Create a Secure AWS VPC Architecture

Ranbir Kumar Das
An Idea (by Ingenious Piece)
7 min read · Sep 8, 2019
AWS VPC

Amazon Virtual Private Cloud (VPC) is a logical, or virtual, data center in the cloud. It provides an isolated section of AWS in which to host your machines. A VPC is a collection of a Region, an Internet Gateway (IG), route tables, network ACLs, security groups, subnets and instances. It gives us a completely separate environment where we can arrange our machines in our own way. Only one internet gateway can be attached to a VPC.

Let’s take a quick look at the complete VPC architecture.

Virtual private Cloud Structure

As you can see, a VPC is a collection of an internet gateway, a router, network ACLs, EC2 instances, subnets, route tables, etc. Let's have a quick look at each of them.

Region: Amazon EC2 is hosted in multiple locations worldwide. These locations are composed of Regions and Availability Zones. Each Region is a separate geographic area. Each Region has multiple, isolated locations known as Availability Zones. Amazon EC2 provides you the ability to place resources, such as instances, and data in multiple locations.

Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

Route tables contain a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.

Network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. A VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. A subnet can be associated with only one network ACL at a time, but a single network ACL can be associated with multiple subnets.
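To make the "firewall at the subnet boundary" idea concrete, here is an added example (not from the article) that evaluates a packet against a constructed network ACL the way AWS does: rules are checked in ascending rule-number order, the first match wins, and anything unmatched falls through to an implicit deny. The rule sets, CIDRs and ports below are constructed for illustration. It also shows the caveat that the paragraph's comparison with security groups hides: a network ACL is stateless, so the replies to an allowed inbound SSH connection must themselves be allowed outbound on the client's ephemeral port.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int        # rules are evaluated in ascending number order; first match wins
    protocol: str      # "tcp", "udp", "icmp" or "all"
    cidr: str          # source CIDR (inbound) or destination CIDR (outbound)
    port_from: int     # ignored for icmp
    port_to: int
    action: str        # "allow" or "deny"


def _matches(rule: NaclRule, proto: str, ip: str, port: int) -> bool:
    if rule.protocol not in ("all", proto):
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule.cidr):
        return False
    if rule.protocol != "icmp" and not (rule.port_from <= port <= rule.port_to):
        return False
    return True


def evaluate_nacl(rules, proto: str, ip: str, port: int) -> str:
    """Decide one packet against one direction of a network ACL.

    Network ACLs are stateless: inbound and outbound are judged separately,
    and every packet, including replies, must match an explicit rule. The
    lowest-numbered matching rule wins; the implicit final '*' rule denies
    anything that nothing else matched.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, ip, port):
            return rule.action
    return "deny"


# Constructed inbound rules for a public subnet (hypothetical, not from the article).
INBOUND = (
    NaclRule(90, "tcp", "198.51.100.0/24", 22, 22, "deny"),    # block one range first
    NaclRule(100, "tcp", "0.0.0.0/0", 22, 22, "allow"),         # SSH from anywhere
    NaclRule(110, "tcp", "0.0.0.0/0", 80, 80, "allow"),         # HTTP
)

# Outbound set that forgets the ephemeral port range: SSH replies are dropped.
OUTBOUND_BROKEN = (
    NaclRule(100, "tcp", "0.0.0.0/0", 80, 80, "allow"),
    NaclRule(110, "tcp", "0.0.0.0/0", 443, 443, "allow"),
)

# Corrected set: replies to inbound connections go back to the client's
# ephemeral port (1024-65535), which a stateless ACL must allow explicitly.
OUTBOUND_FIXED = OUTBOUND_BROKEN + (
    NaclRule(120, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),
)


def ssh_session_works(inbound, outbound, client_ip: str, client_port: int) -> bool:
    """Both directions of a client -> port 22 session must pass the ACL."""
    return (evaluate_nacl(inbound, "tcp", client_ip, 22) == "allow"
            and evaluate_nacl(outbound, "tcp", client_ip, client_port) == "allow")


if __name__ == "__main__":
    print(ssh_session_works(INBOUND, OUTBOUND_BROKEN, "203.0.113.10", 51234))  # False
    print(ssh_session_works(INBOUND, OUTBOUND_FIXED, "203.0.113.10", 51234))   # True
```

The deny rule numbered 90 illustrates why rule order matters: a more specific deny only works if its number is lower than the broad allow that follows it.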

Subnetwork or subnet is a logical subdivision of an IP network. The practice of dividing a network into two or more networks is called subnetting. AWS provides two types of subnet: a public subnet, which allows the internet to reach the machine, and a private subnet, which is hidden from the internet.

Instance is a virtual server in the AWS cloud. With Amazon EC2, you can set up and configure the operating system and applications that run on your instance.

Now it's time to play with the VPC.

Step-1: Create your custom VPC.

Log in to the AWS console with your credentials and search for VPC in the services section. Go to Your VPCs and you will find the Create VPC button. The IPv4 CIDR block is the range of IP addresses that you are going to assign. An IPv4 address is 32 bits and is divided into two portions, a network part and a host part; the /16 means that 16 bits are assigned to the network address and 16 to the host address. The default tenancy means sharing the hardware with other AWS customers.

VPC step-1

Once you create a VPC, some default objects are created under it, so your VPC looks like this:
1. Route table
2. Network ACL
3. Security Groups

Step-2: Now it's time to create a subnet

Go to Subnets and create a subnet; this is the one we will use as the public subnet. Select your VPC and enter the IPv4 CIDR 10.0.1.0/24. In the same way create another subnet, which will be your private subnet, with the IPv4 CIDR 10.0.2.0/24. You can check the full list of your subnets in the Subnets section, as below.

Public and private subnet
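The subnet layout above can be checked before it is typed into the console. The following is an added example, not code from the article, that uses Python's standard `ipaddress` module to validate that each subnet lies inside the VPC range, that no two subnets overlap, and how many addresses remain usable once AWS reserves the first four and the last address of every subnet. The VPC range 10.0.0.0/16 is an assumption drawn from the article's /16 remark in Step-1; `next_free_subnet` is a helper of my own for picking the next unused block.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast), so a /24 has 251 usable.
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr: str, subnet_cidrs) -> dict:
    """Validate a subnet layout and return usable host counts per subnet.

    Raises ValueError if a CIDR has host bits set, lies outside the VPC
    range, or overlaps another subnet (AWS rejects all three).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    for s in subnets:
        if not s.subnet_of(vpc):
            raise ValueError(f"{s} is outside the VPC range {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return {str(s): s.num_addresses - AWS_RESERVED_PER_SUBNET for s in subnets}


def next_free_subnet(vpc_cidr: str, used_cidrs, new_prefix: int = 24) -> str:
    """Return the lowest unused block of the requested size inside the VPC."""
    vpc = ipaddress.ip_network(vpc_cidr)
    used = [ipaddress.ip_network(c) for c in used_cidrs]
    for candidate in vpc.subnets(new_prefix=new_prefix):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    raise ValueError("no free block of that size left in the VPC")


def network_and_host_bits(cidr: str) -> tuple:
    """Split a CIDR into (network bits, host bits); a /16 gives (16, 16)."""
    net = ipaddress.ip_network(cidr)
    return net.prefixlen, net.max_prefixlen - net.prefixlen


if __name__ == "__main__":
    # The article's two subnets inside the assumed 10.0.0.0/16 VPC.
    print(plan_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"]))
    print(next_free_subnet("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"]))  # 10.0.0.0/24
```

Running it prints 251 usable addresses for each /24; feeding it an overlapping or out-of-range CIDR raises a ValueError with the offending block named, which is the same objection the console would raise.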

Now we have two subnets, and we need to make one of them publicly accessible. To make it public, select the subnet, go to Actions at the top and click Modify auto-assign IP settings. Please refer to the screen below.

Up to now your VPC looks like this.

Step-3: Next, we will attach the Internet gateway (IG). Go to Internet Gateways and press the Create button. After creation the internet gateway is in the detached state, so go to Actions and attach it to your VPC.

Note: Only one internet gateway can be attached to a VPC; you cannot attach multiple IGs to a single VPC. Do not worry about the connection: AWS takes care of the connectivity, and it is highly available.

Step-4: Let's go to the Subnets section again and do some security tweaks. Whenever you create a subnet it is associated with the default route table, so keep your default route table private and create a new route table that will be the public one. Now you have a route table with a subnet, and it's time to point that table at the IG.
Go to the Edit routes option and make the entries below.

Allow Internet to your subnet

At this point, you have connected the public subnet to the Internet.

Step-5: Now it’s time to place your EC2 machines in the subnets.

EC2 for public

Launch an EC2 instance and select your created VPC and the subnet; the first one goes in the public subnet.
Launch a second instance and assign it the private subnet. For this one use the default security group; do not use the public security group that you assigned to the instance in the public subnet.
Using the key pair you can log in to the public EC2 machine.

Now you have the complete structure of your created VPC.

Structured VPC

Step-6:

So now the question becomes: how do we access the private machine? We do not have a public IP for it, but it does have a private IP. You may be thinking that we can reach it through the public machine, but remember that the private machine has the default security group, and the default security group never allows that access.
Now we create a security group, selecting your VPC.

security group

Now select your private EC2 instance, assign the newly created security group and remove the default security group.

Ping private Machine

Step-7: At this point you have allowed your public machine to access the private machine. To check it, ping the private IP from the public machine. This confirms that your public server can reach the private server.
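Steps 6 and 7 rely on a property of security groups that is easy to miss: a rule's source can be another security group rather than an IP range, so "allow SSH and ping from whatever carries the public instance's group" is expressible without hard-coding the public instance's address. The following added example (mine, not the article's) models that evaluation. The group ids, rules and addresses are constructed placeholders; the one fact it leans on is that the VPC's default group only admits traffic from members of itself, which is why the public instance (in a different group) could not reach the private one in Step-5.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SgRule:
    protocol: str     # "tcp", "udp", "icmp" or "all"
    port_from: int    # ignored for icmp
    port_to: int
    source: str       # a CIDR block, or the id of a security group ("sg-...")


@dataclass(frozen=True)
class SecurityGroup:
    group_id: str
    inbound: tuple    # allow rules only: security groups have no deny rules


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    group_ids: tuple  # empty for a host outside the VPC


def inbound_allowed(groups: dict, dest: Host, src: Host, proto: str, port: int) -> bool:
    """Stateful allow-list check for traffic from src to dest.

    Traffic is admitted if any inbound rule on any of dest's groups matches.
    Because security groups are stateful, the reply needs no outbound rule.
    A rule whose source is a group id matches when the *sender* carries that
    group, whatever its IP address is.
    """
    for gid in dest.group_ids:
        for rule in groups[gid].inbound:
            if rule.protocol not in ("all", proto):
                continue
            if rule.protocol != "icmp" and not (rule.port_from <= port <= rule.port_to):
                continue
            if rule.source.startswith("sg-"):
                if rule.source in src.group_ids:
                    return True
            elif ipaddress.ip_address(src.ip) in ipaddress.ip_network(rule.source):
                return True
    return False


# Constructed groups; ids and addresses are placeholders, not from the article.
GROUPS = {
    # The VPC's default group only admits traffic from members of itself.
    "sg-default": SecurityGroup("sg-default", (SgRule("all", 0, 65535, "sg-default"),)),
    # Group on the public instance: SSH and HTTP from anywhere.
    "sg-web": SecurityGroup("sg-web", (SgRule("tcp", 22, 22, "0.0.0.0/0"),
                                       SgRule("tcp", 80, 80, "0.0.0.0/0"))),
    # Group for the private instance: SSH and ping only from sg-web members.
    "sg-private": SecurityGroup("sg-private", (SgRule("tcp", 22, 22, "sg-web"),
                                               SgRule("icmp", 0, 0, "sg-web"))),
}

PUBLIC = Host("public-ec2", "10.0.1.10", ("sg-web",))
PRIVATE_BEFORE = Host("private-ec2", "10.0.2.10", ("sg-default",))   # state after Step-5
PRIVATE_AFTER = Host("private-ec2", "10.0.2.10", ("sg-private",))    # state after Step-6
OUTSIDER = Host("internet-host", "203.0.113.10", ())


if __name__ == "__main__":
    print(inbound_allowed(GROUPS, PRIVATE_BEFORE, PUBLIC, "icmp", 0))   # False: Step-5 ping fails
    print(inbound_allowed(GROUPS, PRIVATE_AFTER, PUBLIC, "icmp", 0))    # True: Step-7 ping works
    print(inbound_allowed(GROUPS, PRIVATE_AFTER, OUTSIDER, "tcp", 22))  # False: still unreachable from outside
```

Referencing `sg-web` rather than 10.0.1.10 means the rule keeps working if the public instance is replaced and gets a new address, and it never widens to hosts outside the VPC, because an outside host carries no group at all.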

Step-8: To SSH into your private machine you can copy your private key: create a new file on your public machine, paste the key contents into it (myprivateKey.pem) and change its permissions to 400.

Important: This is not recommended on a production server. Instead of copying the key we should use a bastion host, and we need to take care of the complete hardening of the bastion host.

Hurray! Now you have completely set up your secure VPC. So, do you think it is over? There is a lot more to do. For now, just think: if you want to update your private instance, how will you do that? The private machine does not have internet access. The solution is:

Network Address Translation (NAT) gateway and NAT instance. The NAT instance is the old approach; it is recommended to use the NAT gateway.
A NAT instance is a single instance, whereas a NAT gateway is highly available and independent of any instance. A NAT instance always sits behind a security group.

NAT Gateway and Instance

Create a NAT instance and add the web security group that we used for our public subnet.

Disable the source/destination check on the NAT instance.

Enable Source and destination check

Now you have a NAT instance which has internet access, and we need to link our private subnet to it. As we know, our private subnet uses the default route table, so we will add the NAT instance as a route target in that table.

Add NAT instance to the default Route table

Log in to your private server through the web server and try to install anything from the internet.

Now it's the NAT gateway's turn.

Create a NAT gateway in the public subnet and allocate a new Elastic IP for it.

NAT Gateway

After creating the NAT gateway, go to the default route table, add an entry for the NAT gateway and associate the table with the private subnet.

Route table with NAT gateway
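Step-4 and the two NAT sections are all edits to route tables, and what makes a subnet "public" or "private" is nothing more than where its 0.0.0.0/0 route points. The following added example (mine, not the article's) models that: `resolve_route` picks the most specific matching route the way the VPC router does, `classify_subnet` reads the exposure off the default route, and `audit_exposure` flags the mistake Step-4 warns about, namely putting the internet gateway route on the default route table that every new subnet uses. Gateway ids and table names are placeholders; the VPC range 10.0.0.0/16 is assumed from Step-1.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR block
    target: str       # "local", an internet gateway ("igw-..."), a NAT gateway
                      # ("nat-...") or a NAT instance's interface ("eni-...")


def resolve_route(routes, dest_ip: str):
    """Return the target for dest_ip by longest-prefix match, or None if no route matches."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route.destination)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route.target)
    return best[1] if best else None


def classify_subnet(routes) -> str:
    """'public' if the default route goes to an internet gateway, 'private' if it
    goes through NAT (gateway or instance), 'isolated' if there is no default route."""
    defaults = [r.target for r in routes if r.destination == "0.0.0.0/0"]
    if not defaults:
        return "isolated"
    return "public" if defaults[0].startswith("igw-") else "private"


def audit_exposure(associations: dict, route_tables: dict, intended: dict) -> list:
    """List subnets whose route table gives them a different exposure than intended."""
    problems = []
    for subnet, table_name in associations.items():
        actual = classify_subnet(route_tables[table_name])
        if actual != intended[subnet]:
            problems.append(f"{subnet} ({table_name}): intended {intended[subnet]}, actually {actual}")
    return problems


# Constructed tables; gateway ids are placeholders, not the article's.
VPC_LOCAL = Route("10.0.0.0/16", "local")
ROUTE_TABLES = {
    "public-rt": (VPC_LOCAL, Route("0.0.0.0/0", "igw-PLACEHOLDER")),
    "main-rt": (VPC_LOCAL, Route("0.0.0.0/0", "nat-PLACEHOLDER")),
}
# The mistake Step-4 warns about: the main table (used by every new subnet) gets the IGW route.
MISCONFIGURED_TABLES = {
    "public-rt": ROUTE_TABLES["public-rt"],
    "main-rt": (VPC_LOCAL, Route("0.0.0.0/0", "igw-PLACEHOLDER")),
}
ASSOCIATIONS = {"10.0.1.0/24": "public-rt", "10.0.2.0/24": "main-rt"}
INTENDED = {"10.0.1.0/24": "public", "10.0.2.0/24": "private"}


if __name__ == "__main__":
    print(resolve_route(ROUTE_TABLES["main-rt"], "10.0.1.10"))      # local
    print(resolve_route(ROUTE_TABLES["main-rt"], "203.0.113.10"))   # nat-PLACEHOLDER
    print(audit_exposure(ASSOCIATIONS, ROUTE_TABLES, INTENDED))      # []
    print(audit_exposure(ASSOCIATIONS, MISCONFIGURED_TABLES, INTENDED))
```

The private subnet still reaches the internet through the NAT gateway for updates, but inbound connections from the internet have no path to it, since only the NAT gateway in the public subnet has a public address.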

I hope this helps to configure the secure VPC.
