DEV Community: AKASH S

PDF to Multilingual Audiobook: Building a Serverless AI Pipeline on AWS

AKASH S — Sat, 10 Jan 2026 17:48:20 +0000

In this project, I built a fully serverless, event-driven AI pipeline on AWS that automatically converts a PDF document into translated speech audio.

Whenever a PDF is uploaded to an S3 bucket:

Text is extracted using Amazon Textract
The extracted text is translated using Amazon Translate
The translated text is converted into speech using polly
The final audio file is stored back in S3

All of this happens automatically, without any manual trigger or server management.

PDF Upload (Amazon S3)
        ↓
AWS Lambda (Triggered by S3 event)
        ↓
Amazon Textract (OCR)
        ↓
Amazon Translate (Language Translation)
        ↓
Amazon Polly (Text to Speech)
        ↓
Audio Output Stored in S3

AWS Services Used

Amazon S3 – File storage and event trigger
AWS Lambda – Serverless compute
Amazon Textract – Extract text from PDFs
Amazon Translate – Translate extracted text
Amazon Polly – Convert text into speech
AWS IAM – Secure access control
Amazon CloudWatch – Logging and monitoring

Step-by-Step Project Flow :

Step 1: Upload PDF to S3

A PDF file is uploaded to the input/ folder of the S3 bucket.
This upload event automatically triggers the Lambda function.

Step 2: Extract Text with Textract

Lambda starts an asynchronous Textract job to extract text from the uploaded PDF.
Textract reads the PDF directly from S3 and returns the extracted text.

Extracted text using lambda and logged by cloud watch.

Step 3: Translate the Extracted Text

The extracted English text is passed to Amazon Translate.
The text is translated into a target language (for example, Tamil).

Step 4: Convert Translated Text to Speech

The translated text is sent to Amazon Polly.
Polly generates a natural-sounding MP3 audio file using a language-appropriate voice.

Step 5: Store the Audio Output

The generated MP3 file is saved in the output/ folder of the same S3 bucket.
The entire process completes automatically in a few seconds.

Codes to perform lambda and role permissions.
lambda_function.py

import boto3
import time
import uuid

textract = boto3.client('textract')
translate = boto3.client('translate')
polly = boto3.client('polly')
s3 = boto3.client('s3')

BUCKET_NAME = "pdf-translate-speech-ak"

def lambda_handler(event, context):

    bucket = event['Records'][0]['s3']['bucket']['name']
    key = event['Records'][0]['s3']['object']['key']

    print(f"PDF uploaded: {key}")

    if not key.startswith("input/"):
        return {"statusCode": 200, "message": "Not an input file"}

    response = textract.start_document_text_detection(
        DocumentLocation={
            'S3Object': {
                'Bucket': bucket,
                'Name': key
            }
        }
    )

    job_id = response['JobId']
    print(f"Textract Job ID: {job_id}")

    extracted_text = ""
    while True:
        result = textract.get_document_text_detection(JobId=job_id)
        status = result['JobStatus']

        if status == "SUCCEEDED":
            for block in result['Blocks']:
                if block['BlockType'] == "LINE":
                    extracted_text += block['Text'] + " "
            break
        elif status == "FAILED":
            raise Exception("Textract failed")

        time.sleep(5)

    print("Text extraction completed")

    translated = translate.translate_text(
        Text=extracted_text[:5000],  # safeguard
        SourceLanguageCode="en",
        TargetLanguageCode="ta"
    )

    translated_text = translated['TranslatedText']

    speech = polly.synthesize_speech(
        Text=translated_text[:3000],
        OutputFormat="mp3",
        VoiceId="Aditi"
    )

    audio_key = f"output/translated_audio_{uuid.uuid4()}.mp3"

    s3.put_object(
        Bucket=bucket,
        Key=audio_key,
        Body=speech['AudioStream'].read(),
        ContentType="audio/mpeg"
    )

    print(f"Audio saved: {audio_key}")

    return {
        "statusCode": 200,
        "audio_file": audio_key
    }

Role and it's Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "textract:StartDocumentTextDetection",
        "textract:GetDocumentTextDetection"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "translate:TranslateText"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "polly:SynthesizeSpeech"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::pdf-translate-speech-ak/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:*"
      ],
      "Resource": "*"
    }
  ]
}

Output Translated Audio:

Connect With Me

👤 Akash S
☁️ AWS | Cloud | AI Projects
✍️ Writing about real-world cloud learning

Serverless PDF-to-Speech Narrator on AWS (Textract + Polly)

AKASH S — Sat, 10 Jan 2026 04:23:32 +0000

Ever wished your PDFs could just read themselves aloud?

