DEV Community: Ifeanyi Nworji The latest articles on DEV Community by Ifeanyi Nworji (@ifeanyi_nworji). https://dev.to/ifeanyi_nworji https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1832774%2Fc7139dd0-ceb9-4b43-be96-77cc04b39b5d.jpg DEV Community: Ifeanyi Nworji https://dev.to/ifeanyi_nworji en Blue/Green Deployment with Nginx Upstreams Using Docker Compose Ifeanyi Nworji Sat, 13 Dec 2025 07:37:02 +0000 https://dev.to/ifeanyi_nworji/bluegreen-deployment-with-nginx-upstreams-using-docker-compose-5cn1 https://dev.to/ifeanyi_nworji/bluegreen-deployment-with-nginx-upstreams-using-docker-compose-5cn1 <p><strong>Auto-Failover, Zero Downtime, and Manual Traffic Switching</strong></p> <p>One of the core responsibilities of a DevOps engineer is ensuring application availability in the presence of failure. Downtime is rarely caused by deployments themselves, but by how traffic is handled when something goes wrong.</p> <p>In Stage 2 of my DevOps internship, I implemented a Blue/Green deployment architecture using Nginx upstreams and Docker Compose, focusing on:</p> <ul> <li>Zero failed client requests during outages</li> <li>Automatic failover within a single request</li> <li>Manual traffic switching without restarting containers</li> <li>No application code changes</li> <li>No image rebuilds</li> </ul> <p>This article is a beginner-friendly but production-accurate walkthrough of the solution, explaining both the configuration and the runtime behavior in detail.</p> <p><strong>Problem Overview</strong></p> <p>We are provided with two identical Node.js services packaged as pre-built Docker images:</p> <ul> <li>Blue — primary (active)</li> <li>Green — backup</li> </ul> <p>Each service exposes the following endpoints:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Endpoint</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>GET /version</code></td> <td>Returns JSON + headers</td> </tr> <tr> <td><code>GET /healthz</code></td> <td>Liveness check</td> </tr> <tr> <td><code>POST /chaos/start</code></td> <td>Simulates failure</td> </tr> <tr> <td><code>POST /chaos/stop</code></td> <td>Restores service</td> </tr> </tbody> </table></div> <p>The task is to place Nginx in front of both services and guarantee:</p> <ul> <li>All traffic goes to Blue by default</li> <li>On Blue failure, Nginx automatically switches to Green</li> <li>No client request returns non-200 during failover</li> <li>Application response headers are forwarded unchanged</li> <li>Traffic can be manually toggled between Blue and Green</li> </ul> <p><strong>Architecture Overview</strong><br> The final architecture is intentionally simple and production-aligned:</p> <p>Client --&gt; Nginx (8080) --&gt; Blue App (8081) OR failover to Green App (8082)</p> <p>Key characteristics:</p> <ul> <li>Nginx is the single public entrypoint</li> <li>Blue/Green run simultaneously</li> <li>Docker Compose orchestrates everything</li> <li>No Kubernetes, no service mesh, no rebuilds</li> </ul> <p><strong>Environment-Driven Configuration</strong></p> <p>All behavior is controlled via environment variables, making the setup CI-friendly and reproducible.</p> <p>Key variables:</p> <ul> <li>BLUE_IMAGE, GREEN_IMAGE</li> <li>ACTIVE_POOL (blue or green)</li> <li>RELEASE_ID_BLUE, RELEASE_ID_GREEN</li> <li>PORT, BLUE_PORT, GREEN_PORT</li> <li>NGINX_PORT</li> </ul> <p>This design ensures:</p> <ul> <li>No hardcoded values</li> <li>Safe traffic switching</li> <li>Easy automated verification</li> </ul> <p><strong>Docker Compose: Service Breakdown</strong></p> <p>Blue Application Service<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">app_blue</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">${BLUE_IMAGE}</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">app_blue</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">PORT=${PORT}</span> <span class="pi">-</span> <span class="s">RELEASE_ID=${RELEASE_ID_BLUE}</span> <span class="pi">-</span> <span class="s">APP_POOL=blue</span> <span class="na">expose</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">${PORT}"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">${BLUE_PORT}:${PORT}"</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD-SHELL"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">node</span><span class="nv"> </span><span class="s">-e</span><span class="nv"> </span><span class="se">\"</span><span class="s">process.exit(0)</span><span class="se">\"</span><span class="s">"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">2s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">3</span> </code></pre> </div> <p>What this achieves:</p> <ul> <li>Runs the provided Blue image without modification</li> <li>Injects runtime metadata used in response headers</li> <li>Exposes the service internally to Nginx</li> <li>Maps a direct port (8081) for chaos testing</li> <li>Keeps the container healthy and restartable</li> </ul> <p>The Green service is identical, differing only in image, release ID, and port.<br> This symmetry is critical for Blue/Green deployments.</p> <p>Nginx Reverse Proxy<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">nginx</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">${NGINX_PORT}:80"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./nginx/nginx.tmpl:/etc/nginx/templates/default.conf.template:ro</span> <span class="pi">-</span> <span class="s">./nginx/entrypoint.sh:/docker-entrypoint.d/10-envsubst.sh:ro</span> <span class="pi">-</span> <span class="s">./nginx-logs:/var/log/nginx</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ACTIVE_POOL=${ACTIVE_POOL}</span> <span class="pi">-</span> <span class="s">PORT=${PORT}</span> </code></pre> </div> <p>Key decisions:</p> <ul> <li>Nginx is the only public interface</li> <li>Configuration is templated, not static</li> <li>Logs are persisted for inspection and alerting</li> <li>No container restarts needed for traffic switching</li> </ul> <p><strong>Nginx Upstreams: Blue/Green Routing</strong></p> <p>The heart of the solution lies in the Nginx upstream configuration.