In this laboratory, we are going to create a VPC from scratch, with one private subnet and one public subnet.
Let's analyze a simple use case: we need a web server application with a back-end database.
We are going to need a VPC and two subnets, a public one for the web-facing application and a private one for the database. We also need an IGW (Internet Gateway) for the public subnet and a NAT gateway for the private subnet, so the instances there can reach the internet for installing, upgrading or patching packages.
The architecture diagram will look like this.
- AWS Account
- Basic Linux command-line knowledge
1. Go to VPC in your AWS Management Console
2. Go to Your VPCs
3. Click on Create VPC
4. Give it a name and a CIDR block. I'm going to use 10.0.0.0/16; if you want to know more about CIDR (Classless Inter-Domain Routing) you can check the Wikipedia page here.
Click on Create VPC.
You will see all the details of the new VPC.
5. Now let's create the subnets. First create the private subnet, which will hold the database in our use case: click on "Subnets"
and click on Create subnet.
Select the VPC ID of the VPC you just created
Give a name to the subnet and select the Availability Zone
Click on Add new subnet to add another subnet; this time we are going to add the public subnet.
Give the new subnet a name, a different AZ, and a CIDR block inside the VPC that is different from the private subnet's.
And click on Create subnet
In the subnets page, click on the public Subnet ID
Click on "Actions" and select "Modify auto-assign IP settings"
Enable the auto-assign public IPv4 address checkbox and save.
6. Create an IGW: go to Internet Gateways
7. Click on Create internet gateway
8. Give it a name and create the internet gateway
9. In the next screen click on Actions and "Attach to VPC"
Select the VPC we created and click on Attach internet gateway
10. Create the NAT Gateway. First we are going to need an EIP, so go to EC2
Go to Elastic IPs
Click on Allocate Elastic IP address
Click on Allocate
Go to VPC
Click on NAT Gateways
And Create NAT Gateway
Give it a name, select the public subnet (the NAT Gateway needs to be in a public subnet, and from there it serves the private subnet), and finally select the Elastic IP we created earlier.
11. Now let's connect the routes. From the VPC service go to Route Tables
Click on create route table
Give it a name and select the VPC you created
Select the route table and go to the Routes tab
Click on Edit routes, then click on Add route
For Destination put 0.0.0.0/0, for Target choose NAT Gateway and select the NAT gateway we created.
Save the routes.
Repeat the process; this time we are going to create a new route table for the public subnet.
We select the route table and in the Routes tab we edit the routes.
We add a new route again, but this time the target is the Internet Gateway.
Save the route. Now we need to tell the subnets which route table to use.
Go to VPC
Click on Subnets
Select the public subnet, and in the "Route table" tab click on Edit route table association
Select the public route table we created and save the changes
Now we do the same thing with the private subnet, but this time we associate it with the private route table.
Save the changes and that's it! You have a public and a private subnet.
In the public subnet you can launch instances; if the security group and the NACL permit incoming access, you will have both incoming and outgoing access.
In the private subnet you can establish outgoing connections to the internet to update and install packages, but the NAT gateway will deny all connections initiated from outside.
As they are in the same VPC, the private and public subnets can see and communicate with each other.
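The properties described above (the public subnet reaches the internet through the IGW, the private subnet only through the NAT Gateway, and the NAT Gateway itself must sit in a public subnet) are decided entirely by steps 5 to 11: the subnet CIDRs, the route tables, and which route table each subnet is associated with. The following script is an added example, not code from the original post: it describes that end state as plain Python data and checks it offline, so a wrong route-table association in step 11, or a NAT Gateway created in the private subnet in step 10, shows up as a finding before any instance is launched. All names and IDs in it (igw-lab, nat-lab, rt-public, rt-private, the AZ names) are made-up placeholders; real AWS IDs are random and differ per account.

```python
"""Offline check of the two-subnet VPC layout built in this lab.

Added example, not code from the original post. Names and IDs such as
igw-lab, nat-lab, rt-public and rt-private are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, field

DEFAULT_ROUTE = "0.0.0.0/0"


@dataclass
class Subnet:
    name: str
    role: str                 # what the design intends: "public" or "private"
    cidr: str
    az: str
    auto_assign_public_ip: bool
    route_table: str          # route table associated with this subnet in step 11


@dataclass
class RouteTable:
    name: str
    routes: dict = field(default_factory=dict)   # destination CIDR -> target id


@dataclass
class Vpc:
    cidr: str
    subnets: list
    route_tables: dict        # name -> RouteTable
    igw: str                  # Internet Gateway attached in step 9
    nat_gateway_subnet: str   # subnet the NAT Gateway was created in (step 10)


def classify(vpc):
    """Map each subnet to 'public', 'private' or 'isolated' from the target of
    its default route: an IGW lets the internet initiate connections into the
    subnet, a NAT Gateway only lets the subnet initiate them."""
    kinds = {}
    for s in vpc.subnets:
        rt = vpc.route_tables.get(s.route_table)
        target = rt.routes.get(DEFAULT_ROUTE, "") if rt else ""
        if target == vpc.igw:
            kinds[s.name] = "public"
        elif target.startswith("nat-"):
            kinds[s.name] = "private"
        else:
            kinds[s.name] = "isolated"
    return kinds


def validate(vpc):
    """Return a list of findings; an empty list means the layout matches the lab."""
    findings = []
    vpc_net = ipaddress.ip_network(vpc.cidr)
    seen = {}
    for s in vpc.subnets:
        net = ipaddress.ip_network(s.cidr)
        if not net.subnet_of(vpc_net):
            findings.append(f"{s.name}: {s.cidr} lies outside the VPC CIDR {vpc.cidr}")
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                findings.append(f"{s.name}: {s.cidr} overlaps {other} ({other_net})")
        seen[s.name] = net
        if s.route_table not in vpc.route_tables:
            findings.append(f"{s.name}: route table {s.route_table!r} does not exist")
    kinds = classify(vpc)
    for s in vpc.subnets:
        if kinds[s.name] != s.role:
            findings.append(f"{s.name}: intended {s.role} but its routes make it {kinds[s.name]}")
        if s.role == "private" and s.auto_assign_public_ip:
            findings.append(f"{s.name}: private subnet auto-assigns public IPv4 addresses")
        if s.role == "public" and not s.auto_assign_public_ip:
            findings.append(f"{s.name}: public subnet does not auto-assign public IPv4 addresses")
    # Step 10: the NAT Gateway must live in a subnet whose default route goes to the IGW.
    if kinds.get(vpc.nat_gateway_subnet) != "public":
        findings.append(f"NAT Gateway sits in {vpc.nat_gateway_subnet!r}, which has no route to the IGW")
    return findings


def lab_topology():
    """The end state of steps 4-11 (constructed values)."""
    return Vpc(
        cidr="10.0.0.0/16",
        subnets=[
            Subnet("private", "private", "10.0.1.0/24", "us-east-1a", False, "rt-private"),
            Subnet("public", "public", "10.0.2.0/24", "us-east-1b", True, "rt-public"),
        ],
        route_tables={
            "rt-private": RouteTable("rt-private", {DEFAULT_ROUTE: "nat-lab"}),
            "rt-public": RouteTable("rt-public", {DEFAULT_ROUTE: "igw-lab"}),
        },
        igw="igw-lab",
        nat_gateway_subnet="public",
    )


def misassociated_topology():
    """The common slip in step 11: the private subnet gets the public route table."""
    vpc = lab_topology()
    vpc.subnets[0].route_table = "rt-public"
    return vpc


if __name__ == "__main__":
    for label, topo in (("lab", lab_topology()), ("misassociated", misassociated_topology())):
        print(label, classify(topo), validate(topo) or "OK")
```

Running the script prints the classification and findings for both the correct layout and the misassociated one; the second reports that the database subnet, intended to be private, is reachable from the internet because its default route points at the IGW. The same check catches a NAT Gateway placed in the private subnet and a subnet CIDR outside the VPC block.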
So let's try it.
13. Testing: let's launch two instances, one in the public subnet and the other in the private subnet, to test the connectivity.
Go to EC2 service
Go to instances
And click on Launch instance
Select the Amazon Linux 2 AMI (64-bit)
Select t2.micro and click on Next: Configure Instance Details
On the next page, select 1 instance, select the VPC we created, and for the subnet select the public subnet. From here, instead of Next, click on "Review and Launch"
In the next page review the information and click on Launch.
Create a new key pair, give it a name, download the key pair, and then launch the instance.
Go to View Instances and launch another instance, this time in the private subnet, and choose the same key pair.
Go to View Instances again and wait until the status of both is running.
Put a name on the instances; you can tell them apart by which one has a public IP.
OK, now let's test the connectivity. As the private instance has no external connection, we cannot connect to it via SSH directly, so we need to go through the public instance. First copy the pem file to the public instance.
Select the public instance ID and copy the IPv4 address
Change the permissions to the pem file
Copy the pem file to your public instance
Connect to your public instance
ssh -i "private-public.pem" firstname.lastname@example.org
In your AWS Management Console, in EC2 instance, click on the Instance ID of the private instance and copy the private IP
Go to the location of the pem file and connect to the private instance
sudo su -
cd /tmp
chmod 400 private-public.pem
Connect to the private instance
ssh -i "private-public.pem" email@example.com
Ping google.com a few times and see if you have internet connectivity.
ping www.google.com
PING www.google.com (188.8.131.52) 56(84) bytes of data.
64 bytes from ord37s03-in-f4.1e100.net (184.108.40.206): icmp_seq=1 ttl=100 time=21.0 ms
64 bytes from ord37s03-in-f4.1e100.net (220.127.116.11): icmp_seq=2 ttl=100 time=21.1 ms
64 bytes from ord37s03-in-f4.1e100.net (18.104.22.168): icmp_seq=3 ttl=100 time=21.0 ms
64 bytes from ord37s03-in-f4.1e100.net (22.214.171.124): icmp_seq=4 ttl=100 time=20.8 ms
64 bytes from ord37s03-in-f4.1e100.net (126.96.36.199): icmp_seq=5 ttl=100 time=20.7 ms
64 bytes from ord37s03-in-f4.1e100.net (188.8.131.52): icmp_seq=6 ttl=100 time=20.8 ms
64 bytes from ord37s03-in-f4.1e100.net (184.108.40.206): icmp_seq=7 ttl=100 time=20.9 ms
64 bytes from ord37s03-in-f4.1e100.net (220.127.116.11): icmp_seq=8 ttl=100 time=21.0 ms
^C
--- www.google.com ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7010ms
rtt min/avg/max/mdev = 20.792/20.954/21.190/0.215 ms
Great! You have your public and private subnets!
In the next post we are going to go deeper into AWS and its services.
1. From EC2 instances, select and terminate the instances
2. From VPC, NAT Gateways, select and delete the NAT gateway, wait until the status is "deleted"
3. From VPC, Elastic IP, Release the Elastic IP address
4. From VPC, Internet Gateways, detach the Internet Gateway from the VPC
Then select and delete the Internet Gateway
5. From VPC, Subnets, delete the private and public subnets
6. From VPC, select the VPC we created for the lab, click on Actions and then Delete VPC