Dharshinisri G

AWS 101 Workshop

Architecture Overview

Our architecture will consist of:

  1. Two Availability Zones for high availability
  2. Public and private subnets in each AZ
  3. NAT Gateways for outbound internet access from private subnets
  4. An Internet Gateway for public internet access
  5. Security groups for Application Load Balancer and Web Servers
  6. VPC Endpoint for private S3 access

Step-by-Step Implementation

1. Create the Virtual Private Cloud (VPC)

First, we'll create the VPC that will contain all our resources:

  1. Navigate to the AWS VPC console
  2. Click "Create VPC"
  3. Select "VPC only" (we'll create subnets separately)
  4. Enter these details:
    • Name tag: Production-VPC
    • IPv4 CIDR block: 10.0.0.0/16
    • Leave IPv6 disabled (unless you specifically need it)
    • Tenancy: Default
  5. Click "Create VPC"

2. Create Subnets in Availability Zone 1

Now let's create our first set of subnets in Availability Zone 1:

Public Subnet A:

  1. In the VPC console, go to "Subnets"
  2. Click "Create subnet"
  3. Select your VPC from the dropdown
  4. Enter:
    • Subnet name: Public-Subnet-A
    • Availability Zone: Choose your first AZ (e.g., us-east-1a)
    • IPv4 CIDR block: 10.0.0.0/20
  5. Click "Create subnet"

Private Subnet A:

  1. Click "Create subnet" again
  2. Select your VPC
  3. Enter:
    • Subnet name: Private-Subnet-A
    • Availability Zone: Same AZ as above (us-east-1a)
    • IPv4 CIDR block: 10.0.128.0/20
  4. Click "Create subnet"

3. Create Subnets in Availability Zone 2

Repeat the process for the second Availability Zone:

Public Subnet B:

  1. Click "Create subnet"
  2. Select your VPC
  3. Enter:
    • Subnet name: Public-Subnet-B
    • Availability Zone: Choose your second AZ (e.g., us-east-1b)
    • IPv4 CIDR block: 10.0.16.0/20
  4. Click "Create subnet"

Private Subnet B:

  1. Click "Create subnet" again
  2. Select your VPC
  3. Enter:
    • Subnet name: Private-Subnet-B
    • Availability Zone: Same AZ as above (us-east-1b)
    • IPv4 CIDR block: 10.0.144.0/20
  4. Click "Create subnet"
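Before clicking through the four subnets, it is worth checking the address plan on paper. The script below is an added example, not code from the workshop: it takes the VPC CIDR and the four subnet CIDRs from the steps above and verifies that every subnet sits inside 10.0.0.0/16, that no two subnets overlap, that each prefix is within the /16 to /28 range AWS accepts, and how many /20 blocks remain for subnets you add later. The reserved-address count (AWS keeps the first four and the last address of every subnet) is a documented AWS rule; the AZ names and the plan layout are copied from the workshop.

```python
import ipaddress

# Address plan taken from the workshop steps (constructed data, not the author's code).
VPC_CIDR = "10.0.0.0/16"
SUBNET_PLAN = {
    "Public-Subnet-A":  ("us-east-1a", "10.0.0.0/20"),
    "Public-Subnet-B":  ("us-east-1b", "10.0.16.0/20"),
    "Private-Subnet-A": ("us-east-1a", "10.0.128.0/20"),
    "Private-Subnet-B": ("us-east-1b", "10.0.144.0/20"),
}

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def validate_plan(vpc_cidr, plan):
    """Return a list of human-readable problems; an empty list means the plan is sound."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems = []
    nets = {}
    for name, (_az, cidr) in plan.items():
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 10.0.8.0/20
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: invalid CIDR {cidr} ({exc})")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is outside the VPC range {vpc_cidr}")
        if net.prefixlen > 28 or net.prefixlen < 16:
            problems.append(f"{name}: prefix /{net.prefixlen} is outside the AWS-allowed /16../28")
        nets[name] = net
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def usable_hosts(cidr):
    """Addresses you can actually assign to instances in a subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def free_space(vpc_cidr, plan, prefixlen=20):
    """Unallocated /prefixlen blocks still available in the VPC for future subnets."""
    vpc = ipaddress.ip_network(vpc_cidr)
    used = [ipaddress.ip_network(c) for _az, c in plan.values()]
    return [str(block) for block in vpc.subnets(new_prefix=prefixlen)
            if not any(block.overlaps(u) for u in used)]


if __name__ == "__main__":
    print(validate_plan(VPC_CIDR, SUBNET_PLAN) or "plan OK")
    for name, (az, cidr) in SUBNET_PLAN.items():
        print(f"{name:18s} {az}  {cidr:16s} usable hosts: {usable_hosts(cidr)}")
    print("free /20 blocks:", len(free_space(VPC_CIDR, SUBNET_PLAN)))
```

With the workshop's plan the check passes, each /20 gives 4091 usable addresses, and 12 of the 16 possible /20 blocks remain free, so there is room for database or other private tiers in each AZ without re-addressing anything.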

4. Create Internet Gateway

For public internet access:

  1. In the VPC console, go to "Internet Gateways"
  2. Click "Create internet gateway"
  3. Name it Production-IGW
  4. Click "Create internet gateway"
  5. Select the new IGW and click "Actions" > "Attach to VPC"
  6. Select your VPC and click "Attach internet gateway"

5. Create NAT Gateways

We'll need one NAT Gateway in each AZ so that instances in the private subnets get outbound internet access without depending on the other AZ:

NAT Gateway in AZ 1:

  1. Go to "NAT Gateways" in the VPC console
  2. Click "Create NAT gateway"
  3. Configure:
    • Name: NAT-GW-AZ1
    • Subnet: Select Public-Subnet-A
    • Connectivity type: Public
    • Allocate Elastic IP (click "Allocate Elastic IP")
  4. Click "Create NAT gateway"

NAT Gateway in AZ 2:

  1. Click "Create NAT gateway" again
  2. Configure:
    • Name: NAT-GW-AZ2
    • Subnet: Select Public-Subnet-B
    • Connectivity type: Public
    • Allocate Elastic IP (click "Allocate Elastic IP")
  3. Click "Create NAT gateway"

Note: Wait for both NAT Gateways to show status "Available" before proceeding.

6. Configure Route Tables

We'll need separate route tables for public and private subnets.

Public Route Table:

  1. Go to "Route Tables" in the VPC console
  2. Click "Create route table"
  3. Name it Public-Route-Table and select your VPC
  4. Click "Create"
  5. Select the new route table, go to "Routes" tab, click "Edit routes"
  6. Add a route:
    • Destination: 0.0.0.0/0
    • Target: Select the Internet Gateway you created
  7. Click "Save changes"
  8. Go to "Subnet associations" tab, click "Edit subnet associations"
  9. Select both public subnets (Public-Subnet-A and Public-Subnet-B)
  10. Click "Save associations"

Private Route Table for AZ 1:

  1. Click "Create route table"
  2. Name it Private-Route-Table-AZ1 and select your VPC
  3. Click "Create"
  4. Select the new route table, go to "Routes" tab, click "Edit routes"
  5. Add a route:
    • Destination: 0.0.0.0/0
    • Target: Select the NAT Gateway in AZ 1 (NAT-GW-AZ1)
  6. Click "Save changes"
  7. Go to "Subnet associations" tab, click "Edit subnet associations"
  8. Select Private-Subnet-A
  9. Click "Save associations"

Private Route Table for AZ 2:

  1. Click "Create route table"
  2. Name it Private-Route-Table-AZ2 and select your VPC
  3. Click "Create"
  4. Select the new route table, go to "Routes" tab, click "Edit routes"
  5. Add a route:
    • Destination: 0.0.0.0/0
    • Target: Select the NAT Gateway in AZ 2 (NAT-GW-AZ2)
  6. Click "Save changes"
  7. Go to "Subnet associations" tab, click "Edit subnet associations"
  8. Select Private-Subnet-B
  9. Click "Save associations"
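The three route tables above encode two invariants that are easy to break later by hand: a public subnet's default route points at the Internet Gateway, and a private subnet's default route points at the NAT Gateway in its own AZ (a cross-AZ NAT route works, but it costs inter-AZ data transfer and ties both AZs to one gateway). The following is an added example, not the workshop's code: it models the subnets, gateways and route tables of steps 2 to 6 as plain dictionaries and reports any association or default route that violates those invariants, including a private subnet accidentally routed to the IGW and a subnet left on the VPC's main route table.

```python
# Constructed model of the workshop's subnets, gateways and route tables
# (added example, not the author's code; names are those used in the steps above).
SUBNETS = {
    "Public-Subnet-A":  {"az": "us-east-1a", "public": True},
    "Public-Subnet-B":  {"az": "us-east-1b", "public": True},
    "Private-Subnet-A": {"az": "us-east-1a", "public": False},
    "Private-Subnet-B": {"az": "us-east-1b", "public": False},
}
# A NAT gateway lives in a public subnet; its AZ follows from that subnet.
NAT_GATEWAYS = {"NAT-GW-AZ1": "Public-Subnet-A", "NAT-GW-AZ2": "Public-Subnet-B"}
INTERNET_GATEWAY = "Production-IGW"

ROUTE_TABLES = {
    "Public-Route-Table": {
        "routes": {"0.0.0.0/0": INTERNET_GATEWAY},
        "subnets": ["Public-Subnet-A", "Public-Subnet-B"],
    },
    "Private-Route-Table-AZ1": {
        "routes": {"0.0.0.0/0": "NAT-GW-AZ1"},
        "subnets": ["Private-Subnet-A"],
    },
    "Private-Route-Table-AZ2": {
        "routes": {"0.0.0.0/0": "NAT-GW-AZ2"},
        "subnets": ["Private-Subnet-B"],
    },
}


def check_routing(subnets, nat_gateways, igw, route_tables):
    """Return a list of findings; empty means every subnet routes the way the design intends."""
    findings = []

    # A subnet can only be associated with one route table; record which one.
    assigned = {}
    for rt_name, rt in route_tables.items():
        for subnet in rt["subnets"]:
            if subnet in assigned:
                findings.append(f"{subnet} is associated with both {assigned[subnet]} and {rt_name}")
            assigned[subnet] = rt_name

    for name, meta in subnets.items():
        rt_name = assigned.get(name)
        if rt_name is None:
            # Unassociated subnets silently use the VPC main route table.
            findings.append(f"{name} has no explicit route table association (falls back to the main table)")
            continue
        target = route_tables[rt_name]["routes"].get("0.0.0.0/0")
        if meta["public"]:
            if target != igw:
                findings.append(f"public subnet {name}: default route should target {igw}, found {target}")
        elif target == igw:
            findings.append(f"private subnet {name}: default route via {igw} makes it effectively public")
        elif target not in nat_gateways:
            findings.append(f"private subnet {name}: no NAT default route (no outbound internet access)")
        else:
            nat_az = subnets[nat_gateways[target]]["az"]
            if nat_az != meta["az"]:
                findings.append(f"private subnet {name} ({meta['az']}) routes via {target} in {nat_az}: "
                                "cross-AZ data charges, and an outage in {nat_az} takes both AZs offline")
    return findings


if __name__ == "__main__":
    print(check_routing(SUBNETS, NAT_GATEWAYS, INTERNET_GATEWAY, ROUTE_TABLES) or "routing OK")
```

The same check is a useful thing to run against what the `aws ec2 describe-route-tables` output actually says after a change, rather than against what the console was meant to be set to.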

7. Create Security Groups

Application Load Balancer Security Group:

  1. Go to "Security Groups" in the VPC console
  2. Click "Create security group"
  3. Enter:
    • Security group name: ALB-Security-Group
    • Description: Security group for Application Load Balancer
    • VPC: Select your VPC
  4. Under "Inbound rules", add:
    • Type: HTTP, Source: 0.0.0.0/0
    • Type: HTTPS, Source: 0.0.0.0/0
  5. Click "Create security group"

Web Server Security Group:

  1. Click "Create security group"
  2. Enter:
    • Security group name: Web-Server-Security-Group
    • Description: Security group for web servers in private subnets
    • VPC: Select your VPC
  3. Under "Inbound rules", add:
    • Type: HTTP, Source: Select the ALB security group
    • Type: HTTPS, Source: Select the ALB security group
    • Type: SSH, Source: Your IP (for management)
  4. Click "Create security group"
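The important property of the two groups above is that the web tier never accepts application traffic from a CIDR, only from the ALB's security group, so the ALB is the only way in. The SSH rule only helps if there is a path to the private subnet at all (a bastion host, a VPN, or none of it if you use Session Manager instead of port 22). The script below is an added example, not the workshop's code: it models both groups as rule lists (the 203.0.113.10/32 address is a constructed placeholder for "your IP") and flags rules that undermine the design, such as a management port open to the internet, a private-tier rule that names a CIDR instead of the ALB group, or a rule that references a group that does not exist.

```python
from ipaddress import ip_network

# Constructed rule set mirroring the two groups in the workshop (added example).
# "source" is either a CIDR string or the name of another security group.
SECURITY_GROUPS = {
    "ALB-Security-Group": [
        {"proto": "tcp", "port": 80,  "source": "0.0.0.0/0"},
        {"proto": "tcp", "port": 443, "source": "0.0.0.0/0"},
    ],
    "Web-Server-Security-Group": [
        {"proto": "tcp", "port": 80,  "source": "ALB-Security-Group"},
        {"proto": "tcp", "port": 443, "source": "ALB-Security-Group"},
        # Placeholder for "Your IP"; 203.0.113.0/24 is a documentation range.
        {"proto": "tcp", "port": 22,  "source": "203.0.113.10/32"},
    ],
}

# Groups that must only be reachable through the load balancer.
PRIVATE_TIERS = {"Web-Server-Security-Group"}
MANAGEMENT_PORTS = {22, 3389}


def is_cidr(source):
    try:
        ip_network(source, strict=False)
        return True
    except ValueError:
        return False


def audit(groups, private_tiers):
    """Return a list of findings about the inbound rules; empty means nothing objectionable."""
    findings = []
    for sg, rules in groups.items():
        for rule in rules:
            src, port = rule["source"], rule["port"]
            if not is_cidr(src) and src not in groups:
                findings.append(f"{sg}: rule for port {port} references unknown group {src}")
                continue
            world = is_cidr(src) and ip_network(src, strict=False).prefixlen == 0
            if world and port in MANAGEMENT_PORTS:
                findings.append(f"{sg}: management port {port} is open to the whole internet")
            if sg in private_tiers and is_cidr(src) and port not in MANAGEMENT_PORTS:
                findings.append(f"{sg}: private tier accepts port {port} from CIDR {src}; "
                                "reference the ALB security group instead")
            if (port in MANAGEMENT_PORTS and is_cidr(src) and not world
                    and ip_network(src, strict=False).prefixlen < 32):
                findings.append(f"{sg}: management port {port} is open to the range {src}; "
                                "prefer a single /32 or a bastion/VPN security group")
    return findings


if __name__ == "__main__":
    print(audit(SECURITY_GROUPS, PRIVATE_TIERS) or "security groups OK")
```

Security groups are stateful, so the web tier needs no outbound rule for the ALB's return traffic; the outbound side that does matter is what the instances can reach through the NAT Gateway, which these inbound rules say nothing about.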

8. Create VPC Endpoint for S3

For private access to S3 without going through the internet:

  1. Go to "Endpoints" in the VPC console
  2. Click "Create endpoint"
  3. Configure:
    • Name tag: S3-VPC-Endpoint
    • Service category: AWS services
    • Service: Select com.amazonaws.[region].s3 (replace [region] with your region)
    • VPC: Select your VPC
    • Route tables: Select all private route tables
    • Policy: Full access (or customize as needed)
  4. Click "Create endpoint"
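The "Full access" option in step 3 attaches an endpoint policy that lets any principal perform any S3 action on any bucket through the endpoint. An endpoint policy never grants permissions by itself (IAM still has to allow the call), but it is the one place you can say "only these buckets may be reached from this VPC", which is what stops a compromised instance from pushing data to an arbitrary bucket over the private path. The following is an added example, not the workshop's code: it builds a policy scoped to a single bucket (the bucket name is a placeholder you replace with your own) and includes a small checker that recognises the wide-open "Full access" shape. One caveat: Amazon Linux package repositories are served from S3, so a restricted endpoint policy must also allow the regional repository buckets named in the AWS documentation, or `yum`/`dnf` in the private subnets will stop working.

```python
import json

# Placeholder bucket name; replace with your own (constructed for this example).
BUCKET = "example-app-assets-PLACEHOLDER"

# The policy the console's "Full access" option attaches (shape reproduced for comparison).
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}


def restricted_s3_endpoint_policy(bucket):
    """Allow only object read/write and listing on one bucket; all other buckets are
    unreachable through this endpoint. Principal stays "*" because the endpoint policy
    narrows what IAM already allows rather than granting access to anyone."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyOurBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def _as_list(value):
    # IAM accepts either a string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def overly_permissive(policy):
    """Return the Sids of Allow statements that grant every action on every resource."""
    hits = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        if any(a in ("*", "s3:*") for a in actions) and "*" in resources:
            hits.append(statement.get("Sid", "<no Sid>"))
    return hits


def policy_document(bucket):
    """Serialised JSON ready to paste into the endpoint's Policy field."""
    return json.dumps(restricted_s3_endpoint_policy(bucket), indent=2)


if __name__ == "__main__":
    print("Full access policy flagged:", overly_permissive(FULL_ACCESS_POLICY))
    print("Restricted policy flagged:", overly_permissive(restricted_s3_endpoint_policy(BUCKET)))
    print(policy_document(BUCKET))
```

Because the policy is plain JSON, the same checker can be pointed at the output of `aws ec2 describe-vpc-endpoints` to catch endpoints that were left on the default policy.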

9. Create Application Load Balancer

Now let's set up the ALB to distribute traffic to our web servers:

  1. Go to the EC2 console and navigate to "Load Balancers"
  2. Click "Create Load Balancer"
  3. Select "Application Load Balancer"
  4. Configure:
    • Name: Web-ALB
    • Scheme: Internet-facing
    • IP address type: IPv4
    • VPC: Select your VPC
    • Mappings: Select both AZs and their public subnets
  5. Under "Security groups", select the ALB security group
  6. Configure listeners for HTTP (80) and HTTPS (443)
  7. For now, skip target group creation (we'll create EC2 instances later)
  8. Click "Create load balancer"

Next Steps

With this infrastructure in place, you're ready to:

  1. Launch EC2 instances in your private subnets (attach the Web Server Security Group)
  2. Create a target group and register your instances with the ALB
  3. Set up Auto Scaling for high availability
  4. Configure Route 53 for DNS management
  5. Set up monitoring with CloudWatch

Cost Considerations

Remember that NAT Gateways incur hourly charges and data processing fees. Consider these cost optimization strategies:

  1. Use NAT Instances instead of NAT Gateways for development environments
  2. Implement S3 Gateway Endpoints (which are free) instead of Interface Endpoints where possible
  3. Monitor your data transfer costs

Conclusion

You've now set up a highly available, secure AWS architecture spanning multiple Availability Zones. This architecture provides:

  • Fault tolerance through multi-AZ deployment
  • Security through public/private subnet separation
  • Scalability through the Application Load Balancer
  • Private access to S3 via VPC endpoints

This foundation can support web applications, APIs, or other services while maintaining security and availability best practices.
