Cisco cloud corner on AWS Network

Prerequisites:

  • You must have a valid AWS account

This workshop has been inspired by the aCloudGuru course Certified Solutions Architect - Associate 2017

Create a private network in the Cloud: Virtual Private Cloud (VPC)

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.

First, we need to create a VPC:

  1. From the AWS console, go to Networking -> VPC
  2. Go to Your VPCs and click Create VPC
  3. Enter:
  • Name tag: myCloudCornerVPC
  • IPv4 CIDR block: 10.0.0.0/16
  • Tenancy: Default
  4. Click Yes, Create

Then we need to create 2 subnets, 1 public and 1 private:

  1. Go to Subnets and click Create Subnet
  2. Enter:
  • Name tag: 10.0.1.0-eu-west-1a
  • VPC: myCloudCornerVPC
  • Availability Zone: eu-west-1a
  • IPv4 CIDR Block: 10.0.1.0/24
  3. Click Yes, Create
  4. Go to Subnets and click Create Subnet
  5. Enter:
  • Name tag: 10.0.2.0-eu-west-1b
  • VPC: myCloudCornerVPC
  • Availability Zone: eu-west-1b
  • IPv4 CIDR Block: 10.0.2.0/24
  6. Click Yes, Create

Now we want to give subnet 10.0.1.0-eu-west-1a public internet access. For that, we need to create an Internet Gateway:

  1. Go to Internet Gateways and click Create Internet Gateway
  2. Enter:
  • Name tag: myCloudCornerIGW
  3. Click Yes, Create
  4. Select myCloudCornerIGW in the list and click Attach to VPC
  5. Select myCloudCornerVPC in the list and click Yes, Attach

Now we need to create a route out to the internet:

  1. Go to Route Tables. You can observe that a default Route Table has been created and is associated with VPC myCloudCornerVPC. The only route in it has destination 10.0.0.0/16 and target local, which allows all subnets created inside this VPC to talk to each other. This is the main route table. It's best practice to leave this main route table private and create a separate route table for public subnets
  2. Click Create Route Table
  3. Enter:
  • Name tag: myPublicRoute
  • VPC: myCloudCornerVPC
  4. Click Yes, Create
  5. Select myPublicRoute in the list and go to the Routes tab, then click Edit, then click Add another route
  6. Enter:
  • Destination: 0.0.0.0/0
  • Target: myCloudCornerIGW
  7. Click Save
  8. Go to the Subnet Associations tab and click Edit
  9. Select subnet 10.0.1.0-eu-west-1a, then click Save

In order to auto-assign public IP addresses to the EC2 instances that will be deployed into the public subnet:

  1. Go to Subnets, select subnet 10.0.1.0-eu-west-1a in the list and click Subnet Actions -> Modify Auto-Assign Public IP
  2. Select "Enable auto-assign Public IP" and click Save

Summary:

  1. We've created a custom VPC named myCloudCornerVPC
  2. We've created 2 subnets:
  • 10.0.1.0-eu-west-1a with CIDR 10.0.1.0/24 in availability zone eu-west-1a
  • 10.0.2.0-eu-west-1b with CIDR 10.0.2.0/24 in availability zone eu-west-1b
  3. We've created 2 route tables in that VPC:
  • The default (main) route table, which has no route out to the internet
  • The route table myPublicRoute we've created, which has a route out (0.0.0.0/0) to our internet gateway (IGW)
  • So any subnet associated with the myPublicRoute route table automatically has internet access
  • The subnet 10.0.1.0/24 is associated with myPublicRoute and therefore has internet access through the IGW
  • The subnet 10.0.2.0/24 is associated with the default route table automatically. This default route table has no internet access. Anything deployed into this private subnet is not reachable from the internet and cannot reach the internet either

Deploy EC2 instances in both public and private Subnets

First, we will deploy an EC2 instance in the public subnet:

  1. From the AWS console, go to Compute -> EC2
  2. Select Launch instance, choose the first AMI in the list (Amazon Linux AMI) and click Select
  3. Keep the default Instance type (Free tier eligible) and click Next: Configure Instance Details
  4. Select:
  • Network: myCloudCornerVPC
  • Subnet: 10.0.1.0-eu-west-1a
  5. Open the Advanced Details section and copy/paste the following user data script
    #!/bin/bash
    # User data runs as root on first boot: apply patches, install and enable Apache
    yum update -y
    yum install httpd -y
    service httpd start
    chkconfig httpd on
    # Build a page that shows this instance's private IP, read from the instance metadata service
    echo "Hello Cloud Talkers. My Web Server address is: " > /var/www/html/index.html
    curl http://169.254.169.254/latest/meta-data/local-ipv4 >> /var/www/html/index.html
  6. Click Next: Add Storage
  7. Click Next: Tag Instance and enter:
  • Value tag: myWebServer
  8. Click Next: Configure Security Group
  9. Create a new Security Group and enter:
  • Security Group Name: WebDMZ
  • Description: WebDMZ
  10. Click Add Rule and enter:
  • Type: HTTP
  • Source: Anywhere (0.0.0.0/0)
  11. Click Review and Launch
  12. Click Launch
  13. In the "Select an existing key pair or create a new key pair" window:
  • Select an existing key pair or create a new one
  • Acknowledge and click Launch Instance
  14. Click View instances. The first EC2 instance is now being created. When it is ready, it will have a Public IP assigned
  15. Copy/paste the public IP address in your browser. You should see the message "Hello Cloud Talkers. My Web Server address is: 10.0.1.xx"
  16. Summary: VPC Diagram - Step 1
  17. We've created one EC2 instance myWebServer in the VPC myCloudCornerVPC and the subnet 10.0.1.0-eu-west-1a
  18. We've created a launch script that applies security patches, installs the httpd server and displays the private IP address of the EC2 instance
  19. We've created a security group WebDMZ used by the EC2 instance in the public subnet that allows HTTP (port 80) and SSH (port 22) traffic from the world.

Then, we will deploy an EC2 instance in the private subnet:

  1. From the AWS console, go to Compute -> EC2
  2. Select Launch instance, choose the first AMI in the list (Amazon Linux AMI) and click Select
  3. Keep the default Instance type (Free tier eligible) and click Next: Configure Instance Details
  4. Select:
  • Network: myCloudCornerVPC
  • Subnet: 10.0.2.0-eu-west-1b
  5. Click Next: Add Storage
  6. Click Next: Add Tags
  7. Enter:
  • Value tag: mySQLServer
  8. Click Next: Configure Security Group
  9. Create a new Security Group and enter:
  • Security Group Name: RDSSG
  • Description: RDSSG
  10. Click Add Rule and enter:
  • Type: MYSQL/Aurora
  • Port Range: 3306
  • Source: Custom (10.0.1.0/24)
  11. Click Add Rule and enter:
  • Type: All ICMP Traffic
  • Port Range: 0 - 65535
  • Source: Custom (10.0.1.0/24)
  12. Click Review and Launch
  13. Click Launch
  14. In the "Select an existing key pair or create a new key pair" window:
  • Select an existing key pair or create a new one
  • Acknowledge and click Launch Instance
  15. Click View instances. The second EC2 instance is now being created. When it is ready, it will NOT have a Public IP assigned
  16. Summary: VPC Diagram - Step 2
  17. We've created one EC2 instance mySQLServer in the VPC myCloudCornerVPC and the subnet 10.0.2.0-eu-west-1b
  18. We've created 1 security group RDSSG in the private subnet that allows HTTP (port 80), SSH (port 22) and ICMP (ports 0 to 65535) traffic from the address range 10.0.1.0/24

SSH into the private instance from the public subnet

  1. Open a terminal
  2. Make sure your SSH key is available and is protected against write (chmod 0600)
  3. Enter:
    ssh ec2-user@<publicIP> -i <keyPair.pem>
    sudo su
    # ping the private IP of the EC2 instance located in the private subnet
    ping 10.0.2.x
    # press Ctrl-C to stop the ping
  4. You should be able to ping the private instance
  5. From the AWS console, go to Networking -> VPC
  6. Go to Security Groups, select the RDSSG security group, go to the Inbound Rules tab and click Edit
  7. Delete the ALL ICMP - IPv4 rule and click Save
  8. Go back to your terminal and try to ping the private instance again
  9. It doesn't work: the security group is an allow-list, so with no ICMP rule the echo requests are dropped
  10. Restore the ICMP rule: from the AWS console, go to Networking -> VPC
  11. Go to Security Groups, select the RDSSG security group, go to the Inbound Rules tab and click Edit
  12. Click Add another rule and enter:
  • Type: All ICMP Traffic
  • Source: 10.0.1.0/24
  13. Click Save
  14. Go back to your terminal and try to ping the private instance again. It should work
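The ICMP experiment above, and the WebDMZ/RDSSG groups created in the EC2 sections, all come down to the same rule: a security group is an allow-list of inbound (protocol, port range, source CIDR) entries, and a packet gets in only if some entry matches. The following model is an added example, not code from this workshop; it encodes the two groups from the page (the SSH rule is the one the console adds to every new group, and its source for RDSSG is an assumption), answers "does the ping from the web server reach the private instance?" before and after the ICMP rule is removed, and adds a defender's check that lists what each group exposes to 0.0.0.0/0.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One inbound security-group rule.
    proto is "tcp", "udp", "icmp" or "-1" (all protocols).
    For tcp/udp from_port..to_port is the port range; for icmp it is the
    ICMP type range, and -1 means "any" (the console's "All ICMP")."""
    proto: str
    from_port: int
    to_port: int
    source: str  # CIDR the rule accepts traffic from


def rule_matches(rule: Rule, proto: str, port: int, src_ip: str) -> bool:
    if rule.proto != "-1" and rule.proto != proto:
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source):
        return False
    if rule.proto == "-1" or rule.from_port == -1:
        return True
    return rule.from_port <= port <= rule.to_port


def inbound_allowed(rules: Iterable[Rule], proto: str, port: int, src_ip: str) -> bool:
    # Security groups are allow-lists: accepted if any rule matches, dropped
    # otherwise. There are no deny rules and no ordering to worry about.
    return any(rule_matches(r, proto, port, src_ip) for r in rules)


def without_icmp(rules: Iterable[Rule]) -> List[Rule]:
    # The "delete the ALL ICMP - IPv4 rule" step of the walkthrough.
    return [r for r in rules if r.proto != "icmp"]


def world_reachable(rules: Iterable[Rule]) -> Set[Tuple[str, int, int]]:
    # Defender's check: every (proto, from_port, to_port) open to the whole internet.
    return {(r.proto, r.from_port, r.to_port) for r in rules if r.source == "0.0.0.0/0"}


# The two groups as the page builds them. The SSH rule is the console's default
# for a new group; its source on RDSSG is not stated on the page and is assumed.
WEB_DMZ = [Rule("tcp", 22, 22, "0.0.0.0/0"),
           Rule("tcp", 80, 80, "0.0.0.0/0")]
RDSSG = [Rule("tcp", 22, 22, "0.0.0.0/0"),        # console default (assumed source)
         Rule("tcp", 3306, 3306, "10.0.1.0/24"),   # MySQL/Aurora from the public subnet
         Rule("icmp", -1, -1, "10.0.1.0/24")]      # All ICMP from the public subnet

ICMP_ECHO_REQUEST = 8  # the ICMP type a ping sends

if __name__ == "__main__":
    web = "10.0.1.25"  # constructed: a private address the web server could have
    print("ping from web server      :", inbound_allowed(RDSSG, "icmp", ICMP_ECHO_REQUEST, web))
    print("ping after removing ICMP  :", inbound_allowed(without_icmp(RDSSG), "icmp", ICMP_ECHO_REQUEST, web))
    print("MySQL from the public subnet:", inbound_allowed(RDSSG, "tcp", 3306, web))
    print("MySQL from the internet   :", inbound_allowed(RDSSG, "tcp", 3306, "203.0.113.9"))
    print("WebDMZ open to the world  :", sorted(world_reachable(WEB_DMZ)))
```

Note that the model only decides whether a packet is accepted; it does not cover return traffic, which a security group allows automatically because it is stateful. The `world_reachable` output for WebDMZ shows port 22 alongside port 80, which is exactly the point the page's summary makes about that group.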

Access the internet from the private subnet in a secure way

  1. Open a terminal
  2. Open the key pair file and copy its content to the clipboard
  3. Enter:
    chmod 0600 keyPair.pem
    ssh ec2-user@<publicIP> -i <keyPair.pem>
  4. On the public instance, create a file keyPair.pem and paste the key pair from the clipboard
  5. Enter:
    # Replace x by the private IP address of the EC2 instance deployed in the private subnet
    ssh ec2-user@10.0.2.x -i <keyPair.pem>
    sudo su
    yum update -y
  6. The yum update -y command doesn't work, because the private subnet has no internet access
  7. There are 2 ways to allow internet access from the private subnet:
  • Deploy a NAT instance (old fashioned, not scalable)
  • Deploy a NAT gateway (available since 2016, recommended in a production environment, scalable, managed by AWS)
  8. From the AWS console, go to Networking -> VPC
  9. Go to NAT Gateways and click Create NAT Gateway
  10. Enter:
  • Subnet: 10.0.1.0-eu-west-1a (it must be the public subnet)
  • Click Create new EIP
  11. Click Create a NAT Gateway
  12. In the "Create a NAT Gateway" popup, click Edit Route Tables
  13. Select the default Main route table associated with VPC myCloudCornerVPC in the list and go to the Routes tab, then click Edit, then click Add another route
  14. Enter:
  • Destination: 0.0.0.0/0
  • Target: nat-xxxxxxxxxxx
  15. Click Save
  16. Go back to the terminal window already connected to the EC2 instance in the private subnet
  17. Enter:
    # Replace x by the private IP address of the EC2 instance deployed in the private subnet
    ssh ec2-user@10.0.2.x -i <keyPair.pem>
    sudo su
    yum update -y
  18. The yum update -y command is now working.
  19. Summary: VPC Diagram - Step 2
  20. We've created a NAT Gateway in the public subnet 10.0.1.0-eu-west-1a
  21. We've added a route in the default route table to allow traffic out to the internet through the NAT Gateway
  22. The default route table is used by the private subnet. So all the EC2 instances created in that subnet can access the internet but are not reachable from outside
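Both the VPC summary earlier on the page (main route table versus myPublicRoute, and which subnet ends up with internet access) and the NAT gateway step just above are decided by route-table lookups, so they are served by one model. The following is an added example and not code from this workshop: it holds the two route tables and two subnets as the page defines them, resolves a destination the way a VPC route table does (the most specific matching route wins), classifies each subnet as public, private with egress, or isolated, and replays the "add 0.0.0.0/0 -> NAT gateway to the main route table" step to show the private subnet changing state. The NAT gateway id is a placeholder; the real one has the nat-xxxxxxxxxxx form shown above.

```python
import ipaddress
from typing import Dict, Optional

# A route table maps destination CIDR -> target. "local" is the entry AWS adds for
# the VPC's own range; the IGW target is named after the page's internet gateway.
MAIN_RT: Dict[str, str] = {"10.0.0.0/16": "local"}
PUBLIC_RT: Dict[str, str] = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-myCloudCornerIGW"}
NAT_GATEWAY_ID = "nat-PLACEHOLDER"   # placeholder id, stands in for nat-xxxxxxxxxxx

ROUTE_TABLES: Dict[str, Dict[str, str]] = {"main": MAIN_RT, "myPublicRoute": PUBLIC_RT}
SUBNETS: Dict[str, str] = {"10.0.1.0-eu-west-1a": "10.0.1.0/24",
                           "10.0.2.0-eu-west-1b": "10.0.2.0/24"}
# Only the public subnet was explicitly associated; any subnet without an
# explicit association implicitly uses the main route table.
ASSOCIATIONS: Dict[str, str] = {"10.0.1.0-eu-west-1a": "myPublicRoute"}


def lookup(route_table: Dict[str, str], dst_ip: str) -> Optional[str]:
    """Target for dst_ip, or None if no route matches. The most specific
    (longest prefix) route wins, which is how a VPC route table resolves
    the overlap between 10.0.0.0/16 -> local and 0.0.0.0/0 -> IGW/NAT."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def route_table_for(subnet: str, route_tables, associations) -> Dict[str, str]:
    return route_tables[associations.get(subnet, "main")]


def classify(subnet: str, route_tables, associations) -> str:
    """'public'         : default route to an IGW, reachable from the internet
    'private-egress' : default route to a NAT gateway, outbound only
    'isolated'       : no route off the VPC at all"""
    rt = route_table_for(subnet, route_tables, associations)
    target = lookup(rt, "203.0.113.10")  # any address outside 10.0.0.0/16
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private-egress"
    return "other"


def classify_all(route_tables, associations) -> Dict[str, str]:
    return {s: classify(s, route_tables, associations) for s in SUBNETS}


def with_nat_route(route_tables, table_name: str, nat_id: str):
    """The page's last step: add 0.0.0.0/0 -> NAT gateway to one route table.
    Returns a new structure so the 'before' state is kept for comparison."""
    updated = {name: dict(rt) for name, rt in route_tables.items()}
    updated[table_name]["0.0.0.0/0"] = nat_id
    return updated


if __name__ == "__main__":
    print("before NAT:", classify_all(ROUTE_TABLES, ASSOCIATIONS))
    after = with_nat_route(ROUTE_TABLES, "main", NAT_GATEWAY_ID)
    print("after NAT :", classify_all(after, ASSOCIATIONS))
    print("10.0.1.x -> 10.0.2.7 uses the", lookup(PUBLIC_RT, "10.0.2.7"), "route")
```

Two details worth noticing in the output: traffic between the two subnets still resolves to the `local` route after the NAT route is added, because /16 is more specific than /0; and the private subnet only ever becomes `private-egress`, never `public`, since a NAT gateway does not accept connections initiated from the internet.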
