DEV Community: Hermann ESSOH

Host a static website on AWS: A detailed step-by-step guide

Hermann ESSOH — Fri, 24 Jan 2025 02:18:31 +0000

Table of content

Introduction
Prerequisites
VPC Creation
DNS Hostname setting in VPC
Internet Gateway (IGW) Creation
Subnets creation
Auto Assign IP in Public Subnets
Route Table creation for public subnets
NAT GAteway Creation
Route Table Creation for Private subnets
Security Groups Creation
EC2 Instance Connect Endpoint Creation
Application Load Balancer Creation
Website Installation on the EC2 Instance
Domain Name Registration In Route 53
Auto Scaling Group Creation
Accept the SNS Subscriptioon
Cleanup the resources

Introduction

To complete our project, we'll create a custom VPC for more security using the following reference architecture.

In this type of architecture, we've 3-tiers:

First Tier: We'll have the public subnet which holds resources such as NAT Gateway, Load Balancer, and Bastion Host
On the second tier, we'll have the private subnet which holds resources such as the webservers
And, on the third tier, we'll have another private subnet where we'll store the database. We'll duplicate the subnets across multiple (02) availability zones for High availability and Fault tolerance We'll also create an Internet Gateway (IGW) and custom Route Table to allow the resources in our public subnets to access the internet.

Project architecture overview:

Prerequisites

Good knowledge of the AWS Management Console
Good knowledge of AWS services such as VPC, EC2
Basic knowledge of Amazon Route 53 and CloudWatch

VPC Creation

VPC's name tag: Hermann VPC
VPC IPv4 CIDR: 12.0.0.0/16
Note: I deliberately chose to use the information above for this lab. You can customize it as well.

💡💡 To create a custom VPC, log in to the AWS management console. Once you're logged in, the first thing you have to do is select the region where you want to create your VPC.
To do that, first, click on the dropdown located at the top right of your screen between the gear wheel and your IAM username.

Then, select on the list, the appropriate region that will best suit your needs. It's advised to select the closest region to your customers to reduce latency. So, in my case, I select US EAST 1 (N. Virginia)

Once the region is set, let's create our custom VPC by getting to the VPC dashboard. Type VPC in the search bar and click on VPC in the search results.

In the VPC dashboard, click on Your VPCs, then hit the Create VPC button.

Fill in the blank spaces with the required information and click on Create VPC when you're done.

DNS Hostname Setting in VPC

⚠️⚠️ Before showing you how to enable the DNS Hostname in our newly created VPC, it's important to know why we're doing that. So, enabling the DNS hostname for the resources in our VPC simplifies the process of managing and connecting to those resources because it's easier to use a memorable hostname to design a resource in our network instead of an IP address.
To enable the DNS hostname in our custom VPC, click on the concerned VPC ID then click actions and select Edit VPC Settings

Scroll down to DNS settings, tick the checkbox next to Enable DNS hostname, and click Save to apply changes.

Internet Gateway Creation

Still, in the VPC dashboard under VPC, click on Internet Gateway, hit the Create Internet Gateway button, then enter the name tag of your IGW and click on Create IGW.

Once the IGW is created, we'll want to attach it to our custom vpc. Otherwise, the resources within our vpc won't have access to the internet. To do so, we click directly on attach vpc in the green notification bar or click on the action button and then, select "attach VPC".

Select the vpc and click on attach Internet gateway.

Subnets Creation

Availability Zone (AZ) 1a

Public Subnet AZ1a - IPv4 CIDR block : 12.0.1.0/24
Private App Subnet AZa - IPv4 CIDR block : 12.0.2.0/24
Private Data Subnet AZa - IPv4 CIDR block : 12.0.3.0/24

Availability Zone (AZ) 1b

Public Subnet AZb - IPv4 CIDR block : 12.0.4.0/24
Private App Subnet AZb - IPv4 CIDR block : 12.0.5.0/24
Private Data Subnet AZb - IPv4 CIDR block : 12.0.6.0/24

Note: These are just random CIDR Blocks I've created for this project. So, you can choose to use them or create yours. Also, the AZs can be modified but if for instance, you chose AZ 1c as your first AZ, stick to it and create all the subnets that should be created within the first AZ in AZ 1c.