</p> <p><strong>Timeout and Retry Configuration</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">proxy_connect_timeout</span> <span class="s">1s</span><span class="p">;</span> <span class="k">proxy_read_timeout</span> <span class="s">5s</span><span class="p">;</span> <span class="k">proxy_send_timeout</span> <span class="s">3s</span><span class="p">;</span> <span class="k">proxy_next_upstream</span> <span class="s">error</span> <span class="s">timeout</span> <span class="s">http_500</span> <span class="s">http_502</span> <span class="s">http_503</span> <span class="s">http_504</span><span class="p">;</span> <span class="k">proxy_next_upstream_tries</span> <span class="mi">2</span><span class="p">;</span> <span class="k">proxy_next_upstream_timeout</span> <span class="s">8s</span><span class="p">;</span> </code></pre> </div> <p>These values ensure:</p> <ul> <li>Failures are detected quickly</li> <li>Retries happen automatically</li> <li>Total request time remains under 10 seconds</li> <li>Clients never see partial or failed responses</li> </ul> <p><strong>Primary / Backup Upstreams</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">upstream</span> <span class="s">blue</span> <span class="p">{</span> <span class="kn">server</span> <span class="s">app_blue:</span>$<span class="p">{</span><span class="kn">PORT</span><span class="err">}</span> <span class="s">max_fails=1</span> <span class="s">fail_timeout=5s</span><span class="p">;</span> <span class="kn">server</span> <span class="s">app_green:</span>$<span class="p">{</span><span class="kn">PORT</span><span class="err">}</span> <span class="s">backup</span><span class="p">;</span> <span class="p">}</span> <span class="kn">upstream</span> <span class="s">green</span> <span class="p">{</span> <span class="kn">server</span> <span class="s">app_green:</span>$<span class="p">{</span><span class="kn">PORT</span><span class="err">}</span> <span class="s">max_fails=1</span> <span class="s">fail_timeout=5s</span><span class="p">;</span> <span class="kn">server</span> <span class="s">app_blue:</span>$<span class="p">{</span><span class="kn">PORT</span><span class="err">}</span> <span class="s">backup</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why this works:</strong></p> <ul> <li>max_fails=1 marks the primary unhealthy after a single failure</li> <li>fail_timeout=5s enables fast recovery</li> <li>backup ensures Green is only used when Blue fails</li> <li>The same config supports both active pools</li> </ul> <p><strong>Deep Dive: Request Flow During Failure</strong><br> This is the most important part of the system.</p> <p><strong>Normal Operation</strong></p> <ol> <li>Client sends: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>GET http://localhost:8080/version </code></pre> </div> <ol> <li>Nginx forwards to Blue</li> <li>Blue responds with 200</li> <li>Headers returned: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>X-App-Pool: blue X-Release-Id: &lt;RELEASE_ID_BLUE&gt; </code></pre> </div> <p><strong>Failure Scenario (Blue Down)</strong></p> <p>Chaos is induced directly on Blue:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>POST http://localhost:8081/chaos/start?mode<span class="o">=</span>error </code></pre> </div> <p>Now let’s trace a single client request.</p> <p>Step 1: Request Hits Nginx</p> <p>The client is unaware of Blue or Green.</p> <p>Step 2: Nginx Proxies to Blue</p> <p>Blue is the primary upstream.</p> <p>Step 3: Blue Fails</p> <p>Blue returns a 5xx or times out.</p> <p>Step 4: Nginx Intercepts the Failure</p> <p>Because of:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>proxy_next_upstream error <span class="nb">timeout </span>http_5xx<span class="p">;</span> </code></pre> </div> <p>Nginx does not forward the failure to the client.</p> <p>Step 5: Immediate Retry to Green</p> <p>Within the same client request, Nginx retries the request to Green.</p> <p>Step 6: Green Responds Successfully</p> <p>Green returns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTTP 200 X-App-Pool: green X-Release-Id: &lt;RELEASE_ID_GREEN&gt; </code></pre> </div> <p>Result:<br> The client sees HTTP 200, even though Blue failed.</p> <p><strong>Why Proxy Buffering Matters</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>proxy_buffering on<span class="p">;</span> </code></pre> </div> <p>This ensures Nginx does not stream partial responses.<br> If Blue fails mid-request, Nginx can safely retry Green without exposing errors to clients.</p> <p><strong>Header Preservation</strong><br> Each application response includes:</p> <ul> <li>X-App-Pool</li> <li>X-Release-Id Nginx forwards these headers unchanged: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>proxy_pass_header X-App-Pool<span class="p">;</span> proxy_pass_header X-Release-Id<span class="p">;</span> </code></pre> </div> <p>This allows:</p> <p>CI validation</p> <p>Runtime verification</p> <p>Clear observability of which pool served the request</p> <p><strong>Manual Blue/Green Switching</strong></p> <p>Traffic switching is handled by configuration templating.</p> <p><strong>Entrypoint Script</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>envsubst <span class="s1">'$ACTIVE_POOL $PORT $RELEASE_ID_BLUE $RELEASE_ID_GREEN'</span> <span class="se">\</span> &lt; default.conf.template <span class="o">&gt;</span> default.conf </code></pre> </div> <p>This allows:</p> <ul> <li>Changing ACTIVE_POOL=green</li> <li>Regenerating the Nginx config</li> <li>Reloading Nginx without downtime No containers are restarted.</li> </ul> <p><strong>Stability Under Sustained Failure</strong><br> During a ~10 second request loop:</p> <ul> <li>Zero non-200 responses</li> <li>≥95% responses from Green</li> <li>Blue remains isolated until healthy</li> </ul> <p>This satisfies all grader stability requirements.</p> <p><strong>Key Takeaways</strong></p> <p>This project demonstrates:</p> <ul> <li>Blue/Green deployment without Kubernetes</li> <li>Auto-failover within a single HTTP request</li> <li>Resilience implemented at the proxy layer</li> <li>Environment-driven infrastructure design</li> <li>Production-grade reliability using simple tools</li> </ul> <p><strong>Conclusion</strong></p> <p>High availability is not about avoiding failure—it’s about handling failure correctly.</p> <p>By combining Nginx upstreams, Docker Compose, and strict timeout and retry controls, we achieve:</p> <ul> <li>Zero downtime</li> <li>Safe rollbacks</li> <li>Transparent failover</li> <li>CI-ready verification</li> </ul> <p>This approach mirrors real production systems and is an excellent foundation for any DevOps engineer.</p> <p>If you’re learning DevOps, mastering patterns like this matters far more than chasing tools. Reliability is a design choice.