS, $15 GCE
  • Scalable database | $50 AWS, $60 GCE
  • Bastion server | $7 AWS, Free
  • Storage | $6 AWS, Free

The starting price total is ~$278/month for AWS and ~$340 for GCE. As you can see, the money is in the data transfers. While you can try to save some money by using 3rd party storage and advanced caching, this adds complexity to the project, and the money saved in fees ends up being spent on management and on complexities in development.

The architecture of cloud solutions seems extremely flexible, but in practice, it comes down to the following:

AWS offers two approaches: (1) elastic containers managed via Beanstalk and/or CloudFormation; and (2) a serverless compute engine managed via AWS Fargate. While the security is similar (the same OSs run in the containers), the management is slightly easier in Fargate, but the pricing is better when using Beanstalk (prices above are calculated for Elastic Beanstalk).

GCE offers K8s, which is a less vendor-locked approach, but it is slightly pricier.

Contacts

michal.gow [at] outlook [dot] com