# AWS VPC Exercise

> I have recently started learning AWS, and in this blog post I share the [VPC](https://aws.amazon.com/vpc/) exercises I have done. The material comes from the [freeCodeCamp.org](https://www.youtube.com/watch?v=g2JOHLHh4rI) course presented by [digitalcloud.training](https://digitalcloud.training); I encourage you to watch it first.

- toc: true
- branch: master
- badges: true
- categories: [AWS]
- image: images/upsert.png

## Prerequisite

- Create a free [AWS Account](https://aws.amazon.com/).
- Download the [exercise code](https://digitalcloud.training/aws-vpc-deep-dive-download/).
- Install the AWS CLI and configure it with [aws configure](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html).

## Create VPC

Name: MyVPC  
IPv4 CIDR Block: 10.0.0.0/16  

![image.png](attachment:7acd4265-a057-473d-b917-e40506e94d03.png)

A route table was also created automatically by AWS.  
![image.png](attachment:c7a47183-85de-449d-994c-18a475b4aff2.png)

## Create Subnets

Name: **Public-1A**  
Availability Zone: **us-east-1a**  
IPv4 CIDR Block: **10.0.1.0/24**  
![image.png](attachment:481f8736-5b83-4127-a3f3-27d24dd23736.png)

Name: **Public-1B**  
Availability Zone: **us-east-1b**  
IPv4 CIDR Block: **10.0.2.0/24**  
![image.png](attachment:4a145f7f-9158-4ec6-91dc-fa289dee1fe2.png)

Name: **Private-1A**  
Availability Zone: **us-east-1a**  
IPv4 CIDR Block: **10.0.3.0/24**  
![image.png](attachment:1ae19a4f-3f15-4a00-ab0f-93e53e1b9b8d.png)

Name: **Private-1B**  
Availability Zone: **us-east-1b**  
IPv4 CIDR Block: **10.0.4.0/24**  
![image.png](attachment:39845bdb-07bd-4ff3-89ea-04037400379d.png)


Finally, they look like this.  
![image.png](attachment:8cd3a2da-aec0-429e-85f1-e566f0a23905.png)

For the public subnets, we tick **'Enable auto-assign public IPv4 address'**.  
![image.png](attachment:c5fa8be9-4ad3-436a-84ff-1aba5996692a.png)  
![image.png](attachment:bbeb02f0-2dac-4ca2-b46c-8e437093a5b0.png)

## Create private route table

Name: **Private-RT**  
VPC: **MyVPC**  
Subnet associations: **Private-1A, Private-1B**  
![image.png](attachment:8b1b3b12-9cb5-4c22-ae72-9b51334c8782.png)

Rename the default route table to 'MAIN' and associate Private-1A and Private-1B with it.  
![image.png](attachment:63471dba-9ca0-419d-b589-4b5b8475553d.png)  
![image.png](attachment:3e3318d6-101a-4536-9375-5524b2d71065.png)  

## Create Internet Gateway

Name: **MyIGW**  
VPC: **MyVPC**  

![image.png](attachment:9463d1c5-db72-4640-a024-5b127e997198.png)  

![image.png](attachment:892de88f-5f90-424c-94f8-61308bdd0037.png)

## Edit MAIN route table

Add a route for **0.0.0.0/0** with the internet gateway as its target.  

![image.png](attachment:aaecb4ed-a809-4885-9043-7259cb9714fc.png)  
![image.png](attachment:9c183f45-8915-4ed2-b2ba-a6fcacfb4906.png)

## [NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html)

- Create NAT Gateway  
![image.png](attachment:248d6525-f20c-436f-b03a-9048b12216f7.png)

- Go to Private-RT and set the target of the 0.0.0.0/0 route to the NAT Gateway  
![image.png](attachment:fcd0d70b-302a-4ed9-bbe1-0a7954095d60.png)

## Configure [Security Groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) and NACLs

- Create Public-Web security group  
![image.png](attachment:6da7ad5e-7980-436e-bf8c-d0e5a5081fa9.png)

- Create the Private-App security group (description: Private App Access) with a single inbound rule: **HTTP/80 with source Public-Web**, so that inbound traffic must come from the web front end in the Public-Web security group

![image.png](attachment:5f6f366a-0bb6-4328-b436-0c866e4c92ab.png)

## Launch EC2s

Use the following command to launch the EC2 instances:

```bash
aws ec2 run-instances --image-id <value> --instance-type <value> --security-group-ids <value> --subnet-id <value> --key-name <value> --user-data <value>
```

The values that need to be filled in:
- image-id: the [Amazon Machine Image (AMI)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html); here we use ami-0ed9277fb7eb570c9
- instance-type: t2.micro
- security-group-ids: the Public-Web security group
- subnet-id: we create two EC2 instances in Public 1A and 1B, and one EC2 instance in Private 1B
- key-name: the EC2 [key pair](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html)
- user-data: the file 'user-data-subnet-id.txt' from the [exercise code](https://digitalcloud.training/aws-vpc-deep-dive-download/)

Once these are ready, run the following commands (make sure the AWS CLI is installed and configured first).

Launch the instance in Public 1A:

```bash
aws ec2 run-instances --image-id ami-0ed9277fb7eb570c9 --instance-type t2.micro --security-group-ids sg-0ff58fb3c21c0792d --subnet-id subnet-0f0f447e902559be9 --key-name ec2_cloud --user-data file://code/user-data-subnet-id.txt
```

Launch the instance in Public 1B:

```bash
aws ec2 run-instances --image-id ami-0ed9277fb7eb570c9 --instance-type t2.micro --security-group-ids sg-0ff58fb3c21c0792d --subnet-id subnet-07266ffa901687189 --key-name ec2_cloud --user-data file://code/user-data-subnet-id.txt
```

Launch the instance in Private 1B:

```bash
aws ec2 run-instances --image-id ami-0ed9277fb7eb570c9 --instance-type t2.micro --security-group-ids sg-0ff58fb3c21c0792d --subnet-id subnet-0f44825a48340db38 --key-name ec2_cloud --user-data file://code/user-data-subnet-id.txt
```

Finally, three EC2 instances are launched.  

![image.png](attachment:ba4a6a19-2033-4144-b364-9b4ab698332c.png)  
Visit the Instances in Public 1A and 1B.  
![image.png](attachment:5f716f98-3498-424d-b824-5388a3c89c59.png) 

We see the response from the server: "This instance is in the subnet with ID: subnet-0f0f447e902559be9".  
![image.png](attachment:511cf5d3-702f-4a45-93d9-b8ad002370a6.png)  
![image.png](attachment:6cfc619d-c043-4a37-be68-50398cb70f28.png)  

Change the inbound rule of the Public-Web security group so that its source is "My IP". Then try again from another IP (turn a VPN on). Change it back after the experiment.  
![image.png](attachment:f655be47-ec2a-4b12-851b-a136bbcd7617.png)   

Once the VPN is turned on, the browser's progress bar hardly moves, which means the block is working.  
![image.png](attachment:d084b9ee-e155-4048-af37-74191250f4ec.png)

Change it back after testing.  
![image.png](attachment:d0a5fd11-53ac-48af-9037-9e41a4981b0c.png)

Test the internal network over SSH.  

Ping from Public 1A to Public 1B  
![image.png](attachment:9d4de6d4-4325-427d-8365-1b29600db26e.png)  
![image.png](attachment:42891f6d-d64f-4210-9439-4633c131c375.png)  
![image.png](attachment:1ea28427-ab9b-4722-8e71-ad7a810497ad.png)

Ping from Public 1A to Private 1B  
![image.png](attachment:306ada73-a552-409a-b570-3c39be540e9a.png)  
![image.png](attachment:db9f863b-2510-4cf5-8e68-2896f4a6931f.png)  


Change the security group of the EC2 instance in Private 1B to Private-App.  
![image.png](attachment:26652730-86b1-4223-98a3-b8167ce5229a.png)  
![image.png](attachment:049faf3a-cfe1-4606-b333-028735416139.png)  
Private-App only allows HTTP/80, so ping (ICMP) from Public 1A to Private 1B fails while curl (HTTP) succeeds.  
![image.png](attachment:324238b3-27dd-4adb-a021-39d0f6e7565b.png)
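To make the design checks concrete, here is an added example (my own code, not part of the exercise download or the training material) that models the VPC built above in Python: it verifies that the four subnet CIDRs sit inside 10.0.0.0/16 without overlapping, derives public/private from each route table's 0.0.0.0/0 target, and evaluates security group rules, including the Private-App rule whose source is the Public-Web group rather than a CIDR and the "My IP" restriction from the VPN experiment. The exact Public-Web rules and the client IP addresses are assumptions.

```python
import ipaddress
# Constructed model of the VPC built above (added example, not exercise code).
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
SUBNETS = {  # name -> (IPv4 CIDR, associated route table)
    "Public-1A": ("10.0.1.0/24", "MAIN"), "Public-1B": ("10.0.2.0/24", "MAIN"),
    "Private-1A": ("10.0.3.0/24", "Private-RT"),
    "Private-1B": ("10.0.4.0/24", "Private-RT"),
}
DEFAULT_ROUTE = {"MAIN": "MyIGW", "Private-RT": "NAT"}  # target of 0.0.0.0/0
# Inbound rules as (protocol, port, source); a source is a CIDR or the name of
# another security group. Public-Web's rules are assumed from the tests in the
# post (HTTP from the internet, SSH, ping between the public instances).
SECURITY_GROUPS = {
    "Public-Web": [("tcp", 80, "0.0.0.0/0"), ("tcp", 22, "0.0.0.0/0"),
                   ("icmp", None, "0.0.0.0/0")],
    "Private-App": [("tcp", 80, "Public-Web")],
}

def subnet_problems():
    """Design errors: subnets outside the VPC block or overlapping each other."""
    nets = {n: ipaddress.ip_network(c) for n, (c, _) in SUBNETS.items()}
    problems = [f"{n} not inside {VPC_CIDR}" for n, net in nets.items()
                if not net.subnet_of(VPC_CIDR)]
    problems += [f"{a} overlaps {b}" for i, a in enumerate(nets)
                 for b in list(nets)[i + 1:] if nets[a].overlaps(nets[b])]
    return problems

def is_public(subnet):
    """A subnet is public only if its route table sends 0.0.0.0/0 to the IGW."""
    return DEFAULT_ROUTE[SUBNETS[subnet][1]] == "MyIGW"

def inbound_allowed(dst_sg, proto, port, src_ip, src_sg=None, groups=None):
    """Does dst_sg admit proto/port from src_ip, sent from src_sg (None = outside
    the VPC)? Security groups deny anything no rule allows."""
    for r_proto, r_port, r_src in (groups or SECURITY_GROUPS)[dst_sg]:
        if r_proto != proto or (r_port is not None and r_port != port):
            continue
        if "/" in r_src:  # CIDR source: match on the sender's IP address
            if ipaddress.ip_address(src_ip) in ipaddress.ip_network(r_src):
                return True
        elif r_src == src_sg:  # security-group reference: match on membership
            return True
    return False

def restrict_to_my_ip(my_ip):
    """Groups with Public-Web's HTTP rule limited to my_ip/32 (VPN experiment)."""
    groups = dict(SECURITY_GROUPS)
    groups["Public-Web"] = [(p, port, f"{my_ip}/32" if port == 80 else src)
                            for p, port, src in SECURITY_GROUPS["Public-Web"]]
    return groups
```

Running the same checks against the model reproduces the results of the tests above: ping between the two public instances succeeds, while from Public 1A to Private 1B only HTTP/80 gets through because Private-App's rule matches group membership, not the sender's address.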

## Conclusion

I finished this exercise and it helped me understand the core concepts of VPC. I may go on to get some certifications, and hopefully I can plan a schedule for that.