<br> <a href="https://github.com/KellsCodes/Blue-Green-with-Nginx-Upstreams" rel="noopener noreferrer">Explore the code here</a></p> webdev programming devops Automating Dockerized App Deployment with a Bash Script Ifeanyi Nworji Sat, 13 Dec 2025 06:06:16 +0000 https://dev.to/ifeanyi_nworji/automating-dockerized-app-deployment-with-a-bash-script-41im https://dev.to/ifeanyi_nworji/automating-dockerized-app-deployment-with-a-bash-script-41im <p>DevOps is all about automation, reliability, and efficiency. In Stage 1 of my DevOps internship, I built a robust Bash script to automate the deployment of a Dockerized application to a remote Linux server.</p> <p>Whether you’re a developer, system administrator, or DevOps enthusiast, this guide will walk you step by step through creating a production-ready deployment script that handles everything from cloning a repository to configuring Nginx as a reverse proxy.</p> <h2> Why Automate Deployment? </h2> <p>Manual deployment is error-prone, inconsistent, and time-consuming. Automation provides:</p> <ul> <li>Consistency: Ensures deployments are identical every time.</li> <li>Speed: Reduces human intervention and saves time.</li> <li>Reliability: Detects errors early and logs them for troubleshooting.</li> </ul> <p>By the end of this guide, you’ll have a single Bash script (deploy.sh) capable of fully deploying your Dockerized app to a remote server.</p> <p><strong>Step 1: Collect Parameters from User Input</strong><br> The first step is interactively collecting essential details:</p> <ul> <li>Git repository URL</li> <li>Personal Access Token (PAT)</li> <li>Branch name (defaults to main)</li> <li>SSH credentials (username, server IP, key path)</li> <li>Application port</li> </ul> <p>We also validate the inputs to prevent script failure later. Example snippet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Git Repository URL</span> <span class="k">while</span> <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">GIT_REPO_URL</span><span class="k">:-}</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">do </span><span class="nb">read</span> <span class="nt">-rp</span> <span class="s2">"Enter the git repository URL: "</span> GIT_REPO_URL <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$GIT_REPO_URL</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">&amp;&amp;</span> log_error <span class="s2">"Repository URL cannot be empty."</span> <span class="k">done</span> <span class="c"># Personal Access Token (PAT) - hidden input</span> <span class="k">while</span> <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">GIT_PAT</span><span class="k">:-}</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">do </span><span class="nb">read</span> <span class="nt">-rsp</span> <span class="s2">"Enter your Git Personal Access Token (PAT): "</span> GIT_PAT <span class="nb">echo</span> <span class="s2">""</span> <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$GIT_PAT</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">&amp;&amp;</span> log_error <span class="s2">"Personal Access Token cannot be empty."</span> <span class="k">done</span> <span class="c"># Branch name (default = main)</span> <span class="nb">read</span> <span class="nt">-rp</span> <span class="s2">"Enter branch name [default: main]: "</span> GIT_BRANCH <span class="nv">GIT_BRANCH</span><span class="o">=</span><span class="k">${</span><span class="nv">GIT_BRANCH</span><span class="k">:-</span><span class="nv">main</span><span class="k">}</span> <span class="c">#SSH username</span> <span class="k">while</span> <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">SSH_USER</span><span class="k">:-}</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">do </span><span class="nb">read</span> <span class="nt">-rp</span> <span class="s2">"Enter remote server SSH username: "</span> SSH_USER <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$SSH_USER</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">&amp;&amp;</span> log_error <span class="s2">"SSH username cannot be empty."</span> <span class="k">done</span> <span class="c">#Server IP address</span> <span class="k">while</span> <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">SERVER_IP</span><span class="k">:-}</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">do </span><span class="nb">read</span> <span class="nt">-rp</span> <span class="s2">"Enter remote server IP address: "</span> SERVER_IP <span class="k">if</span> <span class="o">[[</span> <span class="o">!</span> <span class="s2">"</span><span class="nv">$SERVER_IP</span><span class="s2">"</span> <span class="o">=</span>~ ^<span class="o">([</span>0-9]<span class="o">{</span>1,3<span class="o">}</span><span class="se">\.</span><span class="o">){</span>3<span class="o">}[</span>0-9]<span class="o">{</span>1,3<span class="o">}</span><span class="nv">$ </span><span class="o">]]</span><span class="p">;</span> <span class="k">then </span>log_error <span class="s2">"Invalid IP format. Please enter a valid IPV4 address."</span> <span class="nv">SERVER_IP</span><span class="o">=</span><span class="s2">""</span> <span class="k">fi done</span> <span class="c"># SSH key path</span> <span class="k">while</span> <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">SSH_KEY_PATH</span><span class="k">:-}</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">do </span><span class="nb">read</span> <span class="nt">-rp</span> <span class="s2">"Enter path to SSH private key: "</span> SSH_KEY_PATH <span class="k">if</span> <span class="o">[[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$SSH_KEY_PATH</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span>log_error <span class="s2">"SSH key file not found at </span><span class="nv">$SSH_KEY_PATH</span><span class="s2">"</span> <span class="nv">SSH_KEY_PATH</span><span class="o">=</span><span class="s2">""</span> <span class="k">fi done</span> <span class="c"># Application port (internal container port)</span> <span class="k">while</span> <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">APP_PORT</span><span class="k">:-}</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">do </span><span class="nb">read</span> <span class="nt">-rp</span> <span class="s2">"Enter internal application (container) port (e.g., 8080): "</span> APP_PORT <span class="k">if</span> <span class="o">!