DEV Community: Sulagna Nandi

Point to Site Configuration in Azure

Sulagna Nandi — Tue, 09 Aug 2022 05:19:08 +0000

As per the official documentation of Microsoft Azure "A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer." Clearly justifying it's name Point to Site basically connects your Point which is an individual computer or system to the Azure Site Virtual Network. And this connection is a secured connection not via the Internet.

Point to Site configuration is very easy in Azure portal. Here are all the steps required.

Prior to that , we have some pre configured setup as follows:

Virtual Network in Azure:
For the Point, I have created a Virtual Machine in the Azure and have not given it a public IP (it will not be connected via Internet)

Now, let's continue the steps:
1. Add a Gateway Subnet to the Virtual Network :
Go to the Virtual Network Resource >> Add Gateway Subnet >> Provide a proper CIDR >> Save it

2. Create Virtual Network Gateway :
Search for Virtual Network Gateway from all resources and Add it on the Virtual Network with the Gateway Subnet

3. Create the Root and Child Certificates :
Here we need to create two Certificates needed for configuration. For this we have to follow the commands from here.
These commands are to run in the Windows Powershell which will generate two Certificates. To view the certificates open the Certificate Manager in your system. It will look as follows:

4. Export the certificates :
Firstly, to Export the Certificates you need to right click and find All Tasks >> Export

Now, for the Root Certificate Export with no Password but Choose Base64 Encoded

Second, in the same way you need to Export the Child Certificate but for Child you need to provide a Password since this will be shared with people.

Save both these certificates in your system.

5. Create a Point to Site connection in Virtual Network Gateway :

Create a Point to Site connection inside the Virtual Network Gateway >> Provide a Address pool >> Choose Tunnel Type according to need >> Choose Certificate for authentication >> Provide the Name of the root file >> Copy paste the contents of root certificate (open by notepad)

Save the Changes and after saving Download the VPN client. A zip file will be downloaded as shown below.

6. Extract the zip file and Install the client :
On extracting the file you will get files as shown:

Next, Double click on the Child certificate, provide the password and Install the certificate

Choose the file according to your system configuration and Install the VPN client. After successfully verifying with the child certificate, you will get options in your network and connectivity as such :

7. Final connection :
Let's see the magic here.
Try to connect your Virtual Server without connecting to the VPN client.
You will see you are unable to connect. This is obvious since you don't have a public IP and can't connect via private IP since you are not yet in the network of the Virtual Network in which your server lies.
Here is me trying to connect the server without connecting to the VPN.

Now, let's connect to the VPN. Once you have connected to the VPN , now if you SSH into the Virtual machine , you will be allowed since by connecting the VPN you have become a part of the Virtual Network.

That's all the steps for Point to Site connectivity.

Hosting a static website on Azure VM and mapping it with SSL configured domain name

Sulagna Nandi — Thu, 04 Aug 2022 05:27:00 +0000

Azure virtual servers can easily host static websites with minimal efforts. Here is a documentation where I have replicated a situation in which I have deployed a web server in the public subnet and hosted a static site and linked it's IP to a proper SSL configured domain name.

Here are the components needed:

Virtual Network - defining the public and private subnets
Virtual Machines - Web servers and Database servers(we don't need this to host the site)
Domain Name - Any free or paid Domain Name
Add DNS zones and Records
SSL configuration with Let'sEncrypt

In this documentation we assume you have a Virtual Network with public and private subnets. And, we have a web server and database server on public and private subnet respectively.
This is the VNET configuration:

This is the Virtual Machines configuration. Here I have used Ubuntu Virtual Machine.
Note:: Database server should have Private IP.(Although, it's not used here)

Now, SSH into the Virtual Machine.

Step 1- Install apache server.
Commands used :
Gain super user : sudo su then cd
Install apache : apt install apache2

Start and Enable apache :
systemctl start apache2 then systemctl enable apache2

Step 2- Add contents of the site.
Add the contents of the site from WinSCP. ( Download from here )
Download any static website files or any of your own.
Here I have used demo static site from Free CSS template
Connect and add the contents.
Follow the steps as given here

This is how the tab looks like:

Step 3- Add the files and folders to proper directory
Copy all the files and folders to the /var/www/html/ directory.
Use the command : cp -r /home/#your_user_name/* /var/www/html/

Now, on hitting the public IP you get the site.