Under Vpc, click subnet and click on create subnet

Select the vpc in which we're creating the subnets and enter the name of the subnet

Select the Availability zone, enter the IPv4 CIDR block of the subnet, and click on Create Subnet.
You repeat the process to create other subnets
💡Tips: Before clicking on Create subnet, you can click "add new subnet" five more times and specify the details of each subnet to create all six subnets at once. In this case, be meticulous while entering each subnet's information.

Once all subnets are created you'll have something similar on your screen when you filter in the search by vpc.

Auto assign IP in public subnets

Enabling auto-assign IP allows AWS to automatically assign a public IPv4 address to every resource we launch in those subnets. To do so,

Select the Public Subnet AZb then click on actions and select Edit Subnet settings.

Tick the checkbox to enable auto-assign IP and click save to validate the configuration. Repeat these two steps for the second public subnet.

Route Table Creation for Public subnets

Naming a subnet "public" subnet doesn't make it public; it's just for reference for our eyes and the same thing goes for Private subnets. For a subnet to be public, we'll have to create a route table that has a route to the internet and whatever subnet we'll associate this route table with, it will be public (accessible from the Internet). let's do it then.

In the VPC dashboard, select Route Tables and click Create route table

Name the route table, select the VPC in which we are creating it, and click Create route Table

Now that it has been created, we need to add a route to the Internet so that every subnet associated with it will be public or in other words, accessible from the Internet. Follow the steps on the first screenshot then click "Add Route"

Select or enter the destination as 0.0.0.0/0 to allow the RT to route traffic to the Internet, then under the target section, select Internet Gateway and pick up the IGW we created earlier. Through this configuration, we're saying that we want our traffic to have access to the Internet through the IGW

Let's make our subnets public by associating them with the RT

Now we've successfully made our Public subnets AZ1a and AZb accessible from the Internet.

Note⛔️: AWS automatically creates a route table in your VPC when you create it. This route table is the main route table and by default, it is private because when you look under routes, you can see that it doesn’t route traffic through the internet. It only has a local route.
So, anytime you create a subnet and you do not explicitly associate it with a route table, AWS automatically associates it with the main route table, making the subnet private.

NAT Gateway Creation

Note💡: The NAT Gateway allows resources in the private subnet in a VPC to have access to the Internet while blocking users from the Internet to access the resources. It acts like a shield that protects our resources from any threat on the Internet so that's why it's important to consider using it when it comes to privacy and resource protection.

According to our reference architecture, we should create two NAT Gateways in two different AZs. That's best practice when you’re building a VPC in a production environment at work. In this case, it’s better to create a NAT Gateway in each AZ in your VPC for high availability and fault tolerance. But Since the use of NAT Gateways is costly (I'm under the free tier), we're going to create just one for both availability zones to avoid expenses.

Access the VPC dashboard, click NAT Gateways, and then click Create NAT Gateway. Fill in the blanks with the appropriate information, select the public subnet in which you're creating the NAT Gateway, and allocate the elastic IP if there is none.

AWS will automatically assign one after clicking on Allocate Elastic IP. Finally, click on Create NAT Gateway

Great! you've successfully created your NAT Gateway. Now, wait some minutes and refresh the page to check the state of the newly created NAT Gateway. When the state changes to available, move to the next part of this guide.

Route Table Creation for Private subnets

As we previously did, access the VPC dashboard and select Route Tables. Next, click on Create Route table, give it a name, and select the custom VPC.

Let's add a route to allow the resources within the private subnets to access the Internet. Tick the checkbox before the private RT, then click the Route section and select edit routes

Click add route and select 0.0.0.0/0 as the destination. It implies that we want all traffic to reach anywhere. And, select NAT Gateway as Target and pick up the previously created NAT Gateway. This means we want our traffic to leave our network (VPC) to the Internet through the NAT Gateway. When all is done, save the changes to validate the action of creating the NAT Gateway.

Edit subnets association to link our four private subnets with this private route table.
Tick the checkbox before Private RT then click Actions and select edit subnets associations. Next, select all your private subnets and click Save associations

Security Groups Creation

Security groups are firewalls we use to regulate network traffic in our VPC. For this lab, we'll create 3 security groups:

The ALB security group: Will be added to the Application Load Balancer and allow traffic on port 80 (HTTP) and port 443 (HTTPS) from anywhere on the internet.
The EICE security group: We'll attach it to the EICE, open port 22 (SSH) on the outbound traffic, and limit the source to our VPC CIDR block or IPV4 address.
The App server security group: We'll add it to the EC2 instance and allow traffic on ports 80 (HTTP) and 443 (HTTPS) only when traffic comes from the ALB. We'll also allow traffic on port 22 only from our EC2 instance connect endpoint (EICE).

