In this article, I'll walk through how I set up an AWS VPC with a public and private subnet, deployed two EC2 instances, and configured Nginx as a reverse proxy. This is part of my hands-on cloud learning journey. If you're just getting started with AWS networking, this is for you.
Prerequisites
- You need to have an AWS account to be able to create the infrastructure
- A basic understanding of networking
VPC Deployment
A Virtual Private Cloud provides a logical, isolated virtual network that you define, where you can launch resources that you want. It closely resembles a traditional network you set up or operate in your own data center.
Setting up VPC
- Logged in to my AWS and navigated to the VPC section to create a VPC
- To create the VPC, I chose VPC only, gave a dummy name, and specified the IPv4 CIDR as 10.0.0.0/16. Click Create to create the VPC.
The IPv4 CIDR is the address range used by the VPC and should come from a private (RFC 1918) range. I chose 10.0.0.0/16, with /16 as the netmask.
To launch resources in the VPC, you need a subnet placed in an availability zone.
Setting up a Subnet
A subnet is a smaller network carved out of a larger one. I created two subnets, a public and a private one.
- Click Subnets in the VPC window to create a subnet
- To create subnets for the VPC, I selected the VPC I just made (vpc-spec-01)
- Gave it a name (public) and chose us-east-1a as the availability zone
- Used 10.0.1.0/24 as the IPv4 CIDR, which gives 256 addresses (AWS reserves five in every subnet, leaving 251 usable)
For the private subnet:
- I used a different availability zone, us-east-1b
- To spice things up, I used 10.0.2.0/24 as the IPv4 CIDR.
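To check a subnet plan like the one above before clicking through the console, here is a small validator I added for this post (it is not an AWS tool): it confirms the VPC CIDR is private, that each subnet fits inside the VPC and inside AWS's /16 to /28 size limits, that no two subnets overlap, and it computes the usable host count after AWS's five reserved addresses.

```python
"""Sanity-check a VPC/subnet plan (added example, not AWS tooling).
AWS reserves 5 addresses per subnet (network, VPC router, DNS, one
reserved for future use, broadcast), so a /24 yields 251 usable hosts."""
import ipaddress
from typing import Dict, List

AWS_RESERVED_PER_SUBNET = 5
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def usable_hosts(cidr: str) -> int:
    """Addresses in the subnet that EC2 instances can actually use."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def check_plan(vpc_cidr: str, subnets: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not any(vpc.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"VPC {vpc} is not in an RFC 1918 private range")
    nets = {}
    for name, cidr in subnets.items():
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 10.0.1.5/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as e:
            problems.append(f"{name}: invalid CIDR {cidr} ({e})")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} lies outside VPC {vpc}")
        if net.prefixlen < 16 or net.prefixlen > 28:
            problems.append(f"{name}: AWS subnets must be /16 to /28, got /{net.prefixlen}")
        nets[name] = net
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


if __name__ == "__main__":
    # The plan from this post: one /16 VPC with a public and a private /24.
    plan = {"public": "10.0.1.0/24", "private": "10.0.2.0/24"}
    print(check_plan("10.0.0.0/16", plan) or "plan OK")
    print("usable hosts per /24:", usable_hosts("10.0.1.0/24"))
```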
After creating the subnets, I created an EC2 instance in the public subnet so that I could SSH into it.
To create the EC2 instance:
- I navigated to the EC2 service window
- I clicked on Create and gave the instance a name
- For the Application and OS images, I chose Ubuntu and a free-tier eligible AMI
- The instance type is also free-tier eligible. I created a key pair to SSH into the instance securely
In the network settings section is where you configure the VPC, subnet, and ports used to access the instance.
- Choose the VPC made earlier
- Select the public subnet in the VPC and set Auto-assign public IP to Enable
- Select Create security group
- For the inbound security rules, allow SSH (port 22) and HTTP (port 80, for Nginx); restrict the SSH source to your own IP rather than 0.0.0.0/0 where you can
- Launch the EC2
Now, to SSH into the EC2, locate where the key is saved and open Git Bash there. Run these commands to connect (the key file must not be readable by anyone else, or ssh refuses to use it):
chmod 400 key.pem
ssh -i key.pem ubuntu@<public-ec2-ip>
However, we can't connect to the EC2 yet: the VPC has no route to the internet, so nothing outside it can reach the instance. We need to add an internet gateway to achieve this. The steps involve:
- Create an internet gateway
- Attach the internet gateway to the VPC
- Create a route table for the VPC
- After creating the route table, edit its routes and add a route for destination 0.0.0.0/0 with the internet gateway as the target
- Associate the route table with the public subnet: open the public subnet, select Route table, edit the route table association, and choose the route table you created
The private subnet keeps the VPC's main route table, which only has the local route, so it stays unreachable from the internet.
Now SSH back into the instance and run the following:
sudo apt update
sudo apt install nginx # to install nginx
Before creating the private EC2, I copied the key into the public EC2 so I could SSH onward from there (the AMI is Ubuntu, so the login user is ubuntu, not ec2-user):
scp -i key.pem key.pem ubuntu@<public-ec2-ip>:~/.ssh/
Copying a private key onto an internet-facing host is a risk in itself; SSH's ProxyJump option (-J) can reach the private instance through the public one while the key stays on your machine.
Setting up the Private EC2
Just like building the public EC2, I maintained everything except the following:
- Disabled auto-assign public ip
- Selected the private subnet
- Added Custom TCP on port 8080 to the inbound security rules
The private EC2 is reachable only from the public EC2. To access it, SSH into the public instance, change directory to .ssh, and SSH to the private IP from there.
Once on the private EC2, I updated the OS and opened Vim to write a simple HTML page that the public EC2 would serve.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>
<h1>ich bin poloand</h1>
</body>
</html>
I served the HTML file with Python's built-in HTTP server, running in the background, and then exited from the private EC2 back to the public one:
nohup python3 -m http.server 8080 &
Note that http.server serves the whole current directory, so run it from a directory containing only the page.
Once on the public EC2, I changed the Nginx config file to proxy requests to the Python server on the private EC2:
sudo vim /etc/nginx/nginx.conf # open the conf to make changes
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 768;
}
http {
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Ubuntu's stock defaults; no TLS listener is configured here, so drop TLSv1 and TLSv1.1 if you ever add one
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/access.log;
    gzip on;
    include /etc/nginx/conf.d/*.conf;
    # the stock sites-enabled include is gone, so this is the only server on port 80
    server {
        listen 80;
        server_name _;
        location / {
            # privateIP is the private EC2's 10.0.2.x address
            proxy_pass http://privateIP:8080;
        }
    }
}
sudo nginx -t # test the configuration for syntax errors (nginx -T also dumps it)
sudo systemctl restart nginx # restart the service
Now open the browser to see the HTML page served up
Mistakes I encountered
- HTML file was not executable
- Security group blocking port 8080
- No key pair on the public EC2, which resulted in a failed SSH into the private EC2
- Missing semicolons in nginx.conf
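Two of the failures in this post (SSH timing out before the internet gateway existed, and the private EC2 not answering on 8080 until the security group allowed it) come down to the same three questions: does the target have a public IP, does its subnet route to an internet gateway, and does its security group have a matching inbound rule. This added example (my own model, not AWS code) encodes the post's topology and answers those questions; instance IPs and group names are constructed placeholders, and the private group here takes the public group as its rule source, which is tighter than a custom TCP rule open to the whole VPC.

```python
"""Reachability model for the two-subnet setup (added example, not AWS code).
Security groups are stateful, so only the inbound direction is checked."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:              # one inbound security-group rule
    port: int
    source: str          # a CIDR ("0.0.0.0/0") or a security-group name ("sg-public")


@dataclass
class Instance:
    name: str
    private_ip: str
    sg: str
    public_ip: bool                # Auto-assign public IP was enabled
    subnet_has_igw_route: bool     # 0.0.0.0/0 -> igw in the subnet's route table


# Constructed placeholders mirroring the post: public SG opens 22 and 80 to the
# world; private SG admits 22 and 8080 only from members of the public SG.
SECURITY_GROUPS: Dict[str, List[Rule]] = {
    "sg-public": [Rule(22, "0.0.0.0/0"), Rule(80, "0.0.0.0/0")],
    "sg-private": [Rule(22, "sg-public"), Rule(8080, "sg-public")],
}
INSTANCES: Dict[str, Instance] = {
    "public": Instance("public", "10.0.1.10", "sg-public", True, True),
    "private": Instance("private", "10.0.2.10", "sg-private", False, False),
}


def _rule_matches(rule: Rule, port: int, src_ip: str, src_sg: Optional[str]) -> bool:
    if rule.port != port:
        return False
    if rule.source.startswith("sg-"):
        return src_sg == rule.source   # SG-referenced rule: match on the client's group
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)


def can_connect(src_ip: str, dst: str, port: int,
                src_sg: Optional[str] = None) -> Tuple[bool, str]:
    """(allowed, reason). src_sg is set when the client is an instance inside the VPC."""
    target = INSTANCES[dst]
    from_internet = src_sg is None
    if from_internet and not target.public_ip:
        return False, f"{dst} has no public IP"
    if from_internet and not target.subnet_has_igw_route:
        return False, f"{dst}'s subnet has no route to an internet gateway"
    for rule in SECURITY_GROUPS[target.sg]:
        if _rule_matches(rule, port, src_ip, src_sg):
            return True, f"allowed by {target.sg}: port {rule.port} from {rule.source}"
    return False, f"no inbound rule on {target.sg} for port {port} from {src_ip}"
```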
Conclusion
This project has taught me more about VPCs, subnets, IPv4 addressing, compute, etc. Some of the lessons I took from this project are:
- Security groups are everything when it comes to security
- Always create a key pair
- Always run ls -l to check the permissions on a file
- Read config files carefully
Next up: more projects on VPCs.