Step 4- Now create a Domain Name
You can get a Domain Name from any Domain Registrar. Here I have got a free Domain Name from Freenom.com

Step 5- Now create DNS zone and update the NameServers
Search for the DNS zone service in Azure portal.
Next click on Add DNS zone.
Now, add your Domain Name and Create the DNS zone.
You will get some NameServers.
This is what it looks like.

Next, you need to copy these NameServers one by one and change the default NameServers of your Domain Name. For this go to Management Tools of your Domain Name.

After successfully changing the NameServers follow the next step.

Step 6- Now create DNS Records
Click on Add Record Set present on the top of the DNS zone.
Add a A record specifying the proper domain name and alias it to the public IP of the web server.

Now, if you hit the Domain Name you will get your site up and running.(This sometimes may take some time)

But, the main point to be noted here is the site says "Not Secure". No one wants their site to show up like this. A HTTP request site is not any client is will to have. Everyone prefers encryption and security and thus the demand of a HTTPS site.
The next step shows how you can get the HTTPS site.

Step 7- Get the SSL encryption by Let's Encrypt
A SSL certificate is what converts the HTTP site into a secured HTTPS one. There are various SSL certificate sites from where you can request one. Here I am using the Let's Encrypt site.

Since I am using a Ubuntu machine and as per the documentation here, I will be using CertBot for easily requesting a Certificate.
Choose your Software and System type for CertBot

Now follow the simple steps as per the CertBot.
You can refer in the picture below:

Now on hitting the Domain Name you find your Site as Secured.

Site to Site setup in Azure

Sulagna Nandi — Mon, 01 Aug 2022 04:58:42 +0000

Site to site is an amazing concept introduced in every cloud platform. Site to site , as the name suggests is a technique in which one site (on-cloud) is connected to a second site (on-premises).
There are many such situations when we will require to setup such a situation where our on-premises servers can communicate with cloud virtual machines or servers safely and securely.
The solution to such a setup is creating a Site to Site connection.

Below, I have shown all the steps you need to configure at the Azure side to set a Site-to-Site connection. After following the steps you will get a configuration file which will be handed to the network manager of the on-premises server and complete setup will be done.

Components required for this setup are:

Virtual network with a default defined subnet and a Gateway subnet.
Virtual network gateway
Local network gateway

Step- 1: Create a Virtual network with a default subnet
Specify the Virtual network IP address and create the Virtual network with a default subnet. I have created the Virtual network with IP as 10.0.0.0/16 and subnet with 10.0.1.0/24 . The final details will be shown as follows:

Step- 2: Add the Gateway Subnet to this Network
To add Gateway Subnet, Go to Subnets >> Click on the "+Gateway subnet" >> Now specify the address for it and click on Add.

Step- 3: Create a Local Network Gateway
Here, all the specifications of your on-premises server is added.
Since, this is just for tutorial purpose I don't have a on-premises server, I am using some random IP address. In real situation you have to specify the Static IP address of the on-premises server or the Fully Qualified Domain Name
The final configuration should look like this:

Step- 4: Create Virtual Network Gateway
Search for Virtual Network Gateway and select the Virtual network created. Select other options as required or leave to Default.
Final configurations for reference:

Step- 5: Create a Connection
Inside the Virtual Network gateway resource , Select Connections. Then Select Add connection.

Next specify the connection details and choose Site to Site in the connection type. Next you need to specify the Shared Access Key of your on-premises server. After successfully completing the steps you will find a configuration file. Download this and provide to the network engineers on the other side

That was all the steps for setting a Site to Site connection.

Setting up Docker Swarm in AWS

Sulagna Nandi — Wed, 25 May 2022 17:04:42 +0000

Docker and Docker Swarm

Docker is an open source containerization platform. Docker containers are lightweight software packages which includes all tools , libraries and dependencies needed to run applications.
Before the concepts of containerization and virtualization, there was often a gap between the application developer team and final production team. This was due to the difference in the system and dependencies of the environment in which the application was developed to the environment in which it is being tested. To bridge this gap concepts of virtualization and containerization was introduced which enabled developers to run their application in different operating systems sharing the same hardware and then provide the entire system including the dependencies to the production team.