Access the VPC dashboard and scroll down to the security section. Click Security Groups then click Create Security Group and fill in the blank the SG information. Next, select the VPC and finally add the rules we specified earlier.

Let's start with the Application Load balancer Security Group: Fill in the name and description, select the appropriate VPC, and click add rule

Add the inbound rules (HTTP & HTTPS) we specified earlier to allow traffic from the internet and one outbound rule to give access to our resources to access the internet. Once it's done, click Create Security Group

EICE security group Still, in the security group dashboard, click Create Security Group and fill in the blank the information related to the EICE SG then choose the VPC

Next, specify the SSH rules for this SG to allow only resources within our network to SSH into the instance. We only allowed resources within our VPC to SSH into the web server by limiting the destination to the VPC IPV4 address. Click Create Security Group next

App server security group Access the SG creation dashboard, fill in the required information, and click add rule.

Open ports 80 and 443 by allowing incoming traffic through HTTP and HTTPS only from the ALB. Also, open port 22 to allow traffic through SSH only from the EC2 instance connect endpoint (EICE). Allow all outgoing traffic to the internet and click create security group.

To avoid any confusion, verify if all the rules were added. In the security group dashboard, select the App server SG and click the inbound rules section to check all the added rules.

EC2 Instance Connect Endpoint Creation

The EC2 Instance Connect Endpoint (EICE) allows you to connect to any resource in your VPC's public or private subnet without managing SSH keys.

We don't need a key pair if we intend to use an EC2 Instance Connect Endpoint to SSH into our EC2 instance.

Within the VPC dashboard, click endpoints and create an endpoint.

Fill in the endpoint's name, select the service category as EC2 Instance connect endpoint, and scroll down.

Choose the custom vpc and select any private subnet in which you'll be creating the endpoint. Do not forget to pick the EICE Security group we created earlier then click Create endpoint.

EC2 Instance Connect Endpoint Testing We'll launch an EC2 instance in a private subnet in our VPC. The purpose of this EC2 instance is to test whether we can connect to it using an EC2 instance connect endpoint. In the console search bar, type EC2 and access its dashboard. Click instances then launch instance.

Enter the instance's name, select its AMI, choose the instance type, and specify you'll proceed without a keypair since you'll be connecting using an EICE then click edit next to network settings.

Select your custom VPC, choose any private subnet, and select the dropdown to disable auto-assign public IP (our instance is being created in the private subnet, consequently, it doesn't have to get a public IP). Pickup Select existing security group as we've created all of the SGs earlier and choose the App server security group
When it's done, review all the settings and click Launch instance

Once we've launched the instance, we'll give it some time to pass the status check then we get to SSH into it. We can SSH either using the management console or the AWS CLI.

Let us connect using the management console
Still, in the EC2 dashboard, select the EC2 instance then click connect.

Select EC2 Instance connect, choose the connection type as connect using EICE, and pick up the only endpoint we created earlier. Once it's done, click Connect

And therein goes, we've successfully connected to the instance

Let's run this command to verify if the instance has access to the internet to download the packages sudo yum update -y
The outcome shows the instance has access to the internet

Let's SSH using the AWS CLI
Open Powershell if you're using Windows or the terminal on macOS. verify that AWS CLI is installed by typing the command aws --version and pressing enter on the keyboard. If you have the same outcome as on my screenshot you're good to go.
Next, enter the command above to ssh into the instance and hit enter:
aws ec2-instance-connect ssh --instance-id paste instance ID
You'll find the instance ID under the instance's details section above the Instance summary. Answer Yes to the question and there it goes, you've successfully SSH into the instance.
You can verify the instance's accessibility to the internet by typing the command sudo yum install httpd -y to install the Apache server.

The instance accessed the internet and successfully installed Apache.

All these tests allowed us to conclude the EICE works correctly. Now, follow the steps on the screenshots to terminate the instance since it was just for testing purposes

Application Load balancer Creation

We create an Application Load balancer to allow users to access the website we host on our server. But for security reasons, we'll place our instances in private subnets. To enable users from the Internet to access the website, we'll create a target group in which we'll put our servers so that the ALB will route traffic to them.

Target Group Creation: Within the EC2 dashboard, scroll down to Load balancing and select Target groups. Click Create Target Group and fill in the information as in the screenshots below.

