DEV Community

maso

DAY1 - Basic VPC Configuration

Overview

Today, I'm building a basic VPC configuration to get hands-on experience with the following services:
VPC / Subnet / IGW / CloudWatch Logs

※Please be mindful of the region! It's better to use one region throughout the hands-on series to prevent unpredictable charges.

Hands-on

1. Build VPC

To understand the steps deeply, choose "VPC only" and create the VPC by itself (without the wizard's subnets and gateways).

Enable DNS resolution and DNS hostnames.

2. Create subnets.

Make 4 subnets (a public and a private subnet in each of 2 AZs).

Similarly, create a public subnet in AZb (10.0.1.0/24), a private subnet in AZa (10.0.10.0/24), and a private subnet in AZb (10.0.11.0/24).

Choose the public subnets → Edit subnet settings → Enable "Auto-assign public IPv4 address"
This makes the DAY2 hands-on easier.

3. Build Internet Gateway (IGW)

Create the IGW and attach it to the VPC you made in Step 1.

4. Create two route tables.

1. Public route table

Create route table → Edit routes → Add route (Destination: 0.0.0.0/0, Target: IGW) → associate the 2 public subnets

2. Private route table

Create route table → associate the 2 private subnets

※A NAT gateway is required for a private subnet to reach the Internet, but this time I will build an S3 endpoint instead.

5. Build S3 Gateway Endpoint

There are two types of VPC endpoints, but this time I'm using a Gateway endpoint as it's more affordable.

Gateway endpoint: for S3 and DynamoDB only. Connects via the AWS internal network.
Interface endpoint: for many services. Connects via an ENI.

Choose S3 (Gateway), the VPC made in Step 1, the private route table made in Step 4, and Full access (I will adjust permissions later).
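Before clicking through steps 1 to 5, it helps to check the address plan once on paper. The following is an added example in Python, not code from the original post: it validates the four subnets against the VPC CIDR (inside the VPC, non-overlapping, one public and one private per AZ) and models the two route tables, so you can confirm that only the public table carries a 0.0.0.0/0 route and that the private table's only destination outside the VPC is the S3 prefix list. The VPC CIDR 10.0.0.0/16, the public AZa subnet 10.0.0.0/24, and the igw-/pl-/vpce- identifiers are assumptions (the post shows them only in screenshots or not at all); the other three subnet CIDRs are the ones from step 2.

```python
import ipaddress
from collections import Counter

# Constructed plan for the hands-on. The VPC CIDR and the public AZa subnet are
# assumptions (the post shows them only in a screenshot); the other three
# subnet CIDRs are the ones given in step 2.
VPC_CIDR = "10.0.0.0/16"  # assumption

SUBNET_PLAN = [
    {"name": "public-a", "az": "a", "tier": "public", "cidr": "10.0.0.0/24"},     # assumption
    {"name": "public-b", "az": "b", "tier": "public", "cidr": "10.0.1.0/24"},     # from step 2
    {"name": "private-a", "az": "a", "tier": "private", "cidr": "10.0.10.0/24"},  # from step 2
    {"name": "private-b", "az": "b", "tier": "private", "cidr": "10.0.11.0/24"},  # from step 2
]

# Placeholder resource ids; AWS assigns the real ones when you create the resources.
IGW_ID = "igw-PLACEHOLDER"
S3_PREFIX_LIST_ID = "pl-PLACEHOLDER"   # the region's S3 prefix list
S3_ENDPOINT_ID = "vpce-PLACEHOLDER"


def validate_subnet_plan(vpc_cidr, subnets):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = []
    for s in subnets:
        net = ipaddress.ip_network(s["cidr"])
        if not net.subnet_of(vpc):
            problems.append(f'{s["name"]}: {s["cidr"]} is outside the VPC CIDR {vpc_cidr}')
        nets.append((s["name"], net))
    # Subnets inside one VPC must not overlap
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} ({net_a}) overlaps {name_b} ({net_b})")
    # The hands-on wants exactly one public and one private subnet per AZ
    per_az = Counter((s["az"], s["tier"]) for s in subnets)
    for az in sorted({s["az"] for s in subnets}):
        for tier in ("public", "private"):
            if per_az[(az, tier)] != 1:
                problems.append(f"AZ {az}: expected exactly one {tier} subnet, found {per_az[(az, tier)]}")
    return problems


def build_route_tables(vpc_cidr, subnets):
    """Model the two route tables from steps 4 and 5 as plain dictionaries."""
    local = {"destination": vpc_cidr, "target": "local"}
    return {
        "public": {
            "routes": [local, {"destination": "0.0.0.0/0", "target": IGW_ID}],
            "associations": [s["name"] for s in subnets if s["tier"] == "public"],
        },
        "private": {
            # No default route: the S3 prefix list is the only destination outside the VPC
            "routes": [local, {"destination": S3_PREFIX_LIST_ID, "target": S3_ENDPOINT_ID}],
            "associations": [s["name"] for s in subnets if s["tier"] == "private"],
        },
    }


def has_internet_route(route_table):
    """True if the table sends 0.0.0.0/0 to an internet gateway."""
    return any(
        r["destination"] == "0.0.0.0/0" and r["target"].startswith("igw-")
        for r in route_table["routes"]
    )


if __name__ == "__main__":
    for line in validate_subnet_plan(VPC_CIDR, SUBNET_PLAN) or ["subnet plan OK"]:
        print(line)
    for name, table in build_route_tables(VPC_CIDR, SUBNET_PLAN).items():
        print(f"{name}: internet route = {has_internet_route(table)}, subnets = {table['associations']}")
```

The same checker catches the mistakes that are easy to make in the console: a subnet typed outside the VPC range, a /23 that swallows a neighbouring /24, or a private subnet accidentally associated with the public table (which would give it a path to the IGW).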

6. Configure VPC Flow Logs

1. Create a log group. (Set retention to 1 to 3 days to avoid small charges.)

2. Create an IAM role for Flow Logs.

1. Create IAM policy

Use the following policy to permit VPC Flow Logs to send logs to CloudWatch.

"policy-for-flowlog.json"

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    }
  ]
}

2. Create role

Use the following policy as the custom trust policy → attach the policy created in the previous step.

"policy-for-flowlog.json"

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
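The two documents above are the minimum that makes the role work; the permission policy in particular uses "Resource": "*", which the post says will be tightened later. As an added example (not from the original post), the Python below embeds both documents verbatim, checks the trust policy (only vpc-flow-logs.amazonaws.com may assume the role, and whether the aws:SourceAccount/aws:SourceArn condition that AWS recommends against the confused-deputy problem is present), checks the permission policy for the five required logs: actions and for wildcard resources, and produces a scoped version that limits the stream and event actions to one log group, following the same split AWS uses in the Lambda basic execution role. The region, account id and log group name are placeholders; whether a given logs: action accepts a log-group resource should be confirmed against the CloudWatch Logs IAM reference for your use.

```python
import copy
import json

# The two policy documents from the hands-on, embedded verbatim.
PERMISSION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
        "logs:DescribeLogGroups", "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    }
  ]
}
""")

TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

FLOW_LOG_SERVICE = "vpc-flow-logs.amazonaws.com"
REQUIRED_ACTIONS = {
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
    "logs:DescribeLogGroups", "logs:DescribeLogStreams",
}
# Actions that act on the account/region rather than on one log group
GROUP_LEVEL_ACTIONS = {"logs:CreateLogGroup", "logs:DescribeLogGroups"}


def _as_list(value):
    """IAM lets Action/Resource/Service be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy):
    """Findings about who may assume the role."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if principal == "*" or not services or any(s != FLOW_LOG_SERVICE for s in services):
            findings.append(f"trust policy allows a principal other than {FLOW_LOG_SERVICE}: {principal!r}")
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            findings.append("trust policy does not grant sts:AssumeRole")
        if "Condition" not in stmt:
            findings.append("trust policy has no aws:SourceAccount/aws:SourceArn condition "
                            "(the confused-deputy protection AWS recommends for service roles)")
    return findings


def check_permission_policy(policy):
    """Findings about what the role can do once assumed."""
    findings = []
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        allowed.update(_as_list(stmt.get("Action")))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append("Resource is '*': the role can write to every log group in the account")
    missing = REQUIRED_ACTIONS - allowed
    if missing:
        findings.append(f"missing actions needed by flow logs: {sorted(missing)}")
    return findings


def scope_to_log_group(policy, region, account_id, log_group_name):
    """Return a scoped copy: group-level actions limited to this account and region,
    stream/event actions limited to the one log group the flow log writes to."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action")))
    account_scope = f"arn:aws:logs:{region}:{account_id}:*"
    group_scope = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}:*"
    return {
        "Version": policy["Version"],
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions & GROUP_LEVEL_ACTIONS), "Resource": account_scope},
            {"Effect": "Allow", "Action": sorted(actions - GROUP_LEVEL_ACTIONS), "Resource": group_scope},
        ],
    }


if __name__ == "__main__":
    print("trust policy:", check_trust_policy(TRUST_POLICY) or "OK")
    print("permission policy:", check_permission_policy(PERMISSION_POLICY) or "OK")
    # Placeholders: replace with your region, account id and the log group from step 6.1
    scoped = scope_to_log_group(PERMISSION_POLICY, "REGION", "ACCOUNT_ID", "LOG_GROUP_NAME")
    print(json.dumps(scoped, indent=2))
```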

3. Create flow log

VPC → Actions → Create flow log
Set Filter to All and choose the log group and IAM role created in the previous steps.
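With Filter set to All, the log group receives both ACCEPT and REJECT records in the default format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status). The Python below is an added example, not code from the original post: it parses lines in that format, skips NODATA/SKIPDATA records (which carry "-" placeholders instead of values), and summarises rejected flows per destination, listing any source that was rejected on several different ports, which is the kind of pattern worth reviewing in the new log group. The sample records are constructed: the account id and ENI id are placeholders, 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, and 10.0.1.25 is a made-up address in the public AZb subnet from step 2.

```python
from collections import Counter, defaultdict

# Field order of the default VPC Flow Logs record format (version 2).
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample records (not captured from a real account). The account id
# and ENI id are placeholders; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges; 10.0.1.25 is a made-up host in the public AZb subnet.
SAMPLE_RECORDS = """\
2 123456789012 eni-0123456789abcdef0 203.0.113.5 10.0.1.25 49152 22 6 6 360 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.5 10.0.1.25 49153 3389 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 10.0.1.25 198.51.100.20 44321 443 6 20 5000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0123456789abcdef0 203.0.113.5 10.0.1.25 49154 22 6 3 180 1700000060 1700000120 REJECT OK
"""


def parse_record(line):
    """Parse one default-format line into a dict; numeric fields become ints.
    NODATA/SKIPDATA records keep their '-' placeholders and are not converted."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    record = dict(zip(FIELDS, parts))
    if record["log_status"] == "OK":
        for field in INT_FIELDS:
            record[field] = int(record[field])
    return record


def parse_records(text):
    """Parse a block of log lines, ignoring blank lines."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def summarize_rejects(records, min_ports=2):
    """Count rejected flows per destination and list sources that were rejected
    on at least `min_ports` different ports (a simple sign of port probing)."""
    rejects = [r for r in records if r["log_status"] == "OK" and r["action"] == "REJECT"]
    by_destination = Counter((r["dstaddr"], r["dstport"]) for r in rejects)
    ports_by_source = defaultdict(set)
    for r in rejects:
        ports_by_source[r["srcaddr"]].add(r["dstport"])
    probing = sorted(src for src, ports in ports_by_source.items() if len(ports) >= min_ports)
    return {
        "reject_count": len(rejects),
        "skipped": sum(1 for r in records if r["log_status"] != "OK"),
        "by_destination": by_destination,
        "multi_port_sources": probing,
    }


if __name__ == "__main__":
    summary = summarize_rejects(parse_records(SAMPLE_RECORDS))
    print(f"rejected flows: {summary['reject_count']} (records without data: {summary['skipped']})")
    for (addr, port), count in summary["by_destination"].most_common():
        print(f"  {addr}:{port} rejected {count}x")
    print("sources rejected on multiple ports:", summary["multi_port_sources"])
```

The same parser works on lines exported from the CloudWatch console or fetched with the CLI, as long as the flow log keeps the default format; a custom format changes the field order and would need a matching FIELDS list.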

That's all for the Day1 hands-on!
I built the VPC settings for tomorrow.
Tomorrow, I'm building EC2 instances in the VPC.

For the test

Key points for the test that are associated with the services used in today's hands-on!

Important services

Internet Gateway:

The Amazon VPC side of a connection to the public Internet.

NAT Gateway:

Managed Network Address Translation (NAT) service for your resources in a private subnet to access the Internet.

Hardware VPN Connection:

A hardware-based VPN connection between your Amazon VPC and your datacenter, home network, or co-location facility.

Virtual Private Gateway:

The Amazon VPC side of a VPN connection.

Customer Gateway:

Your side of a VPN connection.

Peering Connection:

A peering connection enables you to route traffic via private IP addresses between two peered VPCs.

VPC Endpoints:

Enables private connectivity to services hosted in AWS, from within your VPC without using an Internet Gateway, VPN, Network Address Translation (NAT) devices, or firewall proxies.

Egress-only Internet Gateway:

A stateful gateway to provide egress only access for IPv6 traffic from the VPC to the Internet.

See you soon in Day2 hands-on!