Docker Swarm is a mechanism to handle multiple images running on same host Operating System. Images here refer to the templates that help to build containers. In Docker Swarm we have multiple nodes which are called as - Master and Worker Nodes. In each of these Nodes Docker daemon is initialized to interact with the Docker API. Docker Swarm supports Load balancing and Auto-Scaling features by the use of simple commands. All these are enabled by running services from the Master node.

In this documentation I have demonstrated all the steps required to setup a Docker Swarm environment. For higher availability I have deployed each of the Docker nodes into different VPCs.

Step 1 : Create your VPCs :

(a) We create three VPCs with the motive to deploy three instances in each of them [one Master Node and two Worker Nodes] with CIDR value as needed. We can also have more than one Master and Worker Nodes.

(b) Now, we need to create the Subnets for each VPCs

(c) Since the nodes need to communicate between them, now we create a Peering connection between the different VPCs. To set a Peering connection search for the service and Create the Peering connection between each of the VPCs.(if three VPCs : A,B,C then create connection between A-->B , B-->C , C-->A)

After creation we need to accept the Peering request. In order to accept the request, select the request and go to Actions and select Accept Request.

(d) Now, define the route tables. Create the route tables for each VPC and define them with proper routes and attach to the appropriate subnets. Also, create a Internet Gateway and add to the route table in order to have internet access in each VPC. Finally the route table for each VPC should have the routes defined as follows:

Step 2 : Create your EC2 instances :

Deploy the instances in each VPC. Here since I have taken three nodes- one Master node and two Worker nodes, I have Launched three instances. Select the appropriate type of the Instances. In the Security rules remember to add a Custom TCP rule with port 2377. Here is a sample of the Security rules put:

Note: The Security rules should be added with only the IPs that are allowed or needed. The above rules are just for the demo.
Now, Connect to each instance.

Step 3 : Configure Docker Master and Worker Nodes:

(a) First of all, configure Docker into each node by using the command yum install docker* -y.
(b) Now, start and enable the Docker into each node by using the command systemctl start docker followed by systemctl enable docker.
(c) Next, choose a node and assign it as Master Node where all the services will run. For this run the command docker swarm init. Now, a token will be shown . Copy this token and paste it in the other nodes. Now the other nodes will become the Worker nodes.

You can check the joining status of the nodes by using the command docker node ls in the Master Node.

(d) Create a Dockerfile that will download a sample website.
First of all to create the Dockerfile type vi Dockerfile. This Docker file will be created in every node.
This is a sample Docker file content:

Build the image by command docker image build -t appimg:1 .
You can check the image by using the command docker image ls.

Step 4 : Run the services and create the Containers:

(a) Now, you have to run the services from the Master Node. This can be done by using the command docker service create --name #name_of_the_service -p 80:80 #any_name_of_image:1

Check the service id using command docker service ls .Note this service ID.

(b) Next, create the containers using command: docker service scale #service_id = 4(you can give any number of container). The containers are randomly deployed on any one the Master or Worker nodes. Docker Swarm also provides the Load Balancing features thus providing maximum availability.

Finally, your docker swarm is configured and ready. To view the contents we can map our EC2 instances to Application Load Balancer and attach it to a Domain Name via Route53 and then hit the Domain name. To do so Refer here.

Auto-Scaling in AWS

Sulagna Nandi — Sat, 14 May 2022 18:23:36 +0000

Availability , Flexibility and Scalability are among the few very important features of cloud computing. Simply using a single instance for all the work creates load on the server causing it to fail and various other problems. Distributing the workload with automatic scaling up or down based on the workload is the perfect solution to all the issues. Cloud load balancing is defined as dividing workload and properties in the servers. Auto-Scaling is the technique in which automatically the number of servers can increase or decrease as per demand. This helps to provide a continuous uninterrupted service to the customers.
In Auto-Scaling, we mainly define three threshold values - Desired Capacity , Minimum Capacity and Maximum Capacity.