</span> <span class="o">[[</span> <span class="s2">"</span><span class="nv">$APP_PORT</span><span class="s2">"</span> <span class="o">=</span>~ ^[0-9]+<span class="nv">$ </span><span class="o">]]</span><span class="p">;</span> <span class="k">then </span>log_error <span class="s2">"Invalid port. Please enter a numeric value."</span> <span class="nv">APP_PORT</span><span class="o">=</span><span class="s2">""</span> <span class="k">fi done</span> </code></pre> </div> <p><strong>Tip:</strong> Always validate user input using conditionals to ensure URLs are valid and files exist.</p> <p><strong>Step 2: Clone or Pull the Repository</strong><br> Next, we authenticate using the PAT and clone the repo, or pull the latest changes if it already exists:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">REPO_NAME</span><span class="o">=</span><span class="si">$(</span><span class="nb">basename</span> <span class="nt">-s</span> .git <span class="s2">"</span><span class="nv">$GIT_REPO_URL</span><span class="s2">"</span><span class="si">)</span> <span class="nv">WORK_DIR</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/deployment/</span><span class="nv">$REPO_NAME</span><span class="s2">"</span> <span class="c"># Create deployment directory if not exists</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">dirname</span> <span class="s2">"</span><span class="nv">$WORK_DIR</span><span class="s2">"</span><span class="si">)</span><span class="s2">"</span> <span class="c"># Authenticated URL (PAT safely embedded)</span> <span class="nv">GIT_USERNAME</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$GIT_REPO_URL</span><span class="s2">"</span> | <span class="nb">awk</span> <span class="nt">-F</span><span class="o">[</span>/:] <span class="s1">'{print $(NF-1)}'</span><span class="si">)</span> <span class="nv">AUTH_REPO_URL</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$GIT_REPO_URL</span><span class="s2">"</span> | <span class="nb">sed</span> <span class="s2">"s#https://#https://</span><span class="nv">$GIT_USERNAME</span><span class="s2">:</span><span class="nv">$GIT_PAT</span><span class="s2">@#"</span><span class="si">)</span> <span class="k">if</span> <span class="o">[[</span> <span class="nt">-d</span> <span class="s2">"</span><span class="nv">$WORK_DIR</span><span class="s2">/.git"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span>log_info <span class="s2">" Repository already exists. Pulling latest changes..."</span> <span class="nb">cd</span> <span class="s2">"</span><span class="nv">$WORK_DIR</span><span class="s2">"</span> git reset <span class="nt">--hard</span> git clean <span class="nt">-fd</span> git fetch origin <span class="s2">"</span><span class="nv">$GIT_BRANCH</span><span class="s2">"</span> git checkout <span class="s2">"</span><span class="nv">$GIT_BRANCH</span><span class="s2">"</span> git pull origin <span class="s2">"</span><span class="nv">$GIT_BRANCH</span><span class="s2">"</span> <span class="o">||</span> <span class="o">{</span> log_error <span class="s2">" Failed to pull latest changes from </span><span class="nv">$GIT_BRANCH</span><span class="s2">"</span> <span class="nb">exit</span> <span class="nv">$EXIT_UNKNOWN</span> <span class="o">}</span> <span class="k">else </span>log_info <span class="s2">" Cloning repository into </span><span class="nv">$WORK_DIR</span><span class="s2">..."</span> git clone <span class="nt">--branch</span> <span class="s2">"</span><span class="nv">$GIT_BRANCH</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$AUTH_REPO_URL</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$WORK_DIR</span><span class="s2">"</span> <span class="o">||</span> <span class="o">{</span> log_error <span class="s2">" Failed to clone repository. Please check your URL or PAT"</span> <span class="nb">exit</span> <span class="nv">$EXIT_UNKNOWN</span> <span class="o">}</span> <span class="nb">cd</span> <span class="s2">"</span><span class="nv">$WORK_DIR</span><span class="s2">"</span> <span class="k">fi </span>log_success <span class="s2">" Repository is ready at: </span><span class="nv">$WORK_DIR</span><span class="s2">"</span> </code></pre> </div> <p>This step ensures your local project folder is always up-to-date with the remote repo.</p> <p><strong>Step 3: Navigate into the Project Directory</strong><br> After cloning, we enter the project folder and validate the Docker setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check for Docker configuration files</span> <span class="k">if</span> <span class="o">[[</span> <span class="nt">-f</span> <span class="s2">"Dockerfile"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span>log_success <span class="s2">" Found Dockerfile - ready for Docker build."</span> <span class="k">elif</span> <span class="o">[[</span> <span class="nt">-f</span> <span class="s2">"compose.yaml"</span> <span class="o">||</span> <span class="nt">-f</span> <span class="s2">"compose.yml"</span> <span class="o">||</span> <span class="nt">-f</span> <span class="s2">"docker-compose.yaml"</span> <span class="o">||</span> <span class="nt">-f</span> <span class="s2">"docker-compose.yml"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span>log_success <span class="s2">" Found docker-compose.yml - ready for multi-service deployment"</span> <span class="k">else </span>log_error <span class="s2">" No Dockerfile or docker-compose.yml found. Cannot continue deployment."</span> <span class="nb">exit</span> <span class="nv">$EXIT_UNKNOWN</span> <span class="k">fi</span> </code></pre> </div> <p><strong>Step 4: SSH into the Remote Server</strong><br> Using SSH, we perform connectivity checks and prepare to execute remote commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Validate SSH key exists</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$SSH_KEY_PATH</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>log_error <span class="s2">"SSH key not found at: </span><span class="nv">$SSH_KEY_PATH</span><span class="s2">"</span> <span class="nb">exit</span> <span class="nv">$EXIT_SSH_FAIL</span> <span class="k">fi</span> <span class="c"># Test SSH connection (non-interactive)</span> ssh <span class="nt">-i</span> <span class="s2">"</span><span class="nv">$SSH_KEY_PATH</span><span class="s2">"</span> <span class="nt">-o</span> <span class="nv">StrictHostKeyChecking</span><span class="o">=</span>no <span class="nt">-o</span> <span class="nv">BatchMode</span><span class="o">=</span><span class="nb">yes</span> <span class="s2">"</span><span class="nv">$SSH_USER</span><span class="s2">@</span><span class="nv">$SERVER_IP</span><span class="s2">"</span> <span class="s2">"echo 'SSH connection successful!'"