In this project, I built a fully automated, serverless PDF-to-Speech system on AWS where uploading a PDF instantly generates an audio narration.

No servers. No manual processing. Just upload → listen.

In One Line

Upload a PDF to S3 → extract text using Textract → convert text to speech using Polly → save audio back to S3.

Steps to be followed:

1.Created a single Amazon S3 bucket with two folders: input/ for PDF uploads and output/ for generated audio files.

2.Configured an IAM role for Lambda with permissions to access S3, Amazon Textract, Amazon Polly, and CloudWatch logs.

Policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "textract:StartDocumentTextDetection",
        "textract:GetDocumentTextDetection"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "polly:SynthesizeSpeech"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::pdf-narrator-ak/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:*"
      ],
      "Resource": "*"
    }
  ]
}

3.Created an AWS Lambda function (Python 3.10) and attached the IAM role to enable secure service access.

lambda_function.py

import boto3
import time
import uuid

textract = boto3.client('textract')
polly = boto3.client('polly')
s3 = boto3.client('s3')

BUCKET_NAME = "pdf-narrator-ak"

def lambda_handler(event, context):

    # 1️⃣ Get PDF details
    bucket = event['Records'][0]['s3']['bucket']['name']
    key = event['Records'][0]['s3']['object']['key']

    print(f"PDF received: {key}")

    # Ensure only input folder triggers processing
    if not key.startswith("input/"):
        return {"statusCode": 200, "message": "Not an input file"}

    # 2️⃣ Start Textract job
    response = textract.start_document_text_detection(
        DocumentLocation={
            'S3Object': {
                'Bucket': bucket,
                'Name': key
            }
        }
    )

    job_id = response['JobId']
    print(f"Textract Job ID: {job_id}")

    # 3️⃣ Wait for Textract to finish
    text = ""
    while True:
        result = textract.get_document_text_detection(JobId=job_id)
        status = result['JobStatus']

        if status == "SUCCEEDED":
            for block in result['Blocks']:
                if block['BlockType'] == "LINE":
                    text += block['Text'] + " "
            break
        elif status == "FAILED":
            raise Exception("Textract failed")
        time.sleep(5)

    print("Text extraction completed")

    # 4️⃣ Convert text to speech (limit handled)
    speech = polly.synthesize_speech(
        Text=text[:3000],
        OutputFormat="mp3",
        VoiceId="Joanna"
    )

    # 5️⃣ Save MP3 to output folder
    audio_key = f"output/audio_{uuid.uuid4()}.mp3"

    s3.put_object(
        Bucket=bucket,
        Key=audio_key,
        Body=speech['AudioStream'].read(),
        ContentType="audio/mpeg"
    )

    print(f"Audio saved to {audio_key}")

    return {
        "statusCode": 200,
        "message": "PDF converted to speech",
        "audio_file": audio_key
    }

4.Added an S3 event trigger to invoke the Lambda function whenever a PDF is uploaded to the input/ folder.

Implemented Lambda logic to extract text from uploaded PDFs using Amazon Textract (asynchronous processing).

5.Processed the extracted text and sent it to Amazon Polly to generate natural-sounding speech.

6.Stored the generated MP3 audio file in the output/ folder of the same S3 bucket.

7.Monitored execution flow, errors, and logs using Amazon CloudWatch.

8.Verified successful execution by downloading and playing the generated audio file from S3.

Connect With Me

👤 Akash S
☁️ AWS | Cloud | AI Projects
✍️ Writing about real-world cloud learning

Automated AWS Receipt Processing System using Textract, Lambda & MySQL

AKASH S — Fri, 19 Dec 2025 09:47:32 +0000

Introduction

In this blog, I’ll walk you through how I built an end-to-end automated receipt processing system on AWS using:

Amazon S3
AWS Lambda
Amazon Textract (AnalyzeExpense)
Amazon RDS (MySQL)
Lambda Layers (pymysql)

Use this repo if needed

Architecture Overview
User uploads receipt (PDF / JPG)
        ↓
Amazon S3 (ObjectCreated event)
        ↓
AWS Lambda
        ↓
Amazon Textract (AnalyzeExpense)
        ↓
Amazon RDS (MySQL)

Step 1: Create the MySQL Database (RDS) and set up a DB with Wanted Entities and Attributes.