Desired Capacity refers to the desired number of servers which will start launching by an Auto Scaling Group.
Minimum Capacity refers to the minimum number of instances running at all times.
Maximum Capacity puts a restriction on the maximum number of servers that we can have. This helps to handle DOS attacks where unnecessarily demand increases on the instances which can lead to sudden increase in the number of instances which will lead to no profit.

Here, I have documented all the steps needed for enabling Auto Scaling on your instances.

Step 1 - Launch a EC2 instance.

Launch a EC2 instance specifying all the requirements and host any static site on it. (Refer here)

Step 2 - Create a Image of the instance.

Choose the EC2 instance >> Click on Actions >> Create Image. Then Create the image and provide a suitable name to the image.

Step 3 - Create a Load Balancer.

First of all to have a Load Balancer we need to create a Target Group. First Create the Target group with suitable name, but do not attach or register any target instances for now >> Create Target Group. Your final page should look like this :
Now select the Target Group created and in Edit attribute decrease the deregistration time to 20sec. (This step is just to faster the scaling down process and can be avoided)
Now, create a Application Load Balancer . Provide a suitable name. Select all the subnets for high availability. While selecting the Security group , create a new security group with preferably the inbound and outbound rules as given below (however you can set the rules as per your need for stronger security)

Now, select your Security group and the Target group created and create the Load Balancer.

Step 4 - Create a Launch Configuration.

Go to the Launch Configuration menu and Launch a configuration.
Give a suitable name >> Choose the Image that you had created >> Choose the instance type. Rest of the options can be left default. But, make sure you Enable the detailed monitoring by Cloud Watch.

Next, Add New Rule , to the Security rules, mentioning the inbound rules as below (however you can set the rules as per your need for stronger security)

Step 5 - Create a Auto Scaling group.

Create a Auto Scaling group with a suitable name. Now select the option of Launch Configuration and select the one just created.

Next choose your networking , preferably choose all the subnets for high availability.
Next attach to an Existing Load Balancer and choose the Target group we just created.

Now, choose the desired , minimum and maximum capacities of instances as your choice.
Finally, Create the Auto Scaling Group.

Step 6 - Create Cloud Watch Alarms.

Search for the Cloud Watch Alarm Service then click on Create Alarm.
In this step we have to create two Alarms - Scale-up and Scale-down.
The Alarms will monitor the Auto Scaling group based on the chosen metrics and thresholds.
For metrics, choose Auto Scaling group and then choose CPU utilization as the metric.

Next, give a name to the alarm and specify the threshold.
There will be two alarms - Scale up and Scale down. Scale up will be used to monitor when the CPU utilization is higher than a threshold that will require to increase the number of instances and Scale down will be used to monitor when the CPU utilization is lower than a threshold that will require to remove some number of instances.
Specify the details as given :

Step 7 - Create Dynamic Auto Scaling policies.

After both the Scale-up and Scale-down alarms are ready , we need to attach them to the Auto Scaling policies specifying how we want the Auto Scaling to act on getting the alarms.
For this, select the Auto Scaling Group, then choose the Automatic Scaling >> Create Dynamic policy.

In policy type choose Simple Scaling and select the alarm created just now, and specify the Actions.
For a Scale-up policy, choose the Scale-up alarm and as Actions select to increase the capacity.

Similarly, create another policy to Scale-down specifying the Actions ie., select to decrease the capacity.

And, your Auto Scaling Setup is ready.
Here are few ways you can check if your Policies are working correctly :
SSH into the Auto Scaling Group instance and increase the CPU utilization by using the command yes > dev/null &
On checking the Cloud alarms you can find the graph increasing. On checking the instances you can find there is addition of the new instances automatically.
To check the Scaling down, use the command <kill #process_id_here> and check the instances. After some time, instances will be shutting down.

Get your site a Domain Name and SSL certificate

Sulagna Nandi — Thu, 17 Feb 2022 17:00:26 +0000

Amazon EC2 Virtual Machines can help you to host a site. There are so many ways to host a site into EC2. Most common and easy ones were documented by me in this blog of mine, by end of which you will be able to view your website up and running in your browser by hitting it's public IP.

However, practically how many actual websites do we view by typing out their IPs? None, right?