</span> <span class="o">&gt;</span>/dev/null 2&gt;&amp;1 <span class="k">if</span> <span class="o">[</span> <span class="nv">$?</span> <span class="nt">-ne</span> 0 <span class="o">]</span><span class="p">;</span> <span class="k">then </span>log_error <span class="s2">"Unable to connect to remote server via SSH. Please verify credentials, key permissions, and IP address."</span> <span class="nb">exit</span> <span class="nv">$EXIT_SSH_FAIL</span> <span class="k">else </span>log_success <span class="s2">"SSH connection verified successfully."</span> <span class="k">fi</span> </code></pre> </div> <p><strong>Step 5: Prepare the Remote Environment</strong><br> On the remote server, we need to ensure all dependencies exist:</p> <ol> <li>Update packages</li> <li>Install Docker, Docker Compose, and Nginx</li> <li>Add user to Docker group</li> <li>Enable and start services </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh <span class="nt">-i</span> <span class="s2">"</span><span class="nv">$SSH_KEY_PATH</span><span class="s2">"</span> <span class="nt">-o</span> <span class="nv">StrictHostKeyChecking</span><span class="o">=</span>no <span class="s2">"</span><span class="nv">$SSH_USER</span><span class="s2">@</span><span class="nv">$SERVER_IP</span><span class="s2">"</span> bash <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> set -e echo "Updating system packages..." sudo apt-get update -y &amp;&amp; sudo apt-get upgrade -y echo "Installing required packages (curl, ca-certificates, gnupg, lsb-release)..." sudo apt-get install -y ca-certificates curl gnupg lsb-release # --- Install Docker if not installed --- if ! command -v docker &amp;&gt;/dev/null; then echo "Docker not found. Installing Docker..." curl -fsSL https://get.docker.com | sudo bash else echo "Docker already installed." fi # --- Install Docker Compose if not installed --- if ! command -v docker-compose &amp;&gt;/dev/null; then echo "Installing Docker Compose..." sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-</span><span class="se">\$</span><span class="sh">(uname -s)-</span><span class="se">\$</span><span class="sh">(uname -m)" -o /usr/local/bin/docker-compose sudo chmod +x /usr/local/bin/docker-compose else echo "Docker Compose already installed." fi # --- Install nginx if not installed --- if ! command -v nginx &amp;&gt;/dev/null; then echo "Installing nginx..." sudo apt-get install -y nginx else echo "nginx already installed." fi # --- Add SSH user to docker group --- if ! groups </span><span class="nv">$SSH_USER</span><span class="sh"> | grep -q docker; then echo "Adding user '</span><span class="nv">$SSH_USER</span><span class="sh">' to docker group..." sudo usermod -aG docker </span><span class="nv">$SSH_USER</span><span class="sh"> echo "You may need to log out and back in for this to take effect." else echo "User '</span><span class="nv">$SSH_USER</span><span class="sh">' already in docker group." fi # --- Enable and start services --- sudo systemctl enable docker sudo systemctl start docker sudo systemctl enable nginx sudo systemctl start nginx # --- Confirm installation versions --- echo "Confirming versions..." docker --version docker-compose --version nginx -v echo "Remote environment setup complete." </span><span class="no">EOF </span></code></pre> </div> <p><strong>Best practice:</strong> Always confirm installation versions and service status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nt">--version</span> docker-compose <span class="nt">--version</span> nginx <span class="nt">-v</span> </code></pre> </div> <p><strong>Step 6: Deploy the Dockerized Application</strong><br> We transfer project files to the server and build/run Docker containers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>rsync <span class="nt">-avz</span> <span class="nt">-e</span> <span class="s2">"ssh -i </span><span class="nv">$SSH_KEY_PATH</span><span class="s2"> -o StrictHostKeyChecking=no"</span> <span class="se">\</span> <span class="nt">--exclude</span> <span class="s1">'.git'</span> <span class="nt">--exclude</span> <span class="s1">'node_modules'</span> <span class="nt">--exclude</span> <span class="s1">'.env'</span> <span class="se">\</span> <span class="s2">"</span><span class="nv">$CLONE_DIR</span><span class="s2">/"</span> <span class="s2">"</span><span class="nv">$SSH_USER</span><span class="s2">@</span><span class="nv">$SERVER_IP</span><span class="s2">:</span><span class="nv">$REMOTE_APP_DIR</span><span class="s2">"</span> <span class="o">&gt;</span>/dev/null 2&gt;&amp;1 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh <span class="nt">-i</span> <span class="s2">"</span><span class="nv">$SSH_KEY_PATH</span><span class="s2">"</span> <span class="nt">-o</span> <span class="nv">StrictHostKeyChecking</span><span class="o">=</span>no <span class="s2">"</span><span class="nv">$SSH_USER</span><span class="s2">@</span><span class="nv">$SERVER_IP</span><span class="s2">"</span> bash <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> set -e cd </span><span class="nv">$REMOTE_APP_DIR</span><span class="sh"> # --- Detect Docker configuration --- if [[ -f "docker-compose.yml" ]]; then echo "docker-compose.yml found. Starting with Docker Compose..." sudo docker-compose pull sudo docker-compose build sudo docker-compose up -d elif [[ -f "Dockerfile" ]]; then echo "Dockerfile found. Building and running manually..." APP_NAME=</span><span class="se">\$</span><span class="sh">(basename </span><span class="se">\$</span><span class="sh">(pwd)) sudo docker build -t </span><span class="se">\$</span><span class="sh">APP_NAME . sudo docker run -d -p </span><span class="nv">$APP_PORT</span><span class="sh">:</span><span class="nv">$APP_PORT</span><span class="sh"> --name </span><span class="se">\$</span><span class="sh">APP_NAME </span><span class="se">\$</span><span class="sh">APP_NAME else echo "No Dockerfile or docker-compose.yml found in project directory." exit 1 fi # --- Step 3: Validate container health --- echo "Checking running containers..." sudo docker ps # --- Step 4: Verify app is accessible on the specified port --- echo "Validating application accessibility on port </span><span class="nv">$APP_PORT</span><span class="sh">..." sleep 5 if curl -s "http://localhost:</span><span class="nv">$APP_PORT</span><span class="sh">" &gt;/dev/null; then echo "Application is running and accessible on port </span><span class="nv">$APP_PORT</span><span class="sh">!" else echo "Application did not respond on port </span><span class="nv">$APP_PORT</span><span class="sh">. Check container logs." sudo docker logs </span><span class="se">\$</span><span class="sh">(sudo docker ps -q --latest) fi </span><span class="no">EOF </span></code></pre> </div> <p>This ensures the container is up, healthy, and accessible on the specified port.