The exact steps and configuration may vary based on your specific requirements and the services you choose to use with AWS. It's essential to always adhere to AWS's Well-Architected Framework when creating your VPC.
In this scenario, we'll be creating a VPC using the AWS console. The VPC spans two Availability Zones, each with a public and a private subnet, so that inbound connections to resources such as EC2 instances in the private subnets are restricted. The only inbound path to the private subnets will be through a Bastion Host instance in a public subnet.
Project Goals
To create a secure, scalable, and highly available cost-efficient VPC
To isolate resources in our private subnet for security reasons
Allow user connections to the private instances only via the Bastion Host EC2 instance
Architecture
Figure 1: VPC Architecture
Requirements
Design the VPC Architecture: Determine the requirements of your application, including the number of subnets, availability zones, IP addressing scheme, and connectivity requirements. Decide on the CIDR (Classless Inter-Domain Routing) block for your VPC.
Create the VPC: Log in to the AWS Management Console and navigate to the VPC service. Click on "Create VPC" and provide the necessary details, including the CIDR block for the VPC. Enable DNS hostnames and DNS resolution if required.
Create Subnets: Divide your VPC into multiple subnets across different availability zones. Each subnet should be associated with an availability zone. Click on "Create Subnet" and provide the necessary details, including the CIDR block for the subnet and the availability zone.
Configure Route Tables: Create route tables to define routing within the VPC. A main route table is created with the VPC by default, but you will normally create your own (one for the public subnets, one per private subnet when each has its own NAT Gateway). Associate each subnet with the appropriate route table; a subnet not explicitly associated falls back to the main route table.
Set up Internet Gateway (IGW): Create an Internet Gateway and attach it to your VPC. This allows instances in your subnets to access the internet. Edit the route tables to include a route that points to the IGW for internet-bound traffic.
Configure Network Address Translation (NAT) Gateways: If you have private subnets that need outbound internet access (for package updates, for example), create a NAT Gateway in a public subnet of each AZ. Then add a 0.0.0.0/0 route to each private subnet's route table that targets the NAT Gateway in the same AZ. A NAT Gateway allows outbound connections and their replies only; it does not let the internet initiate connections to the private instances.
Implement Security Groups and Network ACLs: Set up appropriate security groups and network access control lists (ACLs) to control inbound and outbound traffic at the instance and subnet levels. Security groups are stateful allow-lists (a permitted inbound connection's replies are allowed automatically); network ACLs are stateless and evaluate rules in order, so return traffic must be allowed explicitly. Define the necessary rules based on your application's requirements.
Implement Multi-Availability Zone Deployment: Deploy your resources across multiple availability zones within your VPC to achieve high availability and fault tolerance. Distribute instances and databases across different subnets and availability zones for redundancy.
DIY
Use the AWS console to configure the VPC in the following steps
Step 1: Configure the VPC
Open the VPC console
Click on "Your VPCs" on the left-hand panel
Click "Create VPC" button in the top right hand corner
Name the VPC "Demo VPC"
Set the IPv4 CIDR block to 10.0.0.0/16 (that's 65,536 IP Addresses we are assigning to our VPC)
Leave everything else at its default and click "Create VPC" at the bottom right hand corner. DONE
Figure: 2 VPC configuration
TIP: Filter your VPC console with the "Demo VPC" we just created. This hides components already created for your default VPC. Shown in the screenshot below.
Step 2 - Create the Subnets
We are creating 4 subnets - 2 Public Subnets in separate Availability Zones (AZ) and 2 Private Subnets, one in each of those same two AZs
Open the VPC console
Click on "Subnets" on the left-hand panel
Click "Create subnet" button in the top right hand corner
Click the drop down and select the VPC named "Demo VPC" that we created in Step 1
Name Subnet 1 "Public Subnet A"
Choose an AZ "a" for whatever region you are within. For example: "us-east-1a"
Set the IPv4 CIDR block to 10.0.0.0/24 [10.0.0.0 - 10.0.0.255] (that's 256 IP addresses; AWS reserves the first four and the last address of every subnet, so 251 are assignable)
Then click the button "Add new subnet" at the bottom left hand corner. We will repeat the name / AZ / CIDR steps above for the other 3 subnets.
Name Subnet 2 "Public Subnet B", Choose AZ "b", Set the IPv4 CIDR block to 10.0.1.0/24 [10.0.1.0 - 10.0.1.255], click "Add new subnet" at the bottom left hand corner
Name Subnet 3 "Private Subnet A", Choose AZ "a" (same AZ as Subnet 1), Set the IPv4 CIDR block to 10.0.16.0/20 [10.0.16.0 - 10.0.31.255] (that's 4096 IP addresses, 4091 assignable after AWS's 5 reserved), click "Add new subnet" at the bottom left hand corner
Name Subnet 4 "Private Subnet B", Choose AZ "b" (same AZ as Subnet 2), Set the IPv4 CIDR block to 10.0.32.0/20 [10.0.32.0 - 10.0.47.255]
Click the "Create subnet" button in the bottom right hand corner. DONE
Figure 3: Subnet settings
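Before creating subnets in the console it is worth checking the addressing plan offline. The following Python is an added example (not code from the original lab) that validates the plan above: every subnet must sit inside the VPC CIDR, be between /16 and /28 as AWS requires, and not overlap any other subnet. It also reports assignable addresses after AWS's five reserved addresses per subnet, and the blocks of 10.0.0.0/16 still free for future subnets. The AZ names are assumed to be us-east-1a/b; the rest is the tutorial's own plan.

```python
import ipaddress

# The tutorial's plan, restated as data (constructed for this example).
VPC_CIDR = "10.0.0.0/16"
SUBNET_PLAN = {
    "Public Subnet A":  ("us-east-1a", "10.0.0.0/24"),   # AZ names are assumed
    "Public Subnet B":  ("us-east-1b", "10.0.1.0/24"),
    "Private Subnet A": ("us-east-1a", "10.0.16.0/20"),
    "Private Subnet B": ("us-east-1b", "10.0.32.0/20"),
}

# AWS reserves the network address, the VPC router, the DNS address,
# one address for future use, and the broadcast address in every subnet.
AWS_RESERVED_PER_SUBNET = 5


def usable_addresses(cidr: str) -> int:
    """Addresses EC2 can actually hand out in a subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def validate_plan(vpc_cidr: str, plan: dict) -> list:
    """Return a list of problems; an empty list means the plan is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, (_, cidr) in plan.items()}
    problems = []
    for name, net in nets.items():
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{name}: /{net.prefixlen} is outside the AWS /16-/28 subnet range")
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} is not inside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def free_space(vpc_cidr: str, plan: dict) -> list:
    """CIDR blocks of the VPC not yet allocated to any subnet (sorted)."""
    remaining = [ipaddress.ip_network(vpc_cidr)]
    for _, cidr in plan.values():
        used = ipaddress.ip_network(cidr)
        kept = []
        for block in remaining:
            if used.subnet_of(block):
                kept.extend(block.address_exclude(used))  # carve the subnet out
            elif block.subnet_of(used):
                continue                                  # block fully consumed
            else:
                kept.append(block)
        remaining = kept
    return sorted(remaining)


if __name__ == "__main__":
    for name, (az, cidr) in SUBNET_PLAN.items():
        print(f"{name:18} {az}  {cidr:14} {usable_addresses(cidr)} assignable")
    print("problems:", validate_plan(VPC_CIDR, SUBNET_PLAN) or "none")
    print("free:", ", ".join(str(n) for n in free_space(VPC_CIDR, SUBNET_PLAN)))
```

Running it shows why the /24 public subnets hold 251 hosts rather than 256, and that 56,832 addresses of the /16 remain unallocated, which is the headroom you want if the private tier later needs more subnets.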
Step 3 - Create Internet Gateway and Route Tables
Create Internet Gateway
Open the VPC Console
Click on "Internet gateways" on the left-hand panel
Click "Create internet gateway" button in the top right hand corner
Name the internet gateway "Demo Internet Gateway"
Click "Create internet gateway" in the bottom right hand corner. DONE
Figure 4: Internet gateway configuration
Attach the Internet Gateway to "Demo VPC"
Go back to the internet gateway dashboard
Select the newly created internet gateway called "Demo Internet Gateway"
Click the "Actions" dropdown button at the top right hand corner and click "Attach to VPC"
Figure 5: Attaching the Internet gateway
Select the "Demo VPC" in the drop down and click "Attach internet gateway" button at the bottom right hand corner DONE
Figure 6: Selecting the VPC to attach the Internet gateway to
Create the Route Tables
A main route table has already been created with our VPC. However, we will not use it; we will create 3 route tables of our own (Public Route Table, Private Route Table A, Private Route Table B). Separate private route tables are needed because each private subnet will route through the NAT gateway in its own AZ.
Open the VPC Console
Click on "Route tables" on the left-hand panel
Click "Create route table" button in the top right hand corner
Name the 1st route table "Public Route Table", select "Demo VPC", click "Create route table" button at the bottom right hand corner.
Name the 2nd route table "Private Route Table A", select "Demo VPC", click "Create route table" button at the bottom right hand corner.
Name the 3rd route table "Private Route Table B", select "Demo VPC", click "Create route table" button at the bottom right hand corner. DONE
Assign Subnets to Route Tables
Assign Public Subnets to "Public Route Table"
Go back to the route tables dashboard
Select "Public Route Table"
Click the "Actions" dropdown button at the top right hand corner and click "Edit subnet associations"
Select "Public Subnet A" and "Public Subnet B" then click "Save associations" button in the bottom right hand corner
Assign "Private Subnet A" to "Private Route Table A"
Go back to the route tables dashboard
Select "Private Route Table A"
Click the "Actions" dropdown button at the top right hand corner and click "Edit subnet associations"
Select "Private Subnet A" and click "Save associations" button in the bottom right hand corner
Assign "Private Subnet B" to "Private Route Table B"
Go back to the route tables dashboard
Select "Private Route Table B"
Click the "Actions" dropdown button at the top right hand corner and click "Edit subnet associations"
Select "Private Subnet B" and click "Save associations" button in the bottom right hand corner DONE
Update Public Route Table to make "Public Subnet A" and "Public Subnet B" Public
Go back to the route tables dashboard
Select "Public Route Table"
Click the "Actions" dropdown button at the top right hand corner and click "Edit routes"
Click "Add route", for Destination enter "0.0.0.0/0", for Target select "Internet Gateway" and pick "Demo Internet Gateway", click "Save changes" button at the bottom right hand corner. DONE. A subnet is "public" precisely because its route table sends 0.0.0.0/0 to an internet gateway; the instances in it still need a public IP to be reachable.
Step 4 - Create NAT Gateway (NATGW)
For high availability we will create 2 NATGWs, one in each AZ (one in Public Subnet A and one in Public Subnet B), so that an AZ outage does not take away the other AZ's outbound path. Note that NAT gateways are not part of the free tier: they are billed per hour and per GB processed from the moment they are created, which is why the clean-up section deletes them.
Open the VPC Console
Click on "NAT gateways" on the left-hand panel
Click "Create NAT gateway" button in the top right hand corner
Name the 1st NATGW "NATGW A", Select "Public Subnet A" that we created in a previous step, click "Allocate Elastic IP" button, and click "Create NAT gateway" button in the bottom right hand corner
Go back to the NATGW dashboard and click "Create NAT gateway" button in the top right hand corner
Name the 2nd NATGW "NATGW B", Select "Public Subnet B" that we created in a previous step, click "Allocate Elastic IP" button, and click "Create NAT gateway" button in the bottom right hand corner DONE
Connect Route Tables to NATGW
Open the VPC Console
Click on "Route tables" on the left-hand panel
Select "Private Route Table A"
Click the "Actions" dropdown button at the top right hand corner and click "Edit routes"
Click "Add route", for Destination route select "0.0.0.0/0", for Target select "NAT Gateway" and select "NATGW A", click "Save changes" button at the bottom right hand corner.
Go back to the Route tables dashboard
Select "Private Route Table B"
Click "Actions" dropdown button at the top right hand corner and click "Edit routes"
Click "Add route", for Destination route select "0.0.0.0/0", for Target select "NAT Gateway" and select "NATGW B", click "Save changes" button at the bottom right hand corner. DONE
NOTE: The default NACL allows all inbound and all outbound traffic. We will not change the default NACL settings in this lab; the security groups below provide the instance-level filtering. The NACL is found in the VPC console under "Network ACLs".
NACL Inbound Rules
NACL Outbound Rules
Step 5 - Create Bastion Host
Note: For high availability, it would be best to have one bastion host in each AZ. However, for simplicity, we will only create one Bastion Host, located in Public Subnet A (as shown in the "VPC Architecture" figure at the beginning of this ReadMe).
Open the EC2 console
Click "Instances" on the left-hand panel
Click "Launch instances" button in the top right hand corner
Name the instance "Bastion Host"
Keep the AMI as Amazon Linux, keep the architecture 64-bit (x86), keep the instance type t2.micro (to stay within the free tier)
Key Pair: Select "Proceed without a key pair (Not recommended)". In this lab we will use EC2 Instance Connect to SSH into the bastion and test the architecture, so no key pair is needed here: EC2 Instance Connect pushes a short-lived public key to the instance for each session. If you want to connect with your own SSH client instead, a key pair will be needed.
Edit Network Settings: Change the Default VPC to "Demo VPC", Change subnet to "Public Subnet A", Enable auto-assign public IP.
Edit Security Group (SG): Select "Create security group", name the SG "BastionHostSG", Description: "Security group for Bastion Host" (optional). Allow SSH (TCP 22) from anywhere, 0.0.0.0/0, for this lab. Outside a lab, narrow the source to your own address ("My IP") or, if you only ever connect through the console, to the EC2_INSTANCE_CONNECT prefix for your region from AWS's published ip-ranges.json; an SSH port open to the whole internet is the most exposed part of this design.
Click "Launch instance" button at the bottom right hand corner DONE
Step 6 - Create Private EC2 Instances
Create Private Instance in Private Subnet A
Go back to the EC2 console
Click "Launch instances" button in the top right hand corner
Name the instance "Private Instance A"
Keep the AMI as Amazon Linux, keep the architecture 64-bit (x86), keep the instance type t2.micro (to stay within the free tier)
Key Pair: Click "Create new key pair", name the key pair "VPCKeyPair", keep everything else default and click "Create key pair" button at the bottom right hand corner. The private key file (VPCKeyPair.pem) will be downloaded to your computer; AWS keeps only the public half and cannot give you the private key again. Store the file in a known place, because we will need its contents in a later step.
Edit Network Settings: Change the Default VPC to "Demo VPC", Change subnet to "Private Subnet A", DO NOT enable auto-assign public IP (this is our private instance and it should not have a public IP address)
Edit Security Group (SG): Select "Create security group", name the SG "PrivateInstanceSG", Description: "Security group for private instance A and private instance B" (optional). Allow SSH with Source set to Custom and select the Bastion Host's SG (BastionHostSG). Referencing a security group instead of a CIDR means only instances that are members of BastionHostSG can open port 22 here, even though both private subnets sit inside 10.0.0.0/16.
Click "Launch instance" button at the bottom right hand corner DONE
Create Private Instance in Private Subnet B
Go back to the EC2 console
Click "Launch instances" button in the top right hand corner
Name the instance "Private Instance B"
Keep the AMI as Amazon Linux, keep the architecture 64-bit (x86), keep the instance type t2.micro (to stay within the free tier)
Key Pair: In the dropdown select the keypair "VPCKeyPair"
Edit Network Settings: Change the Default VPC to "Demo VPC", Change subnet to "Private Subnet B", DO NOT enable auto-assign public IP (this is our private instance and it should not have a public IP address)
Edit Security Group (SG): Click "Select existing security group" and select the "PrivateInstanceSG" SG
Click "Launch instance" button at the bottom right hand corner DONE
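Steps 3 to 6 together are supposed to guarantee three things: the bastion is the only instance reachable from the internet, the private instances accept SSH only from members of BastionHostSG, and every instance still has an outbound path. The following Python is an added example (not code from the original lab or from AWS) that models the route tables, security groups and instances built above and checks those properties the way the "Test System" section does by hand. Instance IPs, the external address 198.51.100.7 and the target IDs igw-demo / nat-a / nat-b are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp", "udp", "icmp" or "all"
    from_port: int
    to_port: int
    source: str       # a CIDR, or the name of a security group (console "Custom" source)


@dataclass
class SecurityGroup:
    name: str
    inbound: List[Rule]   # outbound is left at the default allow-all


@dataclass
class Instance:
    name: str
    subnet: str
    private_ip: str
    sg: str
    public_ip: Optional[str] = None


# Constructed to mirror the lab; none of this is exported from a real account.
ROUTE_TABLES = {
    "Public Subnet A":  [("0.0.0.0/0", "igw-demo")],
    "Public Subnet B":  [("0.0.0.0/0", "igw-demo")],
    "Private Subnet A": [("0.0.0.0/0", "nat-a")],
    "Private Subnet B": [("0.0.0.0/0", "nat-b")],
}
GROUPS = {
    "BastionHostSG":     SecurityGroup("BastionHostSG", [Rule("tcp", 22, 22, "0.0.0.0/0")]),
    "PrivateInstanceSG": SecurityGroup("PrivateInstanceSG", [Rule("tcp", 22, 22, "BastionHostSG")]),
}
INSTANCES = {
    "Bastion Host":       Instance("Bastion Host", "Public Subnet A", "10.0.0.10",
                                   "BastionHostSG", public_ip="203.0.113.10"),
    "Private Instance A": Instance("Private Instance A", "Private Subnet A", "10.0.19.224",
                                   "PrivateInstanceSG"),
    "Private Instance B": Instance("Private Instance B", "Private Subnet B", "10.0.35.7",
                                   "PrivateInstanceSG"),
}


def subnet_kind(subnet: str) -> str:
    """'public' if the default route targets an IGW, 'private' if a NAT gateway, else 'isolated'."""
    for dest, target in ROUTE_TABLES.get(subnet, []):
        if dest == "0.0.0.0/0":
            if target.startswith("igw-"):
                return "public"
            if target.startswith("nat-"):
                return "private"
    return "isolated"


def _rule_matches(rule: Rule, src: Union[Instance, str], proto: str, port: int) -> bool:
    if rule.proto not in ("all", proto):
        return False
    if rule.proto != "icmp" and not rule.from_port <= port <= rule.to_port:
        return False
    if rule.source in GROUPS:
        # SG-referenced source: matched by the caller's group membership, not its address.
        return isinstance(src, Instance) and src.sg == rule.source
    src_ip = src.private_ip if isinstance(src, Instance) else src
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)


def sg_allows(dst: Instance, src: Union[Instance, str], proto: str = "tcp", port: int = 22) -> bool:
    """Security groups are stateful allow-lists: one matching inbound rule admits the flow."""
    return any(_rule_matches(r, src, proto, port) for r in GROUPS[dst.sg].inbound)


def reachable_from_internet(dst: Instance, src_ip: str = "198.51.100.7",
                            proto: str = "tcp", port: int = 22) -> bool:
    """Internet -> instance needs a public IP, an IGW default route and a permitting SG rule."""
    return (dst.public_ip is not None
            and subnet_kind(dst.subnet) == "public"
            and sg_allows(dst, src_ip, proto, port))


def has_outbound_internet(inst: Instance) -> bool:
    """The 'ping www.google.com' test: NAT route, or IGW route plus a public IP."""
    kind = subnet_kind(inst.subnet)
    return kind == "private" or (kind == "public" and inst.public_ip is not None)


def world_open_ports(groups: dict) -> list:
    """Lint: every rule admitting 0.0.0.0/0. In this design only the bastion's SSH rule should appear."""
    return [(g.name, r.proto, r.from_port, r.to_port)
            for g in groups.values() for r in g.inbound if r.source == "0.0.0.0/0"]
```

The SG-referenced rule is the part people get wrong: it does not mean "allow from the bastion's IP". Private Instance B is in the same VPC and the same CIDR, yet sg_allows(Private Instance A, Private Instance B) is false because B is not a member of BastionHostSG; replace the bastion with a new instance in that group and the rule keeps working with no IP changes.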
Test System
We are going to test our infrastructure to make sure we can properly SSH into our Bastion host and our private EC2 instances. We will also make sure our Bastion host and our private instances have access to the internet via the route tables, the internet gateway, and the NAT gateway (private instances only)
Step 7 - SSH into Bastion Host and into Private Instances to Test Connectivity
1. SSH into our Bastion Host using EC2 Instance Connect
EC2 Instance Connect is an AWS feature that lets us SSH into an instance from the browser without an external SSH client such as PuTTY. It works by pushing a one-time public key to the instance for the session, which is why the bastion did not need a key pair.
Open the EC2 console
Select the "Bastion Host"
Click the "Connect" button at the top right of the page
Click "Connect" button at the bottom right of the screen
If you get a screen like the one below then you have successfully connected to your Bastion host over SSH DONE
Test if the Bastion Host has access to the internet
Type "ping www.google.com" and hit Enter into the terminal window. You should receive feedback as shown in the screen shot below.
Make sure to hold Ctrl and press "C" to stop the ping.
If your outcome is similar to what's shown below then your Bastion host has access to the internet DONE
SSH into Private Instance A from our Bastion Host
Type "nano VPCKeyPair.pem" and hit Enter (nano is a terminal text editor; we use it to create a file holding our private key on the bastion so we can reference it when we SSH into the Private Instance)
Go to the VPCKeyPair.pem file saved on your computer. Open it. Copy ALL of the content, including the BEGIN and END lines. Paste it into the terminal (hint: hold Ctrl and Shift and press "V")
Hold Ctrl and press "X" to exit. Save the content by pressing "Y" for yes, then press "Enter".
Note: copying a private key onto the bastion is acceptable only for a throwaway lab. A compromised bastion would then hold the key to every private instance. From a local SSH client the key should stay on your machine and the bastion used only as a jump host (ssh -J, the ProxyJump option), or the bastion dropped entirely in favour of AWS Systems Manager Session Manager.
nano creates the file with mode 644 (readable by every user on the host). ssh refuses to use a private key that is readable by others, so we must restrict the file to its owner with the "chmod" command.
Type "chmod 400 VPCKeyPair.pem" and press Enter. This removes all access for group and others and leaves read-only access for us.
In a seperate tab, go to the EC2 console
Select "Private instance A" and copy the private IP address as shown in the screenshot below. We will need to reference this IP address to SSH into it. Go back to the EC2 Connect Window terminal.
Now we are ready to SSH into our Private Instance A via our Bastion host by using our keypair
Type "ssh ec2-user@INSERT YOUR PRIVATE IP ADDRESS YOU JUST COPIED -i VPCKeyPair.pem". Hit Enter. As an example Your code should look like this (your IP address will be different): "ssh ec2-user@10.0.19.224 -i VPCKeyPair.pem"
A prompt will come up asking if you are sure you want to connect (the private instance's host key is not yet known). Type "yes" and you should have successfully SSHed into your Private Instance A via your bastion host. DONE
Test if Private Instance A has access to the internet
Type "ping www.google.com" and hit Enter into the terminal window. You should receive feedback as shown in the screen shot below.
Make sure to hold Ctrl and press "C" to stop the ping.
If your outcome is similar to what's shown below then Private Instance A has access to the internet via NATGW A DONE
Repeat the SSH and ping steps above for Private Instance B if you want to SSH into it and test that it has access to the internet (via NATGW B). NOTE: Remember to use Private Instance B's own private IP address in place of 10.0.19.224 when executing the "ssh ec2-user@10.0.19.224 -i VPCKeyPair.pem" command
Clean Up
Step 8 - Delete all of the Instances - In the EC2 Console
Step 9 - Delete all NAT gateway (Make sure to delete BOTH NATGW A and NATGW B) - In the VPC Console
*You must wait until the EC2 instances and both NAT gateways have COMPLETELY terminated/deleted before Step 10 (this shouldn't take longer than 5-10 mins). Deleting a NAT gateway disassociates its Elastic IP but does not release it; release both EIPs from the "Elastic IPs" page as well, because an allocated but unassociated Elastic IP is billed.
Step 10 - Delete Demo VPC - In the VPC Console | FINAL STEP
Deleting the VPC will delete all of the associated subnets, internet gateways, route tables, security groups, etc.
In conclusion, creating an AWS VPC (Virtual Private Cloud) offers numerous advantages for organisations. It provides a secure and isolated network environment, enabling strict control over access and data protection. The scalability and flexibility of VPCs allow businesses to easily adjust resources based on demand, ensuring optimal performance and adaptability to changing workloads. With the ability to distribute resources across multiple availability zones, VPCs enhance reliability and fault tolerance. Cost optimisation is achieved through efficient resource allocation and payment models aligned with usage. VPCs also facilitate seamless connectivity and integration with other AWS services, on-premises infrastructure, and external networks, promoting hybrid cloud scenarios and data transfer. Lastly, VPCs simplify network management, enabling centralized control and efficient administration. Overall, creating an AWS VPC empowers organizations to build robust, secure, and scalable infrastructure that meets their specific needs and supports business growth in the cloud.