The actual address of any website is a complex IP address, difficult to remember and interpret. Hence we have the Domain Name System (DNS) which maintains all the Domain Names and translates the Domain Names to the IP address of our site. This domain name is simple, interpretable and easily to remember name for our website.

Also, we saw that the IP address we were hitting on the browser was showing as Connection not Secure. This simply means the protocol by which our web pages were loading was HTTP protocol. HTTP or HyperText Transfer Protocol is the simple, but not secure protocol to load our pages. HTTPS is the HTTP + Secured type of HTTP protocol which encrypts our information and thus is more reliable and better way to loading and using the web pages. HTTPS uses the protocol called Transport Layer Security (TLS), also known as Secure Sockets Layer (SSL).

So, in this blog ( is a continuation of my previous blog ) we map the IP address of our site to Domain Name and also make the Connection Secure (HTTPS).

Map the IP address to a Domain Name

Step 1 : Get a Domain Name
You need to purchase a Domain Name of your choice. You can get paid Domain Names from sites like GoDaddy or Hostinger or directly from AWS. It is recommended to use a paid Domain Name for professional use. However to practice you can use free Domain Names from sites like FreeNom. Here, I have used the Domain Name from FreeNom. You need to create an account and Register for a New Domain in Services. Then you can find your domain name in services and My Domains.
Step 2 : Route 53
AWS provides the service of Route 53 which is the scalable Domain Name System of the cloud. It helps you to map the IP address to the Domain Name. Below are the steps to do so:

1. Create a Hosted Zone in Route 53 :
Search for the service of Route 53 and select Create Hosted Zone from the Route 53 dashboard. Now, provide your Domain Name and Create the zone.

2. Update the Name Servers :
Once you create the Hosted Zone, you will be able to see the Records. Select the Record with Type NS. You will be able to see the Value of the Name Servers on the right.

Now, go to your Domain Registrar (FreeNom in my case) and select on Manage Domain. Now, select Management Tools and then Name Servers. Copy the Values of the Name Servers seen in your AWS Hosted zone and paste in the Values of Name Server in the Registrar.

3. Add Records :
Now, click on Create Records in the Route 53 records. You need to create another record (other than the default one) and add the Record name www to it. For both of the records provide the public IP Address of your EC2 as the Value. Now, Create the Records.

Now, on hitting your Domain Name in the browser you can find your website up and running.

But, as you can see the connection is showing Not Secure. Now, let's make this secured.

Make the connection secure

Step 1 : Request a SSL certificate

Making the connection secure basically means changing the HTTP protocol to HTTPS. For this we will need a SSL certificate.

Go to Certificate Manager in Services. Now, click on Request a Certificate. Then Select the default option of public certificate and click on Next.

Now, add the fully qualified Domain Name. Then click on Add another name and fill the Domain Name along with the wild card character "*." before your Domain Name. Then click on Request.

Next, select your certificate and select Create Records to Route 53 (under the Domain Names) and click on Create Records.

Now, wait for the Certificate to be issued.

Step 2 : Create a Load Balancer

Once the certificate is issued, in order to attach the certificate we will need to create a load balancer.
Select Load Balancer from the EC2 dashboard and click on Create Load Balancer. Select the Application Load Balancer and Create.
Give a name to your Load Balancer, Select Internet Facing and IPv4. Under Network routing choose default VPC(or any existing VPC of your EC2) and select all the subnets.

Now, create a new Security Group with HTTP and HTTPS - Anywhere as inbound rules.

Now, in Listener Create a new target group. Give a name to your target group leave all the default options and click on next. Now choose your instances and click on include below as pending and create the target group.

Now, back in load balancer select the newly created target group for listener HTTP. Now, click on Add Listener and Create a HTTPS listener with the same newly created target group.
Under the Secure Listener Settings select your SSL certificate in the drop down.

Finally create the Load Balancer and wait for it to become Active.

Once the Load Balancer is Active you need to modify the HTTP listener of your Load Balancer (this enables anyone hitting your website to be redirected to HTTPS).

Select your Load Balancer and choose the option of Listeners and select the HTTP Listener. Now click on View/edit rules of the HTTP.

Now, add Rule and select Host Header in IF and Redirect to in THEN.