Enter the target group name, choose the protocol port as HTTP and the protocol type as IPv4. Select the custom VPC and protocol version then click next

Leave all the other settings as default then click Create Target Group

Launch EC2 Instance: Under the EC2 dashboard, click instances then Launch instance

Fill in the blank space with the appropriate information, select the AMI and instance type, click the dropdown next to the keypair section select proceed without a keypair then click edit to customize the network settings

Choose the VPC we created earlier, select any private subnet, and disable auto-assign public IP since the instance is being created in the private subnet. Under firewall, choose to select existing security group and pick up the app server SG. Review all the settings and click Launch Instance

Add the EC2 Instance to the Target Group: On the EC2 dashboard, scroll. down to Load balancing and select Target Group, then click on the dev target group we previously created

Access the targets section and click register targets

Under available instances, select the web server AZa we just created and click include as pending below

Scroll down, check if the selected instance appears under review targets then click register pending targets to add the instance successfully to the target group

ALB Creation: Within the EC2 dashboard, click Load Balancer and hit the Create Load Balancer button at the top right of the screen

Click Create under Application Load Balancer and enter the custom information in the following step.

Enter the name of the ALB. Under scheme choose internet facing and under Load Balancer IP address type, choose IPv4

Scroll down to Network mapping section and apply the modifications below. Click on the dropdown under VPC and select your custom VPC. Since we only have two AZs within our VPC, they'll appear in the mappings section. So, select the first AZ, and pick up the public subnet under subnet subsection. Then, select the second AZ and click on the dropdown under subnet subsection to choose the public subnet in AZ2
Note: ALB only works in the public subnet

Go to the security groups section and click on the X to remove the default security group. Then, select the dropdown menu and select the ALB security group from among all the SGs we created earlier.
Please scroll down to Listeners and Routing and select the default action of the HTTP protocol as the Target group so that the HTTP listener will route traffic to our Dev Target group

When it's done, leave other settings as default and scroll down to the summary section to check if all was set properly. If everything is okay, click Create Application Load Balancer and that was all.

Website installation on the EC2 Instance

#!/bin/bash

# Switch to the root user to gain full administrative privileges
sudo su

# Update all installed packages to their latest versions
yum update -y

# Install Apache HTTP Server
yum install -y httpd

# Change the current working directory to the Apache web root
cd /var/www/html

# Install Git
yum install git -y

# Clone the project GitHub repository to the current directory
git clone https://github.com/Walter-Obrien/Host-a-static-website-on-AWS.git

# Copy all files, including hidden ones, from the cloned repository to the Apache web root
cp -R Host-a-static-website-on-AWS/. /var/www/html/

# Remove the cloned repository directory to clean up unnecessary files
rm -rf Host-a-static-website-on-AWS

# Enable the Apache HTTP Server to start automatically at system boot
systemctl enable httpd 

# Start the Apache HTTP Server to serve web content
systemctl start httpd

⚠️ ⚠️ Remember to update my URL on line 17 of the code (https://github.com/Walter-Obrien/Host-a-static-website-on-AWS.git
) to the URL of your GitHub repository. And, whatever name you give to your GitHub repository (mine is Host-a-static-website-on-AWS), that'll be the same name you'll enter on the two following lines (lines 20 and 23 of the code).
However, you can still use my URL. Since my GitHub repository is public, you can still download the code from it. But if you want to do it from your repository, you should consider updating the values I stated up there.

SSH into the EC2 Instance then run the above commands: Follow the same steps we previously used to SSH into our instance using the EICE. Once you're connected, run the above commands one after another.
We now need to verify if we can access our website: To do that we have to use the DNS name of our ALB.
Go to the EC2 dashboard, scroll down to Load Balancing, and select Load Balancers. You'll see your ALB, copy its DNS name, open a new tab in your browser, paste it and press enter.

And boom 👏🏾👏🏾👏🏾

Domain Name Registration In Route 53

Now that we've installed our website and can access it using the DNS name of our ALB, we'll set up the DNS configuration for our website by registering a domain name in Route 53 that the end-user will use to access our website instead of the DNS name of our ALB.
In addition, we'll request an SSL certificate to ensure that the communication between our website and the end users is secure.