CREATE DATABASE receipt_db;

USE receipt_db;

CREATE TABLE ride_receipts (
    receipt_id INT AUTO_INCREMENT PRIMARY KEY,
    customer_name VARCHAR(100),
    ride_id VARCHAR(50),
    driver_name VARCHAR(100),
    vehicle_number VARCHAR(20),
    mode_of_vehicle VARCHAR(50),
    selected_price DECIMAL(10,2),
    time_of_ride TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);

Step 2: Create Lambda Layer for pymysql

AWS Lambda does not include pymysql by default, so we must add it using a Lambda Layer.

mkdir pymysql_layer
cd pymysql_layer
mkdir python
pip install pymysql -t python/
zip -r pymysql_layer.zip python

Upload Layer in AWS

Go to Lambda → Layers
Create new layer
Runtime: Python 3.10
Upload pymysql_layer.zip

Step 3: Create Lambda Function

Runtime: Python 3.10
Attach pymysql layer
Add IAM permissions:
- AmazonTextractFullAccess
- AmazonS3ReadOnlyAccess
- CloudWatchLogsFullAccess

Step 4: Lambda Function Code

Listens for a receipt upload event from Amazon S3.
Reads the uploaded file’s bucket name and object key.
Sends the receipt to Amazon Textract for structured data extraction.
Processes the extracted text to identify key receipt details.
Stores the structured data into a MySQL database automatically.

Step 5: Configure S3 Trigger

Go to Lambda → Configuration → Triggers

Add S3 trigger
Event type: ObjectCreated (PUT)
Bucket: receipt-inp-ak

Step 6: Upload Receipt to S3(Upload a clean file receipt1.jpg,receipt.pdf)

Step 7:Debug Using CloudWatch
Check logs in:

CloudWatch → /aws/lambda/receipt-textract

Successful log example:

Processing file: receipt.pdf
Extracted: {
 'vehicle_number': 'TN01B3694',
 'mode_of_vehicle': 'Car',
 'selected_price': 150.0
}

Step 8: Verify Data in MySQL by using Select query.

Note: Don't forgot to delete the resources which we created .stay tuned for more blogs and Deployment.

📊How I Learnt AWS SNS, CloudWatch, and CloudTrail (With Real-World Use Cases)

AKASH S — Sun, 24 Aug 2025 19:00:29 +0000

Introduction:

In today’s world,companies like Zomato, Uber, and Swiggy works heavily on real-time notifications, monitoring, and security tracking to ensure smooth operations.Amazon Web Services (AWS) provides three powerful services to achieve this: Amazon SNS (Simple Notification Service), Amazon CloudWatch, and AWS CloudTrail.

In this blog, We explore these services with real-world examples and see how they fit into everyday cloud scenarios.

Amazon SNS – Simple Notification Service

SNS is a fully managed messaging service that allows applications, services, or users to communicate instantly.

How it works:

Create a Topic (channel of communication).
Add Subscribers (email, SMS, Lambda, SQS, etc.).
Publish a Message (from applications or AWS services).

Real-world examples:

Zomato/Uber notifications:

When our food is out for delivery, SNS publishes a message → you receive an SMS/email instantly.

Cloud billing alerts:

If our AWS usage bill crosses a set threshold, SNS triggers an email alert to prevent unexpected costs.

Amazon CloudWatch – Monitoring and Observability

CloudWatch is AWS’s monitoring service for applications, infrastructure, and services.

Features:

Metrics Monitoring: CPU, memory, storage, network.
Dashboards: Visualize performance in real time.
Alarms: Trigger actions (like auto-scaling or notifications).
Logs: Application logs, server logs, error logs.
CloudWatch Agent: Install on EC2/on-premises servers to push custom metrics.

Real-world examples:

Uber ride-tracking servers: CloudWatch monitors EC2 instances handling GPS data; if CPU usage spikes, auto-scaling is triggered.

AWS CloudTrail – Auditing and Governance

CloudTrail is AWS’s auditing service that records all API calls and user actions across your AWS account.

why it's using:

Tracks who did what and when.
Helps in security analysis and compliance.
Provides audit logs for governance.

Real-world examples:

IAM activity monitoring: Detects if someone tried to create a new admin user without approval.

Conclusion

Amazon SNS: Notifies users instantly.
Amazon CloudWatch: Monitors and visualizes metrics/logs.
AWS CloudTrail: Tracks all AWS activity for security and compliance.

✨ Stay tuned for more learnings as I continue my AWS journey!

