DEV Community

Thu Kha Kyawe

Day 49: Centralized Audit Logging with VPC Peering

Lab Information

The Nautilus DevOps team needs to build a secure and scalable log aggregation setup within their AWS environment. The goal is to gather log files from an internal EC2 instance running in a private VPC, transfer them securely to another EC2 instance in a public VPC, and then push those logs to a secure S3 bucket.

1) A VPC named devops-priv-vpc already exists with a private subnet named devops-priv-subnet, a route table named devops-priv-rt, and an EC2 instance named devops-priv-ec2 (using an Ubuntu image). This instance uses the SSH key pair devops-key.pem, already available on the AWS client host at /root/.ssh/.

2) Your task is to:

Create a new VPC named devops-pub-vpc.
Create a subnet named devops-pub-subnet and a route table named devops-pub-rt under this public VPC.
Attach an internet gateway to devops-pub-vpc and configure the public route table to enable internet access.
Launch an EC2 instance named devops-pub-ec2 into the public subnet using the same key pair as the private instance.
Create an IAM role named devops-s3-role with PutObject permission to an S3 bucket and attach it to the public EC2 instance.
Create a new private S3 bucket named devops-s3-logs-14184.
Configure a VPC Peering named devops-vpc-peering between the private and public VPCs.
Modify both devops-priv-rt and devops-pub-rt to route each other's CIDR blocks through the peering connection.
On the private instance, configure a cron job to push the /var/log/boots.log file to the public instance (using scp or rsync).
On the public instance, configure a cron job to push that same file to the created S3 bucket.
The uploaded file must be stored in the S3 bucket under the path devops-priv-vpc/boot/boots.log.

Lab Solutions

🔹 Step 1: Create Public VPC

AWS Console → VPC → Create VPC

Name: devops-pub-vpc

CIDR: 10.20.0.0/16

Create.

🔹 Step 2: Create Public Subnet

VPC → Subnets → Create subnet

VPC: devops-pub-vpc

Name: devops-pub-subnet

CIDR: 10.20.1.0/24

AZ: any

After creation:

Enable Auto-assign public IPv4

🔹 Step 3: Internet Gateway

VPC → Internet Gateways → Create

Name: devops-pub-igw

Attach to devops-pub-vpc.

🔹 Step 4: Public Route Table

VPC → Route Tables → Create

Name: devops-pub-rt

VPC: devops-pub-vpc

Add route:

0.0.0.0/0 → devops-pub-igw (Internet Gateway)

Associate with devops-pub-subnet.

PART 2: EC2 & S3
🔹 Step 5: Launch Public EC2

EC2 → Launch Instance

Name: devops-pub-ec2

AMI: Ubuntu

Instance type: lab default

Key pair: devops-key.pem

VPC: devops-pub-vpc

Subnet: devops-pub-subnet

Public IP: Enabled

Create Security Group and allow SSH

Launch.

🔹 Step 6: Create S3 Bucket

S3 → Create bucket

Bucket name: devops-s3-logs-14184

Block all public access: ON

Create.

🔹 Step 7: IAM Role for S3

IAM → Roles → Create role

Service or use case: EC2

Permissions policy: AmazonS3FullAccess (broader than the PutObject permission the task specifies)

Role name: devops-s3-role

Attach role to devops-pub-ec2.
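The walkthrough attaches the AmazonS3FullAccess managed policy, but the task only calls for PutObject on one bucket. The following is an added example, not part of the post or the KodeKloud lab: a POSIX shell script that renders the EC2 trust policy and a permissions policy limited to s3:PutObject on the lab's key prefix, plus a local check that shows which object ARNs the rendered policy would allow. The script name, function names and the `policy_allows_put` check are my own; the bucket name and prefix are the ones the lab specifies.

```shell
#!/bin/sh
# Added example (not the post's own steps): render least-privilege policies for
# devops-s3-role instead of AmazonS3FullAccess.
# Assumption: the only action the public instance needs is s3:PutObject on the
# single prefix the lab requires (devops-priv-vpc/boot/ in devops-s3-logs-14184).

BUCKET="${BUCKET:-devops-s3-logs-14184}"
PREFIX="${PREFIX:-devops-priv-vpc/boot}"

# Trust policy: lets EC2 assume the role (what the console's "EC2" use case generates).
render_trust_policy() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Permissions policy: PutObject only, scoped to the given bucket and prefix.
# $1 = bucket name, $2 = key prefix (no leading or trailing slash)
render_put_policy() {
    bucket="$1"
    prefix="$2"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PutBootLogOnly",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${bucket}/${prefix}/*"
    }
  ]
}
EOF
}

# Local approximation of what the rendered policy permits, so the scoping can be
# seen before the role exists: pulls the Resource pattern out of the JSON and
# matches a candidate object ARN against it with shell glob rules (IAM's "*"
# wildcard behaves the same way for this purpose). Ignores conditions, denies
# and bucket policies, so it is a sanity check, not an IAM simulator.
# $1 = policy JSON, $2 = object ARN.  Returns 0 if PutObject would be allowed.
policy_allows_put() {
    pattern=$(printf '%s\n' "$1" | sed -n 's/.*"Resource": "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$pattern" ] || return 1
    printf '%s\n' "$1" | grep -Eq '"Action": "(s3:PutObject|s3:\*|\*)"' || return 1
    case "$2" in
        $pattern) return 0 ;;
        *)        return 1 ;;
    esac
}

case "${1:-}" in
    trust)  render_trust_policy ;;
    policy) render_put_policy "$BUCKET" "$PREFIX" ;;
esac
```

Saved as `policy.sh`, `sh policy.sh trust > trust.json` and `sh policy.sh policy > put-policy.json` produce the two documents; `aws iam create-role --role-name devops-s3-role --assume-role-policy-document file://trust.json` followed by `aws iam put-role-policy --role-name devops-s3-role --policy-name devops-s3-put --policy-document file://put-policy.json` creates the role from them. The console's EC2 use case creates the matching instance profile automatically; from the CLI you also need `aws iam create-instance-profile` and `aws iam add-role-to-instance-profile` before the role can be attached to devops-pub-ec2. `aws s3 cp` of a single object to a named key needs only PutObject, so the cron upload in the later step works unchanged with this policy.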

PART 3: VPC PEERING
🔹 Step 8: Create VPC Peering

VPC → Peering Connections → Create

Name: devops-vpc-peering

Requester: devops-priv-vpc

Accepter: devops-pub-vpc

Accept the peering request.

🔹 Step 9: Update Route Tables

devops-priv-rt

Add route:

Destination: 10.20.0.0/16

Target: peering connection

devops-pub-rt

Add route:

Destination: CIDR of devops-priv-vpc

Target: peering connection

PART 4: SSH (CORRECT & SIMPLE)

🔹 Step 10: SSH Flow (Correct Design)

AWS client → devops-pub-ec2 → devops-priv-ec2

You never SSH directly to the private EC2 instance from the AWS client; the public instance is used as a jump host.

From AWS client → Public EC2

```bash
cd .ssh
cp devops-key.pem id_rsa        # make the lab key the default identity, so the -J hop below needs no -i
ssh -i /root/.ssh/devops-key.pem ubuntu@<PUBLIC_EC2_PUBLIC_IP>   # first hop: confirm the public instance is reachable
exit
# reach the private instance through the public one as a jump host (ProxyJump)
ssh ubuntu@<PRIVATE_EC2_PRIVATE_IP> -J ubuntu@<PUBLIC_EC2_PUBLIC_IP>
```

✅ Works because:

Same key pair

authorized_keys already present

VPC peering routing exists

PART 5: LOG TRANSFER
🔹 Step 11: Cron on Private EC2 (Send Log)

On devops-priv-ec2:

```bash
ssh-keygen -t ed25519        # dedicated key for the cron transfer; accept the defaults
                             # (empty passphrase, so the cron job can use it without prompting)
cd .ssh/
cat id_ed25519.pub           # copy this public key; it goes into the public instance's authorized_keys
```

On devops-pub-ec2:

```bash
vi .ssh/authorized_keys      # paste the public key from the private EC2 on its own line
cd ~
mkdir boot                   # destination directory for the transferred log
```

On devops-priv-ec2:

```bash
crontab -e                   # answer the "Select an editor" prompt (the walkthrough typed 2)
# add this line and save; it copies the file every minute:
* * * * * /usr/bin/scp /var/log/boots.log ubuntu@10.20.1.162:~/boot/boots.log
```

🔹 Step 12: Cron on Public EC2 (Upload to S3)

On devops-pub-ec2:

```bash
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o awscliv2.zip
sudo apt install -y unzip
unzip awscliv2.zip
sudo ./aws/install            # installs the v2 CLI and links it at /usr/local/bin/aws
aws --version                 # credentials come from the attached instance role (devops-s3-role)
crontab -e                    # answer the "Select an editor" prompt (the walkthrough typed 2)
# add this line and save; cron's PATH is only /usr/bin:/bin, so give the full path to the CLI:
* * * * * /usr/local/bin/aws s3 cp ~/boot/boots.log s3://devops-s3-logs-14184/devops-priv-vpc/boot/boots.log
```
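Steps 11 and 12 both boil down to "push one file somewhere every minute", and a bare scp or aws command in the crontab has no guard against a missing file, a hung prompt, or a silent failure. The following is an added example, not code from the post or the lab: one small POSIX shell script that serves both cron jobs, with a mode for each direction. It refuses to send a missing or empty file, runs ssh in batch mode so cron can never block on a passphrase or host-key prompt, uses rsync so unchanged files are not re-sent, calls the v2 CLI by its full path, and appends a line to a log on every run. The script and function names are mine; it assumes the ed25519 key from step 11 is at ~/.ssh/id_ed25519, that the public instance's private IP is 10.20.1.162 as in the walkthrough, and that the CLI lives at /usr/local/bin/aws.

```shell
#!/bin/sh
# Added example (not part of the original post): push script for both cron jobs.
# Assumptions: key at ~/.ssh/id_ed25519, public instance at 10.20.1.162,
# AWS CLI v2 at /usr/local/bin/aws (cron's PATH is only /usr/bin:/bin).

LOG_FILE="${LOG_FILE:-$HOME/push-log.log}"
AWS_BIN="${AWS_BIN:-/usr/local/bin/aws}"

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG_FILE"; }

# Thin wrappers so the transport can be swapped (or stubbed in a test) without touching the logic.
rsync_cmd() { rsync "$@"; }
aws_cli()   { "$AWS_BIN" "$@"; }

# Common guard for both directions: the source must exist, be readable and be non-empty.
# $1 = path.  Returns 1 (and logs why) when the file should not be sent.
check_source() {
    if [ ! -r "$1" ]; then log "skip: $1 missing or unreadable"; return 1; fi
    if [ ! -s "$1" ]; then log "skip: $1 is empty"; return 1; fi
    return 0
}

# Private instance -> public instance across the peering link.
# $1 = local file, $2 = user@host:remote/path, $3 = ssh identity file
push_to_peer() {
    check_source "$1" || return 1
    [ -r "$3" ] || { log "skip: identity file $3 missing"; return 1; }
    # BatchMode=yes: fail instead of waiting on a passphrase or host-key prompt.
    # -a keeps mode and mtime, -z compresses; rsync skips the copy when nothing changed.
    if rsync_cmd -az -e "ssh -i $3 -o BatchMode=yes" "$1" "$2"; then
        log "ok: $1 -> $2"
    else
        log "fail: rsync exit $? for $1 -> $2"; return 1
    fi
}

# Public instance -> S3, authenticated by the instance role (no keys on disk).
# $1 = local file, $2 = s3://bucket/key
push_to_s3() {
    check_source "$1" || return 1
    if aws_cli s3 cp "$1" "$2" --only-show-errors; then
        log "ok: $1 -> $2"
    else
        log "fail: aws s3 cp exit $? for $1 -> $2"; return 1
    fi
}

case "${1:-}" in
    peer) push_to_peer /var/log/boots.log "ubuntu@10.20.1.162:boot/boots.log" "$HOME/.ssh/id_ed25519" ;;
    s3)   push_to_s3 "$HOME/boot/boots.log" "s3://devops-s3-logs-14184/devops-priv-vpc/boot/boots.log" ;;
    *)    echo "usage: $0 peer|s3" >&2 ;;
esac
```

Installed as /home/ubuntu/push-log.sh on each instance, the crontab entries become `* * * * * flock -n /tmp/push-log.lock /bin/sh /home/ubuntu/push-log.sh peer` on devops-priv-ec2 and the same line with `s3` on devops-pub-ec2; `flock -n` (util-linux, present on Ubuntu) stops a slow run from overlapping with the next one, and ~/push-log.log shows at a glance whether each minute's push succeeded. Because the transfer key has no passphrase, it is worth restricting its entry in the public instance's authorized_keys (for example with a `from=` prefix naming the private instance's address) so it is only usable from inside the peered VPC.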

🔹 Step 13: Final Validation

After 2–5 minutes, S3 should show:

```text
devops-s3-logs-14184
└── devops-priv-vpc
    └── boot
        └── boots.log
```


Resources & Next Steps
📦 Full Code Repository: KodeKloud Learning Labs
📖 More Deep Dives: Whispering Cloud Insights - Read other technical articles
💬 Join Discussion: DEV Community - Share your thoughts and questions
💼 Let's Connect: LinkedIn - I'd love to connect with you

Credits
• All labs are from: KodeKloud
• I sincerely appreciate your provision of these valuable resources.