So, to register a domain name, type Route 53 in the search box and select it.
In the Route 53 dashboard, check the availability of the domain name you intend to use

If available, click select and proceed to checkout

Activate or no Auto renew then click next

Fill in your personal information then turn on privacy protection for all contacts before clicking next

Review the settings, tick the checkbox to agree to the end-user agreement, and click submit. Since I have a registered domain already, I won't submit my request, check out my domain name on the third screenshot

Let's create an A record in the Route 53 hosted zone to point our domain name to the ALB: Access the Route 53 dashboard, click on the number displayed under DNS management, and get to the hosted zones.

Once in hosted zones, click on your domain name, access the record section, and click Create record

Type in the record name as www, leave the record type set to route traffic to an IPv4 address then toggle the alias on. Under Choose endpoint, select the dropdown and pick A_lias to application and classic load balancer_ then choose the region where you created your ALB. Under choose Load balancer, select the dropdown, and pick up your ALB. When it's all set, click Create record

Check the status of the A record by clicking View status. It will be pending, wait until it shows INSYNC under status.

When the status changes to INSYNC, go back to the hosted zones details and tick the checkbox aside from your domain name. Copy the record name and open a new tab in your web browser

Paste the copied record name and press enter. Booom!! we can access our website from our domain name which points to our ALB

Request an SSL Certificate: If you noticed, we can access our website using our domain name but the communication between the web browser and the website is not secure. So, an SSL Certificate will help us encrypt all communications between both entities to make it more secure

To do that, access the Certificate Manager dashboard by typing it in the search bar. Once. once dashboard, click Request a certificate.

Select the certificate type as public and click next

Fill in the domain name then click add another name to this certificate. Enter your domain name the same way you see I did in the second row.
Choose the validation method as DNS and click Request certificate

View the certificate and check its status. It'll be pending validation because we need to create a record set in Route 53 to validate that this domain belongs to us. So, scroll down to domain and click Create Records in Route 53. On the next page, select the two domain names we entered previously (those are the ones we're creating the record set for) and click Create record

when it's done refresh the page and the status will be issued.

HTTPS Listener setup for the ALB: Here we'll use the SSL Certificate we registered previously to secure all web communications to our website. Access the EC2 dashboard, scroll down to Load balancing, click load balancers, and select your load balancer. Get to the Listeners and Rules section and click Add listener

Choose HTTPS as protocol, set the routing actions as forward to target groups, and pick up your target group

Leave the security policy as default, set the certificate source to From ACM, select the certificate created earlier, and click add

HTTP to HTTPS: We have to modify our HTTP listener to redirect traffic from port 80 that's not secure to HTTPS To do that, select the HTTP listener, click the dropdown next to manage listener, and select edit listener.

Set the routing actions to Redirect to URL, select Full URL, and leave other settings as default before clicking Save Changes.

We have successfully modified the listener and it is now redirecting its traffic to HTTPS.

Open a new tab, enter your domain name in the URL bar, and click enter. You'll notice the https protocol which means all communication between the web browser and the website is secure.

Auto Scaling Group creation

We'll set an ASG to ensure that our website is always available and fault-tolerant. The ASG will dynamically add and remove instances/web servers as needed. Before going to that, we'll need to terminate the instance (Webserver AZa) we manually created upward to allow our ASG to dynamically create our EC2 instance.

Here's the script we'll use for the Launch template.

#!/bin/bash

# Switch to the root user to gain full administrative privileges
sudo su

# Update all installed packages to their latest versions
yum update -y

# Install Apache HTTP Server
yum install -y httpd

# Change the current working directory to the Apache web root
cd /var/www/html

# Install Git
yum install git -y

# Clone the project GitHub repository to the current directory
git clone https://github.com/Walter-Obrien/Host-a-static-website-on-AWS.git

# Copy all files, including hidden ones, from the cloned repository to the Apache web root
cp -R Host-a-static-website-on-AWS/. /var/www/html/

# Remove the cloned repository directory to clean up unnecessary files
rm -rf Host-a-static-website-on-AWS

# Enable the Apache HTTP Server to start automatically at system boot
systemctl enable httpd 

# Start the Apache HTTP Server to serve web content
systemctl start httpd

It's the same script we previously used just that we added #!/bin/bash at the beginning to tell the interpreter to use bash to execute all the following commands.

Launch Template Creation: Access the EC2 dashboard, scroll down to Instances, and select Launch Templates. Click Create Launch template

Give it a name and description, then tick the checkbox under Auto Scaling Guidance since we'll use this template with EC2 Autoscaling

Pick up the AMI, specify the instance type, and set the keypair as shown on the screenshot.