🌍AWS Route 53 – A Beginner-Friendly Guide

AKASH S — Thu, 21 Aug 2025 17:16:33 +0000

Introduction:

When building and deploying an application, one of the most important steps is making it accessible to end-users across the globe. This is where Amazon Route 53, a global Domain Name System (DNS) web service, comes in.Route 53 helps translate domain names (like myapp.com) into IP addresses (like 192.0.2.1), ensuring users can easily reach your application hosted on AWS or elsewhere.

Step-by-Step: Setting Up Route 53

1) Purchase a Domain

Buy a domain from a domain provider (e.g., GoDaddy, Hostinger, Namecheap).

2) Open AWS Console → Route 53

Go to Route 53 and create a Hosted Zone.
Enter the purchased domain name and choose whether it should be Public (internet-facing) or Private (internal VPC use).

3) Hosted Zone Records

AWS automatically creates SOA (Start of Authority) and NS (Name Server) records.
We’ll be provided with 4 Name Servers (NS).

4) Update Domain Provider Settings

Copy the NS values (without the trailing dot) and update them in our domain provider’s dashboard (GoDaddy, Hostinger, etc.).
This step links our purchased domain with AWS Route 53.

5) Create Records in Route 53

Add a new record (e.g., A record).
Set the Type (A, CNAME, etc.) and provide the Value (like your EC2 Public IP or Load Balancer DNS name).

6) Choose a Routing Policy

Select how Route 53 should route traffic (Simple, Latency, Failover, etc.).
Save the record.

7) Test Your Domain

Open a browser and type our domain name.
It should resolve to our configured IP or load balancer.

Route 53 Routing Policies

So we can learn more about Routing polices

| Routing Policy            | Description                                                                       | Use Case Example                                                          |
| ------------------------- | --------------------------------------------------------------------------------- | ------------------------------------------------------------------------- |
| Simple Routing            | Directs traffic to a single resource.                                             | A small website hosted on one EC2 instance.                               |
| Weighted Routing          | Splits traffic across resources based on percentages.                             | A/B testing between two application versions.                             |
| Latency-based Routing     | Sends users to the region with the lowest network latency.                        | A global e-commerce site with servers in the US, Europe, and Asia.        |
| Failover Routing          | Routes traffic to a standby resource if the primary one fails.                    | Disaster recovery setup with primary and backup servers.                  |
| Geolocation Routing       | Routes traffic based on the user’s location.                                      | Directing Indian users to a server in Mumbai, and US users to Ohio.       |
| Geoproximity Routing      | Routes traffic based on the geographic location of resources, with optional bias. | Regional applications that want to prefer one location slightly more.     |
| Multivalue Answer Routing | Returns multiple healthy IPs for load balancing.                                  | Distributing requests across multiple EC2 instances running the same app. |

Hosting a Website with Route 53

Let’s say we bought the domain mytravelblog.tech from GoDaddy. we host our application on an EC2 instance with the IP 13.250.45.67.

Here’s how Route 53 helps:

We need to create a Public Hosted Zone in Route 53 for mytravelblog.tech.
Route 53 gives us 4 Name Servers.we update these in GoDaddy’s domain settings.
We need to add an A record in Route 53 with the value 13.250.45.67.
We need to choose Simple Routing so all traffic goes to this EC2.
Now, when someone types mytravelblog.tech in their browser, Route 53 resolves it to our EC2 IP, and your website loads.
If later, our site grows and we add a Load Balancer with Auto Scaling, we can update Route 53 to point to the Load Balancer DNS instead of a static IP — ensuring scalability and high availability.

So that we can easily setup the Route53 and make our website live and make it more availability.

🚀Stay tuned for more Blogs and Deployment!!!

🛢RDS Powers a Secure Three-Tier Application on AWS

AKASH S — Tue, 19 Aug 2025 10:15:47 +0000

Introduction:

When we design applications in the cloud, it’s not just about running code. It’s about organizing layers, controlling access, and making sure everything scales smoothly. One of the best ways to do this is through a three-tier architecture.

In this blog, I’ll walk you through how RDS fits into a three-tier app on AWS, and we’ll take a real-world Data Entry Portal as our example.

Understanding the Three Tiers

A three-tier app is like a relay race. Each tier does its job, then hands over to the next:
Web Tier – The entry point. This is where users connect through a browser.
App Tier – The logic hub. It processes requests and applies business rules.
Database Tier – The memory. It stores and retrieves data whenever the app needs it.

On AWS, these tiers are usually split like this:

Web Tier: EC2 instances behind a Load Balancer in public subnets.
App Tier: EC2 instances in private subnets (no direct internet access).
DB Tier: An Amazon RDS instance running MySQL or PostgreSQL in private subnets.