Add the values of your Domain Names as the one you had created in the Records of Hosted Zone as Host Header. Select HTTPS with port 443 in Redirect to. Then click on Save.

Step 3 : Update the Records of Route 53

Select the Records of type A that you had created (inside the Hosted Zone Records) one by one and click on Edit Record. Follow the steps as given below one by one.

Click on Edit Record and in the Value, select the Alias. Then choose Application and Classic Load Balancer as Endpoint. Next choose your region and finally select the created Load Balancer. Then Save the changes.

Repeat the steps for both of the Type A Records.

Finally on hitting the Domain Name you will find your site Secured!

That's all in this blog. Hope this helps you!

Host a site into EC2

Sulagna Nandi — Mon, 07 Feb 2022 13:18:12 +0000

With increase in business and startups, setting up large physical servers was becoming very hectic for owners. Using large number of physical servers and implementing various computing techniques to manage them, people were in need of something more flexible and budget friendly. And finally, in around 2006-2008 Amazon Web Services launched the era of Cloud Computing with it's first virtual servers or machines Amazon Elastic Compute Cloud or EC2 instances. Since then EC2 has helped perform so many operations and provided uncountable solutions.

In this blog, I have tried to show three of the simple techniques to host a very basic website into your EC2 instance.
For a very simple basic website we have files of CSS,JS,HTML and many more. Here I have chosen a sample website contents from here.

Summary of Steps:

Step 1 : Launch an EC2 instance
Step 2 : Install Apache Server
Step 3 : Add the files of website(three ways):
- Directly from your Device
- From S3 bucket
- From GitHub repository

Step 1 : Choose an EC2 instance , Launch the instance and then SSH into the instance.

I have chosen here the Amazon Linux. You can choose any one of your choice. You can find the steps to setup your EC2 instance in this amazing tutorial by one of my friend here. Only while selecting the Security Group here's what different you have to do:

For type SSH change Source to MyIP (This will allow only your IP to SSH into your EC2).
Now, add rule and select HTTP and for Source select Anywhere.
Again add rule HTTPS and for Source select Anywhere.

These are the simplest rules for a beginner, incase you want to have custom and enhanced security, you can always add the allowed custom IPs only

Step 2 : Install the Apache Server into EC2

To host a website into EC2, you will need to install Apache Server into EC2. Here are the Linux commands to install Apache Server into your EC2.

1. Login as root user:
Initially when you connect to EC2, you will be logined as ec2-user. Change it to root user. Use these linux commands:
sudo su ,then cd

2. Install Apache Server:
Now, install Apache Server with the command:
yum install httpd

While installing you will get a confirmation message , just type yes for it. After successfully installation you will get a Complete message.

3. Start and Enable Apache:
After installing apache, you have to start the Apache. Here is the command to do so.
systemctl start httpd

Now, you need to enable the Apache server to avoid stopping the server when you stop and restart your EC2 instance. Here is the command to do so.
systemctl enable httpd

After all these setup done , now we just need to add our files into EC2. Here are the three simple ways to do so:

Step 3 : Add your website files into EC2

Way 1 >>> By adding the files directly from your device:

You can directly copy paste your files from your device into EC2 instance. For this you need to have an application called WinSCP . Here is the download link for the same.
Now follow the following steps:(Refer the picture below)

In the Host Name fill the public IPv4 DNS of your EC2 instance.
For the User Name enter ec2-user
Now, click on Advanced

Now, select the Authentication option in the left side menu and browse your key file (created while launching the EC2 instance). If your key file is of .pem extension , change the search filter to all files, select the .pem file and it will ask you to convert into a .ppk file. Allow for the same and select the .ppk file.
Now click on OK.
Now, click on Login , and you will be connected to your EC2 as ec2-user in the right side window.
Now, browse the location where your files are present on the window on the left side.
Now, create a new directory into ec2-user and drag and drop all your files from the left window to the right into the new directory.
Go back to your Xshell and check if the file is present by the command ls /home/ec2-user/<your-directory>
Now, you have to copy the file into another directory which is the html directory.
You can copy the entire contents of your directory into html directory by command :
rsync –a /home/ec2-user/<your-directory-name>/. /var/www/html/

Now copy paste the public IP of the EC2 and hit into the browser and you will be able to see your website.