Under the network settings, select an existing security group and pick up the App server security group. Scroll down to advanced settings

Copy the script I provided upward and paste it into the user data field. Review all settings on the right side of the screen then click Create Launch template

ASG Creation: In the EC2 dashboard, scroll down to Auto Scaling and select Auto Scaling Group. Then click Create Auto Scaling Group.

Enter the ASG name and choose the launch Template. Select the custom VPC we created earlier and choose both private App subnets

Under Load balancing, select attach to an existing load balancer, then select choose from your load balancer target group. Pick up the Dev-TG. Under health check, turn on elastic load balancing health checks. Also, enable group metrics collection within Cloudwatch under additional settings then click next

Set the desired capacity on 2, then specify minimum & maximum desired capacity under scaling limits as shown on the screenshots.

Choose to use a target tracking policy then specify the scaling policy name, metric type, target value and instance warmup

Under instance maintenance policy, select no policy and click next

Add a notification topic to create alerts on SNS. Specify the name of the topic and the email address that'll receive the notifications. Don't forget to click next when you're done.

Under the Tags section, specify the value, then click Next, and review all the settings before validating the ASG creation

We've successfully created the ASG and the desired capacity is 2. That means that if we go into the EC2 instance console, we'll see two instances there that are being launched.

⚠️ Note: When our ASG creates these instances, it will add them to the Target group so that the Application Load Balancer can route traffic to them. So let's verify that the instances are in the Target Group and that the Target Group is healthy.

Scroll down to Load Balancing, select target group, and click on the Dev-TG

Get down to the Targets section and check the health status

After verifying this, let's double-check if we can access our website. Open a new tab in your browser and enter the domain name we created earlier. We can notice that the website is fully encrypted and that the server that the website is installed on, is the server we created by the ASG

Accept the SNS Subscription

To confirm the SNS topic we created in the previous step, access the email address you used to subscribe to the SNS topic. Once you're in, select the email from AWS notifications and click on confirm subscription included in the email

Now let's access the SNS service within the AWS management console to check if the status is confirmed. Once the SNS status is confirmed, it means that AWS will notify you of your ASG activities.

Cleanup the resources

Auto Scaling group cleanup
Launch Template deletion
SNS topic deletion
Application Load Balancer deletion
Target Group deletion
EC2 Instance connect Endpoint deletion
NAT Gateway deletion
Release Elastic IP address
Security Group deletion
VPC deletion

We've successfully deleted all the resources we used to complete this project. Thanks for following throughout and I hope I helped you improve your skills today bye ✌🏽

How to create a VPC Peering connection?

Hermann ESSOH — Tue, 20 Aug 2024 20:12:00 +0000

Table of content

Introduction
Prerequisites
VPCs Creation
Route tables creation
Subnets Creation
Route tables and subnets association
Grant Internet access to route tables
Provision VPCs with EC2 Instances
Set up the VPC peering connection
Update the route tables
Testing the peering connection
Conclusion
Resources

Introduction

VPC Peering can be defined as the concept of bringing two VPCs together, allowing instances running into each of them to communicate, share resources, and collaborate as if they're all in the same network. From the definition above, there's no need to explain why VPC peering is important (I'll rather let you discover how important it is in the guide if you've not pictured it yet 😁). The diagram below represents the architecture of the peering connection we'll be implementing during this project. So, without any further ado, let's get started

Prerequisites

All you need is a good knowledge of the AWS Management Console to easily navigate through it.

VPCs Creation

Step 1: Log into your AWS console then access the VPC dashboard. Next, click Your VPCs on the panel on your left.

Step 2: As we'll have to create two different VPCs, this step will be done twice but with different names and IP ranges for each VPC.
1st VPC: testing-vpc-1 --- IPv4 CIDR: 11.0.0.0/16
2nd VPC: testing-vpc-2 --- IPv4 CIDR: 10.0.0.0/16
Click create VPC then enter the VPC's pieces of information accordingly. When everything is set, hit create VPC

Route tables creation

After creating our VPCs we need to create Route tables so that they will route traffic to our subnets.
Step 1: Let's go back to the VPC dashboard click on "Route table" on the left side of the panel and click on "Create route table"

Step 2: Fill in the blank space with the information related to the route table and select the VPC to which it'll be associated. When it's done hit the "Create route table" button

Step 3: Repeat the steps above to create the second Route table for testing-vpc-2

Subnets Creation

Step 1: Still on the VPC dashboard, click on subnets on the left panel and click on create subnet