Why Not Connect Directly to RDS?

Here’s a common mistake we make:

We connect to RDS from our laptop or from a single EC2 using a public IP.

This might work in a demo, but in real projects it’s risky:

Databases should never be publicly accessible.
Public IPs change if EC2 is replaced.

Auto Scaling creates multiple EC2 instances, and you can’t keep whitelisting new IPs every time.

So,Use Security Groups.

Instead of allowing one IP, We allow the App Tier’s Security Group in the RDS inbound rules. That way, no matter how many EC2 instances Auto Scaling creates, they can all talk to the database securely.

Real-World Example: A Data Entry Portal

Let’s imagine an organization that runs a Data Entry Portal for its employees:

Step 1: Login through Web Tier
Employees visit the portal from their browser. The request hits the Load Balancer, which sends it to one of the web servers (EC2 in the public subnet).

Step 2: Processing in App Tier
The web server hands the request to the App Tier, where the logic runs: checking user permissions, validating data, etc.

Step 3: Secure Storage in DB Tier
Once processed, the data is stored in an Amazon RDS MySQL database. The app tier instances talk to the database via private IPs only, secured with security groups.

   Internet User
        ↓
   Load Balancer
        ↓
   Web Tier (EC2 in Public Subnet)
        ↓
   App Tier (EC2 in Private Subnet)
        ↓
   DB Tier (Amazon RDS in Private Subnet)

Why This Setup Works Well

Scalable: Auto Scaling adds EC2s without breaking DB connections.
Secure: RDS never faces the internet.
Organized: Each tier has a clear responsibility.
Real-World Ready: This is the exact setup used in enterprise portals, e-commerce sites, and SaaS platforms.

If you’re planning your first project on AWS, try this pattern—it’s simple to start with, but powerful enough to grow into large-scale applications.

Stay tuned for updates..!

Smart Routing & Auto Scaling with ALB and ASG in AWS - Part 2

AKASH S — Sun, 10 Aug 2025 06:44:54 +0000

Introduction to Application Load Balancer (ALB)

As we went deeper into AWS, we discovered the Application Load Balancer (ALB) a more advanced and flexible version of CLB.

Unlike CLB, which sends traffic blindly, ALB is context-aware. It looks at the request’s path or hostname and decides which server should handle it.

How We Used ALB: Step-by-Step

1) Launched EC2 Instances

One for /app1
One for /app2
Each had its own custom index.html

2)Created Target Groups

Each group pointed to different EC2s
Configured health checks on /index.html

3)Created an ALB

Selected Internet-facing
Chose appropriate VPC and Availability Zones
Enabled HTTP listener on port 80
Assigned a security group with HTTP and SSH

4)Added Path-Based Routing Rules

/app1 → Target Group A
/app2 → Target Group B
We can also configure host-based routing (e.g., admin.ourapp.com)

Real-World Example: Online Food Ordering App

we’re building a Zomato or Swiggy-like app:

/menu → Served from one backend
/checkout → Comes from another backend
/admin → Managed through a different instance

Here, ALB works like a digital receptionist:

It understands our user’s request.
Then routes it to the correct backend based on the URL.

What About Auto Scaling Group (ASG)?

Once we configured ALB for smart routing, we integrated Auto Scaling Group (ASG) to handle traffic spikes automatically.

With ASG:

As traffic increases → New EC2s are launched automatically

As traffic drops → Unneeded EC2s are terminated

Real-World Example: IPL Live Score App

Imagine we're running a site that shows live cricket scores:

During the match, millions of fans visit the site → ASG launches extra instances
After the match, traffic reduces → ASG removes the extra machines

Meanwhile, ALB keeps routing traffic only to the healthy instances.

Summary:

ALB gives us smart routing based on URL paths or domains.
Target Groups help organize and manage our backend services.
ASG makes our application elastic, scaling with demand.

This was a game-changing learning experience — and we’re just getting started.
More AWS experiments coming soon!

📊AWS Load Balancers-Part 1

AKASH S — Thu, 07 Aug 2025 10:35:45 +0000

What is a Load Balancer?

In cloud computing, traffic isn't just about cars and roads — it’s about user requests and servers. A Load Balancer is like a traffic police officer at a junction, ensuring that vehicles (requests) are evenly distributed to available lanes (EC2 instances).

Without it, one server might crash due to heavy traffic while another sits idle. AWS Load Balancers help us avoid this by distributing load automatically and intelligently.