</p> <p><strong>Step 7: Configure Nginx as a Reverse Proxy</strong><br> Nginx forwards traffic from port 80 to your Docker container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">DOMAIN_NAME</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">DOMAIN_NAME</span><span class="k">:-</span><span class="nv">example</span><span class="p">.com</span><span class="k">}</span><span class="s2">"</span> <span class="c"># Create a temporary nginx config locally with correct escaping for nginx $-vars</span> <span class="nv">TMP_NGINX_CONF</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">mktemp</span> /tmp/app_proxy.XXXXXX.conf<span class="si">)</span><span class="s2">"</span> <span class="nb">cat</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="nv">$TMP_NGINX_CONF</span><span class="s2">"</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> server { listen 80; server_name </span><span class="k">${</span><span class="nv">DOMAIN_NAME</span><span class="k">}</span><span class="sh">; location / { proxy_pass http://127.0.0.1:</span><span class="k">${</span><span class="nv">APP_PORT</span><span class="k">}</span><span class="sh">; proxy_http_version 1.1; proxy_set_header Upgrade </span><span class="se">\$</span><span class="sh">http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host </span><span class="se">\$</span><span class="sh">host; proxy_set_header X-Real-IP </span><span class="se">\$</span><span class="sh">remote_addr; proxy_set_header X-Forwarded-For </span><span class="se">\$</span><span class="sh">proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto </span><span class="se">\$</span><span class="sh">scheme; proxy_cache_bypass </span><span class="se">\$</span><span class="sh">http_upgrade; } access_log /var/log/nginx/app_access.log; error_log /var/log/nginx/app_error.log; } # SSL placeholder (Certbot or self-signed) # server { # listen 443 ssl; # server_name </span><span class="k">${</span><span class="nv">DOMAIN_NAME</span><span class="k">}</span><span class="sh">; # ssl_certificate /etc/ssl/certs/app.crt; # ssl_certificate_key /etc/ssl/private/app.key; # location / { # proxy_pass http://127.0.0.1:</span><span class="k">${</span><span class="nv">APP_PORT</span><span class="k">}</span><span class="sh">; # proxy_set_header Host </span><span class="se">\$</span><span class="sh">host; # } # } </span><span class="no">EOF </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">NGINX_CONFIG_PATH</span><span class="o">=</span><span class="s2">"/etc/nginx/sites-available/app_proxy"</span> <span class="nv">NGINX_ENABLED_PATH</span><span class="o">=</span><span class="s2">"/etc/nginx/sites-enabled/app_proxy"</span> <span class="c"># Copy config to remote /tmp then move with sudo to proper location to avoid permission issues</span> scp <span class="nt">-i</span> <span class="s2">"</span><span class="nv">$SSH_KEY_PATH</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$TMP_NGINX_CONF</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$SSH_USER</span><span class="s2">@</span><span class="nv">$SERVER_IP</span><span class="s2">:/tmp/app_proxy.conf"</span> <span class="o">&gt;</span>/dev/null 2&gt;&amp;1 <span class="o">||</span> <span class="o">{</span> log_error <span class="s2">"Failed to upload nginx config to remote host."</span> <span class="nb">rm</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$TMP_NGINX_CONF</span><span class="s2">"</span> <span class="nb">exit</span> <span class="nv">$EXIT_NGINX_FAIL</span> <span class="o">}</span> <span class="nb">rm</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$TMP_NGINX_CONF</span><span class="s2">"</span> <span class="c"># Apply config remotely: install nginx if missing, remove default, move config, enable, test, reload</span> ssh <span class="nt">-i</span> <span class="s2">"</span><span class="nv">$SSH_KEY_PATH</span><span class="s2">"</span> <span class="nt">-o</span> <span class="nv">StrictHostKeyChecking</span><span class="o">=</span>no <span class="s2">"</span><span class="nv">$SSH_USER</span><span class="s2">@</span><span class="nv">$SERVER_IP</span><span class="s2">"</span> bash <span class="nt">-s</span> <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">REMOTE_EOF</span><span class="sh">' set -e NGINX_CONFIG_PATH="/etc/nginx/sites-available/app_proxy" NGINX_ENABLED_PATH="/etc/nginx/sites-enabled/app_proxy" # Install nginx if missing if ! command -v nginx &amp;&gt;/dev/null; then echo "Installing nginx..." sudo apt-get update -y sudo apt-get install -y nginx fi # Remove default site if present if [ -f /etc/nginx/sites-enabled/default ]; then echo "Removing default nginx site..." sudo rm -f /etc/nginx/sites-enabled/default fi # Move uploaded config into place sudo mv /tmp/app_proxy.conf "</span><span class="nv">$NGINX_CONFIG_PATH</span><span class="sh">" sudo chown root:root "</span><span class="nv">$NGINX_CONFIG_PATH</span><span class="sh">" sudo chmod 644 "</span><span class="nv">$NGINX_CONFIG_PATH</span><span class="sh">" # Enable site (idempotent) sudo ln -sf "</span><span class="nv">$NGINX_CONFIG_PATH</span><span class="sh">" "</span><span class="nv">$NGINX_ENABLED_PATH</span><span class="sh">" # Test and reload if sudo nginx -t; then echo "nginx config OK - reloading" sudo systemctl reload nginx else echo "nginx config test FAILED" sudo nginx -t || true exit 1 fi echo "Nginx reverse proxy configured" </span><span class="no">REMOTE_EOF </span></code></pre> </div> <p><strong>Step 8: Validate Deployment</strong><br> Check that everything is running and accessible:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh <span class="nt">-i</span> <span class="nv">$SSH_KEY</span> <span class="nv">$REMOTE_USER</span>@<span class="nv">$REMOTE_IP</span> <span class="s2">"docker ps"</span> curl http://<span class="nv">$REMOTE_IP</span> </code></pre> </div> <p>All services should respond correctly.