Way 2 >>> By copying the files from your S3 bucket:

First you need to create a S3 bucket and upload your files. Here is a tutorial by one of my friend on how to create and upload files into S3 bucket.
Now, to access your S3 bucket and contents into EC2 instance you must create an IAM role with S3 full access and attach it to your EC2 instance. Learn how to create IAM roles here.

List out the S3 buckets name using command aws s3 ls
List out the contents of S3 bucket using command aws s3 ls s3://<your-bucket-name>
Go to the html directory using command cd /var/www/html/
Now copy the contents to html directory using command aws s3 sync s3://<your-bucket-name>/ . (dot represents current directory)

7.Now copy paste the public IP of the EC2 and hit into the browser and you will be able to see your website.

Way 3 >>> By copying the files from your Github Repo:

First create a GitHub Repository and upload the files in that repository. Here is a tutorial on the same.

Now to access GitHub from your EC2 install git. To do so use the command yum install git -y in your XShell. Accept any confirmation asked.
Go to the html directory using command cd /var/www/html/
Now download all the files of your GitHub repo into the directory using command git clone git://github.com/<your-account-name>/<your-repo-name> . (dot represents current directory)
Now copy paste the public IP of the EC2 and hit into the browser and you will be able to see your website.

This is how you can view your website:

That's all in this blog. Hope so this has helped you!

Secure your AWS account

Sulagna Nandi — Wed, 02 Feb 2022 07:15:30 +0000

Amazon Web Services provide us amazing solutions which is now widely used by all small and large industries , helping them manage and easily access their resources with flexible costing. AWS provides "Easy to use" , "Flexible" , "Cost effective" , "Reliable" , "Scalable and High Performance" and "Secure" solutions when it comes to virtualizing your resources.
The official documentation of AWS security speaks "The AWS Cloud enables a shared responsibility model. While AWS manages security of the cloud, you are responsible for security in the cloud."

Most of the AWS guides will give a detailed description about all services of AWS and benefits of it. What people rarely speak about is how can we secure our AWS account? Here, I have tried to document some simple yet very important techniques to secure your AWS account. Let's begin.

1.Root user vs IAM user

Creating IAM admin
Creating IAM users
Creating IAM user groups
Creating IAM roles

2.Hardening account

Set a password
Set a MFA

Root user vs IAM user

First of all on logging into your account you will find the two ways to login ~ 1. Root user and 2. IAM user. Usually when you create your account for the first time , we always login through the root user. But most of the times, you will be recommended by people to use the IAM user to login. What exactly is the difference between them?

1. Root user - Root user is the main account user who has access to all the resources in the AWS account. When we first create our AWS account we have a Root user only. We can't restrict access of the resources of a Root user by adding any IAM roles or policies (discussed below). Since, limiting permissions of a root user is difficult (only done by Service Control Policies of AWS), using root user as the only account for AWS services becomes vulnerable to "brute force attacks"(These attacks are done by excessive forceful attempts to try and decode your root password by hackers leading them into your root account and taking advantage of root user privileges).Therefore it is always encouraged to define IAM user with Administrative Access and use it to access all AWS services instead of using Root account.

2. IAM user - IAM stands for Identity and AWS Management. The main goal of IAM is to provide Right access to Right people. Among all services of IAM , one of the service is of IAM users. IAM users are defined by the Root User or by IAM administrator. An IAM administrator is the IAM user created by Root user which has the access to all the services of AWS account, except some specific tasks of Root user like ~

Closing the account
Changing the account settings
Changing support plan
Adding IAM users to billing section and others( Refer this AWS official page )

Logging into the account using as IAM administrator is always recommended. Here is how you can create an IAM administrator.

Creating your first IAM administrator :

Login as Root user by giving your credentials >> Select IAM services >> Under IAM options choose Users >> Now click on Add users

Now give a name to your user and add the access (refer the picture below) >> Click on Next Permission >> Select Attach an existing policy >> Select AdministratorAccess >> Click on Next and finally click create a user(adding tags is optional) >> Finally on successfully creating the user download the csv file.