Types of Load Balancers in AWS:

AWS provides three types of load balancers under the Elastic Load Balancing (ELB) service:

Classic Load Balancer (CLB)

Legacy option; supports HTTP, HTTPS, and TCP
Simple round-robin routing
No advanced routing features

Application Load Balancer (ALB)

Used for HTTP and HTTPS
Supports path-based and host-based routing
Ideal for microservices and web apps

Network Load Balancer (NLB)

Designed for high-performance TCP and UDP traffic
Great for gaming, VoIP, real-time video streaming

Our Hands-On with Classic Load Balancer (CLB):

To understand how CLB works, we created two EC2 instances:

Each instance hosted a different static HTML page.
This allowed us to visually confirm where each request was being routed.

We then:

Created a Classic Load Balancer from the ELB dashboard.
Selected Internet-facing, configured VPC and availability zones.
Enabled HTTP (port 80) and SSH (port 22) in the Security Group.
Configured health checks using /index.html to monitor instance status.
Finally, we attached both instances to the load balancer.

When we visited the DNS name of the load balancer in our browser, we saw that it was alternating responses between the two EC2 instances thanks to the round-robin algorithm.

In Real World Example:

Imagine we’re at a food court with multiple counters. There's someone directing customers.
If one counter is full, they send the next customer to the next available one.
If a counter shuts down (instance fails), they stop directing people there.
That’s exactly how CLB works and it's basic, but it gets the job done.

It helped us understand:

How AWS distributes incoming traffic
The importance of health checks
Basic availability zone redundancy

But if we want smarter routing based on URL paths or subdomains, then it’s time to dive into ALB which we’ll explore in the next blog!📍📢

🌐📶AWS VPC: A Beginner's Guide - Part 2

AKASH S — Sun, 20 Jul 2025 18:18:53 +0000

Introduction:

In my last blog, I shared how to launch an EC2 instance inside a public subnet in a custom AWS VPC.

But what if we want more security — like running our application or database servers in a private subnet, isolated from the internet?

That’s where things like Private Subnets, NAT Gateways, and Bastion Hosts come in.

In this blog, We’ll Learn:

Setting up a private subnet in our existing VPC
Creating a NAT Gateway for internet access (outbound only)
Using a Bastion Host (jump server) to SSH into the private EC2
Let’s build a secure network architecture!

Recap: Components We Need..!

| Component                  | Description                                      |
| -------------------------- | ------------------------------------------------ |
| VPC                        | our existing Virtual Private Cloud              |
| Public Subnet              | Already created for Bastion Host                 |
| Private Subnet             | New subnet with no direct internet access        |
| Internet Gateway (IGW)**   | Already attached to VPC                          |
| NAT Gateway                | Needed for outbound internet from private subnet |
| Route Tables               | One for public, one for private subnet           |
| Bastion Host               | Public EC2 to connect securely to private EC2    |

Step-by-Step Setup

1. Use the Existing VPC
We’ve already created a VPC (e.g., 10.0.0.0/16), continue using it.

2. Create a Private Subnet

Go to Subnets > Create Subnet

Choose:

VPC: my-custom-vpc
Name: private-subnet
CIDR block: 10.0.2.0/24
Availability Zone: Same as NAT Gateway
Do NOT enable auto-assign public IP

3. Create a NAT Gateway

Go to NAT Gateway > Create

Choose:

Subnet: Our Public Subnet
Elastic IP: Allocate a new one
Name it: my-nat-gateway
Click Create NAT Gateway
NAT Gateway must be in a public subnet because it needs internet access via IGW.

4. Create a Private Route Table

Go to Route Tables > Create Route Table
Name: private-route-table
VPC: my-custom-vpc
Add Route:
Destination: 0.0.0.0/0
Target: NAT Gateway
Go to Subnet Associations
Select our private-subnet
Now, private subnet has outbound internet access only.

5. Launch EC2 in Private Subnet

Go to EC2 > Launch Instance

Choose:

Name: private-ec2
Amazon Linux 2
Subnet: private-subnet
Auto-assign Public IP: Disabled
Key Pair: Choose existing
Security Group:
Allow SSH from Bastion Host’s internal IP or SG
EC2 in private subnet won’t be accessible directly from our local machine.

6. Use Existing Public EC2 as Bastion Host to Access Private EC2

Connect to the Private EC2 (2-Hop SSH):

# Step 1: SSH into our public EC2 (Bastion Host)
ssh -i your-key.pem ec2-user@<Public-IP-of-Bastion>

# Step 2: From inside the Bastion EC2, SSH into the private EC2
ssh -i your-key.pem ec2-user@<Private-IP-of-Private-EC2>

8. Test Internet Connectivity

ping google.com

If it replies, then our NAT Gateway is working properly.