</p> <p><strong>Step 9: Logging and Error Handling</strong><br> Logging is critical for troubleshooting. Our script:</p> <ul> <li>Saves logs to deploy_YYYYMMDD.log</li> <li>Uses trap to catch errors</li> <li>Exits with meaningful codes </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">LOG_FILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$LOG_DIR</span><span class="s2">/deploy_</span><span class="si">$(</span><span class="nb">date</span> +<span class="s1">'%Y%m%d_%H%M%S'</span><span class="si">)</span><span class="s2">.log"</span> <span class="c"># --- Logging functions ---</span> log_info<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"</span><span class="se">\0</span><span class="s2">33[1;34m[INFO]</span><span class="se">\0</span><span class="s2">33[0m </span><span class="nv">$1</span><span class="s2">"</span> | <span class="nb">tee</span> <span class="nt">-a</span> <span class="s2">"</span><span class="nv">$LOG_FILE</span><span class="s2">"</span><span class="p">;</span> <span class="o">}</span> log_success<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"</span><span class="se">\0</span><span class="s2">33[1;32m[SUCCESS]</span><span class="se">\0</span><span class="s2">33[0m </span><span class="nv">$1</span><span class="s2">"</span> | <span class="nb">tee</span> <span class="nt">-a</span> <span class="s2">"</span><span class="nv">$LOG_FILE</span><span class="s2">"</span><span class="p">;</span> <span class="o">}</span> log_warn<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"</span><span class="se">\0</span><span class="s2">33[1;33m[WARN]</span><span class="se">\0</span><span class="s2">33[0m </span><span class="nv">$1</span><span class="s2">"</span> | <span class="nb">tee</span> <span class="nt">-a</span> <span class="s2">"</span><span class="nv">$LOG_FILE</span><span class="s2">"</span><span class="p">;</span> <span class="o">}</span> log_error<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"</span><span class="se">\0</span><span class="s2">33[1;31m[ERROR]</span><span class="se">\0</span><span class="s2">33[0m </span><span class="nv">$1</span><span class="s2">"</span> | <span class="nb">tee</span> <span class="nt">-a</span> <span class="s2">"</span><span class="nv">$LOG_FILE</span><span class="s2">"</span><span class="p">;</span> <span class="o">}</span> <span class="c"># --- Error trapping ---</span> <span class="nb">trap</span> <span class="s1">'handle_error $? $LINENO'</span> ERR handle_error<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">exit_code</span><span class="o">=</span><span class="nv">$1</span> <span class="nb">local </span><span class="nv">line_no</span><span class="o">=</span><span class="nv">$2</span> log_error <span class="s2">" Script failed at line </span><span class="nv">$line_no</span><span class="s2"> (exit code: </span><span class="nv">$exit_code</span><span class="s2">)"</span> log_error <span class="s2">" Deployment aborted. Check </span><span class="nv">$LOG_FILE</span><span class="s2"> for details."</span> <span class="nb">exit</span> <span class="s2">"</span><span class="nv">$exit_code</span><span class="s2">"</span> <span class="o">}</span> </code></pre> </div> <p><strong>Step 10: Idempotency and Cleanup</strong><br> The script is safe to rerun. Previous containers are stopped/removed before redeployment. Optional --cleanup removes all deployed resources.</p> <p><strong>Conclusion</strong></p> <p>By building this Automated Deployment Bash Script, I’ve learned how to:</p> <ul> <li>Interact with users in Bash scripts</li> <li>Automate Docker deployment</li> <li>Configure remote servers and Nginx</li> <li>Implement robust logging, error handling, and idempotency</li> </ul> <p>This project mirrors real-world DevOps workflows and is a great starting point for anyone looking to build production-grade deployment scripts.<br> <a href="https://github.com/KellsCodes/automated-deploy" rel="noopener noreferrer">Complete repo link</a></p> bash devops tutorial docker Building and Testing a Mini VPC with Python and Linux Namespaces Ifeanyi Nworji Wed, 12 Nov 2025 14:25:50 +0000 https://dev.to/ifeanyi_nworji/building-and-testing-a-mini-vpc-with-python-and-linux-namespaces-5cg9 https://dev.to/ifeanyi_nworji/building-and-testing-a-mini-vpc-with-python-and-linux-namespaces-5cg9 <p><strong>Overview</strong><br> In this project, I built a Mini Virtual Private Cloud (VPC) system on Linux using nothing but Python and native networking tools.<br> It mimics real AWS networking — with public/private subnets, NAT, VPC peering, and firewall policies — but all runs locally.</p> <p>This setup is perfect for DevOps learners and cloud enthusiasts who want to see how networks actually work behind the scenes.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1z62xaiq1waizc8uvhui.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1z62xaiq1waizc8uvhui.png" alt=" " width="701" height="621"></a><br> fig.1 VPC network diagram</p> <ul> <li><p>Bridge (br0) → acts like your VPC switch</p></li> <li><p>Namespaces → represent isolated networks</p></li> <li><p>veth pairs → connect subnets to bridge</p></li> <li><p>iptables NAT → allows outbound access only from the public subnet</p></li> </ul> <p><strong>Step 1: Setup</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>make setup </code></pre> </div> <p><strong>Step 2: Create the VPC</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>python3 vpcctl.py create-vpc vpc1 10.10.0.0/16 <span class="nt">--public-interface</span> wlp2s0 </code></pre> </div> <p>This creates a virtual private cloud (VPC) simulation with the name vpc1 and a designated IP address range, linked to your actual public network interface.<br> 10.10.0.0/16: This is the IP address range (specifically, a CIDR block) that the VPC will use for its internal network. The /16 denotes the specific size of the network, allowing for over 65,000 internal IP addresses within the VPC.</p> <p>--public-interface wlp2s0: This flag tells the script to connect the simulated VPC to your actual physical network interface named wlp2s0(your system can have a different interface, run this command to see yours: ip addr show or ifconfig). This allows the resources inside your simulated VPC to communicate with the outside world (e.g., the internet) via your computer's real connection.