Now, let's try to login as admin via the console.
Select IAM user to login >> Provide your Account ID(present in the csv file just downloaded or you can find it at top right corner of your root account) >> Now provide the name and password >> Now you have to set a new password >> And, you are logged in as the Admin.

Creating IAM users as an admin :

As an admin, suppose you have employees joining your company and you have to provide different employees with different resources of AWS. Some only need to use EC2 instances, whereas some only work with EBS. To provide controlled access to your AWS account, you need to create different IAM users and attach only required Policies and share this IAM details with your employees. Creation of users is in the same way as shown above. There are varieties of Existing Policies which you can add based on the access to resources you want to provide. Also, you can create your own policy by clicking on Create new policy in the Set permission page. Your new policy can be in a JSON file.

Creating IAM user groups :

Suppose you have large number of employees in your company. You have to provide each of your employee a controlled access to only use EC2 instances. You start providing each of your employee same access and attach them to the same policies. But why do such a long process when all you need to attach them is to the same policy. Instead of attaching policies to employees one by one, create a User Group. A User group helps to have common policies and you can just add your employees to the group. When any employee leaves, just detach them from the group instead of finding which user to delete.

Here is how you can create a User group:
Find the option of User Groups under IAM services >> Click on Create Group >> Give a name to your group >> Add if any existing user (this is optional) >> Now attach some Policies (this is also optional) >> Now click, Create group.
Now onwards while creating an user instead of attaching individual policies , directly attach them to a User group.

IAM roles :

Another very interesting service of IAM is the IAM roles. Main use of IAM roles in security for the AWS services is to build a safe pipeline between AWS resources:

Create a direct pipeline between EC2 instances and AWS services : Suppose your company requires you to set a connection between EC2 instance and S3 bucket. So, you start by creating a IAM user and attach it with the Existing Policy of AWS S3 Full Access. Now you share the credentials with access key and secret key, and the next day you find one of your employee has accessed your S3 bucket using the credentials via his own laptop!! So, sharing the credentials is not a very secured option to access AWS services like S3 bucket which has important data. In such a case IAM roles come into picture. IAM roles help to create a direct pipeline between both the services without the need to share the credentials and thus a person cannot access the S3 service from his own laptop. This a safer and good approach.
Here is how you can create an IAM role:

Select IAM role under the IAM services >> Now Create a role >> Select Entity as AWS services and choose EC2 >> Now attach S3 full access policy >> Provide a name >> Create role

Now, select your EC2 instance >> Go to Actions >> Security >> Modify IAM role >> Attach the IAM role created

Finally you can access your S3 bucket without any access ID or secret key.
Connect to the EC2 via SSH command providing the Key file >> Directly list out the S3 contents (Syntax - aws s3 ls) >> List out the contents inside S3 (Syntax aws s3 ls s3://s3_bucket_name)

Harden your account

We have learnt how to create an IAM admin account and IAM users with controlled access. Now, we can login as the IAM user and use the AWS resources specific to our needs. However, we still need to protect our account from any kind of security breach. Here are few ways suggested by AWS in which you can Harden your account as a Root user, IAM Admin or IAM User:
(All of the steps below can be implemented by going to IAM Dashboard >> Add MFA)

Creating a strong password :

AWS always encourages to create a strong password. You can click here to generate a Strong password
After creating a strong password, click on the password option and then click on the link given to change the password to a Strong password.

Add a Multi Factor Authentication :

There are three ways provided for Multi Factor Authentication (MFA) by AWS.

1.MFA virtual device : For adding a Virtual MFA device we will need a authenticator application. The most common one is the "Google authenticator".
Select Virtual MFA >> Click on Show the QR code >> The app will have an option to scan the QR code >> Now a code will be shown >> Write it to the code 1 on your console >> After few seconds next code will be shown >> Assign MFA.
From the next time you login , apart from the password the MFA codes will be asked which will be shown in your app.

----Always remember to take a Screen shot of your QR code , incase your app or phone gets damaged this will help----

2.U2F security key :

This is an U2F security key. It is a kind of USB device. You can add it as an authentication device and while logging in to your account, apart from entering the password, you will need to plug this in.

2.Gemalto token :

Gemalto token is the hardware authenticator in which the codes are shown in the Gemalto token screen. While logging into the account we need to provide these codes.