Victor Joshua

How to Create a Highly Available AWS VPC

The exact steps and configuration may vary based on your specific requirements and the services you choose to use with AWS. It's essential to always adhere to AWS's Well-Architected Framework when creating your VPC.


In this scenario, we'll be creating a VPC using the AWS console. The VPC will span two availability zones, each with a public and a private subnet, so that inbound connections to resources such as EC2 instances running in the private subnets are restricted. For security reasons we will only allow inbound connections to the private subnets through a Bastion Host instance.


Project Goals

  • To create a secure, scalable, highly available and cost-efficient VPC

  • To isolate resources in our private subnets for security reasons

  • Allow user connections to those private resources only through the Bastion Host EC2 instance

Architecture

Figure 1: VPC Architecture


Requirements


  • Design the VPC Architecture: Determine the requirements of your application, including the number of subnets, availability zones, IP addressing scheme, and connectivity requirements. Decide on the CIDR (Classless Inter-Domain Routing) block for your VPC.


  • Create the VPC: Log in to the AWS Management Console and navigate to the VPC service. Click on "Create VPC" and provide the necessary details, including the CIDR block for the VPC. Enable DNS hostnames and DNS resolution if required.


  • Create Subnets: Divide your VPC into multiple subnets across different availability zones. Each subnet should be associated with an availability zone. Click on "Create Subnet" and provide the necessary details, including the CIDR block for the subnet and the availability zone.


  • Configure Route Tables: Create separate route tables for each subnet to define the routing within the VPC. By default, a main route table is created, but you may need to create additional ones. Associate each subnet with the appropriate route table.


  • Set up Internet Gateway (IGW): Create an Internet Gateway and attach it to your VPC. This allows instances in your subnets to access the internet. Edit the route tables to include a route that points to the IGW for internet-bound traffic.


  • Configure Network Address Translation (NAT) Gateways: If you have private subnets that need outbound internet access, create and configure NAT Gateways. Associate each private subnet with its respective NAT Gateway and update the route tables accordingly.


  • Implement Security Groups and Network ACLs: Set up appropriate security groups and network access control lists (ACLs) to control inbound and outbound traffic at the instance and subnet levels. Define the necessary rules based on your application's requirements.


  • Implement Multi-Availability Zone Deployment: Deploy your resources across multiple availability zones within your VPC to achieve high availability and fault tolerance. Distribute instances and databases across different subnets and availability zones for redundancy.


DIY

Use the AWS console to configure the VPC in the following steps


Step 1: Configure the VPC

  • Open the VPC console

  • Click on "Your VPCs" on the left-hand panel

  • Click "Create VPC" button in the top right hand corner

  • Name the VPC "Demo VPC"

  • Set the IPv4 CIDR block to 10.0.0.0/16 (that's 65,536 IP Addresses we are assigning to our VPC)

  • Leave everything else at its default and click "Create VPC" at the bottom right hand corner. DONE


Figure 2: VPC configuration


TIP: Filter your VPC console with the "Demo VPC" we just created. This hides components already created for your default VPC. Shown in the screenshot below.



Step 2 - Create the Subnets

We are creating 4 subnets - 2 public subnets in separate Availability Zones (AZs) and 2 private subnets, one in each of those same AZs

  1. Open the VPC console

  2. Click on "Subnets" on the left-hand panel

  3. Click "Create subnet" button in the top right hand corner

  4. Click the drop down and select the VPC named "Demo VPC" that we created in Step 1

  5. Name Subnet 1 "Public Subnet A"

  6. Choose an AZ "a" for whatever region you are within. For example: "us-east-1a"

  7. Set the IPv4 CIDR block to 10.0.0.0/24 [10.0.0.0 - 10.0.0.255] (that's 256 IP addresses)

  8. Then click the button "Add new subnet" at the bottom left hand corner. We will complete similar steps shown in 5-7 for the other 3 subnets we will create.

  9. Name Subnet 2 "Public Subnet B", Choose AZ "b", Set the IPv4 CIDR block to 10.0.1.0/24 [10.0.1.0 - 10.0.1.255], click "Add new subnet" at the bottom left hand corner

  10. Name Subnet 3 "Private Subnet A", Choose AZ "a" (same AZ as Subnet 1), Set the IPv4 CIDR block to 10.0.16.0/20 [10.0.16.0 - 10.0.31.255] (that's 4096 IP addresses), click "Add new subnet" at the bottom left hand corner

  11. Name Subnet 4 "Private Subnet B", Choose AZ "b" (same AZ as Subnet 2), Set the IPv4 CIDR block to 10.0.32.0/20 [10.0.32.0 - 10.0.47.255]

  12. Click the "Create subnet" button in the bottom right hand corner. DONE




Figure 3: Subnet settings
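Before clicking through Step 2 it is worth checking the addressing plan on paper. The following is an added example (not code from the original post) that encodes the plan above and the AWS subnet constraints: every subnet must lie inside the VPC block, subnets must not overlap, prefixes must be between /16 and /28, and AWS reserves five addresses in every subnet, which is why a /24 gives 251 usable hosts rather than 256. The names and CIDRs are the post's own; the `validate_plan` and `usable_hosts` functions are mine.

```python
"""Validate the Step 2 subnet plan against the VPC CIDR from Step 1.

Added example, not part of the original post. The plan below is the
one the post lays out; the checks encode AWS VPC constraints:
every subnet must lie inside the VPC block, subnets must not overlap,
subnet prefixes must be between /16 and /28, and AWS reserves the
first four and the last address of every subnet.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"

# (name, AZ letter, CIDR, tier) exactly as created in Step 2
SUBNET_PLAN = [
    ("Public Subnet A", "a", "10.0.0.0/24", "public"),
    ("Public Subnet B", "b", "10.0.1.0/24", "public"),
    ("Private Subnet A", "a", "10.0.16.0/20", "private"),
    ("Private Subnet B", "b", "10.0.32.0/20", "private"),
]

# Network address, VPC router, DNS, reserved for future use, broadcast
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr):
    """Addresses that instances can actually take in a subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def validate_plan(vpc_cidr, plan):
    """Return a list of problems with the plan; an empty list means it is valid."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    accepted = []  # (name, network) of subnets already checked
    for name, az, cidr, tier in plan:
        net = ipaddress.ip_network(cidr, strict=False)
        if str(net) != cidr:
            problems.append(f"{name}: {cidr} is not aligned; did you mean {net}?")
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is outside the VPC block {vpc}")
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{name}: /{net.prefixlen} is outside the AWS /16-/28 range")
        for other_name, other in accepted:
            if net.overlaps(other):
                problems.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        accepted.append((name, net))

    # High availability needs each tier spread over at least two AZs
    for tier in sorted({entry[3] for entry in plan}):
        azs = {entry[1] for entry in plan if entry[3] == tier}
        if len(azs) < 2:
            problems.append(f"{tier} subnets only use AZ {sorted(azs)}; add a second AZ")
    return problems


if __name__ == "__main__":
    for name, _, cidr, _ in SUBNET_PLAN:
        print(f"{name:18} {cidr:14} usable hosts: {usable_hosts(cidr)}")
    print("problems:", validate_plan(VPC_CIDR, SUBNET_PLAN) or "none")
```

Running it on the post's plan reports no problems and 251 usable hosts per public subnet and 4091 per private subnet; adding a fifth subnet at 10.0.0.0/20 would be flagged as overlapping both public subnets, which the console would also reject, but only after you had filled in the form.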


Step 3 - Create Internet Gateway and Route Tables

Create Internet Gateway

  1. Open the VPC Console

  2. Click on "Internet gateways" on the left-hand panel

  3. Click "Create internet gateway" button in the top right hand corner

  4. Name the internet gateway "Demo Internet Gateway"

  5. Click "Create internet gateway" in the bottom right hand corner. DONE


Figure 4: Internet gateway configuration


Attach the Internet Gateway to "Demo VPC"

  1. Go back to the internet gateway dashboard

  2. Select the newly created internet gateway called "Demo Internet Gateway"

  3. Click the "Actions" dropdown button at the top right hand corner and click "Attach to VPC"


Figure 5: Attaching the Internet gateway


Select the "Demo VPC" in the drop down and click "Attach internet gateway" button at the bottom right hand corner DONE


Figure 6: Selecting the Internet gateway to attach


Create the Route Tables

A default route table has already been created for our VPC. However, we will not use it. We will create 3 route tables of our own (Public Route Table, Private Route Table A, Private Route Table B)

  • Open the VPC Console

  • Click on "Route tables" on the left-hand panel

  • Click "Create route table" button in the top right hand corner

  • Name the 1st route table "Public Route Table", select "Demo VPC", click "Create route table" button at the bottom right hand corner.


  • Name the 2nd route table "Private Route Table A", select "Demo VPC", click "Create route table" button at the bottom right hand corner.


  • Name the 3rd route table "Private Route Table B", select "Demo VPC", click "Create route table" button at the bottom right hand corner. DONE


Assign Subnets to Route Tables

Assign Public Subnets to "Public Route Table"

  1. Go back to the route tables dashboard

  2. Select "Public Route Table"

  3. Click the "Actions" dropdown button at the top right hand corner and click "Edit subnet associations"



Select "Public Subnet A" and "Public Subnet B" then click "Save associations" button in the bottom right hand corner



Assign "Private Subnet A" to "Private Route Table A"

  1. Go back to the route tables dashboard

  2. Select "Private Route Table A"

  3. Click the "Actions" dropdown button at the top right hand corner and click "Edit subnet associations"

  4. Select "Private Subnet A" and click "Save associations" button in the bottom right hand corner


Assign "Private Subnet B" to "Private Route Table B"

  1. Go back to the route tables dashboard

  2. Select "Private Route Table B"

  3. Click the "Actions" dropdown button at the top right hand corner and click "Edit subnet associations"

  4. Select "Private Subnet B" and click "Save associations" button in the bottom right hand corner DONE


Update Public Route Table to make "Public Subnet A" and "Public Subnet B" Public

  1. Go back to the route tables dashboard

  2. Select "Public Route Table"

  3. Click the "Actions" dropdown button at the top right hand corner and click "Edit routes"

  4. Click "Add route", for Destination route select "0.0.0.0/0", for Target select "Internet Gateway" and select "Demo Internet Gateway", click "Save changes" button at the bottom right hand corner. DONE


Step 4 - Create NAT Gateway (NATGW)

For high availability we will create 2 NATGWs, one in each AZ (one in Public Subnet A and one in Public Subnet B). A private subnet whose default route points at a NAT gateway in the other AZ would lose internet access whenever that AZ has an outage, which defeats the purpose of the second AZ.

  • Open the VPC Console

  • Click on "NAT gateways" on the left-hand panel

  • Click "Create NAT gateway" button in the top right hand corner

  • Name the 1st NATGW "NATGW A", Select "Public Subnet A" that we created in a previous step, click "Allocate Elastic IP" button, and click "Create NAT gateway" button in the bottom right hand corner


  • Go back to the NATGW dashboard and click "Create NAT gateway" button in the top right hand corner

  • Name the 2nd NATGW "NATGW B", Select "Public Subnet B" that we created in a previous step, click "Allocate Elastic IP" button, and click "Create NAT gateway" button in the bottom right hand corner DONE


Connect Route Tables to NATGW

  • Open the VPC Console

  • Click on "Route tables" on the left-hand panel

  • Select "Private Route Table A"

  • Click the "Actions" dropdown button at the top right hand corner and click "Edit routes"

  • Click "Add route", for Destination route select "0.0.0.0/0", for Target select "NAT Gateway" and select "NATGW A", click "Save changes" button at the bottom right hand corner.


  • Go back to the Route tables dashboard

  • Select "Private Route Table B"

  • Click "Actions" dropdown button at the top right hand corner and click "Edit routes"

  • Click "Add route", for Destination route select "0.0.0.0/0", for Target select "NAT Gateway" and select "NATGW B", click "Save changes" button at the bottom right hand corner. DONE
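The point of creating two NAT gateways and two private route tables is that an outage in one AZ leaves the other AZ's private subnet with working egress. The following added example (not code from the original post) models the route tables, subnets and NAT gateways exactly as Steps 3 and 4 create them and checks that property, then simulates losing an AZ; it goes slightly beyond the post by also evaluating the cheaper single-NAT layout to show what is lost. The AZ names assume us-east-1; the `check_routing` and `private_subnets_with_egress_after_az_loss` functions are mine.

```python
"""Check the route-table layout from Steps 3 and 4 for the property that
makes the design highly available: each private subnet's internet-bound
traffic (0.0.0.0/0) leaves through a NAT gateway in its own AZ, and each
public subnet's goes straight to the internet gateway.

Added example, not part of the original post. The dictionaries are a
constructed model of the console objects; names follow the post and the
AZ names assume us-east-1.
"""

IGW = "Demo Internet Gateway"

SUBNETS = {
    "Public Subnet A": {"az": "us-east-1a", "tier": "public"},
    "Public Subnet B": {"az": "us-east-1b", "tier": "public"},
    "Private Subnet A": {"az": "us-east-1a", "tier": "private"},
    "Private Subnet B": {"az": "us-east-1b", "tier": "private"},
}

# NAT gateway -> the public subnet it was created in (Step 4)
NAT_GATEWAYS = {"NATGW A": "Public Subnet A", "NATGW B": "Public Subnet B"}

# Route tables as built in Steps 3 and 4; "local" is the route AWS adds itself
ROUTE_TABLES = {
    "Public Route Table": {
        "subnets": ["Public Subnet A", "Public Subnet B"],
        "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": IGW},
    },
    "Private Route Table A": {
        "subnets": ["Private Subnet A"],
        "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "NATGW A"},
    },
    "Private Route Table B": {
        "subnets": ["Private Subnet B"],
        "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "NATGW B"},
    },
}


def default_route_target(subnet, route_tables):
    """Target of the 0.0.0.0/0 route for a subnet, or None if it has none."""
    for table in route_tables.values():
        if subnet in table["subnets"]:
            return table["routes"].get("0.0.0.0/0")
    return None  # not associated: would fall back to the VPC's main table


def check_routing(subnets, nat_gateways, route_tables, igw=IGW):
    """Return a list of problems; an empty list means the layout is as intended."""
    problems = []
    for name, info in subnets.items():
        target = default_route_target(name, route_tables)
        if info["tier"] == "public":
            if target != igw:
                problems.append(f"{name}: default route should be {igw}, got {target}")
            continue
        # private subnet: egress must go through a NAT gateway in the same AZ
        if target is None:
            problems.append(f"{name}: no 0.0.0.0/0 route, instances have no egress")
        elif target == igw:
            problems.append(f"{name}: routed straight to the IGW, so it is not private")
        elif target not in nat_gateways:
            problems.append(f"{name}: unknown target {target}")
        else:
            nat_subnet = nat_gateways[target]
            if subnets[nat_subnet]["tier"] != "public":
                problems.append(f"{target}: must sit in a public subnet, not {nat_subnet}")
            if subnets[nat_subnet]["az"] != info["az"]:
                problems.append(
                    f"{name}: egress via {target} in {subnets[nat_subnet]['az']}, "
                    f"a different AZ; an outage there takes {name} offline too"
                )
    return problems


def private_subnets_with_egress_after_az_loss(lost_az, subnets, nat_gateways, route_tables):
    """Private subnets that keep internet egress if an entire AZ goes down."""
    survivors = []
    for name, info in subnets.items():
        if info["tier"] != "private" or info["az"] == lost_az:
            continue
        target = default_route_target(name, route_tables)
        nat_subnet = nat_gateways.get(target)
        if nat_subnet and subnets[nat_subnet]["az"] != lost_az:
            survivors.append(name)
    return survivors


if __name__ == "__main__":
    print("problems:", check_routing(SUBNETS, NAT_GATEWAYS, ROUTE_TABLES) or "none")
    for az in ("us-east-1a", "us-east-1b"):
        keep = private_subnets_with_egress_after_az_loss(az, SUBNETS, NAT_GATEWAYS, ROUTE_TABLES)
        print(f"if {az} is lost, private subnets with egress: {keep}")
```

With the post's layout the check reports nothing and losing us-east-1a still leaves Private Subnet B with egress. If Private Route Table B were instead pointed at NATGW A (one NAT gateway to save cost), the check flags the cross-AZ dependency and the simulation shows that losing us-east-1a leaves no private subnet with internet access.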


NOTE: The default NACL allows all inbound and all outbound traffic, so in this lab the security groups are what actually restrict access. We will not change the default NACL settings in this lab. It can be found in the VPC console.

NACL Inbound Rules




NACL Outbound Rules



Step 5 - Create Bastion Host

Note: For high availability, it would be best to have one bastion host in each AZ. However, for simplicity, we will only create one Bastion Host, located in Public Subnet A (as shown in the "VPC Architecture Design" at the beginning of this ReadMe).

  1. Open the EC2 console

  2. Click "Instances" on the left-hand panel

  3. Click "Launch instances" button in the top right hand corner

  4. Name the instance "Bastion Host"

  5. Keep AMI as Linux, keep architecture 64-bit (x86), keep instance type t2.micro (to stay within the free tier)

  6. Key Pair: Select "Proceed without a key pair (Not recommended)". In this lab we will be using EC2 Connect to SSH into our instance and to test our architecture, so we will not need a key pair here. However, if you want to further secure your instance, or if you use your own SSH client, then a key pair will be needed.

  7. Edit Network Settings: Change the Default VPC to "Demo VPC", Change subnet to "Public Subnet A", Enable auto-assign public IP.

  8. Edit Security Group (SG): Select "Create security group", name the SG "BastionHostSG", Description:"Security group for Bastion Host" (Optional), Allow SSH from anywhere, 0.0.0.0/0

  9. Click "Launch instance" button at the bottom right hand corner DONE



Step 6 - Create Private EC2 Instances

Create Private Instance in Private Subnet A

  1. Go back to the EC2 console

  2. Click "Launch instances" button in the top right hand corner

  3. Name the instance "Private Instance A"

  4. Keep AMI as Linux, keep architecture 64-bit (x86), keep instance type t2.micro (to stay within the free tier)

  5. Key Pair: Click "Create new key pair", name the key pair "VPCKeyPair", keep everything else default and click "Create key pair" button at the bottom right hand corner - the private key file will be downloaded to your computer. Make sure to store this file in a known place on your computer. We will have to use the contents of this file in a later step


  6. Edit Network Settings: Change the Default VPC to "Demo VPC", Change subnet to "Private Subnet A", DO NOT enable auto-assign public IP (this is our private instance and it should not have a public IP address)

  7. Edit Security Group (SG): Select "Create security group", name the SG "PrivateInstanceSG", Description: "Security group for private instance A and private instance B" (Optional), Allow SSH from Custom: Select the SG of the Bastion Host

  8. Click "Launch instance" button at the bottom right hand corner DONE




Create Private Instance in Private Subnet B

  1. Go back to the EC2 console

  2. Click "Launch instances" button in the top right hand corner

  3. Name the instance "Private Instance B"

  4. Keep AMI as Linux, keep architecture 64-bit (x86), keep instance type t2.micro (to stay within the free tier)

  5. Key Pair: In the dropdown select the keypair "VPCKeyPair"

  6. Edit Network Settings: Change the Default VPC to "Demo VPC", Change subnet to "Private Subnet B", DO NOT enable auto-assign public IP (this is our private instance and it should not have a public IP address)

  7. Edit Security Group (SG): Click "Select existing security group" and select the "PrivateInstanceSG" SG

  8. Click "Launch instance" button at the bottom right hand corner DONE
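The security groups built in Steps 5 and 6 are what enforce the "private instances only via the bastion" goal, because the default NACL allows everything. The following added example (not code from the original post) models the two groups as the post creates them and evaluates which SSH paths are open: from the internet to the bastion, from the internet to a private instance, from the bastion to a private instance, and between the two private instances. It goes a step beyond the post by also showing the tightened variant in which the bastion's SSH rule is limited to an administrator address range instead of 0.0.0.0/0. The instance IP addresses, the administrator range (198.51.100.0/24) and the internet client address (203.0.113.7) are constructed sample values from the documentation ranges; the `inbound_allowed` and `ssh_reachability` functions are mine.

```python
"""Model the two security groups from Steps 5 and 6 and check who can
reach SSH on which instance. Added example, not part of the original
post; the rules are the ones the post creates, the addresses are
constructed sample values.

Security groups are stateful allow-lists: an inbound rule either names
a CIDR or references another security group, in which case traffic is
allowed from any interface that carries that group.
"""
import ipaddress

# Inbound rules as created in the console: (protocol, port, source)
SECURITY_GROUPS = {
    "BastionHostSG": [("tcp", 22, "0.0.0.0/0")],              # Step 5
    "PrivateInstanceSG": [("tcp", 22, "sg:BastionHostSG")],   # Step 6
}

# Tightened variant (not in the post): bastion SSH only from an admin range
ADMIN_CIDR = "198.51.100.0/24"  # constructed, TEST-NET-2
RESTRICTED_GROUPS = {**SECURITY_GROUPS, "BastionHostSG": [("tcp", 22, ADMIN_CIDR)]}

# Instances from Steps 5 and 6 with their groups; private IPs are constructed
INSTANCES = {
    "Bastion Host": {"sg": ["BastionHostSG"], "ip": "10.0.0.10"},
    "Private Instance A": {"sg": ["PrivateInstanceSG"], "ip": "10.0.19.224"},
    "Private Instance B": {"sg": ["PrivateInstanceSG"], "ip": "10.0.40.15"},
}

INTERNET_CLIENT = "203.0.113.7"  # constructed, TEST-NET-3


def inbound_allowed(groups, dst_instance, proto, port, src_ip, src_sgs=()):
    """True if any inbound rule on the destination's groups admits this flow.

    src_sgs lists the groups on the *source* interface (empty for the internet).
    """
    src = ipaddress.ip_address(src_ip)
    for sg_name in INSTANCES[dst_instance]["sg"]:
        for rule_proto, rule_port, source in groups[sg_name]:
            if rule_proto != proto or rule_port != port:
                continue
            if source.startswith("sg:"):
                if source[3:] in src_sgs:
                    return True
            elif src in ipaddress.ip_network(source):
                return True
    return False  # no matching rule: security groups deny by default


def ssh_reachability(groups):
    """Map (source, destination) -> whether TCP/22 is admitted."""
    paths = {}
    for dst in INSTANCES:
        paths[("internet", dst)] = inbound_allowed(groups, dst, "tcp", 22, INTERNET_CLIENT)
        for src, src_info in INSTANCES.items():
            if src != dst:
                paths[(src, dst)] = inbound_allowed(
                    groups, dst, "tcp", 22, src_info["ip"], src_info["sg"]
                )
    return paths


if __name__ == "__main__":
    for label, groups in (("as built", SECURITY_GROUPS), ("restricted", RESTRICTED_GROUPS)):
        print(f"--- {label} ---")
        for (src, dst), ok in sorted(ssh_reachability(groups).items()):
            print(f"{src:20} -> {dst:20} {'ALLOW' if ok else 'deny'}")
```

As built, SSH to either private instance is admitted only from an interface carrying BastionHostSG, and the private instances cannot SSH to each other; the bastion itself accepts SSH from any address, including the private instances, because 0.0.0.0/0 covers the VPC range too. The restricted variant keeps the bastion-to-private path intact while refusing the internet client, which is the form to use outside a lab.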





Test System

We are going to test our infrastructure to make sure we can properly SSH into our Bastion host and our private EC2 instances. We will also make sure our Bastion host and our private instances have access to the internet via the route tables, the internet gateway, and the NAT gateway (private instances only)

Step 7 - SSH into Bastion Host and into Private Instances to Test Connectivity

1. SSH into our Bastion Host using EC2 Connect

EC2 Connect is an AWS feature that allows us to easily and securely SSH into our instances from the browser without needing an external SSH client like PuTTY

  1. Open the EC2 console

  2. Select the "Bastion Host"

  3. Click the "Connect" button at the top right of the page


  • Click "Connect" button at the bottom right of the screen


  • If you get a screen like the one below then you have successfully SSHed into your Bastion host DONE


Test if the Bastion Host has access to the internet

  1. Type "ping www.google.com" and hit Enter into the terminal window. You should receive feedback as shown in the screen shot below.

  2. Make sure to hold Ctrl and press "C" to stop the ping.

  3. If your outcome is similar to what's shown below then your Bastion host has access to the internet DONE



SSH into Private Instance A from our Bastion Host

  1. Type "nano VPCKeyPair.pem" and hit Enter (nano command allows us to create and store a text file within the terminal. We need to upload our VPCKeyPair so we can reference it when we SSH into the Private Instance)

  2. Go to the VPCKeyPair.pem file saved on your computer. Open it. Copy ALL the content. Paste it into the terminal (hint hold ctrl and shift and press "v")



Hold Ctrl and press "X" to exit. Save the content by pressing "Y" for yes. Then press "Enter".

Our uploaded VPCKeyPair.pem file is currently readable by others (its mode is 644, i.e. "chmod 644"). SSH requires that private key files are NOT accessible by others and will refuse to use a key that is. Therefore, we must change the permissions so that only we can read it ("chmod 400"), using the "chmod" command

  1. Type "chmod 400 VPCKeyPair.pem" and press Enter. This removes access for others and leaves only read access for us.

  2. In a separate tab, go to the EC2 console

  3. Select "Private instance A" and copy the private IP address as shown in the screenshot below. We will need to reference this IP address to SSH into it. Go back to the EC2 Connect Window terminal.



Now we are ready to SSH into our Private Instance A via our Bastion host by using our keypair

  1. Type "ssh ec2-user@INSERT YOUR PRIVATE IP ADDRESS YOU JUST COPIED -i VPCKeyPair.pem". Hit Enter. As an example Your code should look like this (your IP address will be different): "ssh ec2-user@10.0.19.224 -i VPCKeyPair.pem"

  2. A prompt will come up asking if you are sure you want to connect. Type "yes" and you should have successfully SSHed into your Private Instance A via your bastion host. DONE



Test if Private Instance A has access to the internet

  1. Type "ping www.google.com" and hit Enter into the terminal window. You should receive feedback as shown in the screen shot below.

  2. Make sure to hold Ctrl and press "C" to stop the ping.

  3. If your outcome is similar to what's shown below then your Private Instance A has access to the internet (via NATGW A) DONE



Repeat the steps above for Private Instance B if you want to SSH into it and test whether it has access to the internet. NOTE: Remember to use the correct private IP address when executing the "ssh ec2-user@10.0.19.224 -i VPCKeyPair.pem" command


Clean Up

Step 8 - Delete all of the Instances - In the EC2 Console




Step 9 - Delete all NAT gateway (Make sure to delete BOTH NATGW A and NATGW B) - In the VPC Console



*Wait until the EC2 instances and the NAT gateways have COMPLETELY deleted/terminated before Step 10 (this shouldn't take longer than 5-10 minutes)


Step 10 - Delete Demo VPC - In the VPC Console | FINAL STEP

Deleting the VPC will delete all of the associated subnets, internet gateways, route tables, security groups, etc.




In conclusion, creating an AWS VPC (Virtual Private Cloud) offers numerous advantages for organisations. It provides a secure and isolated network environment, enabling strict control over access and data protection. The scalability and flexibility of VPCs allow businesses to easily adjust resources based on demand, ensuring optimal performance and adaptability to changing workloads. With the ability to distribute resources across multiple availability zones, VPCs enhance reliability and fault tolerance. Cost optimisation is achieved through efficient resource allocation and payment models aligned with usage. VPCs also facilitate seamless connectivity and integration with other AWS services, on-premises infrastructure, and external networks, promoting hybrid cloud scenarios and data transfer. Lastly, VPCs simplify network management, enabling centralized control and efficient administration. Overall, creating an AWS VPC empowers organizations to build robust, secure, and scalable infrastructure that meets their specific needs and supports business growth in the cloud.