</p> <p><strong>Step 3: Add Subnets</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>python3 vpcctl.py add-subnet vpc1 public <span class="nt">--type</span> public <span class="nt">--base-cidr</span> 10.10.0.0/16 <span class="nb">sudo </span>python3 vpcctl.py add-subnet vpc1 private <span class="nt">--type</span> private <span class="nt">--base-cidr</span> 10.10.0.0/16 </code></pre> </div> <p>Creates:</p> <ul> <li><p>vpc1-public → 10.10.1.0/24 (Internet access)</p></li> <li><p>vpc1-private → 10.10.2.0/24 (Internal only)</p></li> </ul> <p><strong>Step 4: Deploy Demo Applications</strong><br> Run a web app in the public subnet<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>ip netns <span class="nb">exec </span>vpc1-public python3 <span class="nt">-m</span> http.server 80 </code></pre> </div> <p>From your host:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl 10.10.1.2:80 </code></pre> </div> <p>You should see the directory listing</p> <p>Run a web app in the private subnet<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>ip netns <span class="nb">exec </span>vpc1-private python3 <span class="nt">-m</span> http.server 80 </code></pre> </div> <p>From host:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl 10.10.2.2:80 </code></pre> </div> <p>You’ll get no response — because private subnets aren’t exposed externally.</p> <p><strong>Step 5: Validate Connectivity</strong><br> Communication within the same VPC<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>ip netns <span class="nb">exec </span>vpc1-private ping <span class="nt">-c</span> 3 10.10.1.2 </code></pre> </div> <p>Works (internal VPC communication).</p> <p><strong>Internet access from public subnet</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>ip netns <span class="nb">exec </span>vpc1-public ping <span class="nt">-c</span> 3 8.8.8.8 </code></pre> </div> <p>Works via NAT.</p> <p><strong>Internet access from private subnet</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>ip netns <span class="nb">exec </span>vpc1-private ping <span class="nt">-c</span> 2 8.8.8.8 </code></pre> </div> <p>Blocked — no default route to internet.</p> <p><strong>Step 6: Test Multiple VPCs and Peering</strong><br> Create two VPCs<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>python3 vpcctl.py create-vpc vpc2 10.20.0.0/16 <span class="nt">--public-interface</span> wlp2s0 <span class="nb">sudo </span>python3 vpcctl.py create-vpc vpc3 10.30.0.0/16 <span class="nt">--public-interface</span> wlp2s0 </code></pre> </div> <p>Add subnets to VPC2 and VPC3<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># PUBLIC SUBNET on vpc2</span> <span class="nb">sudo </span>python3 vpcctl.py add-subnet vpc2 public <span class="nt">--type</span> public <span class="nt">--base-cidr</span> 10.20.0.0/16 <span class="c"># PRIVATE SUBNET on vpc2</span> <span class="nb">sudo </span>python3 vpcctl.py add-subnet vpc2 private <span class="nt">--type</span> private <span class="nt">--base-cidr</span> 10.20.0.0/16 <span class="c"># PUBLIC SUBNET on vpc3</span> <span class="nb">sudo </span>python3 vpcctl.py add-subnet vpc3 public <span class="nt">--type</span> public <span class="nt">--base-cidr</span> 10.30.0.0/16 <span class="c"># PRIVATE SUBNET on vpc3</span> <span class="nb">sudo </span>python3 vpcctl.py add-subnet vpc3 private <span class="nt">--type</span> private <span class="nt">--base-cidr</span> 10.30.0.0/16 </code></pre> </div> <p>Check isolation<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>ip netns <span class="nb">exec </span>vpc1-public ping <span class="nt">-c</span> 2 10.20.1.2 </code></pre> </div> <p>Blocked — fully isolated by default.</p> <p>Peer them<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>python3 vpcctl.py peer-vpc vpc1 vpc2 </code></pre> </div> <p>Now ping again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>ip netns <span class="nb">exec </span>vpc1-public ping <span class="nt">-c</span> 2 10.20.1.2 </code></pre> </div> <p>Works (controlled communication after peering).</p> <p><strong>Step 7: Apply Security Policies (Firewall)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>python3 vpcctl.py apply-policies vpc2 <span class="nt">--policies</span> policies.json </code></pre> </div> <p>Policies.json:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span> <span class="o">{</span> <span class="s2">"subnet"</span>: <span class="s2">"10.20.2.0/24"</span>, <span class="s2">"ingress"</span>: <span class="o">[</span> <span class="o">{</span><span class="s2">"port"</span>: 80, <span class="s2">"protocol"</span>: <span class="s2">"tcp"</span>, <span class="s2">"action"</span>: <span class="s2">"allow"</span><span class="o">}</span>, <span class="o">{</span><span class="s2">"port"</span>: 22, <span class="s2">"protocol"</span>: <span class="s2">"tcp"</span>, <span class="s2">"action"</span>: <span class="s2">"deny"</span><span class="o">}</span>, <span class="o">{</span><span class="s2">"port"</span>: 443, <span class="s2">"protocol"</span>: <span class="s2">"tcp"</span>, <span class="s2">"action"</span>: <span class="s2">"allow"</span><span class="o">}</span> <span class="o">]</span> <span class="o">}</span> <span class="o">]</span> </code></pre> </div> <p>would automatically block SSH access while keeping web traffic open.</p> <p>Test policies:</p> <p>Start a simple HTTP server on port 80 in the target namespace (vpc2)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>ip netns <span class="nb">exec </span>vpc2-public python3 <span class="nt">-m</span> http.server 80 </code></pre> </div> <p>Test from the source namespace using nc:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>ip netns <span class="nb">exec </span>vpc2-private nc <span class="nt">-vz</span> 10.20.1.2 80 </code></pre> </div> <p><strong>Step 8: Cleanup</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>make cleanup </code></pre> </div> <p>Or<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>./cleanup.sh </code></pre> </div> <p>Removes:</p> <ul> <li><p>All namespaces</p></li> <li><p>The bridge</p></li> <li><p>NAT/firewall rules</p></li> </ul> <p>Ensures no residual configuration remains.</p> <p>To run this with just one command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>make all </code></pre> </div> <p>and clean up with<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>make cleanup </code></pre> </div> <p><a href="https://github.com/KellsCodes/vpcctl-python.git" rel="noopener noreferrer">Github link</a></p> networking devops python linux