DEV Community

nithinalias

AWS VPC

VPC Overview

Build a Custom VPC

Network and Content Delivery - VPC - Your VPCs - Create VPC - add a name, IPv4 CIDR block = 10.0.0.0/16, enable the Amazon-provided IPv6 CIDR block, Tenancy = default - Yes, Create. A new Route Table, Network ACL and Security Group are created automatically for the VPC.

Go to Subnets - Create Subnet - add a name tag, select the VPC you created, select an Availability Zone, IPv4 CIDR block = 10.0.1.0/24 - Yes, Create.

Go to Subnets - Create Subnet - add a name tag, select the VPC you created, select a different Availability Zone, IPv4 CIDR block = 10.0.2.0/24 - Yes, Create.

Go to Internet Gateways - Create Internet Gateway - add a name tag - Yes, Create - Attach to VPC - select the created VPC - Yes, Attach.

Go to Route Tables - select the main route table of the new VPC - Subnet Associations - there is no explicit subnet association (subnets without one use the main table, so leave the main table private).

Create Route Table - add a name tag, select the VPC - Yes, Create. Routes (to enable Internet access) - Edit - Add another route - Destination = 0.0.0.0/0, Target = the Internet Gateway - Save. Edit again (to add IPv6) - Add another route - Destination = ::/0, Target = the Internet Gateway - Save. Subnet Associations - Edit - select the 10.0.1.0/24 subnet - Save. (10.0.1.0/24 is now the public subnet and 10.0.2.0/24 the private subnet.)

Go to Subnets - select the 10.0.1.0/24 subnet - Subnet Actions - Modify auto-assign IP settings - Enable auto-assign public IPv4 address - Save.

Launch an EC2 instance - Configure Instance - Network = the created VPC, Subnet = 10.0.1.0/24 - Security Group (add SSH, HTTP and HTTPS rules) - Launch (Public Instance). Launch another EC2 instance - Configure Instance - Network = the created VPC, Subnet = 10.0.2.0/24 - Launch (Private Instance).

Network and Security - Security Groups - Create Security Group - add a name, select the created VPC - Inbound (Add Rule - SSH, MYSQL/Aurora, HTTP, HTTPS, All ICMP, Source = 10.0.1.0/24 for every rule, so only the public subnet can reach the private instance) - Create. Attach this security group to the Private Instance - Actions - Networking - Change Security Groups - select it - Assign Security Groups.

Now log in to the Public Instance we created and check whether the Internet is reachable (it will be). Ping the Private Instance's IP; you will get ping replies. Copy the login key of the Private Instance to the Public Instance, then log in to the Private Instance from the Public Instance. From there the Internet is not reachable, because the private subnet has no route to the Internet Gateway.

Network Address Translation(NAT)

EC2 - Launch Instance - Choose AMI - Community AMIs - amazon-ami-vpc-nat-hvm-.... - Select - Configure Instance - Network = the created VPC, Subnet = 10.0.1.0/24 - Security Group (add SSH, HTTP and HTTPS rules) - Launch. Select the NAT instance - Actions - Networking - Change Source/Destination Check - choose Stop - Save (a NAT instance forwards traffic that is not addressed to itself, so the check must be turned off).

VPC - Route Tables - select the main route table of the VPC - Routes - Edit - Add another route - Destination = 0.0.0.0/0, Target = the NAT instance - Save.

Now log in to the Private Instance from the Public Instance and check the Internet: it is now reachable. Terminate the NAT instance and the Internet connection is lost again.

VPC - NAT Gateways - Create NAT Gateway - select the public subnet (10.0.1.0/24) - Create New EIP (Elastic IP) - Create a NAT Gateway. Go to Route Tables - select the main route table of the VPC - Routes - remove the old route - Add another route - Destination = 0.0.0.0/0, Target = the NAT Gateway - Save.

Now log in to the Private Instance from the Public Instance and check the Internet: it is reachable again.

Access Control Lists (ACLs)

VPC - Network ACLs - Create Network ACL - add a name, select the created VPC - Yes, Create.

On the Public Instance, run the commands below (as root):

yum update -y
yum install httpd -y
service httpd start
chkconfig httpd on
echo "<html><h1>Hello Cloud Gurus!</h1></html>" > /var/www/html/index.html

Now the website is reachable in a web browser at http://<public IP address of the Public Instance>.

VPC - Network ACLs - select the newly created ACL - Inbound Rules - Edit - Add another rule: Rule = 100, Type = HTTP (80), Source = 0.0.0.0/0; Rule = 200, Type = HTTPS (443), Source = 0.0.0.0/0; Rule = 300, Type = SSH (22), Source = 0.0.0.0/0 - Save. Outbound Rules - Edit - Add another rule: Rule = 100, Type = HTTP (80), Destination = 0.0.0.0/0; Rule = 200, Type = HTTPS (443), Destination = 0.0.0.0/0; Rule = 300, Type = Custom TCP Rule, Port Range = 1024-65535, Destination = 0.0.0.0/0 (network ACLs are stateless, so the ephemeral port range must be opened for return traffic) - Save. Subnet Associations - select the public subnet (10.0.1.0/24) - Save.

Now if we add Inbound Rules - Edit - Add another rule - Rule = 101, Type = HTTP (80), Source = myipaddress/subnet, Allow/Deny = Deny, we still get the website in the web browser at http://<public IP address of the Public Instance>.

Now if we add Inbound Rules - Edit - Add another rule - Rule = 99, Type = HTTP (80), Source = myipaddress/subnet, Allow/Deny = Deny, we no longer get the website in the web browser at http://<public IP address of the Public Instance>.

Network ACL rules are evaluated in ascending order of rule number and the first matching rule is applied. Rule 101 is never reached because rule 100 already allows HTTP from everywhere, whereas rule 99 is evaluated before rule 100 and its Deny wins.
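To make the evaluation order concrete, here is an added example (not part of the original post) that models a network ACL's first-match logic in Python and replays the three situations above. The rules are the post's own; the source address 203.0.113.7 is a constructed stand-in for "myipaddress".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class AclRule:
    number: int      # rule number; lower numbers are evaluated first
    protocol: str    # 'tcp', 'udp', 'icmp' or 'all'
    port_from: int   # port range (ignored for icmp/all)
    port_to: int
    cidr: str        # source CIDR for inbound rules
    action: str      # 'allow' or 'deny'

def evaluate(rules: List[AclRule], protocol: str, port: int, src_ip: str) -> str:
    """Decide one inbound packet the way a network ACL does: walk the rules in
    ascending number order, apply the first rule that matches, and fall back
    to the implicit '*' rule (deny) when nothing matches."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if rule.protocol in ("tcp", "udp") and not (rule.port_from <= port <= rule.port_to):
            continue
        if ip not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        return rule.action
    return "deny"

# Inbound rules from the post: 100 HTTP, 200 HTTPS, 300 SSH, all allowed from anywhere.
BASE_INBOUND = [
    AclRule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    AclRule(200, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    AclRule(300, "tcp", 22, 22, "0.0.0.0/0", "allow"),
]
MY_IP = "203.0.113.7"  # constructed stand-in for "myipaddress" in the post

def http_from_my_ip(extra_rule: Optional[AclRule] = None) -> str:
    """HTTP request from MY_IP against the base rules plus one optional extra rule."""
    rules = BASE_INBOUND + ([extra_rule] if extra_rule else [])
    return evaluate(rules, "tcp", 80, MY_IP)

if __name__ == "__main__":
    print(http_from_my_ip())                                                     # allow
    print(http_from_my_ip(AclRule(101, "tcp", 80, 80, MY_IP + "/32", "deny")))  # allow: 100 matches first
    print(http_from_my_ip(AclRule(99, "tcp", 80, 80, MY_IP + "/32", "deny")))   # deny: 99 is checked before 100
    print(evaluate(BASE_INBOUND, "tcp", 3306, MY_IP))                            # deny: no rule matches, implicit '*'
```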

VPC Endpoints

IAM - Roles - Create role - EC2 - EC2 - Next - AmazonS3FullAccess - Next - add a role name - Create role. Attach the role to the Private Instance - Actions - Instance Settings - Attach/Replace IAM Role - select the role - Apply.

VPC - Network ACLs - select the default Network ACL of the VPC - Subnet Associations - Edit - select the public subnet (10.0.1.0/24) - Save.

Now log in to the Private Instance from the Public Instance and run:

sudo su 
aws s3 ls

You get the S3 bucket list; at this point the request reaches S3 over the Internet through the NAT Gateway.

Go to VPC - Route Tables - select the main route table of the VPC - Routes - Edit - remove the 0.0.0.0/0 route - Save.

Now if you run the command below again, the S3 bucket list is no longer returned.

aws s3 ls

Go to Endpoints - Create Endpoint - select the S3 gateway endpoint (com.amazonaws.us-east-1.s3) - select the created VPC - select the main (private) route table - Create Endpoint.

Now "aws s3 ls" returns the S3 bucket list again.

Go to VPC - Route Tables - select the main route table of the VPC - Routes - you can now see a route whose target is the VPC Endpoint. Traffic to S3 takes this route and is not going through the NAT Gateway.

Custom VPCs and Application Load Balancers

EC2 - Load Balancers - Create Load Balancer - Create Application Load Balancer - select the created VPC. An Application Load Balancer needs public subnets in at least two Availability Zones.

VPC Flow Logs

Go to VPC - select the created VPC - Actions - Create Flow Log - click the Set Up Permissions link - View Policy Document - Allow - go back and select the role just created - Create Flow Log. This shows an error because the destination log group does not exist yet. Go to CloudWatch - Logs - Create Log Group - add a name - Create Log Group. Go back to the Flow Log form - select the log group - Create Flow Log.
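Once the flow log is delivering, each record in the log group is a space-separated line in the default flow log format. This added example (not from the original post) parses such records and counts the rejected TCP flows per source and destination port, which is how a Deny rule like rule 99 above, or a missing security group rule, becomes visible. The account id, ENI id, addresses and timestamps in the sample are constructed.

```python
from collections import Counter
from typing import Dict, Iterable

# Field order of the default (version 2) VPC flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_record(line: str) -> Dict[str, str]:
    """Split one default-format flow log record into a dict keyed by field name."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}: {line!r}")
    return dict(zip(FIELDS, values))

def rejected_tcp_flows(lines: Iterable[str]) -> Counter:
    """Count REJECTed TCP flows (IP protocol 6) per (srcaddr, dstport).
    Records whose log_status is NODATA or SKIPDATA carry '-' in the traffic
    fields and are skipped. A REJECT is what a network ACL deny (or the
    absence of a matching security group rule) produces in the flow log."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        if rec["protocol"] != "6":
            continue
        counts[(rec["srcaddr"], int(rec["dstport"]))] += 1
    return counts

# Constructed sample records: connection attempts against the public instance
# (10.0.1.10) that the ACL rejected, one accepted outbound flow, and one NODATA record.
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.10 51234 80 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.10 51235 80 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.4 10.0.1.10 40222 22 6 5 320 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 198.51.100.9 43210 443 6 20 9000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    for (src, port), n in rejected_tcp_flows(SAMPLE_LOG).most_common():
        print(f"{src} -> tcp/{port}: {n} rejected flow(s)")
```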

NATs vs Bastions

VPC Clean Up

EC2 - select the Public and Private Instances - Actions - Instance State - Terminate - Yes, Terminate.

VPC - NAT Gateways - select the NAT Gateway - Actions - Delete NAT Gateway. Endpoints - select the endpoint - Actions - Delete Endpoint. Internet Gateways - select the Internet Gateway - Detach from VPC - Yes, Delete. Your VPCs - select the VPC - Actions - Delete.