Step 2:Choose the vpc for private subnet 1 and enter the name of the subnet

Step 3: Choose the availability zone and enter the IPV4 CIDR block 11.0.1.0/24 for the subnet we're creating. click on "create subnet" and our public-subnet-vpc-1 is created

⛔️Repeat the same steps to create the private-subnet-vpc-2 with IPV4 CIDR Block 10.0.1.0/24

Route tables and subnets association

We attach a route table to our subnet to allow communication in the network.
Step 1: Go back to the VPC dashboard. From there select route table on the left panel and click on test-rt-vpc-1 route table ID

Step 2: Select "subnet associations" and click on "edit subnet associations"

Step 3: Click on the checkbox to select public-subnet-vpc-1 as the subnet to associate with test-rt-vpc-1 and validate on "save associations". You'll have the message in the green box confirming the association

⛔️Repeat the same steps to associate private-subnet-vpc-2 to test-rt-vpc-2

Grant Internet access to Route tables using IGW

Step 1: Under the VPC section, click on "Internet gateways" and click on "Create Internet gateway"

Step 2: Enter the name of the IGW related to vpc 1 and hit the "Create Internet Gateway" button

Step 3: You'll receive a notification in the green box stating the Internet Gateway was created but you need to attach it to your VPC. Click on "Attach to a VPC"

Step 4: Click the dropdown, select VPC 1, and click on "Attach Internet Gateway". You'll receive a notification in a green box confirming what you've just succeded in doing.

⛔️Follow the same steps to create test-igw-vpc-2 and attach it to VPC 2

Step 5: Let's create a route for the Internet using the Internet Gateway to allow access from the Internet in testing-subnet-vpc-1.
Still, on the VPC dashboard, click on "Route tables", select test-rt-vpc-1 by checking the box, and click on "Routes"

Step 6: Click on "Add route", and select 0.0.0.0/0 (access from anywhere) as we want our resource to be accessible from the Internet. Next, select the dropdown, choose "Internet gateway" among the options, and pick up the Internet Gateway attached to VPC 1. When it's done, click on Save changes

⛔️Repeat the same steps to grant Internet access to the resources in testing-subnet-vpc-2

EC2 instances provision in VPCs

Step 1: Type in the search box EC2 to quickly search the service and click on the outcome to access its dashboard. On the left panel of the EC2 dashboard, click "Instances" and hit the "Launch Instance" button at the top right of the screen

Step 2: Type in the first blank space the Instance name, select the AMI on which our Instance will be running, and the Instance type

Step 3: Create a keypair to securely connect to the instance. Under the Key pair section, Click "Create new key pair"

Then enter the Key pair details: name, type, format, and hit "Create key pair". It'll be automatically downloaded into your default directory. make sure to move/copy it into the directory you'll ssh from.

Step 4: Edit the network settings. Aside from network settings, there's an edit button you should click on to specify the network configurations for vpc-1-ec2-instance

Select Testing-vpc-1 as the network the Instance will be running under, pick up Public-subnet-vpc-1, select enable under the "Auto-assign public IP, check "Create security group" checkbox and leave the name and description as default.

Under the "Inbound security group rules" section, leave the first rule as SSH on port 22 and select the source type as anywhere to allow secure remote access from anywhere to the instance. Then, click on "Add a security group rule"

Also, allow HTTP on port 80 from anywhere to authorize traffic from the Internet to reach the instance.

Step 5: Create Instance. Leave other settings as default and under user data, enter the script below to directly update the server, install Apache2, and restart the server when booting the Instance. Then launch the Instance.

#!/bin/bash
yes | sudo apt update
yes | sudo apt install apache2
echo "<h1>Server Details</h1><p><strong>Hostname:</strong> $(hostname)</p><p><strong>IP Address:</strong> $/hostname -I | cut -d" "-f1)</p>" >
var/www/html/index.html
sudo systemctl restart apache2

Step 6: Connect to the instance for testing purposes. Click on the Instance ID of our newly created Instance and click on open address

Here's the display that shows us our Instance is up and running. It's the default Apache page, it can be changed to display the content we want but because I don't want this article lengthier than it is already, we'll leave it like that. I may write another article to show you how to go about that.

⛔️ Repeat the steps to create vpc-2-ec2-instance and connect to it.

Setting up the VPC Peering connection

Step 1: Access back the vpc dashboard. At the left side of the screen, click peering connections then hit the create peering connection at the top right side of the screen.