Points to Remember:

Private subnets increase security by not exposing EC2 to the internet directly
NAT Gateway allows outbound-only access (like updates, package installs)
Bastion Host is required to SSH into private EC2 (jump server setup)
CIDR blocks must remain within the VPC range (e.g., 10.0.0.0/16)

Thanks for Reading!

If you’re just getting started with AWS, this guide should help you take that first confident step into cloud networking.

Happy cloud building!🙌

🌐📶AWS VPC: A Beginner's Guide - Part 1

AKASH S — Sun, 20 Jul 2025 17:29:37 +0000

Introduction

When I first heard about VPC (Virtual Private Cloud), it felt overwhelming — CIDR blocks, subnets, gateways, and route tables sounded too complex. But once I broke it down and actually launched an EC2 instance inside a custom VPC, everything started making sense.

In this blog, We'll learn:

What a VPC is and why we use it
Key components like subnets, gateways, and routing
How to create a VPC step-by-step
How to launch an EC2 instance inside it and test the internet connection

What is a VPC?

A VPC (Virtual Private Cloud) is our own private space in the AWS cloud.Like our own virtual data center, where all our resources (EC2, databases, etc.) live — securely and privately.

VPC Components and its Explanation:

| Component                  | Description                                                            |
| -------------------------- | ---------------------------------------------------------------------- |
| VPC                        | our private cloud with a defined IP range                             |
| Public Subnet              | A subnet that can access the internet                                  |
| Private Subnet             | A subnet isolated from the internet                                    |
| Internet Gateway (IGW)     | Enables resources in public subnet to access the internet              |
| NAT Gateway                | Allows private subnet resources to access the internet (outbound only) |
| Route Table                | Controls routing decisions for subnets                                 |
| Subnet Association         | Binds a route table to a specific subnet                               |
| CIDR                       | IP address range for our VPC (like 10.0.0.0/16)                     |

What is CIDR?
CIDR (Classless Inter-Domain Routing) defines the size of the IP address block for our VPC or subnet.

For example:

10.0.0.0/16 gives you ~65,000 IPs
10.0.1.0/24 gives you 256 IPs

In AWS, VPC CIDRs can range from /16 (biggest) to /28 (smallest). For our demo, we’ll use 10.0.0.0/16.

Step-by-Step: Create a Custom VPC and Launch EC2:

Create a VPC

Go to VPC Dashboard
Click Create VPC
Choose:
Name: my-custom-vpc
IPv4 CIDR block: 10.0.0.0/16
Click Create

Now we have a VPC with 65,536 IPs!

Create a Public Subnet

Go to Subnets > Create Subnet
Choose our VPC: my-custom-vpc
CIDR block: 10.0.1.0/24
Availability Zone: (Choose one)
Enable auto-assign public IPv4 address

Create and Attach an Internet Gateway (IGW)

Go to Internet Gateways > Create IGW
Name it: my-igw
Click Create and then Attach to VPC → Choose my-custom-vpc

Create a Route Table

Go to Route Tables > Create
Name it: my-public-rt
Choose my-custom-vpc
After creating, click Edit Routes:
Add route: Destination 0.0.0.0/0, Target Internet Gateway
Go to Subnet Associations, attach our Public Subnet
Now our public subnet is internet-enabled.

Launch EC2 inside VPC

Go to EC2 > Launch Instance
Choose:
Name: my-ec2
Amazon Linux 2
Instance type: t2.micro (Free Tier)
Key pair: Create or choose existing
Network: Choose my-custom-vpc
Subnet: Choose my-public-subnet
Auto-assign Public IP: Enable
Add Security Group rule:
Allow SSH from our IP
Optional: Allow HTTP/HTTPS
Launch the instance

Connect to EC2 and Test Internet:

Open Git Bash or terminal
Run

chmod 400 your-key.pem
ssh -i your-key.pem ec2-user@<your-public-ip>

After login:

ping google.com

If we can see replies, our EC2 is connected to the internet via our custom VPC!

Points to Remember:

Every subnet must be within the VPC’s CIDR range
Public subnets require an IGW + correct route table
Auto-assigning Public IP is essential for internet access
Security groups act like firewalls — allow only what we need

Thanks for reading!

If you’re just getting started with AWS, this guide should help you take that first confident step into cloud networking.And wait for the next part of Connecting with Private Subnet and NAT Gateway..!

Happy cloud building! ☁️💻🚀

🔑Mastering AWS IAM: The Beginner-Friendly Way

AKASH S — Fri, 18 Jul 2025 13:36:31 +0000

What is IAM?

IAM (Identity and Access Management) is the heart of AWS security. It decides:

Who can access our AWS account
What they can do (read, write, delete, launch etc.)
Which services/resources they can interact with

IAM helps us securely control access without sharing our Root account (super admin--my free tier root user acc).

IAM Users:

A User = one person with credentials (username + password or access key).
Created by the Root user (owner of AWS account).
We give only the permissions they need, nothing more!

Real-world Example:

I’m the root user of my AWS Free Tier. I want my friend Sanjay to learn AWS but not touch everything.So I create an IAM user called sanjay, and give him access only to:

He now has his own login , and I can use my root user in my own.

IAM Groups:

A Group = collection of users with common permissions.
Instead of assigning policies to each user manually, just assign it to the group.

Real-world Example:
I have two teams:

ML Dev Team – needs SageMaker, Fargate
Fullstack Team – needs Amplify, Lambda

So I create 2 groups:

ML-Team: attach ML-related policies
FullStack-Team: attach web-related policies

Then I add users to the respective groups.

Giving Admin Powers (Team Leads)

Sometimes a user in the group needs more power than others (like a Team Lead).

We can do this in 2 ways:

Attach an additional policy to that user
Use an Inline Policy (explained below)

IAM Roles

A Role = permission container used by services, not users.
Helps one AWS service talk to another securely.

Real-world Example

I have an EC2 instance that needs to read data from an S3 bucket.
I create a Role with AmazonS3ReadOnlyAccess,
Then attach the role to the EC2 instance.

Now the EC2 can access S3 without any access keys. Fully secure..!

Inline Policy

A custom policy attached directly to a user or group.
Used for special, one-time permissions.
Gets deleted if the user is deleted.

Real-world Example

Sanjay needs temporary access to DynamoDB.
Instead of creating a new group, I create an inline policy just for him.

Resource Policy

Like Bucket Policy in S3
Used to control access directly from the resource itself.
Example: give access to specific users/folders inside an S3 bucket.

Real-world Example

One S3 bucket, two folders: ml/ and nlp/

User 1 needs access to ml/
User 2 needs access to nlp/

We will write a bucket policy like this:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:user/user1" },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/ml/*"
    },
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:user/user2" },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/nlp/*"
    }
  ]
}

We can add multiple users or groups in "Principal"!

Final Words

This blog is my personal IAM notes, written after I struggled to understand it and finally cracked it with real-world examples.

Hope it helps fellow beginners and AWS learners .

Happy Learning, Happy Securing ..!

📦EBS vs EFS - Understanding AWS Storage in Simple Terms

AKASH S — Fri, 18 Jul 2025 06:42:23 +0000

Introduction:

When working with Amazon EC2 instances in AWS, one important decision we'll face is choosing the right storage option.

Two popular choices provided by AWS are:

EBS (Elastic Block Store)
EFS (Elastic File System)

But when should we use EBS? And when does EFS make more sense?
Let’s break it down in the most beginner-friendly!

What is EBS (Elastic Block Store)?

Imagine EBS as the hard disk attached to our computer

Key points to note down:

Block-level storage (like HDD or SSD)
Attached to a single EC2 instance at a time
Stores all your system files, installed packages, project folders, .git, .ssh, etc.
Persistent — our data stays even after instance shutdown (unless deleted manually)

Example Use Case :

we're launching an EC2 instance to deploy a Flask app. we install Python, Docker, and some required libraries. All of this is stored in the EBS volume attached to our EC2. If we stop and restart the EC2, the data remains intact.

What is EFS (Elastic File System)?

Now we can think of EFS like a shared Google Drive. It's a network file system that multiple machines can connect to and use at the same time.
Key points to note down:

File-level storage (it save's ad folder and file structure as file explorer in windows)
Can be mounted on multiple EC2 instances simultaneously
Accessible over a network (NFS-Network File System)
Automatically scales as we store more data

Example Use Case :

Like we're part of a team using multiple EC2 instances to work on a shared dataset. we store that data in EFS, so everyone’s EC2 can read and write to it at the same time — like a shared workspace.

Table Comparison from Chat-GPT:

Conclusion:

EBS → Like your personal hard disk
EFS → Like a shared Google Drive folder for your team

If this helped you understand EBS vs EFS better, drop a ❤️ and let me know your thoughts in the comments. Happy Cloud Learning! ☁️💻