Step 2: Enter the peering connection's name and select Testing-vpc-1 as the requester, enter its CIDR (11.0.0.0/16) in the next box and select "my account" as the second vpc we'll be peering this with is still in our account.
💡An Inter-region VPC peering connection is when the peered VPCs are in two different regions

Step 3: Select "this region (us-east-1)" (it may be different from your side if you created your VPCs in a different region), select Testing-vpc-2 as the accepter vpc, enter its CIDR (10.0.0.0/16) and click on "create peering connection"

Step 4: After creating a peering connection, a request is sent by the requester vpc to the accepter vpc. this later has to approve or accept the connection to establish the peering connection. To do so, click on the dropdown aside action and select "accept request"

Step 5: Verify the requester and accepter and click on accept request.

Step 6: Our vpc peering connection is successfully established. Now let's update our route tables for a vpc peering connection. To do so, click on modify my route tables now

Modify or update your route tables for a VPC peering connection

Step 1: Access test-rt-vpc-1 by clicking on its ID then click on "edit routes"

Step 2: Click on add route and copy testing-rt-vpc-2 IPV4 CIDR in the clipboard.

Paste the copied IPV4 CIDR as the destination of our route table testing-rt-vpc-1, click on the dropdown under target, select "peering connection", choose the created peering connection then save all changes.

We've successfully added a new route to the "testing-rt-vpc-1" route table.

⛔️ Replicate the steps above to add a new route to the "testing-rt-vpc-2" route table as well.

Testing

Step 1: Change permissions
a- Open your terminal and check the availability of your keys by entering this command: Ls -lart.
Ensure you're in the same directory in which you stored your key pairs. If you are not, change your directory with the cd command
b- Change the permission for both Instances to give the read (r) only permission. Enter the command :
chmod 400 vpc-1-ec2-keypair.pem
chmod 400 vpc-2-ec2-keypair.pem
c- Check permissions once again with Ls -lart. You'll notice there's no more "write (w)" permission for both key pairs.

Step 2: SSH into both created instances
SSH into vpc-1-ec2-Instance. Enter the command:
ssh -i "vpc-1-ec2-keypair.pem" ubuntu@44.192.57.248 press enter on the keyboard and answer yes to the following question. And there it goes, you've successfully SSH into your vpc-1-ec2-instance.

⛔️ Replicate this step 2 to SSH into vpc-2-ec2-instance

I split my terminal and you'll notice that we're successfully connected to both ec2 Instances.

Step 3: Curl from each instance
⚠️ Unexpectedly, I had to terminate my ec2 instances and create new ones. You'll notice the public IP addresses in this screenshot are different from the ones above, don't mind that.

Now, let's access vpc-2-ec2-instance from vpc-1-ec2-instance and vice versa. To do so, we use the curl command followed by the private IP address of the instance we want to access.

As we're able to access one instance from the other, it simply means that the vpc peering connection has been successfully established ✅.

Conclusion

A VPC peering connection is of the greatest importance in today's digital world when it comes to creating private and secure communication between entities such as companies, branch offices of the same company, business units, or departments for an effective workflow. It's helpful as well for businesses looking to scale, allowing them to share resources, to collaborate with partners across the globe while maintaining the security and performance of their network, and to coordinate a wide project between two or more separate branches in different countries, and cities. So, by creating a peering connection we contribute to preventing delays and failures of projects and building robust cloud infrastructure.

DEV Community: Hermann ESSOH

Host a static website on AWS: A detailed step-by-step guide

Table of content

Introduction

Prerequisites

VPC Creation

DNS Hostname Setting in VPC

Internet Gateway Creation

Subnets Creation

Auto assign IP in public subnets

Route Table Creation for Public subnets

NAT Gateway Creation

Route Table Creation for Private subnets

Security Groups Creation

EC2 Instance Connect Endpoint Creation

Application Load balancer Creation

Website installation on the EC2 Instance

Domain Name Registration In Route 53

Auto Scaling Group creation

Accept the SNS Subscription

Cleanup the resources

How to create a VPC Peering connection?

Table of content

Introduction

Prerequisites

VPCs Creation

Route tables creation

Subnets Creation

Route tables and subnets association

Grant Internet access to Route tables using IGW

EC2 instances provision in VPCs

Setting up the VPC Peering connection

Modify or update your route tables for a VPC peering connection

Testing

Conclusion

Resources